github.com/argoproj/argo-cd/v2@v2.10.9/docs/operator-manual/upgrading/2.6-2.7.md (about) 1 # v2.6 to 2.7 2 3 ## Configure RBAC to account for new `extensions` resource 4 5 2.7 introduces the new [Proxy Extensions][1] feature with a new `extensions` 6 [RBAC resource][2]. 7 8 When you upgrade to 2.7, RBAC policies with `*` in the *resource* 9 field and `*` in the action field, it will automatically grant the 10 `extensions` privilege. 11 12 The Proxy Extension feature is disabled by default, however it is 13 recommended to check your RBAC configurations to enforce the least 14 necessary privileges. 15 16 Example 17 Old: 18 19 ```csv 20 p, role:org-admin, *, *, *, allow 21 ``` 22 23 New: 24 25 ```csv 26 p, role:org-admin, clusters, create, my-proj/*, allow 27 p, role:org-admin, projects, create, my-proj/*, allow 28 p, role:org-admin, applications, create, my-proj/*, allow 29 p, role:org-admin, repositories, create, my-proj/*, allow 30 p, role:org-admin, certificates, create, my-proj/*, allow 31 p, role:org-admin, accounts, create, my-proj/*, allow 32 p, role:org-admin, gpgkeys, create, my-proj/*, allow 33 # If you don't want to grant the new permission, don't include the following line 34 p, role:org-admin, extensions, invoke, my-proj/*, allow 35 ``` 36 37 ## Upgraded Helm Version 38 39 Note that bundled Helm version has been upgraded from 3.10.3 to 3.11.2. 40 41 ## Upgraded Kustomize Version 42 43 Note that bundled Kustomize version has been upgraded from 4.5.7 to 5.0.1. 44 45 ## Notifications: `^` behavior change in Sprig's semver functions 46 Argo CD 2.7 upgrades Sprig templating specifically within Argo CD notifications to v3. That upgrade includes an upgrade of [Masterminds/semver](https://github.com/Masterminds/semver/releases) to v3. 47 48 Masterminds/semver v3 changed the behavior of the `^` prefix in semantic version constraints. If you are using sprig template functions in your notifications templates which include references to [Sprig's semver functions](https://masterminds.github.io/sprig/semver.html) and use the `^` prefix, read the [Masterminds/semver changelog](https://github.com/Masterminds/semver/releases/tag/v3.0.0) to understand how your notifications' behavior may change. 49 50 ## Tini as entrypoint 51 52 The manifests are now using [`tini` as entrypoint][3], instead of `entrypoint.sh`. Until 2.8, `entrypoint.sh` is retained for upgrade compatibility. This means that the deployment manifests have to be updated after upgrading to 2.7, and before upgrading to 2.8 later. In case the manifests are updated before moving to 2.8, the containers will not be able to start. 53 54 [1]: ../../developer-guide/extensions/proxy-extensions.md 55 [2]: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#the-extensions-resource 56 [3]: https://github.com/argoproj/argo-cd/pull/12707 57 58 59 ## Deep Links template updates 60 61 Deep Links now allow you to access other values like `cluster`, `project`, `application` and `resource` in the url and condition templates for specific categories of links. 62 The templating syntax has also been updated to be prefixed with the type of resource you want to access for example previously if you had a `resource.links` config like : 63 ```yaml 64 resource.links: | 65 - url: https://mycompany.splunk.com?search={{.metadata.name}} 66 title: Splunk 67 if: kind == "Pod" || kind == "Deployment" 68 ``` 69 This would become : 70 ```yaml 71 resource.links: | 72 - url: https://mycompany.splunk.com?search={{.resource.metadata.name}}&env={{.project.metadata.label.env}} 73 title: Splunk 74 if: resource.kind == "Pod" || resource.kind == "Deployment" 75 ``` 76 77 Read the full [documentation](../deep_links.md) to see all possible combinations of values accessible fo each category of links. 78 79 ## Support of `helm.sh/resource-policy` annotation 80 81 Argo CD now supports the `helm.sh/resource-policy` annotation to control the deletion of resources. The behavior is the same as the behavior of 82 `argocd.argoproj.io/sync-options: Delete=false` annotation: if the annotation is present and set to `keep`, the resource will not be deleted 83 when the application is deleted. 84 85 ## Check your Kustomize patches for `--redis` changes 86 87 Starting in Argo CD 2.7, the install manifests no longer pass the Redis server name via `--redis`. 88 89 If your environment uses Kustomize JSON patches to modify the Redis server name, the patch might break when you upgrade 90 to the 2.7 manifests. If it does, you can remove the patch and instead set the Redis server name via the `redis.server` 91 field in the argocd-cmd-params-cm ConfigMap. That value will be passed to the necessary components via `valueFrom` 92 environment variables. 93 94 ## `argocd applicationset` CLI incompatibilities for ApplicationSets with list generators 95 96 If you are running Argo CD v2.7.0-2.7.2 server-side, then CLI versions outside that range will incorrectly handle list 97 generators. That is because the gRPC interface for those versions used the `elements` field number for the new 98 `elementsYaml` field. 99 100 If you are running the Argo CD CLI versions v2.7.0-2.7.2 with a server-side version of v2.7.3 or later, then the CLI 101 will send the contents of the `elements` field to the server, which will interpret it as the `elementsYaml` field. This 102 will cause the ApplicationSet to fail at runtime with an error similar to this: 103 104 ``` 105 error unmarshling decoded ElementsYaml error converting YAML to JSON: yaml: control characters are not allowed 106 ``` 107 108 Be sure to use CLI version v2.7.3 or later with server-side version v2.7.3 or later.