Chapter 1. Red Hat OpenShift GitOps release notes

Issued: 2025-09-24

The list of enhancements that are included in this release are documented in the following advisory:

With this update, you can define local users in the Argo CD custom resource (CR) by using the GitOps Operator. The GitOps Operator can also automatically generate Argo CD API tokens for these users. For more information about managing and configuring local users in Argo CD, see "Managing local users in Argo CD" in the Additional Resources section.

GITOPS-1874

With this update, the NamespaceManagement CR enables tenants to let Argo CD manage its own namespaces without the cluster-admin access. Cluster administrators must first enable the feature in the Red Hat OpenShift GitOps Subscription resource and specify the allowed namespaces in the Argo CD CR. When a tenant creates a NamespaceManagement CR, the Red Hat OpenShift GitOps Operator configures the required Role and RoleBinding resources and updates Argo CD managed namespace list. This feature improves security by reducing elevated permissions, simplifies setup with automatic configuration, and ensures clean resource management by removing configurations when disabled.

GITOPS-4223

With this update, the Red Hat OpenShift GitOps Operator supports injecting additional volumes and volume mounts into the Dex container through the Argo CD CR. This enables advanced use cases such as mounting custom certificates, configuration fragments, or identity provider metadata required by Dex.

The following example shows how to mount a custom TLS certificate secret for Dex by configuring volumeMounts and volumes:

spec:
  sso:
    provider: dex
    dex:
      volumeMounts:
        - name: custom-cert
          mountPath: /etc/dex/ssl
          readOnly: true
      volumes:
        - name: custom-cert
          secret:
            secretName: dex-tls-secret

spec:
  sso:
    provider: dex
    dex:
      volumeMounts:
        - name: custom-cert
          mountPath: /etc/dex/ssl
          readOnly: true
      volumes:
        - name: custom-cert
          secret:
            secretName: dex-tls-secret

For more information, see "Additional Volume Mounts for Dex Container" in the Additional resources section.

GITOPS-5963

With this update, the Red Hat OpenShift GitOps Operator introduces a new boolean field named enabled under .spec.syncPolicy.automated in the Application CR. The field gives you control over enabling or disabling automated synchronization. The following key improvements are included in this feature:

With this update, the Red Hat OpenShift GitOps Operator adds support for the permanent and position properties within the .spec.banner field in the Argo CD CR. The following options provide more granular control over how banners are displayed in the Argo CD web UI.

With this update, the Red Hat OpenShift GitOps Operator upgrades the Kubernetes and Argo CD dependencies used in the GitOps backend. The newer versions address vulnerability alerts previously flagged by CVE scanners in older dependency versions, ensuring alignment with more recent and secure libraries.

GITOPS-6860

With this update, the Red Hat OpenShift GitOps Operator introduces a default resource.exclusions configuration, consistent with upstream Argo CD. By default, the Argo CD Application Controller excludes well-known, auto-generated, or frequently changing resources that are created by controllers. This behavior reduces unnecessary load. You can override or customize these exclusions in the Argo CD configuration if needed.

GITOPS-7434

Before this update, when the DISABLE_DEFAULT_ARGOCD_CONSOLELINK variable was set to true and the ConsoleLink resource did not exist, the Red Hat OpenShift GitOps Operator logged an error even though functionality was not affected. With this update, the Red Hat OpenShift GitOps Operator does not log an error in this scenario, preventing misleading error messages.

GITOPS-7331

Before this update, the Red Hat OpenShift GitOps Operator did not reconcile the Application controller role to manage custom resources introduced by new Operators. With this update, the Red Hat OpenShift GitOps Operator watches the admin cluster role and automatically updates the Application controller role with the required permissions. As a result, the Application controller can now manage custom resources in a managed namespace.

GITOPS-6367

There is currently a known issue affecting webhook-triggered syncs on Bitbucket mono-repositories that use the manifest-generate-paths annotation and have repository names containing uppercase letters. An underlying API call to detect file changes fails for these repositories, causing the system to ignore the specified paths. As a result, a sync operation is triggered on every change instead of only when the files defined in the annotation change.

Workaround: Ensure that your Bitbucket repository name only uses lowercase letters to enable path-based sync triggering.

GITOPS-7835

In Red Hat OpenShift GitOps 1.18, the support for Keycloak-based authentication is removed. As an alternative, you can migrate to Dex or configure a self-managed Red Hat Build of Keycloak (RHBK) instance. Dex is the default authentication provider in Red Hat OpenShift GitOps. It integrates with the OpenShift OAuth server, enabling users to log in to Argo CD with their existing OpenShift users and groups. For more information, see "Configuring SSO for Argo CD using Dex" in the Additional resources section.

If you still want to use Keycloak, you must deploy and manage the "Red Hat Build of Keycloak (RHBK)" instance and manually configure the integration in the Argo CD custom resource. For more information about configuring Argo CD with keycloak, see the upstream documentation for "Keycloak" in the Additional resources section.

GITOPS-7069