github.com/argoproj/argo-cd/v3@v3.2.1/docs/operator-manual/upgrading/3.0-3.1.md

# v3.0 to 3.1

## Symlink protection in API `--staticassets` directory

The `--staticassets` directory in the API server (`/app/shared` by default) is now protected against out-of-bounds
symlinks. This is to help protect against symlink attacks. If you have any symlinks in your `--staticassets` directory
to a location outside the directory, they will return a 500 error starting with 3.1.
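
The following pre-upgrade check is an added example and is not part of the Argo CD documentation or code base. It walks a `--staticassets` directory and lists every symlink whose fully resolved target lies outside that directory, which is exactly the set of links that will start answering 500 on 3.1. It assumes a POSIX shell with `find` and `readlink -f` (GNU coreutils or BusyBox); the directory argument (`/app/shared` in the usage line) is the one you pass to `--staticassets`.

```shell
#!/bin/sh
# Added example (not from the Argo CD docs): list symlinks under a --staticassets
# directory that resolve outside it. Run before upgrading to 3.1; every path
# printed will return a 500 once symlink protection is active.
# Assumes POSIX sh, find, and readlink -f.

# Print "link -> target" for every out-of-bounds symlink under $1.
find_out_of_bounds_symlinks() {
    dir=$(readlink -f "$1") || return 2
    find "$dir" -type l | while IFS= read -r link; do
        # readlink -f follows every level of indirection; an empty result means
        # the link could not be resolved, which is treated as out of bounds too.
        target=$(readlink -f "$link" 2>/dev/null)
        case "$target" in
            "$dir"/*|"$dir") ;;   # resolves inside the asset root: allowed
            *) printf '%s -> %s\n' "$link" "${target:-<unresolvable>}" ;;
        esac
    done
}

# Number of offending links, usable as a pass/fail signal in a pre-upgrade script.
count_out_of_bounds_symlinks() {
    find_out_of_bounds_symlinks "$1" | wc -l | tr -d ' '
}

# Usage: sh check_staticassets.sh /app/shared
# Exits non-zero when at least one out-of-bounds symlink is found.
if [ -n "$1" ]; then
    find_out_of_bounds_symlinks "$1"
    [ "$(count_out_of_bounds_symlinks "$1")" -eq 0 ]
fi
```

Relative links such as `../etc/passwd` are resolved to absolute paths before the comparison, so a link that points inside the directory only by way of a detour through a parent is still reported.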

## v1 Actions API Deprecated

The `/api/v1/applications/{name}/resource/actions` endpoint is deprecated in favor of `/api/v1/applications/{name}/resource/actions/v2`.

This endpoint allows API users to run a custom resource action on a specific resource in an application.

The old endpoint accepted various parameters as query parameters. The POST body was the action name.

The new endpoint accepts all parameters as part of the POST body as a JSON object. The new endpoint also supports a new
`resourceActionParameters` field to parameterize action runs.

The old endpoint will be removed in a future release, so users should migrate to the new endpoint as soon as possible.
API clients only need to change the endpoint URL and move the query string parameters into a JSON body.
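
As an added illustration of that migration (example code, not part of the Argo CD docs or client), the helpers below build the old query-string URL and the new JSON body side by side for the same resource, and send the v2 request with `curl`. The body field names (`namespace`, `resourceName`, `group`, `version`, `kind`, `action`, and `name`/`value` items under `resourceActionParameters`) are assumptions about the API shape, not something this page states; check them against your server's Swagger UI before relying on them. `ARGOCD_SERVER` and `ARGOCD_TOKEN` are hypothetical environment variables for this example.

```shell
#!/bin/sh
# Added example (not from the Argo CD docs or code base): migrate a client from
# the deprecated actions endpoint to the v2 JSON-body endpoint.
# Field and query parameter names are assumptions; verify them against your server.

# Minimal JSON string escaping for backslashes and double quotes.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Path of the new endpoint for application $1.
actions_v2_path() {
    printf '/api/v1/applications/%s/resource/actions/v2' "$1"
}

# Old form, for comparison: everything in the query string, action name as the body.
# Arguments: app namespace resourceName group version kind
# (values are assumed to be Kubernetes identifiers, so no URL-encoding is applied)
actions_v1_url() {
    printf '/api/v1/applications/%s/resource/actions?namespace=%s&resourceName=%s&group=%s&version=%s&kind=%s' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# New form: the same parameters plus the action and any action parameters, as one JSON object.
# Arguments: namespace resourceName group version kind action [param=value ...]
actions_v2_body() {
    [ $# -ge 6 ] || return 2
    ns=$(json_escape "$1"); res=$(json_escape "$2"); grp=$(json_escape "$3")
    ver=$(json_escape "$4"); knd=$(json_escape "$5"); act=$(json_escape "$6")
    shift 6
    params=""
    for kv in "$@"; do
        k=$(json_escape "${kv%%=*}")
        v=$(json_escape "${kv#*=}")
        params="${params:+$params,}{\"name\":\"$k\",\"value\":\"$v\"}"
    done
    printf '{"namespace":"%s","resourceName":"%s","group":"%s","version":"%s","kind":"%s","action":"%s","resourceActionParameters":[%s]}' \
        "$ns" "$res" "$grp" "$ver" "$knd" "$act" "$params"
}

# Send the v2 request. Arguments: app namespace resourceName group version kind action [param=value ...]
# ARGOCD_SERVER (e.g. https://argocd.example.com) and ARGOCD_TOKEN are hypothetical names.
run_action_v2() {
    app=$1; shift
    curl -sS -X POST "$ARGOCD_SERVER$(actions_v2_path "$app")" \
        -H "Authorization: Bearer $ARGOCD_TOKEN" \
        -H 'Content-Type: application/json' \
        --data "$(actions_v2_body "$@")"
}

# Usage: run_action_v2 guestbook default guestbook-ui apps v1 Deployment restart
```

Because the server logs the deprecation warning on every call to the old endpoint, grepping the API server logs for `RunResourceAction was called` is a quick way to find clients that still need this change.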

If the old endpoint is used, the API will log a warning message:

> RunResourceAction was called. RunResourceAction is deprecated and will be removed in a future release. Use RunResourceActionV2 instead.

The CLI will fall back to the old endpoint if the new one is not available. If it falls back, it will log a warning message:

> RunResourceActionV2 is not supported by the server, falling back to RunResourceAction.

## OpenID Connect authorization code flow with PKCE is now handled by the server instead of the UI

Previously, when PKCE was enabled, the authorization code flow (the process which happens when you log in to Argo CD using OpenID Connect) was handled by the UI, whereas this flow was handled by the server if PKCE was not enabled. The server now always handles this flow, whether or not PKCE is enabled.

### Detection

To check whether PKCE is in use, run the following command:

```shell
kubectl get cm argocd-cm -n argocd -o=jsonpath="{.data.oidc\.config}" | grep enablePKCEAuthentication
```

If it returns `"enablePKCEAuthentication": true`, then PKCE is used.

### Remediation

On your identity provider, ensure that the OIDC client used for Argo CD has the `/auth/callback` endpoint of your Argo CD URL (e.g. https://argocd.example.com/auth/callback) in the redirect URIs.

## Helm Upgraded to 3.18.4

Argo CD v3.1 upgrades the bundled Helm version to 3.18.4. There are no breaking changes in Helm 3.18 according to the
[release notes](https://github.com/helm/helm/releases/tag/v3.18.0).

## Kustomize Upgraded to 5.7.0

Argo CD v3.1 upgrades the bundled Kustomize version to 5.7.0. There are no breaking changes in Kustomize 5.7 according
to the [release notes](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv5.7.0).

## Breaking Changes

### Sanitized project API response

For security reasons ([GHSA-786q-9hcg-v9ff](https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff)),
the project API response was sanitized to remove sensitive information. This includes
credentials of project-scoped repositories and clusters.