{gitops-title} 1.16.0 is now available on {OCP} 4.12, 4.13, 4.14, 4.15, 4.16, 4.17, and 4.18.
Issued: 2025-03-30
The list of security fixes that are included in this release are documented in the following advisory:
If you have installed the {gitops-title} Operator in the default namespace, run the following command to view the container images in this release:
$ oc describe deployment gitops-operator-controller-manager -n openshift-gitops-operator-
With this update, {gitops-title} is designed for environments running in Federal Information Processing Standards (FIPS) mode. When deployed on {OCP} configured for FIPS mode, the platform uses the Red Hat Enterprise Linux (RHEL) cryptographic libraries that have been submitted to National Institute of Standards and Technology (NIST) for FIPS validation. For more information about enabling {OCP} FIPS support, see the {OCP} documentation. GITOPS-6365
NoteWhen the {gitops-title} Operator is deployed on an {OCP} cluster configured for FIPS mode, Single Sign-on (SSO) configuration for Argo CD using Keycloak is not supported.
-
With this update, support is provided for masking sensitive annotations on
Secretresources in the Argo CD user interface (UI) and command-line interface (CLI). A new configuration key,resource.sensitive.mask.annotations, has been introduced. This key accepts a comma-separated list of.metadata.annotationskeys. The values associated with these keys are masked in the Argo CD UI and CLI, enhancing the security of sensitive information stored in annotations. GITOPS-5903 -
With this update, support is provided to configure the
respectRBACoption, which controls how Argo CD watches resources on a cluster in a cluster-scoped installation. You can updaterespectRBACconfigurations in theConfigMapthrough an Argo CD resource, allowing for more flexible and granular control over resource viewing behavior. GITOPS-5212 -
With this update, you can view the cause of failure directly in the status of Argo CD resources. The error message is clearly provided in the resource status, reducing the need to analyze logs to identify the root cause of failures. GITOPS-5871
-
With this update, you can configure various policies for the ApplicationSet controller in the Argo CD Custom Resource (CR). These policies allow administrators to restrict the types of modifications that can be made to the managed Argo CD Application resources, offering enhanced control over resource management. For more information, see ApplicationSet Controller policies. GITOPS-5236
-
With this update, the revision history and rollback pages in Argo CD feature collapsible sections for application parameters. This change reduces the need to scroll through multiple lines of input parameters and you can navigate revision entries more efficiently. Important details such as the commit SHA, remain visible outside the collapsible sections, ensuring easy search and reference. This enhancement applies to single and multi-source applications, streamlining the user experience across application types. GITOPS-5082
-
With this update, the Argo CD Operator adds support for the
InstallationIDfield in the Argo CD Spec type, enabling better management of multi-instance deployments. Use this feature to assign a unique identifier to each Argo CD instance, ensuring proper differentiation of applications with the same name across multiple instances. By setting anInstallationIDfield, you can prevent conflicts between applications and ensure accurate tracking of resources in multi-instance environments. GITOPS-5432 -
With this update, specifying the container image when configuring a sidecar container for a config management plugin is optional. If omitted, the image used by the repo server is automatically applied to the plugin. GITOPS-3372
-
Before this update, when installing a namespace-scoped instance of {gitops-shortname}, the
argocd-redisServiceAccountswere assigned thenonroot-v2SecurityContextConstraints(SCC), which provided more privileges than the standardrestricted-v2SCC, which might lead to potential security risks. With this update, the namespace-scoped and cluster-scoped instances of {gitops-shortname} enforce the use of therestricted-v2SCC for theargocd-redisServiceAccounts. This change enhances security compliance by minimizing unnecessary privileges. GITOPS-6236 -
Before this update, the on-deployed trigger in the Argo CD notification-controller could incorrectly send a success notification while the application was still in the
progressingstate. This issue arose from the way Argo CD handled application status updates. With this update, a new timestamp field,status.health.lastTransitionTime, has been introduced in the application status to address this issue. This field prevents false-positive alerts by capturing the last health status change and enabling the on-deployed trigger to send notifications only after a stable transition. GITOPS-3699 -
Before this update, during an upgrade, the
argocd-redis-ha-configmap,argocd-redis-ha-health-configmap, and the Redis HAStatefulSetresources were not correctly updated. This led to Redis HA pods encountering anAUTHerror. With this update, the {gitops-shortname} Operator correctly updates the Redis HA config maps andStatefulSetduring an upgrade process. As a result, Redis HA pods are prevented from entering anAUTHerror state post-upgrade. GITOPS-5975 -
Before this update, any changes to the
serviceAccountNameandserviceAccountfields in the Redis deployment were not reconciled by the {gitops-title} Operator. With this update, this issue is fixed by ensuring that any unintended changes to these fields are reset to their expected value,<argocd-instance-name>-argocd-redis. GITOPS-6032 -
Before this update, Argo CD relied solely on the
sub claimfor user identification, which could be non-deterministic with Dex and cause unexpected Role-Based Access Control (RBAC) policy failures. With this update, Argo CD identifies users in the following order:-
Checks the
federated_claims.user_idfield when Dex is the identity provider. -
If federated claims are unavailable or empty, it falls back to the sub claim.
With this update, this issue is fixed. This change ensures RBAC policies are based on actual user identifiers, such as email addresses rather than encoded values.
ExampleOld method (encoded sub value): g, ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ, role:admin New method (actual user identifier): g, [email protected], role:admin
-
-
Before this update, Argo CD components, such as,
server,repo-server, andapplication-controllercould crash when accessing the Redis instance due to network or DNS instabilities within the cluster. This issue stemmed from a race condition in thego-redisclient library when multiple connections in a connection pool call thedial hookfunction. With this update, this issue is fixed. This update resolves the issue by integrating an updatedgo-redisclient library that eliminates race conditions duringdial hookfunction calls. It also improves the handling and recovery from network and DNS errors, ensuring greater stability for Argo CD components. GITOPS-6287 -
Before this update, upgrading the {gitops-title} Operator to v1.15.1 raised a health check error that prevented Red Hat Advanced Cluster Management (ACM) policies from syncing. This update fixes the issue by adding a missing nil check to
status.placementfor Policy. GITOPS-6500
-
There is currently a known issue that assigns a lower
SecurityContextConstraints(SCC) to Redis service account in {gitops-shortname} v1.16 after upgrading from {gitops-shortname} v1.15 to v1.16. The {gitops-shortname} Operator does not update thesecurityContextof theredis-ha-serverStatefulSet, which causes the container’s user to be statically set instead of being randomly assigned as required by therestricted-v2SCC. Theredis-ha-serverStatefulSetpods retain the old configurations and are not updated with the new settings. As a result, the new configuration of theStatefulSetis not applied correctly.Workaround: Manually delete the
redis-ha-serverStatefulSetto trigger the re-creation of the pods with the updated settings. GITOPS-6670
-
In {gitops-title} v1.16, the
.spec.initialRepositoriesand.spec.repositoryCredentialsfields in Argo CD CR are deprecated. These fields will no longer be supported by {gitops-title} Operator and the Argo CD CR in a future release. Update your configurations to remove dependencies on these fields. Use the Argo CD web UI or CLI to add or modify repositories. GITOPS-5961