Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Release notes

Red Hat OpenShift GitOps 1.16

Highlights of what is new and what has changed with this OpenShift GitOps release

Red Hat OpenShift Documentation Team

Abstract

The release notes for OpenShift GitOps summarize all new features and enhancements, notable technical changes, major corrections from the previous version, and any known bugs upon general availability.

Chapter 1. Red Hat OpenShift GitOps release notes

Note

For additional information about the OpenShift GitOps lifecycle and supported platforms, refer to the OpenShift Operator Life Cycles and Red Hat OpenShift Container Platform Life Cycle Policy.

Release notes contain information about new and deprecated features, breaking changes, and known issues. The following release notes apply for the most recent OpenShift GitOps releases on OpenShift Container Platform.

Red Hat OpenShift GitOps is a declarative way to implement continuous deployment for cloud native applications. Red Hat OpenShift GitOps ensures consistency in applications when you deploy them to different clusters in different environments, such as development, staging, and production. Red Hat OpenShift GitOps helps you automate the following tasks:

  • Ensure that the clusters have similar states for configuration, monitoring, and storage
  • Recover or recreate clusters from a known state
  • Apply or revert configuration changes to multiple OpenShift Container Platform clusters
  • Associate templated configuration with different environments
  • Promote applications across clusters, from staging to production

For an overview of Red Hat OpenShift GitOps, see About Red Hat OpenShift GitOps.

1.1. Compatibility and support matrix

Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.

In the table, features are marked with the following statuses:

  • TP: Technology Preview
  • GA: General Availability
  • NA: Not Applicable
Important
  • In OpenShift Container Platform 4.13, the stable channel has been removed. Before upgrading to OpenShift Container Platform 4.13, if you are already on the stable channel, choose the appropriate channel and switch to it.
  • The maintenance support for OpenShift Container Platform 4.12 on IBM Power has ended from 17 July 2024. If you are using Red Hat OpenShift GitOps on OpenShift Container Platform 4.12, upgrade to OpenShift Container Platform 4.13 or later.
OpenShift GitOpsComponent VersionsOpenShift Versions

Version

kam

Argo CD CLI

Helm

Kustomize

Argo CD

Argo Rollouts

Dex

RH SSO

 

1.16.0

NA

2.14.7 TP

3.16.4 GA

5.4.3 GA

2.14.4 GA

1.8.0 GA

2.41.1 GA

7.6.0 GA

4.12-4.18

1.15.0

NA

2.13.1 TP

3.15.4 GA

5.4.3 GA

2.13.1 GA

1.7.2 GA

2.41.1 GA

7.6.0 GA

4.14-4.17

1.14.0

0.0.51 TP

2.12.3 TP

3.15.2 GA

5.4.2 GA

2.12.3 GA

1.7.1 GA

2.39.1 GA

7.6.0 GA

4.12-4.17

Important
  • Starting from Red Hat OpenShift GitOps 1.15, support is no longer provided for the Red Hat OpenShift GitOps Application Manager command-line interface (CLI), kam.
  • RH SSO is an abbreviation for Red Hat SSO.

1.1.1. Technology Preview features

The features mentioned in the following table are currently in Technology Preview (TP). These experimental features are not intended for production use.

Table 1.1. Technology Preview tracker
FeatureTP in Red Hat OpenShift GitOps versionsGA in Red Hat OpenShift GitOps versions

The GitOps argocd CLI tool

1.12.0

NA

Argo CD application sets in non-control plane namespaces

1.12.0

NA

The round-robin cluster sharding algorithm

1.10.0

NA

Dynamic scaling of shards

1.10.0

NA

Argo Rollouts

1.9.0

1.13.0

ApplicationSet Progressive Rollout Strategy

1.8.0

NA

Multiple sources for an application

1.8.0

NA

Argo CD applications in non-control plane namespaces

1.7.0

1.13.0

The Red Hat OpenShift GitOps Environments page in the Developer perspective of the OpenShift Container Platform web console 

1.1.0

NA

1.2. Release notes for Red Hat OpenShift GitOps 1.16.1

Red Hat OpenShift GitOps 1.16.1 is now available on OpenShift Container Platform 4.12, 4.14, 4.15, 4.16, 4.17, and 4.18.

1.2.1. Errata updates

1.2.1.1. RHSA-2025:8278 - Red Hat OpenShift GitOps 1.16.1 security update advisory

Issued: 2025-06-28

The list of security fixes that are included in this release is documented in the following advisory:

If you have installed the Red Hat OpenShift GitOps Operator in the default namespace, run the following command to view the container images in this release:

Copy to Clipboard Toggle word wrap 
$ oc describe deployment gitops-operator-controller-manager -n openshift-gitops-operator

1.3. Release notes for Red Hat OpenShift GitOps 1.16.0

Red Hat OpenShift GitOps 1.16.0 is now available on OpenShift Container Platform 4.12, 4.14, 4.15, 4.16, 4.17, and 4.18.

1.3.1. Errata updates

1.3.1.1. RHEA-2025:3436 and RHEA-2025:3412 - Red Hat OpenShift GitOps 1.16.0 security update advisory

Issued: 2025-03-30

The list of security fixes that are included in this release are documented in the following advisory:

If you have installed the Red Hat OpenShift GitOps Operator in the default namespace, run the following command to view the container images in this release:

Copy to Clipboard Toggle word wrap 
$ oc describe deployment gitops-operator-controller-manager -n openshift-gitops-operator

1.3.2. New features

  • With this update, Red Hat OpenShift GitOps is designed for environments running in Federal Information Processing Standards (FIPS) mode. When deployed on OpenShift Container Platform configured for FIPS mode, the platform uses the Red Hat Enterprise Linux (RHEL) cryptographic libraries that have been submitted to National Institute of Standards and Technology (NIST) for FIPS validation. For more information about enabling OpenShift Container Platform FIPS support, see the OpenShift Container Platform documentation. GITOPS-6365

    Note

    When the Red Hat OpenShift GitOps Operator is deployed on an OpenShift Container Platform cluster configured for FIPS mode, Single Sign-on (SSO) configuration for Argo CD using Keycloak is not supported.

  • With this update, support is provided for masking sensitive annotations on Secret resources in the Argo CD user interface (UI) and command-line interface (CLI). A new configuration key, resource.sensitive.mask.annotations, has been introduced. This key accepts a comma-separated list of .metadata.annotations keys. The values associated with these keys are masked in the Argo CD UI and CLI, enhancing the security of sensitive information stored in annotations. GITOPS-5903
  • With this update, support is provided to configure the respectRBAC option, which controls how Argo CD watches resources on a cluster in a cluster-scoped installation. You can update respectRBAC configurations in the ConfigMap through an Argo CD resource, allowing for more flexible and granular control over resource viewing behavior. GITOPS-5212
  • With this update, you can view the cause of failure directly in the status of Argo CD resources. The error message is clearly provided in the resource status, reducing the need to analyze logs to identify the root cause of failures. GITOPS-5871
  • With this update, you can configure various policies for the ApplicationSet controller in the Argo CD Custom Resource (CR). These policies allow administrators to restrict the types of modifications that can be made to the managed Argo CD Application resources, offering enhanced control over resource management. For more information, see ApplicationSet Controller policies. GITOPS-5236
  • With this update, the revision history and rollback pages in Argo CD feature collapsible sections for application parameters. This change reduces the need to scroll through multiple lines of input parameters and you can navigate revision entries more efficiently. Important details such as the commit SHA, remain visible outside the collapsible sections, ensuring easy search and reference. This enhancement applies to single and multi-source applications, streamlining the user experience across application types. GITOPS-5082
  • With this update, the Argo CD Operator adds support for the InstallationID field in the Argo CD Spec type, enabling better management of multi-instance deployments. Use this feature to assign a unique identifier to each Argo CD instance, ensuring proper differentiation of applications with the same name across multiple instances. By setting an InstallationID field, you can prevent conflicts between applications and ensure accurate tracking of resources in multi-instance environments. GITOPS-5432
  • With this update, specifying the container image when configuring a sidecar container for a config management plugin is optional. If omitted, the image used by the repo server is automatically applied to the plugin. GITOPS-3372

1.3.3. Fixed issues

  • Before this update, when installing a namespace-scoped instance of GitOps, the argocd-redis ServiceAccounts were assigned the nonroot-v2 SecurityContextConstraints (SCC), which provided more privileges than the standard restricted-v2 SCC, which might lead to potential security risks. With this update, the namespace-scoped and cluster-scoped instances of GitOps enforce the use of the restricted-v2 SCC for the argocd-redis ServiceAccounts. This change enhances security compliance by minimizing unnecessary privileges. GITOPS-6236
  • Before this update, the on-deployed trigger in the Argo CD notification-controller could incorrectly send a success notification while the application was still in the progressing state. This issue arose from the way Argo CD handled application status updates. With this update, a new timestamp field, status.health.lastTransitionTime, has been introduced in the application status to address this issue. This field prevents false-positive alerts by capturing the last health status change and enabling the on-deployed trigger to send notifications only after a stable transition. GITOPS-3699
  • Before this update, during an upgrade, the argocd-redis-ha-configmap, argocd-redis-ha-health-configmap, and the Redis HA StatefulSet resources were not correctly updated. This led to Redis HA pods encountering an AUTH error. With this update, the GitOps Operator correctly updates the Redis HA config maps and StatefulSet during an upgrade process. As a result, Redis HA pods are prevented from entering an AUTH error state post-upgrade. GITOPS-5975
  • Before this update, any changes to the serviceAccountName and serviceAccount fields in the Redis deployment were not reconciled by the Red Hat OpenShift GitOps Operator. With this update, this issue is fixed by ensuring that any unintended changes to these fields are reset to their expected value, <argocd-instance-name>-argocd-redis. GITOPS-6032

  • Before this update, Argo CD relied solely on the sub claim for user identification, which could be non-deterministic with Dex and cause unexpected Role-Based Access Control (RBAC) policy failures. With this update, Argo CD identifies users in the following order:

    • Checks the federated_claims.user_id field when Dex is the identity provider.
    • If federated claims are unavailable or empty, it falls back to the sub claim.

    With this update, this issue is fixed. This change ensures RBAC policies are based on actual user identifiers, such as email addresses rather than encoded values.

    Example

    Copy to Clipboard Toggle word wrap 
    Old method (encoded sub value):
g, ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ, role:admin
New method (actual user identifier):
g, user@example.com, role:admin

    GITOPS-5812

  • Before this update, Argo CD components, such as, server, repo-server, and application-controller could crash when accessing the Redis instance due to network or DNS instabilities within the cluster. This issue stemmed from a race condition in the go-redis client library when multiple connections in a connection pool call the dial hook function. With this update, this issue is fixed. This update resolves the issue by integrating an updated go-redis client library that eliminates race conditions during dial hook function calls. It also improves the handling and recovery from network and DNS errors, ensuring greater stability for Argo CD components. GITOPS-6287
  • Before this update, upgrading the Red Hat OpenShift GitOps Operator to v1.15.1 raised a health check error that prevented Red Hat Advanced Cluster Management (ACM) policies from syncing. This update fixes the issue by adding a missing nil check to status.placement for Policy. GITOPS-6500

1.3.4. Known Issues

  • There is currently a known issue that assigns a lower SecurityContextConstraints (SCC) to Redis service account in GitOps v1.16 after upgrading from GitOps v1.15 to v1.16. The GitOps Operator does not update the securityContext of the redis-ha-server StatefulSet, which causes the container’s user to be statically set instead of being randomly assigned as required by the restricted-v2 SCC. The redis-ha-server StatefulSet pods retain the old configurations and are not updated with the new settings. As a result, the new configuration of the StatefulSet is not applied correctly.

    Workaround: Manually delete the redis-ha-server StatefulSet to trigger the re-creation of the pods with the updated settings. GITOPS-6670

1.3.5. Deprecated and removed features

1.3.5.1. Deprecation of .spec.initialRepositories & .spec.repositoryCredentials fields in Argo CD
  • In Red Hat OpenShift GitOps v1.16, the .spec.initialRepositories and .spec.repositoryCredentials fields in Argo CD CR are deprecated. These fields will no longer be supported by Red Hat OpenShift GitOps Operator and the Argo CD CR in a future release. Update your configurations to remove dependencies on these fields. Use the Argo CD web UI or CLI to add or modify repositories. GITOPS-5961

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.