|
| 1 | +// Module included in the following assembly: |
| 2 | +// |
| 3 | +// * release_notes/gitops-release-notes-1-16-0.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: REFERENCE |
| 6 | + |
| 7 | +[id="gitops-release-notes-1-16-0_{context}"] |
| 8 | += Release notes for {gitops-title} 1.16.0 |
| 9 | + |
| 10 | +{gitops-title} 1.16.0 is now available on {OCP} 4.12, 4.13, 4.14, 4.15, 4.16, 4.17, and 4.18. |
| 11 | + |
| 12 | +[id="errata-updates-1-16-0_{context}"] |
| 13 | +== Errata updates |
| 14 | + |
| 15 | +[id="RHEA-2025:3436-RHEA-2025:3412-gitops-1-16-0-security-update-advisory_{context}"] |
| 16 | +=== RHEA-2025:3436 and RHEA-2025:3412 - {gitops-title} 1.16.0 security update advisory |
| 17 | + |
| 18 | +Issued: 2025-03-30 |
| 19 | + |
| 20 | +The list of security fixes that are included in this release are documented in the following advisory: |
| 21 | + |
| 22 | +* link:https://access.redhat.com/errata/RHEA-2025:3436[RHEA-2025:3436] |
| 23 | +* link:https://access.redhat.com/errata/RHEA-2025:3412[RHEA-2025:3412] |
| 24 | + |
| 25 | +If you have installed the {gitops-title} Operator in the default namespace, run the following command to view the container images in this release: |
| 26 | + |
| 27 | +[source,terminal] |
| 28 | +---- |
| 29 | +$ oc describe deployment gitops-operator-controller-manager -n openshift-gitops-operator |
| 30 | +---- |
| 31 | + |
| 32 | +[id="new-features-1-16-0_{context}"] |
| 33 | +== New features |
| 34 | + |
| 35 | +* With this update, {gitops-title} is designed for environments running in Federal Information Processing Standards (FIPS) mode. When deployed on {OCP} configured for FIPS mode, the platform uses the Red Hat Enterprise Linux (RHEL) cryptographic libraries that have been submitted to National Institute of Standards and Technology (NIST) for FIPS validation. For more information about enabling {OCP} FIPS support, see the link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/installation_overview/installing-fips[{OCP} documentation]. link:https://issues.redhat.com/browse/GITOPS-6365[GITOPS-6365] |
| 36 | ++ |
| 37 | +[NOTE] |
| 38 | +==== |
| 39 | +When the {gitops-title} Operator is deployed on an {OCP} cluster configured for FIPS mode, Single Sign-on (SSO) configuration for Argo CD using Keycloak is not supported. |
| 40 | +==== |
| 41 | + |
| 42 | +* With this update, support is provided for masking sensitive annotations on `Secret` resources in the Argo CD user interface (UI) and command-line interface (CLI). A new configuration key, `resource.sensitive.mask.annotations`, has been introduced. This key accepts a comma-separated list of `.metadata.annotations` keys. The values associated with these keys are masked in the Argo CD UI and CLI, enhancing the security of sensitive information stored in annotations. link:https://issues.redhat.com/browse/GITOPS-5903[GITOPS-5903] |
| 43 | + |
| 44 | +* With this update, support is provided to configure the `respectRBAC` option, which controls how Argo CD watches resources on a cluster in a cluster-scoped installation. You can update `respectRBAC` configurations in the `ConfigMap` through an Argo CD resource, allowing for more flexible and granular control over resource viewing behavior. link:https://issues.redhat.com/browse/GITOPS-5212[GITOPS-5212] |
| 45 | + |
| 46 | +* With this update, you can view the cause of failure directly in the status of Argo CD resources. The error message is clearly provided in the resource status, reducing the need to analyze logs to identify the root cause of failures. link:https://issues.redhat.com/browse/GITOPS-5871[GITOPS-5871] |
| 47 | + |
| 48 | +* With this update, you can configure various policies for the ApplicationSet controller in the Argo CD Custom Resource (CR). These policies allow administrators to restrict the types of modifications that can be made to the managed Argo CD Application resources, offering enhanced control over resource management. For more information, see link:https://argocd-operator.readthedocs.io/en/latest/reference/applicationSet/#applicationset-controller-policies[ApplicationSet Controller policies]. link:https://issues.redhat.com/browse/GITOPS-5236[GITOPS-5236] |
| 49 | + |
| 50 | +* With this update, the *revision history* and *rollback* pages in Argo CD feature collapsible sections for application parameters. This change reduces the need to scroll through multiple lines of input parameters and you can navigate revision entries more efficiently. Important details such as the commit SHA, remain visible outside the collapsible sections, ensuring easy search and reference. This enhancement applies to single and multi-source applications, streamlining the user experience across application types. link:https://issues.redhat.com/browse/GITOPS-5082[GITOPS-5082] |
| 51 | + |
| 52 | +* With this update, the Argo CD Operator adds support for the `InstallationID` field in the Argo CD Spec type, enabling better management of multi-instance deployments. Use this feature to assign a unique identifier to each Argo CD instance, ensuring proper differentiation of applications with the same name across multiple instances. By setting an `InstallationID` field, you can prevent conflicts between applications and ensure accurate tracking of resources in multi-instance environments. link:https://issues.redhat.com/browse/GITOPS-5432[GITOPS-5432] |
| 53 | + |
| 54 | +* With this update, specifying the container image when configuring a sidecar container for a config management plugin is optional. If omitted, the image used by the repo server is automatically applied to the plugin. https://issues.redhat.com/browse/GITOPS-3372[GITOPS-3372] |
| 55 | + |
| 56 | +[id="fixed-issues-1-16-0_{context}"] |
| 57 | +== Fixed issues |
| 58 | + |
| 59 | +* Before this update, when installing a namespace-scoped instance of {gitops-shortname}, the `argocd-redis` `ServiceAccounts` were assigned the `nonroot-v2` `SecurityContextConstraints` (SCC), which provided more privileges than the standard `restricted-v2` SCC, which might lead to potential security risks. With this update, the namespace-scoped and cluster-scoped instances of {gitops-shortname} enforce the use of the `restricted-v2` SCC for the `argocd-redis` `ServiceAccounts`. This change enhances security compliance by minimizing unnecessary privileges. link:https://issues.redhat.com/browse/GITOPS-6236[GITOPS-6236] |
| 60 | + |
| 61 | +* Before this update, the on-deployed trigger in the Argo CD notification-controller could incorrectly send a success notification while the application was still in the `progressing` state. This issue arose from the way Argo CD handled application status updates. With this update, a new timestamp field, `status.health.lastTransitionTime`, has been introduced in the application status to address this issue. This field prevents false-positive alerts by capturing the last health status change and enabling the on-deployed trigger to send notifications only after a stable transition. link:https://issues.redhat.com/browse/GITOPS-3699[GITOPS-3699] |
| 62 | + |
| 63 | +* Before this update, during an upgrade, the `argocd-redis-ha-configmap`, `argocd-redis-ha-health-configmap`, and the Redis HA `StatefulSet` resources were not correctly updated. This led to Redis HA pods encountering an `AUTH` error. |
| 64 | +With this update, the {gitops-shortname} Operator correctly updates the Redis HA config maps and `StatefulSet` during an upgrade process. As a result, Redis HA pods are prevented from entering an `AUTH` error state post-upgrade. link:https://issues.redhat.com/browse/GITOPS-5975[GITOPS-5975] |
| 65 | + |
| 66 | +* Before this update, any changes to the `serviceAccountName` and `serviceAccount` fields in the Redis deployment were not reconciled by the {gitops-title} Operator. With this update, this issue is fixed by ensuring that any unintended changes to these fields are reset to their expected value, `<argocd-instance-name>-argocd-redis`. link:https://issues.redhat.com/browse/GITOPS-6032[GITOPS-6032] |
| 67 | + |
| 68 | +* Before this update, Argo CD relied solely on the `sub claim` for user identification, which could be non-deterministic with Dex and cause unexpected Role-Based Access Control (RBAC) policy failures. With this update, Argo CD identifies users in the following order: |
| 69 | ++ |
| 70 | +-- |
| 71 | +** Checks the `federated_claims.user_id` field when Dex is the identity provider. |
| 72 | +** If federated claims are unavailable or empty, it falls back to the sub claim. |
| 73 | +-- |
| 74 | ++ |
| 75 | +-- |
| 76 | +With this update, this issue is fixed. This change ensures RBAC policies are based on actual user identifiers, such as email addresses rather than encoded values. |
| 77 | +-- |
| 78 | ++ |
| 79 | +.Example |
| 80 | +---- |
| 81 | +Old method (encoded sub value): |
| 82 | +g, ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ, role:admin |
| 83 | +New method (actual user identifier): |
| 84 | +g, user@example.com, role:admin |
| 85 | +---- |
| 86 | ++ |
| 87 | +-- |
| 88 | +link:https://issues.redhat.com/browse/GITOPS-5812[GITOPS-5812] |
| 89 | +-- |
| 90 | + |
| 91 | +* Before this update, Argo CD components, such as, `server`, `repo-server`, and `application-controller` could crash when accessing the Redis instance due to network or DNS instabilities within the cluster. This issue stemmed from a race condition in the `go-redis` client library when multiple connections in a connection pool call the `dial hook` function. |
| 92 | +With this update, this issue is fixed. This update resolves the issue by integrating an updated `go-redis` client library that eliminates race conditions during `dial hook` function calls. It also improves the handling and recovery from network and DNS errors, ensuring greater stability for Argo CD components. link:https://issues.redhat.com/browse/GITOPS-6287[GITOPS-6287] |
| 93 | + |
| 94 | +* Before this update, upgrading the {gitops-title} Operator to v1.15.1 raised a health check error that prevented Red Hat Advanced Cluster Management (ACM) policies from syncing. This update fixes the issue by adding a missing nil check to `status.placement` for *Policy*. link:https://issues.redhat.com/browse/GITOPS-6500[GITOPS-6500] |
| 95 | + |
| 96 | +[id="known-issues-1-16-0_{context}"] |
| 97 | +== Known Issues |
| 98 | + |
| 99 | +* There is currently a known issue that assigns a lower `SecurityContextConstraints` (SCC) to Redis service account in {gitops-shortname} v1.16 after upgrading from {gitops-shortname} v1.15 to v1.16. The {gitops-shortname} Operator does not update the `securityContext` of the `redis-ha-server` StatefulSet, which causes the container's user to be statically set instead of being randomly assigned as required by the `restricted-v2` SCC. The `redis-ha-server` StatefulSet pods retain the old configurations and are not updated with the new settings. As a result, the new configuration of the StatefulSet is not applied correctly. |
| 100 | ++ |
| 101 | +Workaround: Manually delete the `redis-ha-server` StatefulSet to trigger the re-creation of the pods with the updated settings. link:https://issues.redhat.com/browse/GITOPS-6670[GITOPS-6670] |
0 commit comments