Abstract
A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
ArgoCD Changelog#
For full list of changes please check ArtifactHub changelog[1].
Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
7.0.0#
We changed the type of .Values.configs.clusterCredentials
from list
to object
.
If you used the value, please migrate like below.
# before
configs:
clusterCredentials:
- mycluster:
server: https://mycluster.example.com
labels: {}
annotations: {}
# ...
# after
configs:
clusterCredentials:
mycluster:
server: https://mycluster.example.com
labels: {}
annotations: {}
# ...
6.10.0#
This version introduces authentication for Redis to mitigate GHSA-9766-5277-j5hr.
How to rotate Redis secret?#
Upstream steps in the [FAQ] are not enough, since we chose a different approach.
(We use a Kubernetes Job with [Chart Hooks] to create the auth secret argocd-redis
.)
Steps to rotate the secret when using the helm chart (bold step is additional to upstream):
Delete
argocd-redis
secret in the namespace where Argo CD is installed.kubectl delete secret argocd-redis -n <argocd namesapce>
Perform a helm upgrade
helm upgrade argocd argo/argo-cd --reuse-values --wait
If you are running Redis in HA mode, restart Redis in HA.
kubectl rollout restart deployment argocd-redis-ha-haproxy kubectl rollout restart statefulset argocd-redis-ha-server
If you are running Redis in non-HA mode, restart Redis.
kubectl rollout restart deployment argocd-redis
Restart other components.
kubectl rollout restart deployment argocd-server argocd-repo-server kubectl rollout restart statefulset argocd-application-controller
6.9.0#
ApplicationSet controller is always created to follow upstream’s manifest.
6.4.0#
Added support for application controller dynamic cluster distribution. Please refer to the docs for more information.
Added env variables to handle the non-standard names generated by the helm chart. Here are the docs and code
6.1.0#
Added support for global domain used by all components.
6.0.0#
This version removes support for:
deprecated component options
logLevel
andlogFormat
deprecated component arguments
<components>.args.<feature>
that were replaced withconfigs.params
deprecated configuration
server.config
that was replaced withconfigs.cm
deprecated configuration
server.rbacConfig
that was replaced withconfigs.rbac
Major version also contains breaking changes related to Argo CD Ingress resources that were hard to extend and maintain for various ingress controller implementations. Please review your setup and adjust to new configuration options:
catch all rule was removed for security reasons. If you need this please use
server.ingress.extraRules
to provide ingress rule without hostnameingress rule for
paths
changed topath
as there is only single Argo CD backend pathingress rule for
hosts
changed tohostname
as there can be only single SSO redirect for given hostnameingress TLS for server uses by default
argocd-server-tls
secret required by Argo CD server, additional ingresses are using<hostname>-tls
secret whentls: true
additional hostnames and routing can be provided via
extraHosts
configuration sectionadditional TLS secrets can be provided via
extraTls
configuration section
5.53.0#
Argocd-repo-server can now optionally use Persistent Volumes for its mountpoints instead of only emptydir()
5.52.0#
Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server.
If you used old mechanism, please move to new mechanism. For more details, please refer .Values.server.extensions
in values.yaml.
5.35.0#
This version supports Kubernetes version >=1.23.0-0
. The current supported version of Kubernetes is v1.24 or later and we align with the Amazon EKS calendar, because many AWS users follow a conservative approach.
Please see more information about EoL: [Amazon EKS EoL][EKS EoL].
5.31.0#
The manifests are now using [tini
as entrypoint][tini], instead of entrypoint.sh
. Until Argo CD v2.8, entrypoint.sh
is retained for upgrade compatibility.
This means that the deployment manifests have to be updated after upgrading to Argo CD v2.7, and before upgrading to Argo CD v2.8 later.
In case the manifests are updated before moving to Argo CD v2.8, the containers will not be able to start.
5.26.0#
This version adds support for Config Management Plugins using the sidecar model and configured in a ConfigMap named argocd-cmp-cm
.
Users will need to migrate from the previous argocd-cm
ConfigMap method to using the sidecar method before Argo CD v2.8. See the Argo CD CMP migration guide for more specifics.
To migrate your plugins, you can now set the configs.cmp.create
to true
and move your plugins from configs.cm
to configs.cmp.plugins
.
You will also need to configure the sidecar containers under repoServer.extraContainers
and ensure you are mounting any custom volumes you need from repoServer.volumes
into here also.
5.24.0#
This version adds additional global parameters for scheduling (nodeSelector
, tolerations
, topologySpreadConstraints
).
Default global.affinity
rules can be disabled when none
value is used for the preset.
5.22.0#
This version adds global.affinity
options that are used as a presets. Override on component level works as before and replaces the default preset completely.
5.19.0#
This version consolidates config for custom repository TLS certificates and SSH known hosts. If you provided these values (configs.knownHosts.*
, configs.knownHostsAnnotations
, configs.tlsCerts
, configs.tlsCertsAnnotations
) please move them into new configs.ssh
and configs.tls
sections.
You can also use new option configs.ssh.extraHosts
to configure your SSH keys without maintaining / overwriting keys for public Git repositories.
5.13.0#
This version reduces history limit for Argo CD deployment replicas to 3 to provide more visibility for Argo CD deployments that manage itself. If you need more deployment revisions for rollbacks set global.revisionHistoryLimit
parameter.
5.12.0#
If Argo CD is managing termination of TLS and you are using configs.secret.argocdServerTlsConfig
option to provide custom TLS configuration for this chart, please use server.certificate
or server.certificateSecret
instead.
For the secrets for tls termination, please use a secret named argocd-server-tls
instead of argocd-secret
.
For the technical details please check the Argo CD documentation. When transitioning from the one secret to the other pay attention to tls.key
and tls.crt
keys.
5.10.0#
This version hardens security by configuring default container security contexts and adds hard requirement for Kubernetes 1.22+ to work properly. The change aligns chart with officially supported versions by upstream project.
5.7.0#
This version introduces new configs.cm
and configs.rbac
sections that replaces server.config
and server.rbacConfig
respectively.
Please move your current configuration to the new place. The Argo CD RBAC config now also sets defaults in the argocd-rbac-cm
.
If you have manually created this ConfigMap please ensure templating is disabled so you will not lose your changes.
5.5.20#
This version moved API version templates into dedicated helper. If you are using these in your umbrella
chart please migrate your templates to pattern argo-cd.apiVersion.<component>
.
5.5.0#
This version introduces new configs.params
section that replaces command line arguments for containers.
Please refer to documentation in values.yaml for migrating the configuration.
5.2.0#
Custom resource definitions were moved to templates
folder so they can be managed by Helm.
To adopt already created CRDs, please use following command:
YOUR_ARGOCD_NAMESPACE="" # e.g. argo-cd
YOUR_ARGOCD_RELEASENAME="" # e.g. argo-cd
for crd in "applications.argoproj.io" "applicationsets.argoproj.io" "argocdextensions.argoproj.io" "appprojects.argoproj.io"; do
kubectl label --overwrite crd $crd app.kubernetes.io/managed-by=Helm
kubectl annotate --overwrite crd $crd meta.helm.sh/release-namespace="$YOUR_ARGOCD_NAMESPACE"
kubectl annotate --overwrite crd $crd meta.helm.sh/release-name="$YOUR_ARGOCD_RELEASENAME"
done
5.0.0#
This version removes support for:
deprecated repository credentials (parameter
configs.repositoryCredentials
)option to run application controller as a Deployment
the parameters
server.additionalApplications
andserver.additionalProjects
Please carefully read the following section if you are using these parameters!
In order to upgrade Applications and Projects safely against CRDs’ upgrade,
server.additionalApplications
and server.additionalProjects
are moved to
../argocd-apps
.
If you are using server.additionalApplications
or server.additionalProjects
,
you can adopt to ../argocd-apps
as below:
Add helm.sh/resource-policy annotation to avoid resources being removed by upgrading Helm chart
You can keep your existing CRDs by adding
"helm.sh/resource-policy": keep
onadditionalAnnotations
, underserver.additionalApplications
andserver.additionalProjects
blocks, and runninghelm upgrade
.e.g:
server: additionalApplications: - name: guestbook namespace: argocd additionalLabels: {} additionalAnnotations: "helm.sh/resource-policy": keep # <-- add this finalizers: - resources-finalizer.argocd.argoproj.io project: guestbook source: repoURL: https://github.com/argoproj/argocd-example-apps.git targetRevision: HEAD path: guestbook directory: recurse: true destination: server: https://kubernetes.default.svc namespace: guestbook syncPolicy: automated: prune: false selfHeal: false ignoreDifferences: - group: apps kind: Deployment jsonPointers: - /spec/replicas info: - name: url value: https://argoproj.github.io/
You can also keep your existing CRDs by running the following scripts.
# keep Applications for app in "guestbook"; do kubectl annotate --overwrite application $app helm.sh/resource-policy=keep done # keep Projects for project in "guestbook"; do kubectl annotate --overwrite appproject $project helm.sh/resource-policy=keep done
Upgrade argo-cd Helm chart to v5.0.0
Remove keep helm.sh/resource-policy annotation
# delete annotations from Applications for app in "guestbook"; do kubectl annotate --overwrite application $app helm.sh/resource-policy- done # delete annotations from Projects for project in "guestbook"; do kubectl annotate --overwrite appproject $project helm.sh/resource-policy- done
Adopt existing resources to
../argocd-apps
.
4.9.0#
This version starts to use upstream image with applicationset binary. Start command was changed from applicationset-controller
to argocd-applicationset-controller
4.3.*#
With this minor version, the notification notifier’s service.slack
is no longer configured by default.
4.0.0 and above#
This helm chart version deploys Argo CD v2.3. The Argo CD Notifications and ApplicationSet are part of Argo CD now. You no longer need to install them separately. The Notifications and ApplicationSet components are bundled into default Argo CD installation. Please read the [v2.2 to 2.3 upgrade instructions] in the upstream repository.
3.13.0#
This release removes the flag --staticassets
from argocd server as it has been dropped upstream. If this flag needs to be enabled e.g for older releases of Argo CD, it can be passed via the server.extraArgs
field
3.10.2#
Argo CD has recently deprecated the flag --staticassets
and from chart version 3.10.2
has been disabled by default
It can be re-enabled by setting server.staticAssets.enabled
to true
3.8.1#
This bugfix version potentially introduces a rename (and recreation) of one or more ServiceAccounts. It only happens when you use one of these customization:
# Case 1) - only happens when you do not specify a custom name (repoServer.serviceAccount.name)
repoServer:
serviceAccount:
create: true
# Case 2)
controller:
serviceAccount:
name: "" # or <nil>
# Case 3)
dex:
serviceAccount:
name: "" # or <nil>
# Case 4)
server:
serviceAccount:
name: "" # or <nil>
Please check if you are affected by one of these cases before you upgrade, especially when you use cloud IAM roles for service accounts. (eg. IRSA on AWS or Workload Identity for GKE)
3.2.*#
With this minor version we introduced the evaluation for the ingress manifest (depending on the capabilities version), See Pull Request.
Issue 703 reported that the capabilities evaluation is not handled correctly when deploying the chart via an Argo CD instance,
especially deploying on clusters running a cluster version prior to 1.19
(which misses Ingress
on apiVersion networking.k8s.io/v1
).
If you are running a cluster version prior to 1.19
you can avoid this issue by directly installing chart version 3.6.0
and setting kubeVersionOverride
like:
kubeVersionOverride: "1.18.0"
Then you should no longer encounter this issue.
3.0.0 and above#
Helm apiVersion switched to v2
. Requires Helm 3.0.0
or above to install. Read More on how to migrate your release from Helm 2 to Helm 3.
2.14.7 and above#
The matchLabels
key in the Argo CD Application Controller is no longer hard-coded. Note that labels are immutable so caution should be exercised when making changes to this resource.
2.10.x to 2.11.0#
The application controller is now available as a StatefulSet
when the controller.enableStatefulSet
flag is set to true. Depending on your Helm deployment this may be a downtime or breaking change if enabled when using HA and will become the default in 3.x.
1.8.7 to 2.x.x#
controller.extraArgs
, repoServer.extraArgs
and server.extraArgs
are now arrays of strings instead of a map
What was
server:
extraArgs:
insecure: ""
is now
server:
extraArgs:
- --insecure