feat: disable gRPC service config DNS TXT lookups by default (#26077)

Signed-off-by: Valentin Stoican <vstoican@ripe.net>
Co-authored-by: Valentin Stoican <vstoican@ripe.net>
Valentin Stoican
2026-01-27 10:29:38 +01:00
committed by GitHub
parent 9c108cbaa0
commit c2e594c5f5
20 changed files with 360 additions and 0 deletions


@@ -102,6 +102,10 @@ data:
# will increase the speed at which Argo CD becomes aware of external cluster state. A higher value will reduce cluster
# cache lock contention and better handle high-churn clusters.
controller.cluster.cache.events.processing.interval: "100ms"
# Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
# _grpc_config.<hostname> are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
# See https://github.com/argoproj/argo-cd/issues/24991
controller.grpc.enable.txt.service.config: "false"
## Server properties
# Listen on given address for incoming connections (default "0.0.0.0")
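Review bot: The comment on `controller.grpc.enable.txt.service.config` does not name the environment variable the key maps to. The upgrade note in this commit says the change works by setting `GRPC_ENABLE_TXT_SERVICE_CONFIG`, so naming that variable in the comment would let operators who set environment variables on the workload directly see that the two are the same switch.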
@@ -168,6 +172,10 @@ data:
server.enable.proxy.extension: "false"
# Enables profile endpoint on the internal metrics port
server.profile.enabled: "false"
# Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
# _grpc_config.<hostname> are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
# See https://github.com/argoproj/argo-cd/issues/24991
server.grpc.enable.txt.service.config: "false"
## Repo-server properties
# Listen on given address for incoming connections (default "0.0.0.0")
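Review bot: `(default "false")` on `server.grpc.enable.txt.service.config` is Argo CD's default, not the gRPC client's, and the comment does not say so. The upgrade note in this commit states that gRPC clients attempt the `_grpc_config.<hostname>` lookup by default. Add a short clause that Argo CD overrides the gRPC client default here, so a reader comparing against gRPC documentation is not misled about which default applies.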
@@ -225,6 +233,10 @@ data:
reposerver.enable.builtin.git.config: "true"
# Include hidden directories from Git
reposerver.include.hidden.directories: "false"
# Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
# _grpc_config.<hostname> are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
# See https://github.com/argoproj/argo-cd/issues/24991
reposerver.grpc.enable.txt.service.config: "false"
## Commit-server properties
# Listen on given address for incoming connections (default "0.0.0.0")
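Review bot: The key name `reposerver.grpc.enable.txt.service.config` can be read two ways: lookups made by gRPC clients running inside the repo-server process, or lookups made by other components when they connect to the repo-server. The comment repeats the generic wording used for every component and does not say which. State the scope explicitly; the upgrade note names repo-server crashes as a symptom, so this is the key operators are likely to reach for first.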
@@ -235,6 +247,10 @@ data:
commitserver.log.level: "info"
# Listen on given address for metrics (default "0.0.0.0")
commitserver.metrics.listen.address: "0.0.0.0"
# Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
# _grpc_config.<hostname> are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
# See https://github.com/argoproj/argo-cd/issues/24991
commitserver.grpc.enable.txt.service.config: "false"
# Set the logging format. One of: json|text (default "json")
dexserver.log.format: "json"
@@ -300,6 +316,10 @@ data:
applicationsetcontroller.status.max.resources.count: "5000"
# Enables profile endpoint on the internal metrics port
applicationsetcontroller.profile.enabled: "false"
# Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
# _grpc_config.<hostname> are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
# See https://github.com/argoproj/argo-cd/issues/24991
applicationsetcontroller.grpc.enable.txt.service.config: "false"
## Argo CD Notifications Controller Properties
# Set the logging level. One of: debug|info|warn|error (default "info")
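Review bot: The `applicationsetcontroller` key is the last of five added in the hunks shown for this file, and the trailing context goes straight into `## Argo CD Notifications Controller Properties` with no matching key for that component. The upgrade note says the variable is set "for all ArgoCD components". Either add the key for the remaining components or have the docs list exactly which components are covered.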


@@ -17,3 +17,37 @@ The behavior of Application health status has changed to be more consistent and
- Applications with some missing resources will now show the health of their existing resources (e.g., `Healthy`, `Progressing`, `Degraded`) instead of `Missing`
- Automation relying on the Application Health status to detect missing resources should now check the Sync status for `OutOfSync` instead, and optionally inspect individual resource health if needed.
- Users can now distinguish between an Application that has never been synced (all resources missing = `Missing` health) vs. an Application with some resources deleted (shows health of remaining resources)
## gRPC Service Config DNS Lookups Disabled by Default
ArgoCD components now disable gRPC service config lookups via DNS TXT records by default to prevent excessive DNS queries and timeouts in dual-stack (IPv4+IPv6) Kubernetes environments.
**Background:**
gRPC clients by default attempt to discover service configuration by querying DNS TXT records for `_grpc_config.<hostname>`. In dual-stack environments, these lookups can result in excessive DNS queries and timeouts, causing repo-server crashes and sync failures.
**New behavior:**
- The environment variable `GRPC_ENABLE_TXT_SERVICE_CONFIG` is now set to `false` by default for all ArgoCD components
- This prevents gRPC from attempting DNS TXT record lookups for service configuration
- Most users do not use DNS TXT records for gRPC service configuration
**Impact:**
- **Positive**: Eliminates excessive DNS queries in dual-stack environments, preventing timeouts and improving reliability
- **Minimal**: The vast majority of users do not use DNS TXT records for gRPC service configuration and will see no functional change
- **Re-enablement**: Users who do rely on gRPC service config via DNS TXT records can re-enable this feature by setting the parameter `controller.grpc.enable.txt.service.config: "true"` in the `argocd-cmd-params-cm` ConfigMap
**Example to re-enable (if needed):**
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
namespace: argocd
data:
controller.grpc.enable.txt.service.config: "true"
```
**Related Issue**: https://github.com/argoproj/argo-cd/issues/24991
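Review bot: The Re-enablement bullet and the YAML example name only `controller.grpc.enable.txt.service.config`, but the ConfigMap reference in this commit adds a separate key per component (`server.`, `reposerver.`, `commitserver.`, `applicationsetcontroller.`). A user who follows the example as written changes the setting for the application controller only. List all the keys, or say that each component has to be set individually. Minor style point: this section writes "ArgoCD" while the ConfigMap comments write "Argo CD".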