Chapter 1. Red Hat OpenShift GitOps release notes
For additional information about the OpenShift GitOps lifecycle and supported platforms, refer to the OpenShift Operator Life Cycles and Red Hat OpenShift Container Platform Life Cycle Policy.
Release notes contain information about new and deprecated features, breaking changes, and known issues. The following release notes apply for the most recent OpenShift GitOps releases on OpenShift Container Platform.
Red Hat OpenShift GitOps is a declarative way to implement continuous deployment for cloud native applications. Red Hat OpenShift GitOps ensures consistency in applications when you deploy them to different clusters in different environments, such as development, staging, and production. Red Hat OpenShift GitOps helps you automate the following tasks:
- Ensure that the clusters have similar states for configuration, monitoring, and storage
- Recover or recreate clusters from a known state
- Apply or revert configuration changes to multiple OpenShift Container Platform clusters
- Associate templated configuration with different environments
- Promote applications across clusters, from staging to production
For an overview of Red Hat OpenShift GitOps, see About Red Hat OpenShift GitOps.
1.1. Compatibility and support matrix
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.
In the table, features are marked with the following statuses:
- TP: Technology Preview
- GA: General Availability
- NA: Not Applicable
-
In OpenShift Container Platform 4.13, the
stable
channel has been removed. Before upgrading to OpenShift Container Platform 4.13, if you are already on thestable
channel, choose the appropriate channel and switch to it. - The maintenance support for OpenShift Container Platform 4.12 on IBM Power has ended from 17 July 2024. If you are using Red Hat OpenShift GitOps on OpenShift Container Platform 4.12, upgrade to OpenShift Container Platform 4.13 or later.
OpenShift GitOps | Component Versions | OpenShift Versions | |||||||
---|---|---|---|---|---|---|---|---|---|
Version | kam | Argo CD CLI | Helm | Kustomize | Argo CD | Argo Rollouts | Dex | RH SSO | |
1.15.0 | NA | 2.13.1 TP | 3.15.4 GA | 5.4.3 GA | 2.13.1 GA | 1.7.2 TP | 2.41.1 GA | 7.6.0 GA | 4.14-4.17 |
1.14.0 | 0.0.51 TP | 2.12.3 TP | 3.15.2 GA | 5.4.2 GA | 2.12.3 GA | 1.7.1 GA | 2.39.1 GA | 7.6.0 GA | 4.12-4.17 |
1.13.0 | 0.0.51 TP | 2.11.3 TP | 3.14.4 GA | 5.2.1 GA | 2.11.3 GA | 1.6.6 GA | 2.37.0 GA | 7.6.0 GA | 4.12-4.16 |
-
Starting from Red Hat OpenShift GitOps 1.15, support is no longer provided for the Red Hat OpenShift GitOps Application Manager command-line interface (CLI),
kam
. - RH SSO is an abbreviation for Red Hat SSO.
1.1.1. Technology Preview features
The features mentioned in the following table are currently in Technology Preview (TP). These experimental features are not intended for production use.
Feature | TP in Red Hat OpenShift GitOps versions | GA in Red Hat OpenShift GitOps versions |
---|---|---|
The GitOps | 1.12.0 | NA |
Argo CD application sets in non-control plane namespaces | 1.12.0 | NA |
The | 1.10.0 | NA |
Dynamic scaling of shards | 1.10.0 | NA |
Argo Rollouts | 1.9.0 | 1.13.0 |
ApplicationSet Progressive Rollout Strategy | 1.8.0 | NA |
Multiple sources for an application | 1.8.0 | 1.15.0 |
Argo CD applications in non-control plane namespaces | 1.7.0 | 1.13.0 |
The Red Hat OpenShift GitOps Environments page in the Developer perspective of the OpenShift Container Platform web console | 1.1.0 | NA |
1.2. Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
1.3. Release notes for Red Hat OpenShift GitOps 1.15.0
Red Hat OpenShift GitOps 1.15.0 is now available on OpenShift Container Platform 4.14, 4.15, 4.16, and 4.17.
1.3.1. Errata updates
1.3.1.1. RHEA-2024:11002 - Red Hat OpenShift GitOps 1.15.0 security update advisory
Issued: 2024-12-12
The list of security fixes that are included in this release are documented in the following advisory:
If you have installed the Red Hat OpenShift GitOps Operator in the default namespace, run the following command to view the container images in this release:
$ oc describe deployment gitops-operator-controller-manager -n openshift-gitops-operator
1.3.2. New features
With this update, Red Hat OpenShift GitOps supports the addition of extra volumes and volume mounts to the
ApplicationSet
Controller components. You can configure these additional resources by specifying the.spec.applicationSet.volumes
and.spec.applicationSet.volumeMounts
fields in the Argo CD Custom Resource (CR). GITOPS-5739Example
apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: name: argocd-example spec: applicationSet: volumes: - name: <volume_name> 1 emptyDir: {} 2 volumeMounts: - name: <volume_name> 3 mountPath: <mount_path> 4
- 1
- Specifies the name of the
volume
for the Argo CDApplicationSet
Controller. - 2
- Specifies the
volume
type. It can be any Kubernetes supported volume type, such asemptyDir
,hostPath
,configMap
, and so on. - 3
- Specifies the name of the volume to be mounted, which must match the name of the
volume
defined in volumes. - 4
- Specifies the path inside the container where the volume will be mounted.
With this update, users can add custom labels and annotations to the server, repo-server, applicationset-controller, and application-controller pods. This enhancement improves observability for external systems that depend on resource labels or annotations for monitoring purposes. The following fields are introduced in the Argo CD CR to support this functionality:
-
.spec.server.labels
-
.spec.server.annotations
-
.spec.repo.labels
-
.spec.repo.annotations
-
.spec.controller.labels
-
.spec.controller.annotations
-
.spec. applicationSet.labels
-
.spec. applicationSet.annotations
For more information, see Custom Annotations and Labels. GITOPS-5674
-
Before this update, users could not configure some replicas for the Argo Rollouts controller by using the
RolloutManager
custom resource (CR). With this update, high availability (HA) support is introduced by adding a new.spec.ha
field to theRolloutManager
CR.When you enable high availability, the GitOps Operator automatically sets the number of replicas to 2, the leader election is activated, and default anti-affinity rules are applied to ensure redundancy and reliability. GITOPS-5622
- With this update, the Argo CD multi-source application functionality in GitOps Operator is promoted from Technology Preview (TP) to General Availability (GA). Use this feature to define and manage applications with multiple source repositories. GITOPS-5511
With this update, you can now use Kubernetes TLS-type secrets to configure custom TLS certificates for Routes in the Argo CD CR. Previously, TLS data had to be embedded directly in the Argo CD CR as plain text, which could pose security risks due to the sensitive nature of TLS information.
To enhance security, you must use Kubernetes secrets to manage TLS data. The following fields are introduced in the Argo CD CR to reference Kubernetes secrets of type
kubernetes.io/tls
containing TLS data:-
.spec.server.route.tls.externalCertificate
-
.spec.applicationSet.webhookServer.route.tls.externalCertificate
-
.spec.prometheus.route.tls.externalCertificate
-
.spec.grafana.route.tls.externalCertificate
For more information about configuring a route for custom TLS certificate, see examples in Custom TLS certificates for Routes. GITOPS-5232
-
-
With this update, Restricted pod security admission (PSA) labels are applied to the
openshift-gitops
namespace to ensure compliance with OpenShift Container Platform standards. If you are running additional workloads in theopenshift-gitops
namespace, ensure they comply with restricted PSA requirements. If compliance with restricted PSA is not feasible, use a user-defined, cluster-scoped Argo CD instance. In such instances, PSA labels are not applied or controlled by the GitOps Operator. GITOPS-5221 -
Before this update,
trafficmanagement
andmetric
plugins could not be configured by using theRolloutManager
CR in Argo Rollouts. With this update, you can now specifytrafficmanagement
andmetric
plugins in theRolloutManager
CR. The GitOps Operator automatically updates the config map when these plugin fields are added, modified, or removed. This enhancement allows users to managetrafficmanagement
andmetric
plugins natively through theRolloutManager
CR, eliminating the need for manual config map updates. GITOPS-4217 With this update, the Sources tab in the Details panel of a multi-source application now includes two new buttons:
- Add Source: Opens a new form-based panel for adding a new source entry. You can specify the repository URL and other source-specific details in this panel.
- Delete: Allows you to remove a specific source from the application.
With this update, users can now enable or disable the Argo Rollouts UI in Argo CD instances by setting a new boolean field,
enableRolloutsUI
, in the server component of the Argo CD CR. GITOPS-3604Example
apiVersion: argoproj.io/v1beta1 kind: ArgoCD metadata: name: argocd spec: server: enableRolloutsUI: true 1
- 1
- Set this value to
true
to configure theenableRolloutsUI
field.
-
With this update, you can access documentation on configuring the
ApplicationSet
controller in the Argo CD CR to use different policies. For more information, see ApplicationSet Controller policies. GITOPS-5236
1.3.3. Fixed issues
- Before this update, when the desired state for an existing Ingress changed the host, the new host information was not applied. This update fixes the issue by adding Ingress checks to ensure the Ingress is updated when the host changes. If there is a change in the Ingress host, it will be correctly updated with the new value, ensuring that the desired state is reflected. GITOPS-5386
-
Before this update, when the desired state for the server service type changes, for example, from
ClusterIP
toNodePort
, the change was not applied automatically to the cluster without first deleting the resource. This update fixes the issue by adding a server service check to apply changes to the server service. If the desired state for the server service type changes, it is applied automatically to the cluster without deleting the resource. GITOPS-5385 -
Before this update, users were unable to set a custom image for the
ApplicationSet
Controller after specifying it in the Argo CD CR. This update fixes the issue by allowing users to set a custom image for theApplicationSet
Controller. GITOPS-5395 - Before this update, Argo CD was unable to retrieve the correct TLS certificate for Helm OCI registries if the URL contained a path or port number. This update fixes the issue by using a fix in upstream Argo CD that ensures the URL is correctly parsed, allowing Argo CD to retrieve and return a valid TLS certificate. GITOPS-5081
1.3.4. Deprecated and removed features
1.3.4.1. Removal of Red Hat OpenShift GitOps Application Manager CLI, kam
With this release, support for the Red Hat OpenShift GitOps Application Manager command-line interface (CLI),
kam
, has been removed. Thekam
component is no longer included in new installations, and all references have been removed from the Red Hat OpenShift GitOps documentation. GITOPS-4466To remove
kam
resources after an update, run the following command:$ oc delete deployment,service,route kam -n openshift-gitops
1.3.5. Breaking change
1.3.5.1. Updated OpenShift API schemas and insecureEdgeTerminationPolicy
field change
With this update, the OpenShift API schemas used by the Red Hat OpenShift GitOps Operator have been changed to include the latest fields from the Route API, resulting in a breaking change. If the following fields are configured with the Disable option in the Argo CD CR, they must be changed to None before updating to ensure compatibility with the new schema:
-
.spec.server.route.tls.insecureEdgeTerminationPolicy
-
.spec.applicationSet.webhookServer.route.tls.insecureEdgeTerminationPolicy
-
.spec.prometheus.route.tls.insecureEdgeTerminationPolicy
-
.spec.grafana.route.tls.insecureEdgeTerminationPolicy
-