From Argo CD 2.12, there have been some changes to the use of cluster secrets where a project
is a non-empty value.
Previously, an Application
or ApplicationSet
would use any cluster secret matching the URL of the repoUrl
field.
From 2.12, we now check to see whether the project field of an application also matches the project field of the cluster
secret. What this means is that if you have a cluster secret scoped to project-a
, an application scoped to project-b
can no longer make use of the secret. If you have a cluster secret that's intended to be used by applications in multiple
projects, you need to unset the project
field.
This also applies when using the Git generator in applicationsets; since an applicationset is not scoped to a particular
project any cluster secrets it makes use of also needs to be globally scoped (i.e. any secret needs to have an unset
project
).
Note that bundled Helm version has been upgraded from 3.14.4 to 3.15.2.
Argo CD 2.12 upgraded its upstream redis-ha Helm chart version from 4.22.3 to 4.26.6.
As part of the upgrade, the image registry for redis
and haproxy
was changed from DockerHub to ECR.
Make sure that the registry change will work for your environment. One example of a problem would be that your environment can use Cosign to verify the image signature for DockerHub but not for ECR. You would need to make sure your Image Validation policy includes the AWS ECR as an approved registry. Please validate that the registry change is acceptable before upgrading.
If you are using server-side apply with multiple field managers to manage a single selector
or labelSelector
field
in an ApplicationSet, that field management must be changed to be atomic starting with 2.12.
Argo CD 2.12 upgraded its controller-gen version from 0.4.1 to 0.14.0. As part of that change, several ApplicationSet
CRD fields now have x-kubernetes-map-type: atomic
.
Each of the affected fields is a label selector with two child keys: matchLabels
and matchExpressions
.
Prior to this change, two field managers could manage the matchLabels
and matchExpressions
fields independently.
Starting with the 2.12 CRD, a single field manager must manage both of those fields. This behavior is in line with the
upstream behavior of the label selector struct.
See the Kubernetes server-side apply merge strategy docs for more information about the fields' behavior.
The affected ApplicationSet fields are the following (jq selector syntax):
.spec.generators[].selector
.spec.generators[].cluster.selector
.spec.generators[].clusterDecisionResource.labelSelector
.spec.generators[].matrix.generators[].selector
.spec.generators[].merge.generators[].selector