v2.3.6
Quick Start
Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.3.6/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.3.6/manifests/ha/install.yaml
Security fixes
- HIGH: Certificate verification is skipped for connections to OIDC providers (GHSA-7943-82jg-wmw5)
- LOW: A leaked API server encryption key can allow XSS for SSO users (GHSA-pmjg-52h9-72qv)
Potentially-breaking changes
The fix for GHSA-7943-82jg-wmw5 enables TLS certificate validation by default for connections to OIDC providers. If
connections to your OIDC provider fails validation, SSO will be broken for your Argo CD instance. You should test 2.3.6
before upgrading it to production. From the new documentation:
By default, all connections made by the API server to OIDC providers (either external providers or the bundled Dex
instance) must pass certificate validation. These connections occur when getting the OIDC provider's well-known
configuration, when getting the OIDC provider's keys, and when exchanging an authorization code or verifying an ID
token as part of an OIDC login flow.Disabling certificate verification might make sense if:
- You are using the bundled Dex instance and your Argo CD instance has TLS configured with a self-signed certificate
and you understand and accept the risks of skipping OIDC provider cert verification.- You are using an external OIDC provider and that provider uses an invalid certificate and you cannot solve
the problem by settingoidcConfig.rootCA
and you understand and accept the risks of skipping OIDC provider cert
verification.If either of those two applies, then you can disable OIDC provider certificate verification by setting
oidc.tls.insecure.skip.verify
to"true"
in theargocd-cm
ConfigMap.
Bug fixes
- fix: webhook typo in case of error in GetManifests (#9671)