chore(deps): update dependency argoproj/argo-cd to v2.4.14

Renovate Bot requested to merge renovate/argoproj-argo-cd-2.x into master

This MR contains the following updates:

Package           Type           Update   Change
argoproj/argo-cd  Kustomization  patch    v2.4.12 -> v2.4.14

Release Notes

argoproj/argo-cd

v2.4.14

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.14/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.14/manifests/ha/install.yaml

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changes

Other

v2.4.13

Compare Source

Quick Start

Non-HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.13/manifests/install.yaml
HA:
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.13/manifests/ha/install.yaml
Security fixes

CVE-2022-39222 is a backchannel attack against the Dex OIDC provider. If your Argo CD instance is impacted, an attacker could use the process described in the vulnerability description to steal an Argo CD token from some Argo CD user. The attacker could then impersonate the targeted user and act with the victim's privileges.

Am I impacted?

This Dex vulnerability impacts Argo CD users who either 1) use the bundled Dex instance for OIDC or 2) use an external Dex instance running Dex <= 2.34.x.

If you do not use Dex, then you are not impacted.

Bundled Dex

To determine if you use the bundled Dex instance, run this command, replacing argocd with the namespace where your Argo CD instance is installed:

kubectl get cm -n argocd argocd-cm -ojson | jq '.data["dex.config"] != null'

If that command prints true, then you use the bundled Dex instance, and you should upgrade.

External Dex

To determine if you use an external Dex instance, run this command:

kubectl get cm -n argocd argocd-cm -ojson | jq '.data["oidc.config"]'

That will print your Argo CD instance's OIDC config. It might be obvious whether the OIDC provider is Dex (for example, the word dex might be in the URL). Or you might have to contact whoever manages the configured OIDC provider to ask.

You will also have to check with whoever manages the Dex instance to determine if it is still running a vulnerable version (<= 2.34.x).

How can I resolve the vulnerability as a user of the bundled Dex instance?

Upgrading Dex is the only way to resolve the vulnerability.

If you're using the manifests from the argo-cd repository to install Argo CD, the easiest way to resolve the vulnerability is to use the latest release's manifests, which point to the Dex 2.35.0 image. If you do not want to upgrade the full manifest, then you can manually change the Dex image tags in your deployed manifests to use a >= 2.35.0 tag.

If you're using the argo-helm argo-cd chart, you can either upgrade to 5.5.8 which points to the new Dex version, or you can set the dex.image.tag parameter to a >= 2.35.0 tag.

To confirm that you are using a patched version of Dex, use this command (replacing argocd with the namespace where your Argo CD instance is deployed):

kubectl get deployment -n argocd argocd-dex-server -ojson | jq '.spec.template.spec.containers[0].image'

The image tag should point to a Dex version >= 2.35.0.
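As an added example (not from the Argo CD release notes or the argo-cd project), the two checks above as POSIX shell: a function that parses a dex-server image reference and classifies its tag against the Dex 2.35.0 fixed version, plus a wrapper that runs the advisory's own kubectl/jq commands against a live cluster. The ghcr.io image references in the demo are constructed samples, and the wrapper assumes kubectl and jq are on PATH.

```shell
#!/bin/sh
# Added example (not from the Argo CD release notes): classify a Dex image
# reference against the CVE-2022-39222 fixed version, Dex >= 2.35.0.
# Prints "patched", "vulnerable" or "unknown" and returns 0, 1 or 2.
dex_tag_status() {
  image=$1
  case $image in
    *@sha256:*) echo unknown; return 2 ;;   # digest-pinned: version not in the reference
    *:*)        tag=${image##*:} ;;         # text after the last ':' is the tag
    *)          echo unknown; return 2 ;;   # untagged (implicit "latest")
  esac
  case $tag in */*) echo unknown; return 2 ;; esac   # ':' was a registry port, not a tag
  tag=${tag#v}                              # v2.35.0            -> 2.35.0
  tag=${tag%%-*}                            # 2.32.1-distroless  -> 2.32.1
  major=${tag%%.*}
  rest=${tag#*.}
  case $rest in *.*) ;; *) echo unknown; return 2 ;; esac   # need major.minor.patch
  minor=${rest%%.*}
  patch=${rest#*.}
  for part in "$major" "$minor" "$patch"; do              # every component must be digits
    case "$part" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
  done
  # Release notes: <= 2.34.x vulnerable, >= 2.35.0 patched (any 2.35.x or 3.x.x counts).
  if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 35 ]; }; then
    echo patched; return 0
  fi
  echo vulnerable; return 1
}

# Live check against a cluster (not exercised offline): the advisory's kubectl/jq
# commands, with the dex-server image fed through dex_tag_status. Assumes kubectl and jq.
check_argocd_dex() {
  ns=${1:-argocd}
  if [ "$(kubectl get cm -n "$ns" argocd-cm -ojson | jq '.data["dex.config"] != null')" != true ]; then
    echo "no bundled Dex in namespace $ns; review .data[\"oidc.config\"] for an external Dex"
    return 0
  fi
  img=$(kubectl get deployment -n "$ns" argocd-dex-server -ojson \
        | jq -r '.spec.template.spec.containers[0].image')
  echo "$img -> $(dex_tag_status "$img")"
}

# Offline demo over constructed image references (the ghcr.io path is only a sample).
for ref in ghcr.io/dexidp/dex:v2.35.0 ghcr.io/dexidp/dex:v2.34.0 \
           ghcr.io/dexidp/dex:v2.32.1-distroless ghcr.io/dexidp/dex:latest \
           registry:5000/dex ghcr.io/dexidp/dex@sha256:0123abcd; do
  printf '%-45s %s\n' "$ref" "$(dex_tag_status "$ref")"
done
```

Run `check_argocd_dex <namespace>` against a cluster to get the same verdict for the deployed dex-server image; "unknown" means the tag alone does not reveal the version and the image must be inspected another way.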

Bug fixes
  • fix: fix subscription health check (#10450)
  • fix: Fix a nil pointer crash for repo server (#10696)
Other changes
  • docs: add note about multiple sync options on annotation (#10739)
  • docs: fix broken links in faq.md (#10744)
  • chore: upgrade Dex to 2.35.0 (#10775)
  • docs: syncWindows in project.yaml (#10591)
  • docs: Update Generators-Pull-Request.md (#10643) (#10642)
  • docs: fix typo in GitHub section (#10723)
  • chore: upgrade dex to v2.32.1-distroless (#10746)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


This MR has been generated by Renovate Bot.