
Update dependency argoproj/argo-cd to v2.5.0

Renovate Bot requested to merge renovate/argoproj-argo-cd-2.x into main

This MR contains the following updates:

Package: argoproj/argo-cd
Type: Kustomization
Update: minor
Change: v2.4.11 -> v2.5.0

Dependency Lookup Warnings

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.


Release Notes

argoproj/argo-cd

v2.5.0

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.5.0/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.5.0/manifests/ha/install.yaml

Release signatures

All Argo CD container images and CLI binaries are signed by cosign. See the documentation on how to verify the signatures.

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
-----END PUBLIC KEY-----
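The note above points to the documentation for the verification step without showing it. The following is an added example, not code from the release notes or from the Argo CD project: it stores the public key printed above and wraps `cosign verify --key` so that an image whose signature does not check out under that key is rejected rather than deployed. The image reference used in the demo line (quay.io/argoproj/argocd:v2.5.0) is an assumption about where the release images are published; take the authoritative name from the Argo CD documentation.

```shell
#!/bin/sh
# Added example; not code from the release notes or the Argo CD project.
# Stores the release-signing public key shown in the notes and wraps
# `cosign verify --key` so that an unsigned or wrongly signed image is
# rejected before it is deployed.  The image reference in the demo
# (quay.io/argoproj/argocd:v2.5.0) is an assumption, not quoted from the notes.

# argocd_cosign_pubkey: print the key from the release notes (ECDSA P-256, PEM).
argocd_cosign_pubkey() {
  cat <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
-----END PUBLIC KEY-----
EOF
}

# write_argocd_cosign_key FILE: write the key to FILE for cosign to read.
write_argocd_cosign_key() {
  argocd_cosign_pubkey > "$1"
}

# verify_argocd_image IMAGE [KEYFILE]: exit 0 only when cosign accepts the
# signature under the release key.  A missing cosign binary, a missing
# signature or a signature under some other key all count as failure, so a
# caller that gates deployment on this function fails closed.
verify_argocd_image() {
  image=$1
  keyfile=${2:-argocd-cosign.pub}
  if ! command -v cosign >/dev/null 2>&1; then
    echo "cosign not installed; cannot verify $image" >&2
    return 1
  fi
  if cosign verify --key "$keyfile" "$image" >/dev/null 2>&1; then
    echo "verified: $image"
  else
    echo "REJECTED: $image carries no valid signature for $keyfile" >&2
    return 1
  fi
}

# Demo: write the key to a temporary file and attempt verification.  The
# verify step needs cosign and network access, so its failure is only
# reported here rather than aborting the script.
KEYFILE="${TMPDIR:-/tmp}/argocd-cosign.pub"
write_argocd_cosign_key "$KEYFILE"
verify_argocd_image quay.io/argoproj/argocd:v2.5.0 "$KEYFILE" || true
```

In a deployment pipeline the `|| true` is dropped so that a failed verification stops the rollout; the same function can be pointed at the CLI binaries' signatures once they are fetched, since the release key is shared between images and binaries.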

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changes

This release includes 301 contributions from 136 contributors (89 of them new) with 59 features and 62 bug fixes.

Features
  • feat(ui): notification subscriptions edit field #​10310 (#​10839)
  • feat: system level extensions (#​10758)
  • feat: equality-based and set-based filtering by label keys and values for list, sync, delete and wait App commands (#​10548)
  • feat: add health checks for storage.cnrm.cloud.google.com/StorageBucketAccessControl (#​10727)
  • feat: add the ability to filter apps based on clusters (#​10465)
  • feat: argocd app delete apps by label (#​10091) (#​10118)
  • feat: add health checks for iam.cnrm.cloud.google.com/IAMPolicy (#​10725)
  • feat: add Prometheus health check (#​10508)
  • feat: add health check for cloudscheduler.cnrm.cloud.google.com/CloudSchedulerJob (#​10606)
  • feat: add health check for cloudscheduler.cnrm.cloud.google.com/CloudFunctionsFunction (#​10607)
  • feat: health check for compute.cnrm.cloud.google.com/ComputeDisk (#​10608)
  • feat: health check for OnePasswordItem (#​10690)
  • feat: health check storage.cnrm.cloud.google.com/StorageDefaultObjectAccessControl (#​10726)
  • feat(ui): Collapsable sidebar with filters (#​10626)
  • feat: dark mode (#​4722) (#​9703)
  • feat: create cli commands for ApplicationSet (#​9584)
  • feat: add permitOnlyProjectScopedClusters flag (#​10237)
  • feat: add scrollbar to live manifest (#​10379)
  • feat: add notifications API (#​10279)
  • feat(applicationset): reuse repo-creds for an existing GitHub App (#​10092)
  • feat: Support Custom Application Actions in CLI #​7577 (#​10015)
  • feat: make https repo credentials editable in the UI (#​9108) (#​9782)
  • feat!(cli): add confirm for cluster remove (#​10319)
  • feat: server-side manifest generation for local diff (#​8145) (#​10019)
  • feat: support gzip compression for data stored in redis (#​10190)
  • feat: Make additional namespaces configurable via environment (#​10270)
  • feat: Applications in any namespace (#​9755)
  • feat: add support for default container annotation (#​8015) (#​9769)
  • feat: add projects filter to app sync command (#​8320) (#​10133)
  • feat: add Gitlab MR generator webhooks support (#​10235)
  • feat: refactor redis-ha NetworkPolicy to include egress rules (#​10226)
  • feat: restrict egress on redis (#​10227)
  • feat: Added health check for spot.io SpotDeployment (#​10152)
  • feat: Added Google Project health check (#​10230)
  • feat: Added Google PubSub Topic and Subscription health checks (#​10229)
  • feat: ApplicationSet Go template (#​10026)
  • feat: Introduces Server-Side Apply as sync option (#​9711)
  • feat: app wait with --degraded (#​10139)
  • feat: Expose the Argo CD ID through an ENV in the Dockerfile (#​10113) (#​10115)
  • feat: Support environment variables in Helm value file paths (#​10213)
  • feat: Add labelSelector style to filter all generators (#​9312)
  • feat: add deny destinations for projects (#​9464) (#​9652)
  • feat: argocd app manifests --local (#​5525) (#​10061)
  • feat: add ingress network policies for applicationset and notifications controller (#​10053)
  • feat: add HTTPS to dex server (#​9424) (#​9883)
  • feat: allow argocd cluster rotate-auth to accept cluster name (#​9838)
  • feat(applicationset): add short sha to MR generator (#​9668) (#​9669)
  • feat: implement consistent startup messages for all components (#​9800)
  • feat: allow interpolation of cluster generator values (#​9254)
  • feat: add initiatedBy info to App status field when performing a rollback (#​9713)
  • feat: Add Azure DevOps SCM Provider Generator; add branchNormalized to SCM Generator template fields. (#​9283)
  • feat: Added the ability to filter MRs by 'state' to Gitlab MR Generator (#​9540)
  • feat: support health check on FlinkDeployment (#​9300) (#​9300)
  • feat: Slugified the branch name in MR generators (#​9462)
  • feat: combine form repo settings page #​9167 (#​9374)
  • feat: Matrix generator where a generator can reference items of another one (#​9080)
  • feat: Expansion support and line relayout (#​8661)
  • feat: Network view should group pods into higher level workload (#​5468) (#​8996)
  • feat: Move app resources commands to dedicated command file (#​9306)
Bug fixes
  • fix: Update custom health check for kiali.io/Kiali (#​10995)
  • fix: Resource list in sync page msg style#​10887 (#​10970)
  • fix: upgrade Helm to avoid disk use issue (#​8773) (#​10937)
  • fix: Resource list loading slowly due to Sync Wave sorting (#​10932)
  • fix: add applicationsets to RBAC policy (#​10810) (#​10891)
  • fix: duplicate source namespace validation (#​10853)
  • fix: applicationset controller should respect logging flags (#​10513)
  • fix: show revision in badge when param is true (#​10545)
  • fix: Unbreak app refresh from panel list (#​10825)
  • fix: Add filter icon to help users find filters (#​10809)
  • fix: reduce noise in logs (#​10369) (#​10765)
  • fix: New sidebar icons are missing margin (#​10794)
  • fix: incorrect filters placement on resource list (#​10781)
  • fix: add theme to version panel in ui (#​10762)
  • fix: always prune on git fetch (#​10664)
  • fix: duplicate z-index (#​10760)
  • fix: ui add tooltips on repository url links and names (#​9868) (#​10108)
  • fix: add tooltip for long title in list view ui (#​9792)
  • fix: button consistency in logs panel #​9945 (#​10016)
  • fix: Provide better error message when application source is missing some settings (#​10694)
  • fix: Application details page crashes with JS error (#​10640)
  • fix: snyk report bugs (#​10544)
  • fix: add more info to creationtime format (#​10286) (#​10493)
  • fix: invalid error handling (#​10384) (#​10385)
  • fix: Remove quotes from delete dialog #​10008 (#​10471)
  • fix(ui): Remove application namespace field in app creation (#​10481)
  • fix(ui): Fix multi-app refresh and sync in the UI (#​10421)
  • fix: add space before prompt in CLI (#​10362)
  • fix: Add logic to handle for fileHandle.Close() (#​9963) (#​10361)
  • fix: Replace dangerous use of xargs (#​10331)
  • fix: Trim white space from string slice retrieved from environment (#​10275)
  • fix(applicationset): support webhook with matrix interpolation (#​9931) (#​10236)
  • fix: consistent example indentation in CLI (#​10075)
  • fix: set default value for users.session.duration (#​9962) (#​10185)
  • fix: Add logic to handle for file.Close() (#​9963) (#​10159)
  • fix: add logic to handle for f.Close() for util/gpg (#​9963) (#​10130)
  • fix: Add logic to handle for f.Close() for util/db (#​9963) (#​10127)
  • fix: Handle github ping webhook event (#​7555) (#​10082)
  • fix: add logic to handle for f.Close() for util/io/files/tar.go (#​9963)
  • fix: off positioned filter icon (#​10013)
  • fix: Add logic to handle for f.Close() in util/localconfig/ (#​9963)
  • fix: copy claims before modifying for logs (#​10044)
  • fix: api server should use ARGOCD_SERVER_LOG_LEVEL instead of ARGOCD_REPO_SERVER_LOGLEVEL (#​9970) (#​9975)
  • fix: don't log group claims unless log level is debug (#​9549) (#​9947)
  • fix: bad error message (#​9967)
  • fix: validateProject() function in app_project_types.go file has nil dereference bug (#​9917)
  • fix: 'unexpected reserved bits' breaking web terminal (#​9605) (#​9895)
  • fix: make test-tools-image work on apple silicon (#​9808)
  • fix(applicationset): provide nameNormalized template param for local cluster (#​9728)
  • fix: upgrade superagent from 7.1.3 to 7.1.6 (#​9748)
  • fix: pss restricted securityContext (#​9765)
  • fix: overrides should not appear in the manifest cache key (#​9601)
  • fix: ui add tooltips on cluster urls (#​9567)
  • fix: better error message for invalid repo URL (#​9513)
  • fix: Use the matchMode specified in the rbac configmap (#​9419)
  • fix: New line layout not applied to load balancer; podGroup fix (#​9452) (#​9523)
  • fix: added extra protection to syncing app with replace (#​9187)
  • fix: upgrade superagent to resolve potential CVE (#​9494)
  • fix: restore broken source-maps to simplify UI debugging (#​9491)
  • fix: Pass context to resource tree (#​5468) (#​9401)
  • fix spelling (#​9372)
  • fix: http headers contain colons in the field value (#​9375)
Documentation
  • docs: fix 'bellow' typos (#​11038)
  • docs: mention that OCI helm does not support version ranges (#​11026)
  • docs: release signature verification (#​10967)
  • docs: more versioned docs fixes (#​10342)
  • docs: fix examples for ArgoCD ApplicationSet Git Generator (#​10857)
  • docs: Add example about how to patch with SSA syncs (#​10829)
  • docs: Add OccMundial to list of users (#​10712)
  • docs: Fix TLS configure link on getting started (#​10734)
  • docs: Default value for server.rootpath is incorrect (#​10665)
  • docs: Add enigmo to list of users (#​10603)
  • docs: decision about logs RBAC enforcement in release notes (#​10563)
  • docs: Include Pandosearch in USERS.md (#​10596)
  • docs: Add Productboard to users (#​10528)
  • docs: Fix typo and rephrase sentence (#​10504)
  • docs: document sync interval setting (#​10520)
  • docs: Remove invalid link to hands-on labs (#​10466)
  • docs: Add CERN as a ArgoCD user (#​10470)
  • docs: add OpsVerse as an official user (USERS.md) (#​10436)
  • docs: add nethopper to users.md (#​10402)
  • docs: Add fully-local developer workflow and traps (#​10333)
  • docs: s/ArgoCD/Argo CD (#​10352)
  • docs: fix indentation of example AppProject in 'Sync Windows' documentation (#​10388)
  • docs: use table instead of list for Snyk scans (#​10141)
  • docs: Note Helm has been upgraded (#​10349)
  • docs: add wemaintain as official user (#​10348)
  • docs: remove version notes - rely on docs versioning (#​10338)
  • docs: fix first sentence in custom style docs (#​10322)
  • docs: grammar fix (#​10328)
  • docs: fixes the YAML codefence for Slack notification service (#​8776) (#​10311)
  • docs: document revision history limit field (#​10302)
  • docs: add freshop to USERS.md (#​10276)
  • docs: revert appset path.path and path.segments docs (#​10254)
  • docs: add gloat to USERS.md (#​10252)
  • docs: update changelog for 2.1.x through 2.4.x (#​10241) (#​10242)
  • docs: recommend offline bcrypt (#​10050) (#​10056)
  • docs: use install instead of curling directly to /usr/local/bin (#​9944)
  • docs: add Lian Chu Securities to Users (#​10080)
  • docs: add Techcombank to users (#​10085)
  • docs: add kurly to Argo CD Users (#​10069)
  • docs: fix typo - user->use (#​10078)
  • docs: improve docs/user-guide/kustomize.md (#​10025)
  • docs: add GLOBIS to users (#​9987)
  • docs: fix Ingress documentation for AWS ALBs (#​9926)
  • docs: Add application.resourceTrackingMethod to example CM (#​9892)
  • docs: fix outdated example in helm.md (#​8506)
  • docs correction on how to override azure devops URL. (#​9699)
  • docs: clarify microsoft.md OIDC setup (#​8329)
  • docs: Add server-side apply proposal (#​8812)
  • docs: fix MR generators list (#​9387)
  • docs: add Meican to users (#​9377)
  • docs: add Coralogix to users (#​9361)
  • docs: Reword SSO Client Secrets doc (#​8666)
  • docs: fix local apiserver host name (#​9313)
Other
  • chore: fix CI (#​11022)
  • chore: fix e2e (#​11005)
  • chore: upgrade actions/checkout to v3, i.e. Node.js 16 (#​10947)
  • chore: release signature of sbom (#​10969)
  • Bump version to 2.5.0-rc3
  • Bump version to 2.5.0-rc3
  • Bump version to 2.5.0-rc2
  • Bump version to 2.5.0-rc2
  • chore: update Server-Side Apply docs for patching of existing resources (#​10822)
  • Bump version to 2.5.0-rc1
  • Bump version to 2.5.0-rc1
  • chore: remove unused import (#​10773)
  • chore: Add support for apple silicon build machines (#​10777)
  • chore: update to gitops engine 98ccd3d (#​10787)
  • chore: Add Gridfuse to USERS.md (#​10750)
  • chore: fix incorrect cluster delete description (#​10631)
  • chore: Add security logging for Dex errors (#​10455)
  • chore: Upgrade shipped version of Redis to 7.0.5 to fix CVE-2022-35951 (#​10702)
  • chore: Added Hetki to USERS.md (#​10586)
  • chore: add Adfinis to USERS.md (#​10741)
  • test: read appset (#​10743)
  • chore: typo for SyncStatusCodeOutOfSync comment (#​10748)
  • chore: upgrade dex to v2.32.1-distroless (#​10746)
  • Add Splunk as ArgoCD user (#​10718)
  • tests: cmd unit test version (#​10689)
  • chore: upgrade k8s.io/kube-openapi to avoid CVE-2022-1996 (#​10691)
  • chore: update install-codegen-tools.sh and upgrade docs (#​10692)
  • chore: update Helm and Kustomize versions (#​10273) (#​10599)
  • test: Add logic to handle for fileHandle.Close() (#​10632)
  • Add Kandji to users list (#​10650)
  • Adding Elastic as an ArgoCD User (#​10649)
  • added ./ for broken url link (#​10623)
  • chore: update gitops-engine (3951079) (#​10616)
  • chore: remove incompatible miniredis dependency (#​10566)
  • chore: Remove bad symlink used for tests (#​10527)
  • chore: add security log issue template (#​10368)
  • Adding Magic Leap as argocd user (#​10509)
  • chore: update gitops-engine to c036d3f (#​10423)
  • chore: drop hardcoded processors from HA manifests (#​10458)
  • chore: remove duplicate word in comments (#​10479)
  • chore: Add security logging in util/app (#​10416)
  • chore: Add security logging in util/git|helm (#​10410)
  • Add a newline character to fix the render (#​10431)
  • chore: sort users.md (#​10387)
  • chore: infer managed resources health from redis instead of storing it in CRD (#​10191)
  • chore: deprecate argocd-cm plugins (#​8117) (#​10341)
  • chore: add security logging and cwe fields (#​10256)
  • chore: Ignore VERSION file for Snyk scan (#​10363)
  • chore: downgrade go version to v1.18 (#​10351)
  • chore: Don't run snyk report in clones (#​10323)
  • ci: Update K3s version matrix in e2e tests (#​10313)
  • chore: upgrade helm to most recent version (v3.9.3) (#​10296)
  • chore: upgrade redis-ha chart to 4.17.8, HAProxy v2.6.2 (#​10032) (#​10297)
  • chore: improve logs in util/argo/argo.go (#​10271)
  • chore: Bump version in master to 2.5.0 (#​10266)
  • chore(deps): bump terser from 5.12.1 to 5.14.2 in /ui (#​10064)
  • chore: improve argocd app delete (#​10160)
  • proposal: Applications outside argocd namespace (#​6409)
  • chore: cleanup remnants of snyk scan removal (#​10225)
  • chore: no non-container scans in workflow (scan limit hit) (#​10222)
  • chore: Upgrade Golang to 1.19 (#​10176) (#​10186)
  • chore: fix some typos (#​10217)
  • chore: upgrade dex to distroless avoid CVE-2022-2097/CVE-2022-30065 (#​10203)
  • chore: fix codegen (#​10202)
  • chore: update redis-ha manifests (#​10032)
  • build: Enable optional skipping of building test-tools-image (#​10199)
  • chore: install snyk before generating report (#​10158)
  • chore: upgrade codeql action to v2 (#​10165)
  • chore: no colons in filenames (#​10183)
  • chore: fix sarif upload categories (#​10171)
  • chore: fix typo in image workflow (again) (#​10164)
  • chore: fix typo in image workflow (#​10161)
  • chore: fix codeql category error (#​10137)
  • chore: exclude docs from Sonar check completely (#​10142)
  • chore: exclude docs from Sonar check (#​10136)
  • chore: ignore CVE-2022-0624 - not exploitable in Argo CD (#​10128)
  • test: Add logic to handle for f.Close() for cmd/argocd/commands/admin (#​9963) (#​10074)
  • chore: add Snyk scans to docs (#​9856)
  • chore: argocd app create output states whether app exists (#​9984)
  • add securityContext to redis-ha containers (#​9930)
  • chore: spelling: retrieve (#​10051)
  • add logic to handle for f.Close() (#​10004)
  • chore: use manifest version for redis+dex in E2E tests (#​9955) (#​9959)
  • chore: upgrade k8s client to v0.24.2 (#​9932)
  • test: check for error messages from CI env (#​9953)
  • block out of bounds symlinks (#​9738) (#​9843)
  • chore: Replace deprecated ioutil in CLI code (#​9846)
  • Added health checks for Config Connector resources. (#​9878)
  • chore: Replace deprecated ioutil in util packages (#​9848)
  • chore: Replace deprecated ioutil in hacks (#​9851)
  • refactor: improve context handling in cmd/ (#​9860)
  • chore: Fix import of context package across codebase (#​9852)
  • chore: remove semicolon from end of statement (#​9837)
  • chore: adjust docs (#​9829)
  • Add scmp.com to argo-cd users (#​9823)
  • chore: add k8s v1.24.1 to test matrix (#​9714)
  • chore: upgrade kustomize to 4.5.5 (#​9650)
  • log: debug manifest cache (#​9602)
  • chore: revert adding k8s 1.24.1 to test matrix (#​9657)
  • chore: add k8s v1.24.1 release to test matrix (#​9636)
  • chore: fix typo in godoc string (#​9644)
  • chore: use Ubuntu 22.04 in CI (#​9587)
  • Grupo MasMovil Spain added to users list (#​9585)
  • chore: remove controller liveness probe (#​9557)
  • ci: remove cache from image build (#​9564)
  • Add elementor (#​9544)
  • chore: ignore irrelevant formidable vulnerability (#​9470)
  • add pismo on users (#​9532)
  • Fix radio button click experience problem (#​9520)
  • bump helm version to 3.9.0 (#​9486)
  • chore: Simplified GetRepoHTTPClient function (#​9396)
  • chore: add argocd binary to argocd-test-tool docker image (#​9459) (#​9467)
  • bug(gitpod): change Kubebuilder curl (#​9097) (#​9197)
  • chore: add GOPKGINYAMLV2-2840885 to snyk ignore list (#​9495)
  • Add GitLab MR generator for applicationset (#​9264)
  • chore: upgrade golangci-lint to v1.46.2 (#​9448)
  • some optimizations for cert.go (#​9404)
  • chore: add labels to notifications controller serviceaccount (#​9373)
  • add reev.com (#​9409)
  • chore: use filepath.Join to get sock path (#​9395)
  • chore: ignore irrelevant go-restful vulnerability (#​9347)
  • use filepath to combine dirs (#​9358)
  • Remove Kubernetes External Secret from docs (#​9251)
  • improved pr generator doc (#​9350)
  • chore: resource state tests (#​9307)
  • chore: Set GITHUB_TOKEN in the test container (#​9317)
  • chore: Pull in recent kubectl to test container (#​9316)

v2.4.15

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.15/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.15/manifests/ha/install.yaml

Release signatures

All Argo CD container images and CLI binaries are signed by cosign. See the documentation on how to verify the signatures.

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
-----END PUBLIC KEY-----

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changes

This release includes 24 contributions from 15 contributors (10 of them new) with 9 bug fixes.

A special thanks goes to the 10 new contributors:

  • Aiman Fatima
  • Chris Davis
  • Eddie Knight
  • Lars Kellogg-Stedman
  • Matt Morrison
  • Mayursinh Sarvaiya
  • Nir Shtein
  • Richard Jennings
  • rumstead
  • Sakshi Jain
Bug fixes
  • fix: Display pointer on labels for resource names in sync panel (#​10959)
  • fix: Use os.PathSeparator instead of hard-coded string to resolve local file paths (#​10945) (#​10946)
  • fix(ui): sync option label doesn't check corresponding box (#​10863) (#​10876)
  • fix: clicking HEAD in bitbucket leads to a 404 page (#​10862)
  • fix: added css to change cursor to pointer on hover (#​10864) (#​10867)
  • fix: consider destination cluster name when validating destinations (#​10594)
  • fix: Add missing statuses to MinIO Tenant health check (#​10815)
  • fix: add applicationset to crds generated by gen-crd-spec (#​10833)
  • fix(ui): Don't jump back to tiles view on app deletion (#​8764) (#​10826)
Documentation
  • docs: appset MR generator docs fixes (#​10567)
  • docs: add link to 2.4-2.5 upgrade guide (#​10808)
  • docs: more docs for directory apps (#​10879)
  • docs: clarify how default RBAC policy works (#​10896)
  • docs: fix examples for ArgoCD ApplicationSet Git Generator (#​10857)
  • docs: remove unused plugin config fields (#​10304)
  • docs: fix advice about preferred version in high availability (#​10619)
  • docs: Correct grammar issues in docs on manifest path annotations (#​10776)
  • docs: Update link to resource customizations (#​10827) (#​10828)
Other
  • chore: add script to generate release notes (#​10806)
  • chore: sign checksums file for release binaries (#​10963)
  • chore: implement signed images (#​10925)
  • chore: upgrade dex to v2.35.3 to avoid CVE-2022-27665 (#​10939)
  • Revert "fix: add applicationset to crds generated by gen-crd-spec (#​10833)"
  • chore: Added recommended permissions to github actions workflows (#​10812)

v2.4.14

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.14/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.14/manifests/ha/install.yaml

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changes

Other

v2.4.13

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.13/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.13/manifests/ha/install.yaml

Security fixes

CVE-2022-39222 is a backchannel attack against the Dex OIDC provider. If your Argo CD instance is impacted, an attacker could use the process described in the vulnerability description to steal an Argo CD token from some Argo CD user. The attacker could then impersonate the targeted user and act with the victim's privileges.

Am I impacted?

This Dex vulnerability impacts Argo CD users who either 1) use the bundled Dex instance for OIDC or 2) use an external Dex instance running Dex <= 2.34.x.

If you do not use Dex, then you are not impacted.

Bundled Dex

To determine if you use the bundled Dex instance, run this command, replacing argocd with the namespace where your Argo CD instance is installed:

kubectl get cm -n argocd argocd-cm -ojson | jq '.data["dex.config"] != null'

If that command prints true, then you use the bundled Dex instance, and you should upgrade.

External Dex

To determine if you use an external Dex instance, run this command:

kubectl get cm -n argocd argocd-cm -ojson | jq '.data["oidc.config"]'

That will print your Argo CD instance's OIDC config. It might be obvious whether the OIDC provider is Dex (for example, the word dex might be in the URL). Or you might have to contact whoever manages the configured OIDC provider to ask.

You will also have to check with whoever manages the Dex instance to determine if it is still running a vulnerable version (<= 2.34.x).

How can I resolve the vulnerability as a user of the bundled Dex instance?

Upgrading Dex is the only way to resolve the vulnerability.

If you're using the manifests from the argo-cd repository to install Argo CD, the easiest way to resolve the vulnerability is to use the latest release's manifests, which point to the Dex 2.35.0 image. If you do not want to upgrade the full manifest, then you can manually change the Dex image tags in your deployed manifests to use a >= 2.35.0 tag.

If you're using the argo-helm argo-cd chart, you can either upgrade to 5.5.8 which points to the new Dex version, or you can set the dex.image.tag parameter to a >= 2.35.0 tag.

To confirm that you are using a patched version of Dex, use this command (replacing argocd with the namespace where your Argo CD instance is deployed):

kubectl get deployment -n argocd argocd-dex-server -ojson | jq '.spec.template.spec.containers[0].image'

The image tag should point to a Dex version >= 2.35.0.
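The last step above leaves the version comparison to the reader. The following is an added example, not code from the release notes or the Argo CD project: a POSIX shell helper that takes the image reference returned by the `kubectl ... | jq` query and classifies it against the 2.35.0 floor given above. It goes slightly beyond the notes by handling image references the eye can misread: a registry with a port, a `-distroless` suffix on the tag, a digest-only reference, and a non-numeric tag such as `latest`, all of which are reported as "unverified" rather than silently treated as patched. The function names and sample image strings are constructed for this example; `ghcr.io/dexidp/dex` is used as a plausible image path, not quoted from the notes.

```shell
#!/bin/sh
# Added example; not code from the Argo CD release notes or the Argo CD project.
# Classifies a Dex container image reference against the 2.35.0 floor the
# notes give for CVE-2022-39222.  Function names and sample images below are
# constructed for this example.

PATCHED_MAJOR=2
PATCHED_MINOR=35   # first fixed release named in the notes is 2.35.0

# dex_tag_status IMAGE
# Prints one word: "patched" (tag >= 2.35.0), "vulnerable" (tag < 2.35.0) or
# "unverified" (no tag, a digest only, or a non-numeric tag such as "latest").
dex_tag_status() {
  image=${1%%@*}                 # drop any "@sha256:..." digest suffix
  tag=${image##*:}               # text after the last ':'
  case $tag in
    "$image"|*/*) echo unverified; return 0 ;;  # no ':' at all, or ':' was a registry port
  esac
  tag=${tag#v}                   # "v2.35.0"           -> "2.35.0"
  tag=${tag%%-*}                 # "2.32.1-distroless" -> "2.32.1"
  case $tag in
    ""|*[!0-9.]*) echo unverified; return 0 ;;  # e.g. "latest"
  esac
  major=${tag%%.*}
  rest=${tag#*.}
  if [ "$rest" = "$tag" ]; then rest=0; fi   # bare "2" has no minor part
  minor=${rest%%.*}
  if [ "${major:-0}" -gt "$PATCHED_MAJOR" ] ||
     { [ "${major:-0}" -eq "$PATCHED_MAJOR" ] && [ "${minor:-0}" -ge "$PATCHED_MINOR" ]; }; then
    echo patched
  else
    echo vulnerable
  fi
}

# dex_image_patched IMAGE -> exit 0 only when the tag is known to be >= 2.35.0.
# "unverified" deliberately counts as not patched so a gate fails closed.
dex_image_patched() {
  [ "$(dex_tag_status "$1")" = patched ]
}

# live_dex_image NAMESPACE -> the image run by the argocd-dex-server
# Deployment, using the same query as the notes (jq -r strips the quotes).
# Needs a cluster, so the demo below does not call it.
live_dex_image() {
  kubectl get deployment -n "$1" argocd-dex-server -ojson |
    jq -r '.spec.template.spec.containers[0].image'
}

# Demo on constructed image references (no cluster needed).
for img in \
  "ghcr.io/dexidp/dex:v2.35.0" \
  "ghcr.io/dexidp/dex:v2.32.1-distroless" \
  "registry.example:5000/dexidp/dex:v2.36.0" \
  "ghcr.io/dexidp/dex:latest" \
  "ghcr.io/dexidp/dex@sha256:0123abcd"
do
  printf '%-45s %s\n' "$img" "$(dex_tag_status "$img")"
done
```

Against a real cluster, `dex_image_patched "$(live_dex_image argocd)" || echo "upgrade Dex"` is the one-liner; note that a digest-pinned image reference cannot be judged by tag alone and has to be resolved to a version by other means before it is accepted.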

Bug fixes
  • fix: fix subscription health check (#​10450)
  • fix: Fix a nil pointer crash for repo server (#​10696)
Other changes
  • docs: add note about multiple sync options on annotation (#​10739)
  • docs: fix broken links in faq.md (#​10744)
  • chore: upgrade Dex to 2.35.0 (#​10775)
  • docs: syncWindows in project.yaml (#​10591)
  • docs: Update Generators-Pull-Request.md (#​10643) (#​10642)
  • docs: fix typo in GitHub section (#​10723)
  • chore: upgrade dex to v2.32.1-distroless (#​10746)

v2.4.12

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.12/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.12/manifests/ha/install.yaml

Bug fixes
  • fix: add skip-test-tls flag to optionally skip testing for tls (#​9679) (10564)
  • fix: update deploymentConfig's healthcheck to wait for replicationController to be Available (#​10462)
  • fix: hide terminal on the non-pod resource kind (#​9980) (#​10556)
  • fix: appset controller should preserve argocd refresh annotation (#​10510)
  • fix: invalid error handling (#​10384) (#​10385)
Other changes
  • docs: decision about logs RBAC enforcement in release notes for 2.4 (#​10564)
  • docs: update description of policy.csv example in rbac.md (#​10565)
  • docs: Fix Broken Link in Getting Started Docs (#​10585)
  • docs: remove duplicate word in user-management doc (#​10546)
  • fix: added github and gitlab response mock and replaced external calls (#​9305)
  • test: fix flaky gitea tests (#​10354)
  • fix: Added mock for gitea response in appset MR,SCM generator (#​9400)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.



This MR has been generated by Renovate Bot.
