Releases: codefresh-io/gitops-runtime-helm
0.27.0
Installation
To get Helm chart for this release run:
helm pull oci://quay.io/codefresh/gitops-runtime --version 0.27.0Breaking Changes
Argo Rollouts Removed
Argo Rollouts controller has been removed from the gitops-runtime helm chart (#1051). If you depend on Argo Rollouts, you will need to install it separately.
Argo Events Removed
Argo Events controller has been removed from the gitops-runtime helm chart (#1057). If you depend on Argo Events, you will need to install it separately.
Runtime Redis Disabled by Default
Redis is now disabled by default (#927). Set redis-ha.enabled: true if needed.
What's New
Enhanced Runtime Uninstallation & Cleanup
We have significantly improved the uninstallation process to ensure a "zero-footprint" state:
- Shared Configuration Cleanup - The uninstallation now includes the ability to clean up the desired state stored in the Internal Shared Configuration Repository
- Cluster Hygiene - Improved command execution ensures that no stale runtime components or orphan resources remain on your cluster
ArgoCD Sync & Deletion Guardrails
The App-proxy now supports native ArgoCD resource annotations for Confirmation on Delete and Prune. This acts as a safety gate, requiring manual confirmation in the UI before a sync operation can delete or prune a specific resource (#1046).
- Sync Options - Prune Confirmation support
- Application Deletion - Added support for confirmation prompts before deleting an entire application
Improved Installation Wizard
The newest runtime installation flow features a drastically improved UX and ease of use.
- Expanded Git Support - Full support for Bitbucket, Bitbucket Server, and GitLab is now integrated into the streamlined installation wizard
Other Improvements
- Run without Redis - The runtime can now operate without Redis configured, providing more flexible deployment options (#919)
- MRC change revisions annotations - New support for MRC change revisions annotations in cf-argocd-extras (#1005)
- Event-reporter enhancements - Added deleted field to app event payload for better tracking (#1039)
- Checksum annotations - Config changes now trigger proper pod restarts (#938)
- Namespace-scoped Argo Workflows - Argo Workflows now runs namespace-scoped by default (#920)
Bug Fixes
- Fixed transient error handling on app sync failure (#922)
- Fixed issue where simple runtime applications ended up being out-of-sync
- Removed git commit statuses from gitops-operator (#940)
Security
0.26.7
Installation
To get Helm chart for this release run:
helm pull oci://quay.io/codefresh/gitops-runtime --version 0.26.7Chart changes
- enrichment-images: fixed security vulnerabilities CVE-2025-15284, CVE-2025-14104, CVE-2025-66382, CVE-2025-13836 and CVE-2025-13837
0.26.6
Installation
To get Helm chart for this release run:
helm pull oci://quay.io/codefresh/gitops-runtime --version 0.26.6Chart changes
- updated argo-cd to 3.2.3 (#1036)
- app-proxy: fixed security vulnerabilities CVE-2025-61729 and CVE-2025-61727 (#1048)
- app-proxy-init: fixed security vulnerabilities CVE-2016-2781 and CVE-2024-10041 (#1048)
- cf-argocd-extras: fixed security vulnerabilities CVE-2025-58181, CVE-2025-13281, CVE-2025-61727 and CVE-2025-61729 (#1033)
- kubectl: fixed security vulnerabilities CVE-2025-47912, CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189 and CVE-2025-61723 for redis-secret-init job (#1040)
- sealed-secrets-controller: fixed security vulnerabilities CVE-2025-47912, CVE-2025-58181, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61727 and CVE-2025-61729 (#1038)
0.26.5
Installation
To get Helm chart for this release run:
helm pull oci://quay.io/codefresh/gitops-runtime --version 0.26.5Chart changes
- fix(codefresh-gitops-operator): security vulnerability CVE-2025-66626 (#1026)
0.26.4
Installation
To get Helm chart for this release run:
helm pull oci://quay.io/codefresh/gitops-runtime --version 0.26.4Chart changes
- fix(codefresh-tunnel-client): security vulnerabilities CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, CVE-2025-46394, CVE-2024-58251 (#1025)
- chore: update argocd to v3.2.2 (#1020)
0.26.3
Installation
To get Helm chart for this release run:
helm pull oci://quay.io/codefresh/gitops-runtime --version 0.26.3Chart changes
- fix: security fixes for enrichment images (CVE-2025-64756, CVE-2025-65945, CVE-2025-66031, CVE-2025-12816, CVE-2025-8291, CVE-2025-6075, CVE-2025-12084) (#1012)
- fix: cap-app-proxy SA should get argo-server Role to handle Workflow resources (#1009)
- updated nats-server-config-reloader (#1004)
app-proxy changes
update image to 5f0a3d5
- feat: simplify clusters add/remove logic (#1001)
0.26.2
0.26.1
Installation
To get Helm chart for this release run:
helm pull oci://quay.io/codefresh/gitops-runtime --version 0.26.1Chart changes
- chore(CR-31388): updated gitops-operator with security fixes (#983)
- chore: security fixes for k8s client in Argo Rollouts v1.7.2 (#987)
- updated cli-v2 for fixing CVE-2024-25621 "github.com/containerd/containerd" (#994)
- chore(CR-31776): updated cap-app-proxy (#985)
0.26.0
Installation
To install this version of the gitops-runtime Helm chart, use the following command:
helm upgrade --install oci://quay.io/codefresh/gitops-runtime:0.26.0 ...⚠️ Important Upgrade Instructions
Breaking Changes
This release includes several breaking changes that require action before upgrading:
1. OSS Argo CD Migration (#823)
This release migrates from Codefresh-specific Argo CD to Open Source Software (OSS) Argo CD. Codefresh-specific Argo CD values have been removed.
Action Required:
- Review your Argo CD configuration and ensure compatibility with OSS Argo CD
- Remove any Codefresh-specific Argo CD customizations from your values files
- Verify that your Argo CD version meets the new requirements (see Argo CD Version Requirements below)
2. Argo CD Configuration Path Changes (#768)
The Argo CD authentication configuration path has changed.
Before:
global:
external-argo-cd:
auth:
type: password
username: "admin"
password: ""After:
global:
integrations:
argo-cd:
server:
auth:
type: password
username: "admin"
password: ""Action Required:
- Update your values files to use the new path:
global.integrations.argo-cd.server.auth - Migrate all authentication settings (username, password, token, etc.) to the new location
3. Sources-Server Renamed to Argo-Gateway (#744)
The sources-server component has been renamed to argo-gateway.
Before:
cf-argocd-extras:
sourcesServer:
image:
repository: ...After:
argo-gateway:
image:
repository: ...Action Required:
- Update any custom configurations referencing
cf-argocd-extras.sourcesServerto useargo-gatewayinstead - Review service names and selectors if you have any automation or monitoring that references the old component name
4. Argo Rollouts Disabled by Default (#917)
Argo Rollouts is now disabled by default. If you were relying on Argo Rollouts being enabled, you must explicitly enable it.
Action Required:
- If you use Argo Rollouts, add
argo-rollouts.enabled: trueto your values file to re-enable it for now - Verify that your workflows and applications that depend on Argo Rollouts continue to function correctly
- Important: Customers using Argo Rollouts should prepare to migrate to their own Argo Rollouts installation in the near future, as Argo Rollouts will be removed from this chart in a future release (this will be a breaking change)
5. Argo Events Deprecation (#744)
Argo Events is being deprecated and removed. All Argo Events resources (EventBus, EventSource, Sensor) have been removed from this release. Only the Argo Events controller remains temporarily to facilitate cleanup of existing resources.
Action Required:
- If you have any custom EventBus, EventSource, or Sensor resources, migrate them before upgrading
- The Argo Events controller will be completely removed in the next release
- Event reporting functionality has been replaced by new components (runtime-event-reporter and cluster-event-reporter)
6. Namespace-scoped Argo Workflows (#917)
Argo Workflows has transitioned to namespace-scoped installation to avoid conflicts with other cluster instances. Argo Workflows now operates only within the namespace of the Helm release.
Action Required:
- If you have workflows or applications that rely on cluster-scoped Argo Workflows behavior, review and update them to work with namespace-scoped installation
- Ensure that all Argo Workflows resources are created in the correct namespace
- If you have multiple Argo Workflows instances in your cluster, verify they are properly isolated by namespace
7. ACR (Application Change Revision) Controller Support Removed
ACR Controller used to enable precise sync detection for monorepo apps.
ACR Controller support has been removed in this release. This affects customers who rely on ACR Controller functionality.
Action Required:
- If you are using ACR Controller, be aware that it is not available in this release
- If your Argo CD Notifications use ACR Controller-based configuration (such as
changeRevisionin the Notifications trigger or template), replace it with a configuration based on on-deployed trigger example to restore OSS Argo CD Notifications functionality - Note: Precise sync detection for monorepo apps functionality will be restored in a future release
Important Notices
Argo CD Version Requirements (#941)
This release requires Argo CD version 3.0.x or 3.1.x or 3.2.x (version constraint: >=3.0 <=3.2).
Action Required:
- Verify your Argo CD version meets this requirement before upgrading
- If using an external Argo CD installation, ensure it is running a compatible version
- The installation will validate the Argo CD version automatically during upgrade
Multi-Runtime Installation
If you plan to use multi-runtime installation, ensure all runtimes in your cluster are configured with global.runtime.singleNamespace=true. Multi-runtime installation is not supported if you have existing runtimes without this setting.
For detailed instructions on installing GitOps Runtimes in namespace scope, see the Install GitOps Runtime in namespace scope documentation.
Git-Source Finalizers Removed
Git-source finalizers have been removed from newly created git-sources to prevent cascading deletion issues that could result in unintended deletion of Argo CD applications.
Action Required:
- Important: If you have existing git-sources with finalizers, you are strongly encouraged to manually remove the finalizers from all existing git-sources
- New git-sources created after upgrading to 0.26.0 will not include finalizers
- This change prevents cascading deletion scenarios where deleting a git-source could inadvertently delete associated Argo CD applications
Chart Changes
This release includes the following notable changes:
Features
-
Multi-runtime Installation Support (#939, #946)
- Added support for installing and managing multiple GitOps runtimes within a single cluster. See the Install GitOps Runtime in namespace scope documentation for details.
-
Checksum Annotations (#942)
- Added checksum annotations to improve change detection and ensure proper resource updates.
-
Namespace-scoped Argo Workflows (#917)
- Enabled namespace-scoped Argo Workflows support for improved isolation and resource management.
-
Telemetry Configuration (#848)
- Added support for telemetry configuration to enable better observability and monitoring.
Major Changes
-
ACR Controller Support Removed
- ACR Controller support has been temporarily removed in this release. Support will be restored in a future release.
-
Argo Events Deprecation (#744)
- Argo Events resources (EventBus, EventSource, Sensor) have been removed. The controller remains temporarily for cleanup and will be removed in the next release.
-
Event Reporter Refactoring (#744)
- Replaced argo-events runtime and cluster event-reporters with new dedicated event-reporter components (runtime-event-reporter and cluster-event-reporter), and renamed sources-server to argo-gateway for clearer naming conventions.
Improvements
-
App-Proxy Enhancements (#956, #943, #932, #737, #902, #901, #878, #804, #802, #795, #760)
- Ensured default-git-source exists on every app-proxy restart
- Updated autoDetectArgoCd to use new values structure
- Added branch data to pull request information
- Fixed git-source permissions calculation for fine-grained tokens
- Improved git process management to prevent PID exhaustion and zombie processes
- Added timeout mechanisms to prevent git process accumulation
- Enhanced applicationLogs subscription to support apps in non-controller namespaces
- Improved deployment resilience and status update locking
-
GitOps Operator Updates (#666)
- Added support for v2 promotions
- Updated dependencies including cloudflare/circl
-
CF-ArgoCD-Extras Improvements (#930, #845, #819)
- Fixed incorrect attribute keys for resources
- Unified values between runtime and cluster event reporters
- Removed sharding logic from event-reporter
-
Argo CD Compatibility (#941)
- Updated version constraint requirements for improved Argo CD compatibility
-
Installer Updates (#849, #697)
- Updated CLI v2 and kubectl to latest versions
Security
- Security Vulnerability Fixes (#702, #725, #730, #716, #788)
- Fixed security vulnerabilities in app-proxy, cf-argocd-extras, argo-rollouts, argo-events, argo-workflows, and enrichment images