chore(deps): bump github.com/argoproj/argo-cd/v2 from 2.1.7 to 2.1.16

[dependabot]

Bumps github.com/argoproj/argo-cd/v2 from 2.1.7 to 2.1.16.

Release notes

Sourced from github.com/argoproj/argo-cd/v2's releases.

v2.1.16

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.1.16/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.1.16/manifests/ha/install.yaml

Security fixes

• CRITICAL: External URLs for Deployments can include javascript (GHSA-h4w9-6x78-8vrj)
• HIGH: Insecure entropy in PKCE/Oauth2/OIDC params (GHSA-2m7h-86qq-fp4v)
• MODERATE: DoS through large directory app manifest files (GHSA-jhqp-vf4w-rpwq)
• MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server (GHSA-q4w5-4gq2-98vm)

Note: This will be the last security fix release in the 2.1.x series. Please upgrade to a newer minor version to continue to get security fixes.

Potentially-breaking changes

From the GHSA-2m7h-86qq-fp4v description:

The patch introduces a new reposerver.max.combined.directory.manifests.size config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.

If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.

Bug fixes

• fix: missing Helm params (#9565) (#9566)

Other

• test: directory app manifest generation (#9503)
• test: fix erroneous test change
• chore: eliminate go-mpatch dependency (#9045)
• chore: Make unit tests run on platforms other than amd64 (#8995)
• chore: remove obsolete repo-server unit test (#9559)
• chore: upgrade golangci-lint to v1.46.2 (#9448)
• chore: update golangci-lint (#8988)
• test: fix ErrorContains (#9445)

v2.1.15

... (truncated)

Changelog

Sourced from github.com/argoproj/argo-cd/v2's changelog.

Changelog

v2.4.0 (Unreleased)

Web Terminal In Argo CD UI

Feature enables engineers to start a shell in the running application container without leaving the web interface. Just find the required Kubernetes Pod using the Application Details page, click on it and select the Terminal tab. The shell starts automatically and enables you to execute the required commands, and helps to troubleshoot the application state.

Access Control For Pod Logs & Web Terminal

Argo CD is used to manage the critical infrastructure of multiple organizations, which makes security the top priority of the project. We've listened to your feedback and introduced additional access control settings that control access to Kubernetes Pod logs and the new Web Terminal feature.

Known UI Issue for Pod Logs Access

Currently, upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.

OpenTelemetry Tracing Integration

The new feature allows emitting richer telemetry data that might make identifying performance bottlenecks easier. The new feature is available for argocd-server and argocd-repo-server components and can be enabled using the --otlp-address flag.

Power PC and IBM Z Support

The list of supported architectures has been expanded, and now includes IBM Z (s390x) and PowerPC (ppc64le). Starting with the v2.4 release the official quay.io repository is going to have images for amd64, arm64, ppc64le, and s390x architectures.

Other Notable Changes

Overall v2.4 release includes more than 300 hundred commits from nearly 90 contributors. Here is a short sample of the contributions:

• Enforce the deployment to remote clusters only
• Native support of GCP authentication for GKE
• Secured Redis connection
• ApplicationSet Gitea support

v2.3.3 (2022-03-29)

• fix: prevent excessive repo-server disk usage for large repos (#8845) (#8897)
• fix: Set QPS and burst rate for resource ops client (#8915)

v2.3.2 (2022-03-22)

• fix: application resource APIs must enforce project restrictions

v2.3.1 (2022-03-10)

... (truncated)

Commits

• 903db5f Bump version to 2.1.16
• 1d26f44 Bump version to 2.1.16
• e577e25 chore: fix docs gen
• a92a153 Merge pull request from GHSA-jhqp-vf4w-rpwq
• 45ddd05 Merge pull request from GHSA-q4w5-4gq2-98vm
• 947bdd9 Merge pull request from GHSA-2m7h-86qq-fp4v
• 4fd50ce Merge pull request from GHSA-h4w9-6x78-8vrj
• 3fab7de fix: missing Helm params (#9565) (#9566)
• 5e6b788 test: directory app manifest generation (#9503)
• 26ac321 test: fix erroneous test change
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.