ArgoCD Changelog

Abstract

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

ArgoCD Changelog#

For full list of changes please check ArtifactHub changelog[1].

Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.

7.0.0#

We changed the type of .Values.configs.clusterCredentials from list to object. If you used the value, please migrate like below.

# before
configs:
  clusterCredentials:
    - mycluster:
      server: https://mycluster.example.com
      labels: {}
      annotations: {}
      # ...

# after
configs:
  clusterCredentials:
    mycluster:
      server: https://mycluster.example.com
      labels: {}
      annotations: {}
      # ...

6.10.0#

This version introduces authentication for Redis to mitigate GHSA-9766-5277-j5hr.

How to rotate Redis secret?#

Upstream steps in the [FAQ] are not enough, since we chose a different approach. (We use a Kubernetes Job with [Chart Hooks] to create the auth secret argocd-redis.)

Steps to rotate the secret when using the helm chart (bold step is additional to upstream):

  • Delete argocd-redis secret in the namespace where Argo CD is installed.

    kubectl delete secret argocd-redis -n <argocd namesapce>

  • Perform a helm upgrade

    helm upgrade argocd argo/argo-cd --reuse-values --wait

  • If you are running Redis in HA mode, restart Redis in HA.

    kubectl rollout restart deployment argocd-redis-ha-haproxy
kubectl rollout restart statefulset argocd-redis-ha-server

  • If you are running Redis in non-HA mode, restart Redis.

    kubectl rollout restart deployment argocd-redis

  • Restart other components.

    kubectl rollout restart deployment argocd-server argocd-repo-server
kubectl rollout restart statefulset argocd-application-controller

6.9.0#

ApplicationSet controller is always created to follow upstream’s manifest.

6.4.0#

Added support for application controller dynamic cluster distribution. Please refer to the docs for more information.

Added env variables to handle the non-standard names generated by the helm chart. Here are the docs and code

6.1.0#

Added support for global domain used by all components.

6.0.0#

This version removes support for:

  • deprecated component options logLevel and logFormat

  • deprecated component arguments <components>.args.<feature> that were replaced with configs.params

  • deprecated configuration server.config that was replaced with configs.cm

  • deprecated configuration server.rbacConfig that was replaced with configs.rbac

Major version also contains breaking changes related to Argo CD Ingress resources that were hard to extend and maintain for various ingress controller implementations. Please review your setup and adjust to new configuration options:

  • catch all rule was removed for security reasons. If you need this please use server.ingress.extraRules to provide ingress rule without hostname

  • ingress rule for paths changed to path as there is only single Argo CD backend path

  • ingress rule for hosts changed to hostname as there can be only single SSO redirect for given hostname

  • ingress TLS for server uses by default argocd-server-tls secret required by Argo CD server, additional ingresses are using <hostname>-tls secret when tls: true

  • additional hostnames and routing can be provided via extraHosts configuration section

  • additional TLS secrets can be provided via extraTls configuration section

5.53.0#

Argocd-repo-server can now optionally use Persistent Volumes for its mountpoints instead of only emptydir()

5.52.0#

Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server. If you used old mechanism, please move to new mechanism. For more details, please refer .Values.server.extensions in values.yaml.

5.35.0#

This version supports Kubernetes version >=1.23.0-0. The current supported version of Kubernetes is v1.24 or later and we align with the Amazon EKS calendar, because many AWS users follow a conservative approach.

Please see more information about EoL: [Amazon EKS EoL][EKS EoL].

5.31.0#

The manifests are now using [tini as entrypoint][tini], instead of entrypoint.sh. Until Argo CD v2.8, entrypoint.sh is retained for upgrade compatibility. This means that the deployment manifests have to be updated after upgrading to Argo CD v2.7, and before upgrading to Argo CD v2.8 later. In case the manifests are updated before moving to Argo CD v2.8, the containers will not be able to start.

5.26.0#

This version adds support for Config Management Plugins using the sidecar model and configured in a ConfigMap named argocd-cmp-cm. Users will need to migrate from the previous argocd-cm ConfigMap method to using the sidecar method before Argo CD v2.8. See the Argo CD CMP migration guide for more specifics.

To migrate your plugins, you can now set the configs.cmp.create to true and move your plugins from configs.cm to configs.cmp.plugins. You will also need to configure the sidecar containers under repoServer.extraContainers and ensure you are mounting any custom volumes you need from repoServer.volumes into here also.

5.24.0#

This version adds additional global parameters for scheduling (nodeSelector, tolerations, topologySpreadConstraints). Default global.affinity rules can be disabled when none value is used for the preset.

5.22.0#

This version adds global.affinity options that are used as a presets. Override on component level works as before and replaces the default preset completely.

5.19.0#

This version consolidates config for custom repository TLS certificates and SSH known hosts. If you provided these values (configs.knownHosts.*, configs.knownHostsAnnotations, configs.tlsCerts, configs.tlsCertsAnnotations) please move them into new configs.ssh and configs.tls sections. You can also use new option configs.ssh.extraHosts to configure your SSH keys without maintaining / overwriting keys for public Git repositories.

5.13.0#

This version reduces history limit for Argo CD deployment replicas to 3 to provide more visibility for Argo CD deployments that manage itself. If you need more deployment revisions for rollbacks set global.revisionHistoryLimit parameter.

5.12.0#

If Argo CD is managing termination of TLS and you are using configs.secret.argocdServerTlsConfig option to provide custom TLS configuration for this chart, please use server.certificate or server.certificateSecret instead. For the secrets for tls termination, please use a secret named argocd-server-tls instead of argocd-secret. For the technical details please check the Argo CD documentation. When transitioning from the one secret to the other pay attention to tls.key and tls.crt keys.

5.10.0#

This version hardens security by configuring default container security contexts and adds hard requirement for Kubernetes 1.22+ to work properly. The change aligns chart with officially supported versions by upstream project.

5.7.0#

This version introduces new configs.cm and configs.rbac sections that replaces server.config and server.rbacConfig respectively. Please move your current configuration to the new place. The Argo CD RBAC config now also sets defaults in the argocd-rbac-cm. If you have manually created this ConfigMap please ensure templating is disabled so you will not lose your changes.

5.5.20#

This version moved API version templates into dedicated helper. If you are using these in your umbrella chart please migrate your templates to pattern argo-cd.apiVersion.<component>.

5.5.0#

This version introduces new configs.params section that replaces command line arguments for containers. Please refer to documentation in values.yaml for migrating the configuration.

5.2.0#

Custom resource definitions were moved to templates folder so they can be managed by Helm.

To adopt already created CRDs, please use following command:

YOUR_ARGOCD_NAMESPACE="" # e.g. argo-cd
YOUR_ARGOCD_RELEASENAME="" # e.g. argo-cd

for crd in "applications.argoproj.io" "applicationsets.argoproj.io" "argocdextensions.argoproj.io" "appprojects.argoproj.io"; do
  kubectl label --overwrite crd $crd app.kubernetes.io/managed-by=Helm
  kubectl annotate --overwrite crd $crd meta.helm.sh/release-namespace="$YOUR_ARGOCD_NAMESPACE"
  kubectl annotate --overwrite crd $crd meta.helm.sh/release-name="$YOUR_ARGOCD_RELEASENAME"
done

5.0.0#

This version removes support for:

  • deprecated repository credentials (parameter configs.repositoryCredentials)

  • option to run application controller as a Deployment

  • the parameters server.additionalApplications and server.additionalProjects

Please carefully read the following section if you are using these parameters!

In order to upgrade Applications and Projects safely against CRDs’ upgrade, server.additionalApplications and server.additionalProjects are moved to ../argocd-apps.

If you are using server.additionalApplications or server.additionalProjects, you can adopt to ../argocd-apps as below:

  1. Add helm.sh/resource-policy annotation to avoid resources being removed by upgrading Helm chart

    You can keep your existing CRDs by adding "helm.sh/resource-policy": keep on additionalAnnotations, under server.additionalApplications and server.additionalProjects blocks, and running helm upgrade.

    e.g:

    server:
   additionalApplications:
     - name: guestbook
       namespace: argocd
       additionalLabels: {}
       additionalAnnotations:
         "helm.sh/resource-policy": keep # <-- add this
       finalizers:
       - resources-finalizer.argocd.argoproj.io
       project: guestbook
       source:
         repoURL: https://github.com/argoproj/argocd-example-apps.git
         targetRevision: HEAD
         path: guestbook
         directory:
           recurse: true
       destination:
         server: https://kubernetes.default.svc
         namespace: guestbook
       syncPolicy:
         automated:
           prune: false
           selfHeal: false
       ignoreDifferences:
       - group: apps
         kind: Deployment
         jsonPointers:
         - /spec/replicas
       info:
       - name: url
         value: https://argoproj.github.io/

    You can also keep your existing CRDs by running the following scripts.

    # keep Applications
for app in "guestbook"; do
  kubectl annotate --overwrite application $app helm.sh/resource-policy=keep
done

# keep Projects
for project in "guestbook"; do
  kubectl annotate --overwrite appproject $project helm.sh/resource-policy=keep
done

  2. Upgrade argo-cd Helm chart to v5.0.0

  3. Remove keep helm.sh/resource-policy annotation

    # delete annotations from Applications
for app in "guestbook"; do
  kubectl annotate --overwrite application $app helm.sh/resource-policy-
done

# delete annotations from Projects
for project in "guestbook"; do
  kubectl annotate --overwrite appproject $project helm.sh/resource-policy-
done

  4. Adopt existing resources to ../argocd-apps.

4.9.0#

This version starts to use upstream image with applicationset binary. Start command was changed from applicationset-controller to argocd-applicationset-controller

4.3.*#

With this minor version, the notification notifier’s service.slack is no longer configured by default.

4.0.0 and above#

This helm chart version deploys Argo CD v2.3. The Argo CD Notifications and ApplicationSet are part of Argo CD now. You no longer need to install them separately. The Notifications and ApplicationSet components are bundled into default Argo CD installation. Please read the [v2.2 to 2.3 upgrade instructions] in the upstream repository.

3.13.0#

This release removes the flag --staticassets from argocd server as it has been dropped upstream. If this flag needs to be enabled e.g for older releases of Argo CD, it can be passed via the server.extraArgs field

3.10.2#

Argo CD has recently deprecated the flag --staticassets and from chart version 3.10.2 has been disabled by default It can be re-enabled by setting server.staticAssets.enabled to true

3.8.1#

This bugfix version potentially introduces a rename (and recreation) of one or more ServiceAccounts. It only happens when you use one of these customization:

# Case 1) - only happens when you do not specify a custom name (repoServer.serviceAccount.name)
repoServer:
  serviceAccount:
    create: true

# Case 2)
controller:
  serviceAccount:
    name: "" # or <nil>

# Case 3)
dex:
  serviceAccount:
    name: "" # or <nil>

# Case 4)
server:
  serviceAccount:
    name: "" # or <nil>

Please check if you are affected by one of these cases before you upgrade, especially when you use cloud IAM roles for service accounts. (eg. IRSA on AWS or Workload Identity for GKE)

3.2.*#

With this minor version we introduced the evaluation for the ingress manifest (depending on the capabilities version), See Pull Request. Issue 703 reported that the capabilities evaluation is not handled correctly when deploying the chart via an Argo CD instance, especially deploying on clusters running a cluster version prior to 1.19 (which misses Ingress on apiVersion networking.k8s.io/v1).

If you are running a cluster version prior to 1.19 you can avoid this issue by directly installing chart version 3.6.0 and setting kubeVersionOverride like:

kubeVersionOverride: "1.18.0"

Then you should no longer encounter this issue.

3.0.0 and above#

Helm apiVersion switched to v2. Requires Helm 3.0.0 or above to install. Read More on how to migrate your release from Helm 2 to Helm 3.

2.14.7 and above#

The matchLabels key in the Argo CD Application Controller is no longer hard-coded. Note that labels are immutable so caution should be exercised when making changes to this resource.

2.10.x to 2.11.0#

The application controller is now available as a StatefulSet when the controller.enableStatefulSet flag is set to true. Depending on your Helm deployment this may be a downtime or breaking change if enabled when using HA and will become the default in 3.x.

1.8.7 to 2.x.x#

controller.extraArgs, repoServer.extraArgs and server.extraArgs are now arrays of strings instead of a map

What was

server:
  extraArgs:
    insecure: ""

is now

server:
  extraArgs:
  - --insecure
Contents