Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 1. Red Hat OpenShift GitOps release notes
Release notes contain information about new and deprecated features, breaking changes, fixed issues, and known issues. The following release notes apply to the most recent OpenShift GitOps releases on OpenShift Container Platform.
Red Hat OpenShift GitOps is a declarative way to implement continuous deployment for cloud native applications. Red Hat OpenShift GitOps ensures consistency in applications when you deploy them to different clusters in different environments, such as development, staging, and production. Red Hat OpenShift GitOps helps you automate the following tasks:
- Ensure that the clusters have similar states for configuration, monitoring, and storage.
- Recover or recreate clusters from a known state.
- Apply or revert configuration changes to multiple OpenShift Container Platform clusters.
- Associate templated configuration with different environments.
- Promote applications across clusters, from staging to production.
For an overview of Red Hat OpenShift GitOps, see About Red Hat OpenShift GitOps.
For additional information about the OpenShift GitOps lifecycle and supported platforms, refer to the OpenShift Operator Life Cycles and Red Hat OpenShift Container Platform Life Cycle Policy.
1.1. Compatibility and support matrix
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.
In the table, features are marked with the following statuses:
- TP: Technology Preview
- GA: General Availability
- NA: Not Applicable
-
In OpenShift Container Platform 4.13, the
stablechannel has been removed. Before upgrading to OpenShift Container Platform 4.13, if you are already on thestablechannel, choose the appropriate channel and switch to it. - The maintenance support for OpenShift Container Platform 4.12 on IBM Power has ended from 17 July 2024. If you are using Red Hat OpenShift GitOps on OpenShift Container Platform 4.12, upgrade to OpenShift Container Platform 4.13 or later.
| GitOps | Argo CD CLI | Helm | Kustomize | Argo CD | Argo Rollouts | Dex | Argo CD Agent | OpenShift Container Platform |
|---|---|---|---|---|---|---|---|---|
| 1.21.0 | 3.4.3 TP | 3.19.4 GA | 5.8.1 GA | 3.3.2 GA | 1.9.0 GA | 2.45.0 GA | 0.9.0 GA | 4.14, 4.16-4.22 |
| 1.20.0 | 3.3.2 TP | 3.19.4 GA | 5.8.1 GA | 3.3.2 GA | 1.8.4 GA | 2.43.1 GA | 0.7.0 GA | 4.14, 4.16-4.21 |
| 1.19.0 | 3.1.9 TP | 3.18.4 GA | 5.7.0 GA | 3.1.9 GA | 1.8.3 GA | 2.43.0 GA | 0.5.3 GA | 4.14, 4.16-4.21 |
- Starting from Red Hat OpenShift GitOps 1.18, support is no longer provided for Keycloak-based authentication. As an alternative, you can migrate to Dex or configure a self-managed Red Hat Build of Keycloak (RHBK) instance.
1.1.1. Technology Preview features
The features mentioned in the following table are currently in Technology Preview (TP). These experimental features are not intended for production use.
| Feature | TP in Red Hat OpenShift GitOps versions | GA in Red Hat OpenShift GitOps versions |
|---|---|---|
| Argo CD Agent | 1.17.0 | 1.19.0 |
|
The GitOps | 1.12.0 | 1.21.0 |
| Argo CD application sets in non-control plane namespaces | 1.12.0 | NA |
|
The | 1.10.0 | NA |
| Dynamic scaling of shards | 1.10.0 | NA |
| Argo Rollouts | 1.9.0 | 1.13.0 |
| ApplicationSet Progressive Sync Strategy | 1.8.0 | NA |
| Multiple sources for an application | 1.8.0 | 1.15.0 |
| Argo CD applications in non-control plane namespaces | 1.7.0 | 1.13.0 |
| The Red Hat OpenShift GitOps Environments page in the Developer perspective of the OpenShift Container Platform web console | 1.1.0 | NA |
The ApplicationSet Progressive Sync Strategy feature name aligns with the upstream naming convention and replaces the earlier name, ApplicationSet Progressive Rollout Strategy, used in previous Red Hat OpenShift GitOps versions. The functionality remains unchanged.
1.2. Release notes for Red Hat OpenShift GitOps 1.21.0
Red Hat OpenShift GitOps 1.21.0 is available on OpenShift Container Platform 4.14, 4.16, 4.17, 4.18, 4.19, 4.20, 4.21, and 4.22.
1.2.1. Errata updates
- RHEA-2026:28967 - Red Hat OpenShift GitOps 1.21.0 enhancement update advisory
Issued: 2026-06-24
The enhancements included in this release are documented in the following advisory:
If you installed the Red Hat OpenShift GitOps Operator in the default namespace, run the following command to view the container images in this release:
$ oc describe deployment gitops-operator-controller-manager -n openshift-gitops-operator1.2.2. New features
- Argo CD Image Updater (General Availability)
With this update, Argo CD Image Updater is generally available. It updates container images automatically for Kubernetes workloads managed by Argo CD. It tracks image versions in applications. You can define these versions in
ImageUpdatercustom resources (CR). It updates images using parameter overrides through the Argo CD API or the Git write-back method. The Image Updater supports applications built with Kustomize or Helm.- Argo CD CLI (General Availability)
With this update, the Argo CD CLI is generally available. It provides a stable command-line interface for managing Argo CD applications and related resources. Use the CLI to perform common GitOps operations.
- GitOps Console Plugin resource pages (Technology Preview)
With this update, the GitOps Console Plugin adds Technology Preview support for Argo CD and Argo Rollouts. You can view Applications, ApplicationSets, AppProjects, and Rollouts directly from the OpenShift Container Platform. This feature requires OpenShift Container Platform 4.19 or later.
This feature includes:
- List and details pages for Argo CD and Argo Rollouts resources
- Filters for health and sync status
- Visual views for Applications and ApplicationSets
- Rollout topology in the OpenShift Console Topology view
- YAML templates for creating resources
- Links between the OpenShift Console and the Argo CD UI
Views for sync history, events, resources, generators, revisions, and project policies
These updates help you manage GitOps resources from a single interface and reduce the need to switch between tools.
ImportantThe GitOps Console Plugin resource pages feature is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
- Hybrid architecture for Argo CD Agent (Technology Preview)
With this update, you can run Argo CD Agent with your existing Argo CD deployment. This enables gradual adoption of the agent pull model without replacing the existing push-based architecture. Traditional applications continue to use the Application Controller on the control plane. Agent applications are synced to the workload clusters via the agent pull model. Both appear in the same UI. Label selectors and the
argocd.argoproj.io/skip-reconcileannotation enforce isolation between them.ImportantThe Argo CD Agent hybrid architecture feature is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
- Declarative management for Git webhook secrets
With this update, the Argo CD Operator supports declarative management of Git webhook secrets through the
spec.webhookSecretsfield in the Argo CD custom resource (CR). You can configure webhook secrets for GitHub, GitLab, Bitbucket Cloud, Bitbucket Server, Gogs, and Azure DevOps directly within the CR. This feature allows you to reference external Kubernetes secrets containing webhook credentials rather than manually editing the operator-managedargocd-secretconfiguration.This enhancement enables full integration with external secret management tools, such as the External Secrets Operator or Sealed Secrets, allowing webhook secrets to be managed alongside Argo CD configurations in a version-controlled, declarative workflow. This prevents the storage of sensitive tokens in GitOps repositories and eliminates manual updates to operator-managed resources, reducing reconciliation conflicts. This feature is fully backward compatible, and existing manual configurations continue to function without modification.
- Pull Request workflow support for Image Updater
With this update, Argo CD Image Updater adds a Pull Request workflow for the Git write-back method. Before this update, image update commits were pushed directly to the tracking branch, which did not work with protected branches and skipped review processes. The Image Updater can now open a pull request to the base branch instead of pushing directly, allowing image updates to go through a review and approval workflow.
- Namespace-scoped operation for Image Updater
With this update, Argo CD Image Updater defaults to namespace-scoped operation. Before this update, the Image Updater required cluster-wide RBAC permissions by default. This was restrictive in multitenant environments where cluster-scoped access is limited. By default, the controller watches only the namespace where it is installed and includes namespace-scoped Role and RoleBinding manifests. This default behavior is configurable. You can configure the controller to watch a specific set of namespaces or the entire cluster by adjusting the RBAC configuration.
- TLS encryption for Image Updater webhook server
With this update, the Argo CD Image Updater webhook server runs with TLS enabled by default. Before this update, the webhook server accepted registry notifications over plain HTTP. It had no TLS encryption or configuration options. This allowed webhook payloads to transmit in cleartext. This included shared secrets used for payload validation. The webhook server now uses TLS 1.3 for both the minimum and maximum protocol versions by default. These TLS options are configurable. This ensures secure transmission of webhook notifications from container registries.
- Alibaba Cloud Container Registry webhook support for Image Updater
With this update, Argo CD Image Updater adds native webhook support for Alibaba Cloud Container Registry (ACR). Before this update, the Image Updater had no webhook support for ACR and required polling to detect new image versions. A dedicated Aliyun ACR webhook handler enables the controller to respond to push events in real time.
- Image Updater status subresource for monitoring and observability
With this update, each
ImageUpdaterCR maintains a status subresource that reflects the overall state of the resource. This includes the number of matched applications, managed images, timestamps, conditions, and a list of image updates from the most recent update cycle. You can check the state of yourImageUpdaterresources with CLI commands:$ oc get imageupdater -n openshift-gitopsYou can also view the complete status by examining the
ImageUpdaterCR in the cluster.- ServiceMonitor resources for Argo CD Agent
With this update, ServiceMonitor resources are available for Argo CD Agent Principal and Agent components. This enables Prometheus to scrape metrics through Monitoring. Metrics now appear in Console dashboards.
- End-to-end TLS encryption for Redis traffic in Argo CD Agent and Principal
With this update, the Argo CD Agent and Principal components support end-to-end TLS encryption for Redis traffic. The Redis proxy accepts TLS connections from Argo CD components like
argocd-serverandargocd-repo-server. It uses TLS when connecting to the localargocd-redisinstance. Configure this feature using new CLI flags and environment variables. These include--redis-tls-enabled, proxy server certificate, and key paths, or related Kubernetes secrets. You can configure the upstream CA using a file path, a Kubernetes secret, or an insecure mode for testing only. The Kubernetes and Helm installation manifests include optional Redis TLS settings. TLS is disabled by default. Theprincipal.redis.tls.enabledandagent.redis.tls.enabledfields default tofalse. This ensures that existing deployments continue to work until you enable the feature and provide certificates.- Repository credential sync for Argo CD Agent
With this update, Argo CD Agent syncs credentials to managed agents. It supports per-repository secrets and URL-prefix templates. Both are scoped by AppProject.
- Redis credentials distribution using volume mounts
With this update, username and password for the operator-managed Redis or Redis HA are injected using volume mounts. This security hardening reduces the risk of accidental credential exposure.
- Per-component Prometheus metrics configuration
With this update, you can configure the
intervalandscrapeTimeoutfields for Argo CD component ServiceMonitors. This gives you control over metric collection intervals and timeouts for each Argo CD component.- Automatic cleanup of legacy KAM resources
With this update, Red Hat OpenShift GitOps cleans up old KAM (Application Manager CLI) resources automatically. Before this update, you had to remove KAM components manually when upgrading from older versions. These resources often stayed in clusters after upgrades. This caused stale deployments, wasted resources, and security scan alerts. The Red Hat OpenShift GitOps Operator removes these resources automatically.
1.2.3. Fixed issues
- Dex service account authentication security tokens
Before this update, the Dex service account used non-expiring security tokens. This created security risks from long-lived credentials. With this update, the service account uses expiring tokens. This improves authentication security for the Dex server in Red Hat OpenShift GitOps.
- SSH handshake timeout errors with GitHub App authentication behind firewalls
Before this update, users with GitHub App authentication behind restrictive firewalls saw vague timeout errors. This happened because Post-Quantum Cryptography (PQC) algorithms generate larger SSH handshake packets. Some firewalls silently drop these packets. PQC algorithms are enabled by default starting in Argo CD 2.4.12. Suricata 7, which AWS Network Firewall uses, drops such large SSH packets. With this update, individual timeouts are used. Error messages now explicitly identify SSH handshake timeouts instead of generic timeout errors. This helps cluster operators quickly isolate and debug network path issues.
To avoid timeout errors when using GitHub App authentication behind network firewalls, disable the PQC algorithm for SSH handshake.
- AppProject routing for destination-based mapping
Before this update, the principal required the agent name to match both
.spec.destinations[].nameand.spec.sourceNamespacesin an AppProject when using destination-based mapping. This was inconsistent with how Applications are routed in destination-based mapping. With this update, the principal checks only.spec.destinations[].namefor routing when destination-based mapping is enabled. AppProjects are now correctly distributed to managed agents based solely on the destination name.
1.2.4. Known issues
- Web-based CLI terminal does not work without additional RBAC permissions
When the web-based CLI terminal feature is enabled by setting the
spec.webTerminalEnabledfield, the Terminal tab appears on the application details page for a pod, but command input does not work. Theopenshift-gitops-argocd-serverservice account does not have permission to createpods/execresources, which the web terminal requires to attach to running pods and execute commands.To work around this issue, create a
ClusterRoleandClusterRoleBindingthat grants the Argo CD server service accountpods/execaccess.Example:
kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: terminal-tmp rules: - verbs: - create apiGroups: - '' resources: - pods/exec --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: terminal-tmp subjects: - kind: ServiceAccount name: openshift-gitops-argocd-server namespace: openshift-gitops roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: terminal-tmpApply the manifest with
oc apply -f. If your Argo CD instance is not the default deployment inopenshift-gitops, update the service account name and namespace in theClusterRoleBindingaccordingly.- Goroutine leak in Image Updater with Git write-back method
With this update, the Argo CD Image Updater might have a goroutine leak when using the
gitwrite-back method under heavy load. This happens when you have many applications and short poll intervals. The leak causes Git operations to fail with this error:error: cannot fork() for remote-https: Resource temporarily unavailable.To mitigate this issue, apply one of the following workarounds:
Increase the reconciliation interval to slow the leak by setting the environment variable in the ArgoCD custom resource:
spec: imageUpdater: env: - name: IMAGE_UPDATER_INTERVAL value: 15mImplement a periodic restart of the deployment:
$ oc rollout restart deployment/argocd-image-updater-controllerIncrease pod PID limits.
1.2.5. Breaking changes
- ApplicationSet tokenRef strict mode enabled by default
With this update, the Red Hat OpenShift GitOps Operator enables ApplicationSet
tokenRefstrict mode by default. This happens when.spec.applicationSet.sourceNamespaceson the Argo CD custom resource includes at least one cluster namespace. This change affects ApplicationSet SCM Provider and Pull Request generators. Secrets used by these generators throughtokenRefmust have this label:argocd.argoproj.io/secret-type: scm-creds.If you use SCM Provider or Pull Request generators with unlabeled secrets, do one of the following before upgrading:
-
Recommended: Label your secrets with
argocd.argoproj.io/secret-type: scm-creds Not recommended for production environments: Temporarily disable strict mode by setting the following configuration in the ArgoCD custom resource:
spec: cmdParams: applicationsetcontroller.enable.tokenref.strict.mode: "false"
-
Recommended: Label your secrets with
- ImageUpdater spec.namespace field removed
With this update, the
spec.namespacefield has been removed from the ImageUpdater API. Any CR that includesspec.namespacewill fail validation. The controller uses the ImageUpdater CR’smetadata.namespaceto determine which namespace to search for applications.
1.2.6. Deprecated and removed features
- Deprecated logformat field for ApplicationSet and Notifications components
With this update, the
logformatfield name is now consistent across Argo CD components. Before this update, theapplicationSetandnotificationscomponents used the lowercaselogformatfield. Components such asserver,repo-server, andapplication-controllerused the camelCaselogFormatfield.Use the camelCase
logFormatfield forapplicationSetandnotifications. The lowercaselogformatfield is deprecated but still works for backward compatibility. The Red Hat OpenShift GitOps Operator uses the lowercaselogformatfield if the camelCaselogFormatfield is not set. You can update your custom resource specifications to use the camelCaselogFormatfield. The deprecated lowercaselogformatfield might be removed in a future release.- Deprecated dynamic shard scaling feature
With this update, the dynamic shard scaling feature in the Red Hat OpenShift GitOps Operator is deprecated. This includes the
.spec.controller.sharding.dynamicScalingEnabledfield in the Argo CD custom resource. For more information about sharding clusters, see the Additional resources section.- Migrated kube-rbac-proxy dependency
With this update, the deprecated
kube-rbac-proxyimage is no longer used. The Red Hat OpenShift GitOps Operator uses theWithAuthenticationAndAuthorizationfunction fromcontroller-runtimefor authentication and authorization. As a result, Operator deployments now run with a single container instead of two.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}