Argo
v3.3.7CI/CD & App DeliveryArgo CD v3.3.7 is a patch release fixing controller performance regressions, OIDC config handling, and several UI/security header issues.
securitySwagger UI endpoints now have clickjacking protection — upgrade if exposed
X-Frame-Options and Content-Security-Policy headers were missing from Swagger UI endpoints. If your Argo CD API server is reachable from browsers (even internally), those endpoints were frameable. Upgrade to 3.3.7 to close this. No config change needed post-upgrade.
enhancementUpgrade if you're seeing excessive reconciliation or controller CPU spikes
Two separate fixes address controller overhead: the parentUIDToChildren data structure change reduces memory churn on large clusters, and the informer resync fix stops unnecessary app refreshes that inflate API server load. If your controller is burning CPU or you're seeing constant reconcile loops, this patch is worth prioritizing.
breakingOIDC auth may behave differently after upgrade if config was stale
The fix ensures OIDC config reloads on server restart rather than using a cached/stale version. In practice this is a correctness fix, but if you've been working around stale OIDC behavior with manual pod restarts, verify SSO flows after upgrading to confirm expected behavior.
Key changes (5)
- Controller performance improved: switched parentUIDToChildren to map-of-sets and reduced secret deep copies/deserialization overhead
- OIDC config now properly refreshes on server restart — previously stale config could cause auth failures
- X-Frame-Options and CSP headers added to Swagger UI endpoints, closing a clickjacking exposure
- Prevented automatic refreshes triggered by informer resync and status updates, reducing unnecessary reconciliation churn
- Fixed repo-server crashes caused by symlink handling in copyutil and missing repo.insecure flag propagation to helm dependency build