RHDEVDOCS-7136: Content creation for GitOps 1.18.3 RN #105022
base: gitops-docs-1.18
@Dhruv-Soni11: This pull request references RHDEVDOCS-7136 which is a valid jira issue.
🤖 Tue Jan 20 07:24:39 - Prow CI generated the docs preview:
@Dhruv-Soni11: all tests passed!
svghadi left a comment
Looks like we missed RN for
| [IMPORTANT] | ||
| ==== | ||
| After completing the upgrade, run the `audit-operator-roles.sh` audit script to review namespace-scoped access created by the {gitops-title} Operator. The script identifies `Role` and `RoleBinding` objects that grant cross-namespace access when the _Applications in any namespace_ feature or _ApplicationSets in any namespace_ feature is enabled using the Argo CD custom resource (CR) (`.spec.sourceNamespaces` and `.spec.applicationSet.sourceNamespaces`). These features are disabled by default. The script scans all namespaces and reports `Role`/`RoleBinding` combinations that meet the following conditions: | ||
| * Grant access to the `argoproj.io/Application` resource | ||
| * Are labeled with `app.kubernetes.io/part-of=argocd` | ||
| * Bind to a service account in a different namespace, resulting in cross-namespace access | ||
| Review the script output to ensure that cross-namespace access is limited to the intended namespaces only. | ||
| For more information about the script, see link:https://github.com/redhat-developer/gitops-operator/blob/master/scripts/audit-namespace-roles/audit-operator-roles.sh[Audit Operator script]. | ||
| For more information about the steps to execute the script, see link:https://github.com/redhat-developer/gitops-operator/blob/master/scripts/audit-namespace-roles/README.md[Audit Operator script readme]. | ||
| ==== |
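Review bot: both links at the end of this admonition point at `blob/master` in redhat-developer/gitops-operator, so the script and readme that the note tells users to run after upgrading can change after the release note is published. Consider linking to a release tag or commit instead, so that the three conditions listed here (access to `argoproj.io/Application`, the `app.kubernetes.io/part-of=argocd` label, a service account in a different namespace) stay in step with what the linked script checks.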
This note is not required for the new version.
varshab1210 left a comment
I think we need an entry for https://issues.redhat.com/browse/GITOPS-8591, https://issues.redhat.com/browse/GITOPS-7992
| == Fixed issues | ||
|
|
||
| Reconciliation timeout configuration mapping fix:: | ||
| Before this update, reconciliation timeout values configured in the `extraConfig` field were not correctly mapped to the Operator's environment variables, particularly when `timeout.reconciliation` was set to 0. With this update, the `timeout.reconciliation` field is explicitly mapped to the appropriate environment variable in the Operator's deployment logic, ensuring that the Operator correctly recognizes and applies user-defined timeouts for consistent control over sync cycles. |
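Review bot: the fixed-issue entry says the field is mapped to "the appropriate environment variable" without naming it, so a reader cannot confirm on the Operator's deployment that a `timeout.reconciliation` value set through `extraConfig` was applied. Name the variable in the entry, and if the "set to 0" case stays in the text, state what a value of 0 means for sync cycles.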
| Before this update, reconciliation timeout values configured in the `extraConfig` field were not correctly mapped to the Operator's environment variables, particularly when `timeout.reconciliation` was set to 0. With this update, the `timeout.reconciliation` field is explicitly mapped to the appropriate environment variable in the Operator's deployment logic, ensuring that the Operator correctly recognizes and applies user-defined timeouts for consistent control over sync cycles. | |
| Before this update, reconciliation timeout values configured in the `extraConfig` field were not correctly mapped to the Operator's environment variables. With this update, the `timeout.reconciliation` field is explicitly mapped to the appropriate environment variable in the Operator's deployment logic, ensuring that the Operator correctly recognizes and applies user-defined timeouts for consistent control over sync cycles. |
|
|
||
| [IMPORTANT] | ||
| ==== | ||
| After completing the upgrade, run the `audit-operator-roles.sh` audit script to review namespace-scoped access created by the {gitops-title} Operator. The script identifies `Role` and `RoleBinding` objects that grant cross-namespace access when the _Applications in any namespace_ feature or _ApplicationSets in any namespace_ feature is enabled using the Argo CD custom resource (CR) (`.spec.sourceNamespaces` and `.spec.applicationSet.sourceNamespaces`). These features are disabled by default. The script scans all namespaces and reports `Role`/`RoleBinding` combinations that meet the following conditions: |
This was added for 1.18.2, is it required with 1.18.3 as well?
cc: @svghadi
No. It's not required.
https://issues.redhat.com/browse/GITOPS-8225 depends on which version the user is upgrading from. We introduced 3 replicas for haproxy in 1.17.0
| [id="RHSA-XXXX:NNNN-gitops-1-18-3-security-update-advisory_{context}"] | ||
| === RHSA-XXXX:NNNN - {gitops-title} 1.18.3 security update advisory | ||
|
|
||
| Issued: 2025-XX-NN |
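Review bot: the section anchor `[id="RHSA-XXXX:NNNN-gitops-1-18-3-security-update-advisory_{context}"]` and its heading still carry the placeholder `RHSA-XXXX:NNNN`, and the `Issued:` line is `2025-XX-NN`. The id is the link target for this advisory section, so replace the placeholders with the assigned advisory number and issue date before this merges, or hold the section until they are known.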
| Issued: 2025-XX-NN | |
| Issued: 2026-XX-NN |
@varshab1210 @svghadi, Fixed all your suggestions in this PR: #105113. @Dhruv-Soni11, Please feel free to close the PR when you are back. Thanks
Version(s):
None for CP
Issue:
https://issues.redhat.com/browse/RHDEVDOCS-7136
Link to docs preview:
Release notes for Red Hat OpenShift GitOps 1.18.3
QE review:
SME review:
QE review:
Peer review:
Additional information: