Red Hat OpenShift GitOps release notes

Before this update, pods in a different namespace could access the Redis server on port 6379 to obtain read and write access to the data. This issue has been fixed in this release by enabling secure authentication.

Before this update, users could not use the argocd-k8s-auth binary to add Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS) clusters because this binary was not available in the GitOps container. This update fixes the issue by adding the argocd-k8s-auth binary in the GitOps container. GITOPS-4226

Before this update, attempts to connect to Azure DevOps with Argo CD would result in an error due to the deprecation of the rsa-ssh host key algorithm by the Azure DevOps Repository service. This update fixes the issue by providing support for the rsa-ssh host key algorithms during the communication process between Argo CD and Azure DevOps Repository service. GITOPS-4543

Before this update, the ignoreDifferences sync option in Argo CD did not work for array fields. This update fixes the issue by modifying the merge strategy of the ignoreDifferences sync option used in the upstream project to handle array fields. As a result, the sync option now functions correctly by allowing users to ignore specific elements in the array during sync. GITOPS-2962

Before this update, users accessing a Red Hat OpenShift on AWS (ROSA) cluster after hibernation were unable to log in to the Argo CD web console due to an error indicating an invalid redirect URI in the Dex configuration. With this update, users can now log in to the Argo CD web console without facing any errors when the ROSA cluster is operational post-hibernation. GITOPS-4358

Before this update, users were unable to log in to the Argo CD web console if the availability of the openshift-gitops route was delayed while the Red Hat OpenShift GitOps Operator processed an Argo CD custom resource instance. An error message was displayed indicating an invalid redirect URI in the Dex configuration. With this update, users can now log in to the Argo CD web console without facing any errors. GITOPS-3736

Before this update, users could not create custom resources for Argo CD from the Add page on the Developer perspective of the Red Hat OpenShift GitOps web console. This issue has been observed from Red Hat OpenShift GitOps 1.10 and later releases. This update fixes the issue because Operator-backed resources with the correct versions are included in the ClusterServiceVersion manifest file. GITOPS-4513

With this update, you can selectively disable the redis and application-controller components for an Argo CD instance in a specified namespace. These components are enabled by default. To disable a component, set the enabled flag to false in the .spec.<component>.enabled field of the Argo CD Custom Resource (CR). GITOPS-3723

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
spec:
  controller:
    enabled: false
  redis:
    enabled: false

Before this update, the Argo CD Notifications Controller did not support custom certificates added to the argocd-tls-certs-cm config map. As a result, notification services with custom certificates did not receive notifications due to the x509: certificate signed by unknown authority error message. This update fixes the issue by correctly initializing the cert resolver function in the Argo CD Notifications Controller to load all certificates stored in the argocd-tls-certs-cm config map. Now, notification services with custom certificates can successfully receive notifications. GITOPS-2809

Before this update, users would face PrometheusOperatorRejectedResources alerts when the Red Hat OpenShift GitOps Operator was not installed in the openshift-gitops-operator namespace. The problem affected users who upgraded from earlier versions of the Red Hat OpenShift GitOps Operator to v1.10. This update fixes the issue by updating the Operator’s serverName metrics service to reflect the correct installation namespace. Now, users who upgrade or install the Red Hat OpenShift GitOps Operator in namespaces other than openshift-gitops-operator should not see these alerts. GITOPS-3424

Before this update, pods in a different namespace could access the Redis server on port 6379 to obtain read and write access to the data. This update fixes the issue by enabling secure authentication.

Before this update, users could not use the argocd-k8s-auth binary to add Google Kubernetes Engine (GKE) and Amazon Elastic Kubernetes Service (EKS) clusters because this binary was not available in the GitOps container. This update fixes the issue by adding the argocd-k8s-auth binary in the GitOps container. GITOPS-4226

Before this update, attempts to connect to Azure DevOps with Argo CD would result in an error due to the deprecation of the rsa-ssh host key algorithm by the Azure DevOps Repository service. This update fixes the issue by providing support for the rsa-ssh host key algorithms during the communication process between Argo CD and Azure DevOps Repository service. GITOPS-4543

Before this update, the ignoreDifferences sync option in Argo CD did not work for array fields. This update fixes the issue by modifying the merge strategy of the ignoreDifferences sync option used in the upstream project to handle array fields. As a result, the sync option now functions correctly by allowing users to ignore specific elements in the array during sync. GITOPS-2962

Before this update, users could not create custom resources for Argo CD from the Add page on the Developer perspective of the Red Hat OpenShift GitOps web console. This issue has been observed from Red Hat OpenShift GitOps 1.10 and later releases. This update fixes the issue because Operator-backed resources with the correct versions are included in the ClusterServiceVersion manifest file. GITOPS-4513

With this update, the Argo CD CRD API version is upgraded from v1alpha1 to v1beta1 to accomodate the breaking changes resulting from the deprecation of .spec.dex and certain .spec.sso fields. To streamline the automatic migration of existing v1alpha1 Argo CD CRs to v1beta1, conversion webhook support is implemented. GITOPS-3040

With this update, the Red Hat OpenShift GitOps Operator deploys three monitoring dashboards in the Administrator perspective of the web console. The three dashboards are GitOps Overview, GitOps Components, and GitOps gRPC. To access these dashboards, go to Observe → Monitoring. GITOPS-1767

Previously, timestamps were presented in a Unix epoch format. With this update, the timestamps are changed to RFC3339 format, for example: 2023-06-27T07:12:48-04:00, to improve overall readability. GITOPS-2898

With this update, the default Argo CD instance in the openshift-gitops namespace has restricted permissions for non-admin users by default. This improves security because non-admin users no longer have access to sensitive information. However, as an administrator, you can set permissions and grant non-admin users access to the resources managed by the default openshift-gitops Argo CD instance by configuring your Argo CD RBAC. This change only applies to the default openshift-gitops Argo CD instance. GITOPS-3032

With this update, the default installation namespace for Red Hat OpenShift GitOps Operator is changed to its own namespace called openshift-gitops-operator. You can still choose the old default installation namespace, openshift-operators, through a drop-down menu available in the OperatorHub UI at installation time. You can also enable cluster monitoring on the new namespace by selecting the check box, which makes the Operator’s performance metrics accessible within the OpenShift Container Platform web console. GITOPS-3073

With this update, the Red Hat OpenShift GitOps Operator exports custom metrics that allow you to track the performance of the Operator. The following are the exported metrics:

Before this update, there was no option for choosing an algorithm for distributing the destination clusters equally across the different application controller shards. Now, you can set the sharding algorithm to the round-robin parameter, which distributes clusters equally across the different application controller shards so that the synchronization load is spread equally among the shards. GITOPS-3288

Before this update, there was no option for scaling the application controller replicas dynamically. Now, you can dynamically scale the number of application controllers based on the number of clusters managed by each application controller. GITOPS-3287

With this release, the following deprecated sso and dex fields are removed from Argo CD CR:

With this update, the deprecated .spec.resourceCustomizations field is removed from Argo CD CR. Bug fixes and support are only provided through the end of the Red Hat OpenShift GitOps v1.9 lifecycle. As an alternative to .spec.resourceCustomizations, you can use .spec.resourceHealthChecks, .spec.resourceIgnoreDifferences, and .spec.resourceActions fields instead. GITOPS-3041

With this update, the deprecated legacy Configuration Management Plugins (CMPs) feature, specified in the argocd-cm config map or the Operator through the .spec.configManagementPlugins field in Argo CD CR, has been removed in Argo CD v2.8. To continue using your legacy plugins, consider migrating them to the new sidecar available in the Operator through the .spec.repo.sidecarContainers field in Argo CD CR. GITOPS-3462

Before this update, there were vulnerabilities on Redis. This update fixes the issue by upgrading Redis to the latest version of registry.redhat.io/rhel-8/redis-6. GITOPS-3069

Before this update, users were facing an "x509: certificate signed by unknown authority" error when using scmProvider with GitLab. This update fixes the issue by adding support for the Insecure flag for scmProvider with GitLab, and an option for mounting TLS certificate on the applicationSet controller. This certificate can then be utilized for scmProvider interactions with GitLab. GITOPS-3107

Before this update, an old Redis image version was used when deploying the Red Hat OpenShift GitOps Operator, which resulted in vulnerabilities. This update fixes the vulnerabilities on Redis by upgrading it to the latest version of the registry.redhat.io/rhel-8/redis-6 image. GITOPS-3069

With this update, the bundled Argo CD has been updated to version 2.7.6.

Before this update, Argo CD was becoming unresponsive when there was an increase in namespaces and applications. This update fixes the issue by removing a deadlock. Deadlock occurs when two functions are competing for resources. Now, you should not experience crashes or unresponsiveness when there is an increase in namespaces or applications. GITOPS-2782

Before this update, the Argo CD application controller resource could suddenly stop working when resynchronizing applications. This update fixes the issue by adding logic to prevent a cluster cache deadlock. Now, you should not experience the deadlock situation, and applications should resynchronize successfully. GITOPS-2880

Before this update, there was a mismatch in the RSA key for known hosts in the argocd-ssh-known-hosts-cm config map. This update fixes the issue by matching the RSA key with the upstream project. Now, you can use the default RSA keys on default deployments. GITOPS-3042

Before this update, the reconciliation timeout setting in the argocd-cm config map was not being correctly applied to the Argo CD application controller resource. This update fixes the issue by correctly reading and applying the reconciliation timeout setting from the argocd-cm config map. Now, you can modify the reconciliation timeout value from the AppSync setting without a problem. GITOPS-2810

With this update, you can use a custom must-gather tool to collect diagnostic information for project-level resources, cluster-level resources, and Red Hat OpenShift GitOps components. This tool provides the debugging information about the cluster associated with Red Hat OpenShift GitOps, which you can share with the Red Hat Support team for analysis. GITOPS-2797

With this update, you can add support to progressive delivery using Argo Rollouts. Currently, the supported traffic manager is only Red Hat OpenShift Service Mesh. GITOPS-959

In Red Hat OpenShift GitOps 1.7.0, the .spec.resourceCustomizations parameter was deprecated. The deprecated .spec.resourceCustomizations parameter is planned to be removed in the upcoming Red Hat OpenShift GitOps GA v1.10.0 release. You can use the new formats spec.ResourceHealthChecks, spec.ResourceIgnoreDifferences, and spec.ResourceActions instead. GITOPS-2890

With this update, the support for the following deprecated sso and dex fields extends until the upcoming Red Hat OpenShift GitOps GA v1.10.0 release:

Before this update, when the argocd-server-tls secret was updated with a new certificate Argo CD was not always picking up this secret. As a result, the old expired certificate was presented. This update fixes the issue with a new GetCertificate function and ensures that the latest version of certificates is in use. When adding new certificates, now Argo CD picks them up automatically without the user having to restart the argocd-server pod. GITOPS-2375

Before this update, when enforcing GPG signature verification against a targetRevision integer pointing to a signed Git tag, users got a Target revision in Git is not signed error. This update fixes the issue and lets users enforce GPG signature verification against signed Git tags. GITOPS-2418

Before this update, users could not connect to Microsoft Team Foundation Server (TFS) type Git repositories through Argo CD deployed by the Operator. This update fixes the issue by updating the Git version to 2.39.3 in the Operator. GITOPS-2768

Before this update, when the Operator was deployed and running with the High availability (HA) feature enabled, setting resource limits under the .spec.ha.resources field did not affect Redis HA pods. This update fixes the reconciliation by adding checks in the Redis reconciliation code. These checks ensure whether the spec.ha.resources field in the Argo CD custom resource (CR) is updated. When the Argo CD CR is updated with new CPU and memory requests or limit values for HA, now these changes are applied to the Redis HA pods. GITOPS-2404

Before this update, if a namespace-scoped Argo CD instance was managing multiple namespaces by using the managed-by label and one of those managed namespaces was in a Terminating state, the Argo CD instance could not deploy resources to all other managed namespaces. This update fixes the issue by enabling the Operator to remove the managed-by label from any previously managed now terminating namespace. Now, a terminating namespace managed by a namespace-scoped Argo CD instance does not block the deployment of resources to other managed namespaces. GITOPS-2627

Currently, the Argo CD does not read the Transport Layer Security (TLS) certificates from the path specified in the argocd-tls-certs-cm config map resulting in the x509: certificate signed by unknown authority error.