Bump version to 2.11.2 (#18384 )

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: pasha-codefresh <39732895+pasha-codefresh@users.noreply.github.com>
fix: remove Egress NetworkPolicy for argocd-redis and argocd-redis-ha-haproxy (#18367 ) (#18372 )
2026-03-25 09:48:47 +01:00 · 2024-05-23 16:29:33 +03:00 · 2024-05-22 19:48:08 -04:00 · 2024-05-21 13:52:51 -04:00 · 2024-05-21 10:48:11 -07:00 · 2024-05-21 07:27:01 -10:00
58 changed files with 1383 additions and 255 deletions
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -114,7 +114,7 @@ changelog:
    exclude:
      - '^test:'
      - '^.*?Bump(\([[:word:]]+\))?.+$'
-      - '^.*?[Bot](\([[:word:]]+\))?.+$'
+      - '^.*?\[Bot\](\([[:word:]]+\))?.+$'


 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json
--- a/2
+++ b/2
@@ -1 +1 @@
-2.11.0
+2.11.2
--- a/cmd/argocd/commands/admin/admin.go
+++ b/cmd/argocd/commands/admin/admin.go
@@ -66,6 +66,7 @@ $ argocd admin initial-password reset
 	command.AddCommand(NewDashboardCommand(clientOpts))
 	command.AddCommand(NewNotificationsCommand())
 	command.AddCommand(NewInitialPasswordCommand())
+	command.AddCommand(NewRedisInitialPasswordCommand())

 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
 	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
--- a/cmd/argocd/commands/admin/redis_initial_password.go
+++ b/cmd/argocd/commands/admin/redis_initial_password.go
@@ -0,0 +1,98 @@
+package admin
+
+import (
+	"context"
+	"crypto/rand"
+	"fmt"
+	"math/big"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
+
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+)
+
+const defaulRedisInitialPasswordSecretName = "argocd-redis"
+const defaultResisInitialPasswordKey = "auth"
+
+func generateRandomPassword() (string, error) {
+	const initialPasswordLength = 16
+	const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"
+	randBytes := make([]byte, initialPasswordLength)
+	for i := 0; i < initialPasswordLength; i++ {
+		num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
+		if err != nil {
+			return "", err
+		}
+		randBytes[i] = letters[num.Int64()]
+	}
+	initialPassword := string(randBytes)
+	return initialPassword, nil
+}
+
+// NewRedisInitialPasswordCommand defines a new command to ensure Argo CD Redis password secret exists.
+func NewRedisInitialPasswordCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = cobra.Command{
+		Use:   "redis-initial-password",
+		Short: "Ensure the Redis password exists, creating a new one if necessary.",
+		Run: func(c *cobra.Command, args []string) {
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			redisInitialPasswordSecretName := defaulRedisInitialPasswordSecretName
+			redisInitialPasswordKey := defaultResisInitialPasswordKey
+			fmt.Printf("Checking for initial Redis password in secret %s/%s at key %s. \n", namespace, redisInitialPasswordSecretName, redisInitialPasswordKey)
+
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			errors.CheckError(v1alpha1.SetK8SConfigDefaults(config))
+
+			kubeClientset := kubernetes.NewForConfigOrDie(config)
+
+			randomPassword, err := generateRandomPassword()
+			errors.CheckError(err)
+
+			data := map[string][]byte{
+				redisInitialPasswordKey: []byte(randomPassword),
+			}
+			secret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      redisInitialPasswordSecretName,
+					Namespace: namespace,
+				},
+				Data: data,
+				Type: corev1.SecretTypeOpaque,
+			}
+			_, err = kubeClientset.CoreV1().Secrets(namespace).Create(context.Background(), secret, metav1.CreateOptions{})
+			if err != nil && !apierr.IsAlreadyExists(err) {
+				errors.CheckError(err)
+			}
+
+			fmt.Println("Argo CD Redis secret state confirmed: secret name argocd-redis.")
+			secret, err = kubeClientset.CoreV1().Secrets(namespace).Get(context.Background(), redisInitialPasswordSecretName, v1.GetOptions{})
+			errors.CheckError(err)
+
+			if _, ok := secret.Data[redisInitialPasswordKey]; ok {
+				fmt.Println("Password secret is configured properly.")
+			} else {
+				err := fmt.Errorf("key %s doesn't exist in secret %s. \n", redisInitialPasswordKey, redisInitialPasswordSecretName)
+				errors.CheckError(err)
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+
+	return &command
+}
--- a/cmpserver/server.go
+++ b/cmpserver/server.go
@@ -46,13 +46,13 @@ func NewServer(initConstants plugin.CMPServerInitConstants) (*ArgoCDCMPServer, e

 	serverLog := log.NewEntry(log.StandardLogger())
 	streamInterceptors := []grpc.StreamServerInterceptor{
-		otelgrpc.StreamServerInterceptor(),
+		otelgrpc.StreamServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.StreamServerInterceptor(serverLog),
 		grpc_prometheus.StreamServerInterceptor,
 		grpc_util.PanicLoggerStreamServerInterceptor(serverLog),
 	}
 	unaryInterceptors := []grpc.UnaryServerInterceptor{
-		otelgrpc.UnaryServerInterceptor(),
+		otelgrpc.UnaryServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.UnaryServerInterceptor(serverLog),
 		grpc_prometheus.UnaryServerInterceptor,
 		grpc_util.PanicLoggerUnaryServerInterceptor(serverLog),
--- a/controller/appcontroller.go
+++ b/controller/appcontroller.go
@@ -1923,7 +1923,15 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 	} else {
 		ctrl.writeBackToInformer(updatedApp)
 	}
-	message := fmt.Sprintf("Initiated automated sync to '%s'", desiredCommitSHA)
+
+	var target string
+	if updatedApp.Spec.HasMultipleSources() {
+		target = strings.Join(desiredCommitSHAsMS, ", ")
+	} else {
+		target = desiredCommitSHA
+	}
+	message := fmt.Sprintf("Initiated automated sync to '%s'", target)
+
 	ctrl.auditLogger.LogAppEvent(app, argo.EventInfo{Reason: argo.EventReasonOperationStarted, Type: v1.EventTypeNormal}, message, "")
 	logCtx.Info(message)
 	return nil, setOpTime
--- a/controller/cache/cache.go
+++ b/controller/cache/cache.go
@@ -290,7 +290,8 @@ func isRootAppNode(r *clustercache.Resource) bool {
 }

 func getApp(r *clustercache.Resource, ns map[kube.ResourceKey]*clustercache.Resource) string {
-	return getAppRecursive(r, ns, map[kube.ResourceKey]bool{})
+	name, _ := getAppRecursive(r, ns, map[kube.ResourceKey]bool{})
+	return name
 }

 func ownerRefGV(ownerRef metav1.OwnerReference) schema.GroupVersion {
@@ -301,27 +302,31 @@ func ownerRefGV(ownerRef metav1.OwnerReference) schema.GroupVersion {
 	return gv
 }

-func getAppRecursive(r *clustercache.Resource, ns map[kube.ResourceKey]*clustercache.Resource, visited map[kube.ResourceKey]bool) string {
+func getAppRecursive(r *clustercache.Resource, ns map[kube.ResourceKey]*clustercache.Resource, visited map[kube.ResourceKey]bool) (string, bool) {
 	if !visited[r.ResourceKey()] {
 		visited[r.ResourceKey()] = true
 	} else {
 		log.Warnf("Circular dependency detected: %v.", visited)
-		return resInfo(r).AppName
+		return resInfo(r).AppName, false
 	}

 	if resInfo(r).AppName != "" {
-		return resInfo(r).AppName
+		return resInfo(r).AppName, true
 	}
 	for _, ownerRef := range r.OwnerRefs {
 		gv := ownerRefGV(ownerRef)
 		if parent, ok := ns[kube.NewResourceKey(gv.Group, ownerRef.Kind, r.Ref.Namespace, ownerRef.Name)]; ok {
-			app := getAppRecursive(parent, ns, visited)
-			if app != "" {
-				return app
+			visited_branch := make(map[kube.ResourceKey]bool, len(visited))
+			for k, v := range visited {
+				visited_branch[k] = v
+			}
+			app, ok := getAppRecursive(parent, ns, visited_branch)
+			if app != "" || !ok {
+				return app, ok
 			}
 		}
 	}
-	return ""
+	return "", true
 }

 var (
--- a/controller/cache/cache_test.go
+++ b/controller/cache/cache_test.go
@@ -18,6 +18,7 @@ import (
 	"github.com/argoproj/gitops-engine/pkg/cache"
 	"github.com/argoproj/gitops-engine/pkg/cache/mocks"
 	"github.com/argoproj/gitops-engine/pkg/health"
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/stretchr/testify/mock"
 	"k8s.io/client-go/kubernetes/fake"

@@ -319,6 +320,216 @@ func Test_asResourceNode_owner_refs(t *testing.T) {
 	assert.Equal(t, expected, resNode)
 }

+func Test_getAppRecursive(t *testing.T) {
+	for _, tt := range []struct {
+		name     string
+		r        *cache.Resource
+		ns       map[kube.ResourceKey]*cache.Resource
+		wantName string
+		wantOK   assert.BoolAssertionFunc
+	}{
+		{
+			name: "ok: cm1->app1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "app1"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "app1"): {
+					Info: &ResourceInfo{
+						AppName: "app1",
+					},
+				},
+			},
+			wantName: "app1",
+			wantOK:   assert.True,
+		},
+		{
+			name: "ok: cm1->cm2->app1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "app1"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "app1"): {
+					Info: &ResourceInfo{
+						AppName: "app1",
+					},
+				},
+			},
+			wantName: "app1",
+			wantOK:   assert.True,
+		},
+		{
+			name: "cm1->cm2->app1 & cm1->cm3->app1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+					{Name: "cm3"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "app1"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm3"): {
+					Ref: v1.ObjectReference{
+						Name: "cm3",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "app1"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "app1"): {
+					Info: &ResourceInfo{
+						AppName: "app1",
+					},
+				},
+			},
+			wantName: "app1",
+			wantOK:   assert.True,
+		},
+		{
+			// Nothing cycle.
+			// Issue #11699, fixed #12667.
+			name: "ok: cm1->cm2 & cm1->cm3->cm2 & cm1->cm3->app1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+					{Name: "cm3"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm3"): {
+					Ref: v1.ObjectReference{
+						Name: "cm3",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm2"},
+						{Name: "app1"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "app1"): {
+					Info: &ResourceInfo{
+						AppName: "app1",
+					},
+				},
+			},
+			wantName: "app1",
+			wantOK:   assert.True,
+		},
+		{
+			name: "cycle: cm1<->cm2",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm1"): {
+					Ref: v1.ObjectReference{
+						Name: "cm1",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm2"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm1"},
+					},
+				},
+			},
+			wantName: "",
+			wantOK:   assert.False,
+		},
+		{
+			name: "cycle: cm1->cm2->cm3->cm1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm1"): {
+					Ref: v1.ObjectReference{
+						Name: "cm1",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm2"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm3"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm3"): {
+					Ref: v1.ObjectReference{
+						Name: "cm3",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm1"},
+					},
+				},
+			},
+			wantName: "",
+			wantOK:   assert.False,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			visited := map[kube.ResourceKey]bool{}
+			got, ok := getAppRecursive(tt.r, tt.ns, visited)
+			assert.Equal(t, tt.wantName, got)
+			tt.wantOK(t, ok)
+		})
+	}
+}
+
 func TestSkipResourceUpdate(t *testing.T) {
 	var (
 		hash1_x string = "x"
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -268,3 +268,45 @@ The most common instance of this error is with `env:` fields for `containers`.

 !!! note "Dynamic applications"
    It's possible that your application is being generated by a tool in which case the duplication might not be evident within the scope of a single file. If you have trouble debugging this problem, consider filing a ticket to the owner of the generator tool asking them to improve its validation and error reporting.
+
+## How to rotate Redis secret?
+* Delete `argocd-redis` secret in the namespace where Argo CD is installed. 
+```bash
+kubectl delete secret argocd-redis -n <argocd namesapce>
+```
+* If you are running Redis in HA mode, restart Redis in HA.
+```bash
+kubectl rollout restart deployment argocd-redis-ha-haproxy
+kubectl rollout restart statefulset argocd-redis-ha-server
+```
+* If you are running Redis in non-HA mode, restart Redis.
+```bash
+kubectl rollout restart deployment argocd-redis
+```
+* Restart other components.
+```bash
+kubectl rollout restart deployment argocd-server argocd-repo-server
+kubectl rollout restart statefulset argocd-application-controller
+```
+
+## How to turn off Redis auth if users really want to?
+
+Argo CD default installation is now configured automatically enable Redis authentication. 
+If for some reason authenticated Redis does not work for you and you want to use non-authenticated Redis, here are the steps:
+
+* You need to have your own Redis installation.
+* Configure Argo CD to use your own Redis instance. See this [doc](https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cmd-params-cm-yaml/) for the Argo CD configuration.
+* If you already installed Redis shipped with Argo CD, you also need to clean up the existing components:
+  * When HA Redis is used:
+    * kubectl delete deployment argocd-redis-ha-haproxy
+    * kubectl delete statefulset argocd-redis-ha-server
+  * When non-HA Redis is used:
+    * kubectl delete deployment argocd-redis
+* Remove environment variable `REDIS_PASSWORD` from the following manifests
+    * Deployment: argocd-repo-server:
+    * Deployment: argocd-server
+    * StatefulSet: argocd-application-controller
+  
+## How do I provide my own Redis credentials?
+The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
+You can config your secret provider to generate Kubernetes secret accordingly.
--- a/docs/getting_started.md
+++ b/docs/getting_started.md
@@ -40,6 +40,9 @@ Do one of:

 Use `argocd login --core` to [configure](./user-guide/commands/argocd_login.md) CLI access and skip steps 3-5.

+!!! note
+    This default installation for Redis is using password authentication. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
+
 ## 2. Download Argo CD CLI

 Download the latest Argo CD version from [https://github.com/argoproj/argo-cd/releases/latest](https://github.com/argoproj/argo-cd/releases/latest). More detailed installation instructions can be found via the [CLI installation documentation](cli_installation.md).
--- a/docs/operator-manual/upgrading/2.10-2.11.md
+++ b/docs/operator-manual/upgrading/2.10-2.11.md
@@ -2,4 +2,57 @@

 ## initiatedBy added in Application CRD

-In order to address [argoproj/argo-cd#16612](https://github.com/argoproj/argo-cd/issues/16612), initiatedBy has been added in the Application CRD.
+In order to address [argoproj/argo-cd#16612](https://github.com/argoproj/argo-cd/issues/16612), initiatedBy has been added in the Application CRD.
+
+## Egress NetworkPolicy for `argocd-redis` and `argocd-redis-ha-haproxy`
+
+Starting with Argo CD 2.11.2, the NetworkPolicy for the `argocd-redis` and `argocd-redis-ha-haproxy` dropped Egress restrictions. This change was made
+to allow access to the Kubernetes API to create a secret to secure Redis access.
+
+To retain similar networking restrictions as before 2.11.2, you can add an Egress rule to allow access only to the
+Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your
+Kubernetes setup. The access for Redis itself can be allowed by adding the following to the
+`argocd-redis-network-policy` NetworkPolicy:
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-network-policy
+spec:
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+```
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-ha-haproxy
+spec:
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+    to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+```
--- a/docs/operator-manual/upgrading/2.8-2.9.md
+++ b/docs/operator-manual/upgrading/2.8-2.9.md
@@ -3,3 +3,56 @@
 ## Upgraded Kustomize Version

 Note that bundled Kustomize version has been upgraded from 5.1.0 to 5.2.1.
+
+## Egress NetworkPolicy for `argocd-redis` and `argocd-redis-ha-haproxy`
+
+Starting with Argo CD 2.9.16, the NetworkPolicy for the `argocd-redis` and `argocd-redis-ha-haproxy` dropped Egress restrictions. This change was made
+to allow access to the Kubernetes API to create a secret to secure Redis access.
+
+To retain similar networking restrictions as before 2.9.16, you can add an Egress rule to allow access only to the
+Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your
+Kubernetes setup. The access for Redis itself can be allowed by adding the following to the
+`argocd-redis-network-policy` NetworkPolicy:
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-network-policy
+spec:
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+```
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-ha-haproxy
+spec:
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+    to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+```
--- a/docs/operator-manual/upgrading/2.9-2.10.md
+++ b/docs/operator-manual/upgrading/2.9-2.10.md
@@ -14,3 +14,56 @@ before enabling `managedNamespaceMetadata` on an existing namespace.
 ## Upgraded Helm Version

 Note that bundled Helm version has been upgraded from 3.13.2 to 3.14.3.
+
+## Egress NetworkPolicy for `argocd-redis` and `argocd-redis-ha-haproxy`
+
+Starting with Argo CD 2.10.11, the NetworkPolicy for the `argocd-redis` and `argocd-redis-ha-haproxy` dropped Egress restrictions. This change was made
+to allow access to the Kubernetes API to create a secret to secure Redis access.
+
+To retain similar networking restrictions as before 2.10.11, you can add an Egress rule to allow access only to the
+Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your
+Kubernetes setup. The access for Redis itself can be allowed by adding the following to the
+`argocd-redis-network-policy` NetworkPolicy:
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-network-policy
+spec:
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+```
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-ha-haproxy
+spec:
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+    to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+```
--- a/docs/operator-manual/upgrading/overview.md
+++ b/docs/operator-manual/upgrading/overview.md
@@ -37,6 +37,7 @@ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/<v

 <hr/>

+* [v2.10 to v2.11](./2.10-2.11.md)
 * [v2.9 to v2.10](./2.9-2.10.md)
 * [v2.8 to v2.9](./2.8-2.9.md)
 * [v2.7 to v2.8](./2.7-2.8.md)
--- a/docs/user-guide/commands/argocd_admin.md
+++ b/docs/user-guide/commands/argocd_admin.md
@@ -64,6 +64,7 @@ $ argocd admin initial-password reset
 * [argocd admin initial-password](argocd_admin_initial-password.md)	 - Prints initial password to log in to Argo CD for the first time
 * [argocd admin notifications](argocd_admin_notifications.md)	 - Set of CLI commands that helps manage notifications settings
 * [argocd admin proj](argocd_admin_proj.md)	 - Manage projects configuration
+* [argocd admin redis-initial-password](argocd_admin_redis-initial-password.md)	 - Ensure the Redis password exists, creating a new one if necessary.
 * [argocd admin repo](argocd_admin_repo.md)	 - Manage repositories configuration
 * [argocd admin settings](argocd_admin_settings.md)	 - Provides set of commands for settings validation and troubleshooting

--- a/docs/user-guide/commands/argocd_admin_redis-initial-password.md
+++ b/docs/user-guide/commands/argocd_admin_redis-initial-password.md
@@ -0,0 +1,67 @@
+# `argocd admin redis-initial-password` Command Reference
+
+## argocd admin redis-initial-password
+
+Ensure the Redis password exists, creating a new one if necessary.
+
+```
+argocd admin redis-initial-password [flags]
+```
+
+### Options
+
+```
+      --as string                      Username to impersonate for the operation
+      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --as-uid string                  UID to impersonate for the operation
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --client-certificate string      Path to a client certificate file for TLS
+      --client-key string              Path to a client key file for TLS
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+      --disable-compression            If true, opt-out of response compression for all requests to the server
+  -h, --help                           help for redis-initial-password
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
+  -n, --namespace string               If present, the namespace scope for this CLI request
+      --password string                Password for basic authentication to the API server
+      --proxy-url string               If provided, this URL will be used to connect via proxy
+      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --server string                  The address and port of the Kubernetes API server
+      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                   Bearer token for authentication to the API server
+      --user string                    The name of the kubeconfig user to use
+      --username string                Username for basic authentication to the API server
+```
+
+### Options inherited from parent commands
+
+```
+      --auth-token string               Authentication token
+      --client-crt string               Client certificate file
+      --client-crt-key string           Client certificate key file
+      --config string                   Path to Argo CD config (default "/home/user/.config/argocd/config")
+      --controller-name string          Name of the Argo CD Application controller; set this or the ARGOCD_APPLICATION_CONTROLLER_NAME environment variable when the controller's name label differs from the default, for example when installing via the Helm chart (default "argocd-application-controller")
+      --core                            If set to true then CLI talks directly to Kubernetes instead of talking to Argo CD API server
+      --grpc-web                        Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2.
+      --grpc-web-root-path string       Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2. Set web root.
+  -H, --header strings                  Sets additional header to all requests made by Argo CD CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers)
+      --http-retry-max int              Maximum number of retries to establish http connection to Argo CD server
+      --insecure                        Skip server certificate and domain verification
+      --kube-context string             Directs the command to the given kube-context
+      --logformat string                Set the logging format. One of: text|json (default "text")
+      --loglevel string                 Set the logging level. One of: debug|info|warn|error (default "info")
+      --plaintext                       Disable TLS
+      --port-forward                    Connect to a random argocd-server port using port forwarding
+      --port-forward-namespace string   Namespace name which should be used for port forwarding
+      --redis-haproxy-name string       Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy")
+      --redis-name string               Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis")
+      --repo-server-name string         Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server")
+      --server-crt string               Server certificate file
+      --server-name string              Name of the Argo CD API server; set this or the ARGOCD_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-server")
+```
+
+### SEE ALSO
+
+* [argocd admin](argocd_admin.md)	 - Contains a set of commands useful for Argo CD administrators and requires direct Kubernetes access
+
--- a/docs/user-guide/sync-options.md
+++ b/docs/user-guide/sync-options.md
@@ -165,6 +165,21 @@ metadata:
    argocd.argoproj.io/sync-options: Replace=true
 ```

+## Force Sync
+
+For certain resources you might want to delete and recreate. e.g. job resources that should run every time when syncing.
+
+!!! warning
+      During the sync process, the resources will be synchronized using the 'kubectl delete/create' command.
+      This sync option has a destructive action, which could cause an outage for your application.
+
+In such cases you might use `Force=true` sync option in target resources annotation:
+```yaml
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: Force=true,Replace=true
+```
+
 ## Server-Side Apply

 This option enables Kubernetes
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/miniredis/v2 v2.30.4
 	github.com/antonmedv/expr v1.15.2
-	github.com/argoproj/gitops-engine v0.7.1-0.20240124052710-5fd9f449e757
+	github.com/argoproj/gitops-engine v0.7.1-0.20240416142647-fbecbb86e412
 	github.com/argoproj/notifications-engine v0.4.1-0.20240403133627-f48567108f01
 	github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1
 	github.com/aws/aws-sdk-go v1.50.8
@@ -41,7 +41,7 @@ require (
 	github.com/gogits/go-gogs-client v0.0.0-20200905025246-8bb8a50cb355
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/golang/protobuf v1.5.3
+	github.com/golang/protobuf v1.5.4
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-github/v35 v35.3.0
 	github.com/google/go-jsonnet v0.20.0
@@ -78,7 +78,7 @@ require (
 	github.com/valyala/fasttemplate v1.2.2
 	github.com/xanzy/go-gitlab v0.91.1
 	github.com/yuin/gopher-lua v1.1.0
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1
 	go.opentelemetry.io/otel v1.21.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0
 	go.opentelemetry.io/otel/sdk v1.21.0
@@ -89,7 +89,7 @@ require (
 	golang.org/x/term v0.17.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d
 	google.golang.org/grpc v1.59.0
-	google.golang.org/protobuf v1.31.0
+	google.golang.org/protobuf v1.33.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.26.11
@@ -297,7 +297,7 @@ replace (

 	github.com/go-telegram-bot-api/telegram-bot-api/v5 => github.com/OvyFlash/telegram-bot-api/v5 v5.0.0-20240108230938-63e5c59035bf

-	github.com/golang/protobuf => github.com/golang/protobuf v1.4.2
+	github.com/golang/protobuf => github.com/golang/protobuf v1.5.4
 	github.com/grpc-ecosystem/grpc-gateway => github.com/grpc-ecosystem/grpc-gateway v1.16.0

 	// Avoid  CVE-2023-46402
--- a/go.sum
+++ b/go.sum
@@ -696,8 +696,8 @@ github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
 github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE=
-github.com/argoproj/gitops-engine v0.7.1-0.20240124052710-5fd9f449e757 h1:5fKAhTQcTBom0vin56cz/UTPx2GMuvdb+lJRAUOPbHA=
-github.com/argoproj/gitops-engine v0.7.1-0.20240124052710-5fd9f449e757/go.mod h1:gWE8uROi7hIkWGNAVM+8FWkMfo0vZ03SLx/aFw/DBzg=
+github.com/argoproj/gitops-engine v0.7.1-0.20240416142647-fbecbb86e412 h1:je2wJpWtaoS55mA5MBPCeDnKMeF42pkxO9Oa5KbWrdg=
+github.com/argoproj/gitops-engine v0.7.1-0.20240416142647-fbecbb86e412/go.mod h1:gWE8uROi7hIkWGNAVM+8FWkMfo0vZ03SLx/aFw/DBzg=
 github.com/argoproj/notifications-engine v0.4.1-0.20240403133627-f48567108f01 h1:/V8+HM0VPPTrdjTwUrkIj5a+SjaU//tJwfIXJ1QAOvg=
 github.com/argoproj/notifications-engine v0.4.1-0.20240403133627-f48567108f01/go.mod h1:N0A4sEws2soZjEpY4hgZpQS8mRIEw6otzwfkgc3g9uQ=
 github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1 h1:qsHwwOJ21K2Ao0xPju1sNuqphyMnMYkyB3ZLoLtxWpo=
@@ -1090,8 +1090,8 @@ github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71
 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
-github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
@@ -1746,8 +1746,8 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 h1:ZOLJc06r4CB42laIXg/7udr0pbZyuAihN10A/XuiQRY=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0/go.mod h1:5z+/ZWJQKXa9YT34fQNx5K8Hd1EoIhvtUygUQPqEOgQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 h1:SpGay3w+nEwMpfVnbqOLH5gY52/foP8RE8UzTZ1pdSE=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1/go.mod h1:4UoMYEZOC0yN/sPGH76KPkkU7zgiEWYWL9vwmbnTJPE=
 go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc=
 go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw=
@@ -2577,8 +2577,9 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
--- a/hack/installers/checksums/helm-v3.14.4-darwin-amd64.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.14.4-darwin-amd64.tar.gz.sha256
@@ -0,0 +1 @@
+73434aeac36ad068ce2e5582b8851a286dc628eae16494a26e2ad0b24a7199f9  helm-v3.14.4-darwin-amd64.tar.gz
--- a/hack/installers/checksums/helm-v3.14.4-darwin-arm64.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.14.4-darwin-arm64.tar.gz.sha256
@@ -0,0 +1 @@
+61e9c5455f06b2ad0a1280975bf65892e707adc19d766b0cf4e9006e3b7b4b6c  helm-v3.14.4-darwin-arm64.tar.gz
--- a/hack/installers/checksums/helm-v3.14.4-linux-amd64.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.14.4-linux-amd64.tar.gz.sha256
@@ -0,0 +1 @@
+a5844ef2c38ef6ddf3b5a8f7d91e7e0e8ebc39a38bb3fc8013d629c1ef29c259  helm-v3.14.4-linux-amd64.tar.gz
--- a/hack/installers/checksums/helm-v3.14.4-linux-arm64.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.14.4-linux-arm64.tar.gz.sha256
@@ -0,0 +1 @@
+113ccc53b7c57c2aba0cd0aa560b5500841b18b5210d78641acfddc53dac8ab2  helm-v3.14.4-linux-arm64.tar.gz
--- a/hack/installers/checksums/helm-v3.14.4-linux-ppc64le.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.14.4-linux-ppc64le.tar.gz.sha256
@@ -0,0 +1 @@
+d0d625b43f6650ad376428520b2238baa2400bfedb43b2e0f24ad7247f0f59b5  helm-v3.14.4-linux-ppc64le.tar.gz
--- a/hack/installers/checksums/helm-v3.14.4-linux-s390x.tar.gz.sha256
+++ b/hack/installers/checksums/helm-v3.14.4-linux-s390x.tar.gz.sha256
@@ -0,0 +1 @@
+a5750d0cb1ba34ce84ab3be6382a14617130661d15dd2aa1b36630b293437936  helm-v3.14.4-linux-s390x.tar.gz
--- a/hack/tool-versions.sh
+++ b/hack/tool-versions.sh
@@ -11,7 +11,7 @@
 # Use ./hack/installers/checksums/add-helm-checksums.sh and
 # add-kustomize-checksums.sh to help download checksums.
 ###############################################################################
-helm3_version=3.14.3
+helm3_version=3.14.4
 kubectl_version=1.17.8
 kubectx_version=0.6.3
 kustomize5_version=5.2.1
--- a/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml
+++ b/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml
@@ -20,6 +20,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-application-controller
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
--- a/manifests/base/application-controller/argocd-application-controller-statefulset.yaml
+++ b/manifests/base/application-controller/argocd-application-controller-statefulset.yaml
@@ -21,6 +21,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-application-controller
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
--- a/manifests/base/kustomization.yaml
+++ b/manifests/base/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v2.11.0
+  newTag: v2.11.2
 resources:
 - ./application-controller
 - ./dex
--- a/manifests/base/redis/argocd-redis-deployment.yaml
+++ b/manifests/base/redis/argocd-redis-deployment.yaml
@@ -15,6 +15,23 @@ spec:
      labels:
        app.kubernetes.io/name: argocd-redis
    spec:
+      initContainers:
+        - command:
+            - argocd
+            - admin
+            - redis-initial-password
+          image: quay.io/argoproj/argocd:latest
+          imagePullPolicy: IfNotPresent
+          name: secret-init
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
@@ -30,6 +47,13 @@ spec:
        - ""
        - "--appendonly"
        - "no"
+        - --requirepass $(REDIS_PASSWORD)
+        env:
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: auth
+                name: argocd-redis
        ports:
        - containerPort: 6379
        securityContext:
--- a/manifests/base/redis/argocd-redis-network-policy.yaml
+++ b/manifests/base/redis/argocd-redis-network-policy.yaml
@@ -8,7 +8,6 @@ spec:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
  - Ingress
-  - Egress
  ingress:
  - from:
    - podSelector:
@@ -23,9 +22,3 @@ spec:
    ports:
    - protocol: TCP
      port: 6379
-  egress:
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
--- a/manifests/base/redis/argocd-redis-role.yaml
+++ b/manifests/base/redis/argocd-redis-role.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - argocd-redis
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
--- a/manifests/base/redis/argocd-redis-rolebinding.yaml
+++ b/manifests/base/redis/argocd-redis-rolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-redis
+subjects:
+  - kind: ServiceAccount
+    name: argocd-redis
--- a/manifests/base/redis/kustomization.yaml
+++ b/manifests/base/redis/kustomization.yaml
@@ -6,3 +6,5 @@ resources:
 - argocd-redis-sa.yaml
 - argocd-redis-service.yaml
 - argocd-redis-network-policy.yaml
+- argocd-redis-role.yaml
+- argocd-redis-rolebinding.yaml
--- a/manifests/base/repo-server/argocd-repo-server-deployment.yaml
+++ b/manifests/base/repo-server/argocd-repo-server-deployment.yaml
@@ -24,6 +24,11 @@ spec:
        args:
          - /usr/local/bin/argocd-repo-server
        env:
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: auth
+                name: argocd-redis
          - name: ARGOCD_RECONCILIATION_TIMEOUT
            valueFrom:
              configMapKeyRef:
--- a/manifests/base/server/argocd-server-deployment.yaml
+++ b/manifests/base/server/argocd-server-deployment.yaml
@@ -23,6 +23,11 @@ spec:
        args:
          - /usr/local/bin/argocd-server
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_SERVER_INSECURE
          valueFrom:
            configMapKeyRef:
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
@@ -20816,6 +20816,30 @@ rules:
  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
@@ -20868,6 +20892,22 @@ subjects:
  name: argocd-applicationset-controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-redis
+subjects:
+- kind: ServiceAccount
+  name: argocd-redis
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
@@ -21184,7 +21224,7 @@ spec:
              key: applicationsetcontroller.enable.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -21279,6 +21319,13 @@ spec:
        - ""
        - --appendonly
        - "no"
+        - --requirepass $(REDIS_PASSWORD)
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: Always
        name: redis
@@ -21290,6 +21337,23 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+      initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.2
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
@@ -21334,6 +21398,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-repo-server
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
@@ -21514,7 +21583,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -21566,7 +21635,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -21651,6 +21720,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-application-controller
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -21833,7 +21907,7 @@ spec:
              key: controller.ignore.normalizer.jq.timeout
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
@@ -21915,12 +21989,6 @@ kind: NetworkPolicy
 metadata:
  name: argocd-redis-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
  ingress:
  - from:
    - podSelector:
@@ -21940,7 +22008,6 @@ spec:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
  - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
--- a/manifests/core-install/kustomization.yaml
+++ b/manifests/core-install/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v2.11.0
+  newTag: v2.11.2
--- a/manifests/ha/base/kustomization.yaml
+++ b/manifests/ha/base/kustomization.yaml
@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v2.11.0
+  newTag: v2.11.2
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller
--- a/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml
+++ b/manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml
@@ -8,7 +8,6 @@ spec:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
  - Ingress
-  - Egress
  ingress:
  - from:
    - podSelector:
@@ -25,18 +24,4 @@ spec:
      protocol: TCP
    - port: 26379
      protocol: TCP
-  egress:
-  - to:
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/name: argocd-redis-ha
-    ports:
-    - port: 6379
-      protocol: TCP
-    - port: 26379
-      protocol: TCP
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
+
--- a/manifests/ha/base/redis-ha/chart/requirements.lock
+++ b/manifests/ha/base/redis-ha/chart/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: redis-ha
  repository: https://dandydeveloper.github.io/charts
-  version: 4.22.3
-digest: sha256:ae773caf65b172bdd2216072c03ba76ef3c0383dbd1e2478934a67b9455f6a2e
-generated: "2022-11-02T16:57:25.047025473-07:00"
+  version: 4.26.6
+digest: sha256:c363f48ea8339c4bdb7c8a2cca62aa487b69d0a52a6fe6267fbbbbc07e468abd
+generated: "2024-04-10T11:02:32.957812-07:00"
--- a/manifests/ha/base/redis-ha/chart/requirements.yaml
+++ b/manifests/ha/base/redis-ha/chart/requirements.yaml
@@ -1,4 +1,4 @@
 dependencies:
 - name: redis-ha
-  version: 4.22.3
+  version: 4.26.6
  repository: https://dandydeveloper.github.io/charts
--- a/manifests/ha/base/redis-ha/chart/upstream.yaml
+++ b/manifests/ha/base/redis-ha/chart/upstream.yaml
@@ -9,8 +9,10 @@ metadata:
  labels:
    heritage: Helm
    release: argocd
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
    app: argocd-redis-ha
+secrets:
+- name: argocd-redis
 ---
 # Source: redis-ha/charts/redis-ha/templates/redis-haproxy-serviceaccount.yaml
 apiVersion: v1
@@ -21,7 +23,7 @@ metadata:
  labels:
    heritage: Helm
    release: argocd
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
    app: argocd-redis-ha
 ---
 # Source: redis-ha/charts/redis-ha/templates/redis-ha-configmap.yaml
@@ -33,7 +35,7 @@ metadata:
  labels:
    heritage: Helm
    release: argocd
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
    app: argocd-redis-ha
 data:
  redis.conf: |
@@ -50,6 +52,8 @@ data:
    rdbcompression yes
    repl-diskless-sync yes
    save ""
+    requirepass replace-default-auth
+    masterauth replace-default-auth

  sentinel.conf: |
    dir "/data"
@@ -59,6 +63,7 @@ data:
        sentinel failover-timeout argocd 180000
        maxclients 10000
        sentinel parallel-syncs argocd 5
+    sentinel auth-pass argocd replace-default-auth

  init.sh: |
    echo "$(date) Start..."
@@ -82,7 +87,7 @@ data:
    sentinel_get_master() {
    set +e
        if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
        else
            redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -191,9 +196,9 @@ data:
    redis_ping() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
        else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
        fi
    set -e
    }
@@ -226,7 +231,7 @@ data:

            if [ "$SENTINEL_PORT" -eq 0 ]; then
                echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                    echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                    echo "Setting defaults for this pod.."
                    setup_defaults
@@ -345,7 +350,7 @@ data:
    sentinel_get_master() {
    set +e
        if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
        else
            redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -454,9 +459,9 @@ data:
    redis_ping() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
        else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
        fi
    set -e
    }
@@ -489,7 +494,7 @@ data:

            if [ "$SENTINEL_PORT" -eq 0 ]; then
                echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                    echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                    echo "Setting defaults for this pod.."
                    setup_defaults
@@ -554,9 +559,9 @@ data:
    redis_role() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            ROLE=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
        else
-            ROLE=$(redis-cli  -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
        fi
    set -e
    }
@@ -564,9 +569,9 @@ data:
    identify_redis_master() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
        else
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
        fi
    set -e
    }
@@ -576,9 +581,9 @@ data:
        sh /readonly-config/init.sh

        if [ "$REDIS_PORT" -eq 0 ]; then
-            echo "shutdown" | redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key
        else
-            echo "shutdown" | redis-cli  -p "${REDIS_PORT}"
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}"
        fi
    set -e
    }
@@ -591,6 +596,7 @@ data:
        identify_announce_ip
    done

+    trap "exit 0" TERM
    while true; do
        sleep 60

@@ -674,6 +680,8 @@ data:
      mode tcp
      option tcp-check
      tcp-check connect
+      tcp-check send "AUTH ${AUTH}"\r\n
+      tcp-check expect string +OK
      tcp-check send PING\r\n
      tcp-check expect string +PONG
      tcp-check send info\ replication\r\n
@@ -730,6 +738,7 @@ data:
    get_redis_role() {
      is_master=$(
        redis-cli \
+          -a "${AUTH}" --no-auth-warning \
          -h localhost \
          -p 6379 \
          info | grep -c 'role:master' || true
@@ -766,12 +775,13 @@ metadata:
  labels:
    heritage: Helm
    release: argocd
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
    app: argocd-redis-ha
 data:
  redis_liveness.sh: |
    response=$(
      redis-cli \
+        -a "${AUTH}" --no-auth-warning \
        -h localhost \
        -p 6379 \
        ping
@@ -784,6 +794,7 @@ data:
  redis_readiness.sh: |
    response=$(
      redis-cli \
+        -a "${AUTH}" --no-auth-warning \
        -h localhost \
        -p 6379 \
        ping
@@ -816,7 +827,7 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
 rules:
 - apiGroups:
    - ""
@@ -835,7 +846,7 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
    component: argocd-redis-ha-haproxy
 rules:
 - apiGroups:
@@ -855,7 +866,7 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
 subjects:
 - kind: ServiceAccount
  name: argocd-redis-ha
@@ -874,7 +885,7 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
    component: argocd-redis-ha-haproxy
 subjects:
 - kind: ServiceAccount
@@ -894,9 +905,8 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
  publishNotReadyAddresses: true
  type: ClusterIP
@@ -924,9 +934,8 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
  publishNotReadyAddresses: true
  type: ClusterIP
@@ -954,9 +963,8 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
  publishNotReadyAddresses: true
  type: ClusterIP
@@ -984,7 +992,7 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
  annotations:
 spec:
  type: ClusterIP
@@ -1012,7 +1020,7 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
    component: argocd-redis-ha-haproxy
  annotations:
 spec:
@@ -1040,7 +1048,7 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
 spec:
  strategy:
    type: RollingUpdate
@@ -1056,12 +1064,11 @@ spec:
      labels:
        app: redis-ha-haproxy
        release: argocd
-        revision: "1"
      annotations:
        prometheus.io/port: "9101"
        prometheus.io/scrape: "true"
        prometheus.io/path: "/metrics"
-        checksum/config: 492a6adabb741e0cee39be9aa5155c41a4456629f862d0006a2d892dbecfbcae
+        checksum/config: e34e8124c38bcfd2f16e75620bbde30158686692b13bc449eecc44c51b207d54
    spec:
      # Needed when using unmodified rbac-setup.yml
      
@@ -1081,7 +1088,6 @@ spec:
                matchLabels:
                  app: redis-ha-haproxy
                  release: argocd
-                  revision: "1"
              topologyKey: kubernetes.io/hostname
      initContainers:
      - name: config-init
@@ -1119,6 +1125,12 @@ spec:
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
        livenessProbe:
          httpGet:
            path: /healthz
@@ -1167,7 +1179,7 @@ metadata:
    app: redis-ha
    heritage: "Helm"
    release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
  annotations:
    {}
 spec:
@@ -1183,7 +1195,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
+        checksum/init-config: 9d3c019a5ea1fd98ab5cde397d8eecd351da884f15e6ba346c607cb2446c2198
      labels:
        release: argocd
        app: redis-ha
@@ -1231,6 +1243,11 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
        volumeMounts:
        - name: config
          mountPath: /readonly-config
@@ -1244,9 +1261,9 @@ spec:
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        command:
-        - redis-server
+          - redis-server
        args:
-        - /data/conf/redis.conf
+          - /data/conf/redis.conf
        securityContext: 
          allowPrivilegeEscalation: false
          capabilities:
@@ -1256,6 +1273,12 @@ spec:
          runAsUser: 1000
          seccompProfile:
            type: RuntimeDefault
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
        livenessProbe:
          initialDelaySeconds: 30
          periodSeconds: 15
@@ -1313,6 +1336,12 @@ spec:
          runAsUser: 1000
          seccompProfile:
            type: RuntimeDefault
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
        livenessProbe:
          initialDelaySeconds: 30
          periodSeconds: 15
@@ -1371,6 +1400,11 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
        resources:
          {}
        volumeMounts:
--- a/manifests/ha/base/redis-ha/chart/values.yaml
+++ b/manifests/ha/base/redis-ha/chart/values.yaml
@@ -1,4 +1,7 @@
 redis-ha:
+  auth: true
+  authKey: auth
+  existingSecret: argocd-redis
  persistentVolume:
    enabled: false
  redis:
@@ -11,6 +14,7 @@ redis-ha:
    IPv6:
      enabled: false
    image:
+      repository: haproxy
      tag: 2.6.14-alpine
    containerSecurityContext: null
    timeout:
@@ -20,6 +24,7 @@ redis-ha:
    metrics:
      enabled: true
  image:
+    repository: redis
    tag: 7.0.14-alpine
  containerSecurityContext: null
  sentinel:
--- a/manifests/ha/base/redis-ha/kustomization.yaml
+++ b/manifests/ha/base/redis-ha/kustomization.yaml
@@ -20,7 +20,7 @@ patches:
    kind: ConfigMap
    name: argocd-redis-ha-configmap
    namespace: argocd
-  path: overlays/remove-namespace.yaml  
+  path: overlays/remove-namespace.yaml
 - target:
    version: v1
    group: ""
@@ -34,28 +34,28 @@ patches:
    kind: ServiceAccount
    name: argocd-redis-ha-haproxy
    namespace: argocd
-  path: overlays/remove-namespace.yaml 
+  path: overlays/remove-namespace.yaml
 - target:
    group: rbac.authorization.k8s.io
    version: v1
    kind: Role
    name: argocd-redis-ha
    namespace: argocd
-  path: overlays/remove-namespace.yaml 
+  path: overlays/remove-namespace.yaml
 - target:
    group: rbac.authorization.k8s.io
    version: v1
    kind: Role
    name: argocd-redis-ha-haproxy
    namespace: argocd
-  path: overlays/remove-namespace.yaml 
+  path: overlays/remove-namespace.yaml
 - target:
    group: rbac.authorization.k8s.io
    version: v1
    kind: RoleBinding
    name: argocd-redis-ha
    namespace: argocd
-  path: overlays/remove-namespace.yaml      
+  path: overlays/remove-namespace.yaml
 - target:
    group: rbac.authorization.k8s.io
    version: v1
@@ -294,3 +294,15 @@ patches:
    kind: StatefulSet
    name: argocd-redis-ha-server
  path: overlays/statefulset-containers-securityContext.yaml
+- target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: Role
+      name: argocd-redis-ha-haproxy
+  path: overlays/haproxy-role.yaml
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: argocd-redis-ha-haproxy
+  path: overlays/deployment-initContainers.yaml
--- a/manifests/ha/base/redis-ha/overlays/deployment-initContainers.yaml
+++ b/manifests/ha/base/redis-ha/overlays/deployment-initContainers.yaml
@@ -0,0 +1,16 @@
+- op: add
+  path: /spec/template/spec/initContainers/0
+  value:
+    name: secret-init
+    command: [ 'argocd', 'admin', 'redis-initial-password' ]
+    image: quay.io/argoproj/argocd:latest
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
--- a/manifests/ha/base/redis-ha/overlays/haproxy-role.yaml
+++ b/manifests/ha/base/redis-ha/overlays/haproxy-role.yaml
@@ -0,0 +1,20 @@
+- op: add
+  path: /rules/0
+  value:
+    apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - argocd-redis
+    verbs:
+      - get
+- op: add
+  path: /rules/0
+  value:
+    apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@@ -20710,6 +20710,8 @@ metadata:
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
+secrets:
+- name: argocd-redis
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -20940,6 +20942,20 @@ metadata:
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
 - apiGroups:
  - ""
  resources:
@@ -21384,7 +21400,7 @@ data:
    sentinel_get_master() {
    set +e
        if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
        else
            redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -21493,9 +21509,9 @@ data:
    redis_ping() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
        else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
        fi
    set -e
    }
@@ -21528,7 +21544,7 @@ data:

            if [ "$SENTINEL_PORT" -eq 0 ]; then
                echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                    echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                    echo "Setting defaults for this pod.."
                    setup_defaults
@@ -21593,9 +21609,9 @@ data:
    redis_role() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            ROLE=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
        else
-            ROLE=$(redis-cli  -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
        fi
    set -e
    }
@@ -21603,9 +21619,9 @@ data:
    identify_redis_master() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
        else
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
        fi
    set -e
    }
@@ -21615,9 +21631,9 @@ data:
        sh /readonly-config/init.sh

        if [ "$REDIS_PORT" -eq 0 ]; then
-            echo "shutdown" | redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key
        else
-            echo "shutdown" | redis-cli  -p "${REDIS_PORT}"
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}"
        fi
    set -e
    }
@@ -21630,6 +21646,7 @@ data:
        identify_announce_ip
    done

+    trap "exit 0" TERM
    while true; do
        sleep 60

@@ -21672,9 +21689,10 @@ data:
    decide redis backend to use\n#master\nfrontend ft_redis_master\n  bind :6379 \n
    \ use_backend bk_redis_master\n# Check all redis servers to see if they think
    they are master\nbackend bk_redis_master\n  mode tcp\n  option tcp-check\n  tcp-check
-    connect\n  tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check
-    send info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check
-    send QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
+    connect\n  tcp-check send \"AUTH ${AUTH}\"\\r\\n\n  tcp-check expect string +OK\n
+    \ tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check send
+    info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check send
+    QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
    } { nbsrv(check_if_redis_is_master_0) ge 2 }\n  server R0 argocd-redis-ha-announce-0:6379
    check inter 3s fall 1 rise 1\n  use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1)
    ge 2 }\n  server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise
@@ -21737,7 +21755,7 @@ data:
    sentinel_get_master() {
    set +e
        if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
        else
            redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -21846,9 +21864,9 @@ data:
    redis_ping() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
        else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
        fi
    set -e
    }
@@ -21881,7 +21899,7 @@ data:

            if [ "$SENTINEL_PORT" -eq 0 ]; then
                echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                    echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                    echo "Setting defaults for this pod.."
                    setup_defaults
@@ -21989,6 +22007,8 @@ data:
    rdbcompression yes
    repl-diskless-sync yes
    save ""
+    requirepass replace-default-auth
+    masterauth replace-default-auth
  sentinel.conf: |
    dir "/data"
    port 26379
@@ -21997,10 +22017,12 @@ data:
        sentinel failover-timeout argocd 180000
        maxclients 10000
        sentinel parallel-syncs argocd 5
+    sentinel auth-pass argocd replace-default-auth
  trigger-failover-if-master.sh: |
    get_redis_role() {
      is_master=$(
        redis-cli \
+          -a "${AUTH}" --no-auth-warning \
          -h localhost \
          -p 6379 \
          info | grep -c 'role:master' || true
@@ -22040,6 +22062,7 @@ data:
  redis_liveness.sh: |
    response=$(
      redis-cli \
+        -a "${AUTH}" --no-auth-warning \
        -h localhost \
        -p 6379 \
        ping
@@ -22052,6 +22075,7 @@ data:
  redis_readiness.sh: |
    response=$(
      redis-cli \
+        -a "${AUTH}" --no-auth-warning \
        -h localhost \
        -p 6379 \
        ping
@@ -22240,8 +22264,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
@@ -22266,8 +22288,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
@@ -22292,8 +22312,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
@@ -22547,7 +22565,7 @@ spec:
              key: applicationsetcontroller.enable.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -22670,7 +22688,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -22752,7 +22770,7 @@ spec:
              key: notificationscontroller.selfservice.enabled
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -22810,7 +22828,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/config: 492a6adabb741e0cee39be9aa5155c41a4456629f862d0006a2d892dbecfbcae
+        checksum/config: e34e8124c38bcfd2f16e75620bbde30158686692b13bc449eecc44c51b207d54
        prometheus.io/path: /metrics
        prometheus.io/port: "9101"
        prometheus.io/scrape: "true"
@@ -22826,7 +22844,13 @@ spec:
                app.kubernetes.io/name: argocd-redis-ha-haproxy
            topologyKey: kubernetes.io/hostname
      containers:
-      - image: haproxy:2.6.14-alpine
+      - env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: haproxy:2.6.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -22861,6 +22885,22 @@ spec:
        - mountPath: /run/haproxy
          name: shared-socket
      initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.2
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
      - args:
        - /readonly/haproxy_init.sh
        command:
@@ -22933,6 +22973,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-repo-server
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
@@ -23113,7 +23158,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -23165,7 +23210,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -23250,6 +23295,11 @@ spec:
        env:
        - name: ARGOCD_API_SERVER_REPLICAS
          value: "2"
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_SERVER_INSECURE
          valueFrom:
            configMapKeyRef:
@@ -23484,7 +23534,7 @@ spec:
              key: server.api.content.types
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -23596,6 +23646,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-application-controller
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -23778,7 +23833,7 @@ spec:
              key: controller.ignore.normalizer.jq.timeout
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
@@ -23838,7 +23893,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
+        checksum/init-config: 9d3c019a5ea1fd98ab5cde397d8eecd351da884f15e6ba346c607cb2446c2198
      labels:
        app.kubernetes.io/name: argocd-redis-ha
    spec:
@@ -23855,6 +23910,12 @@ spec:
        - /data/conf/redis.conf
        command:
        - redis-server
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle:
@@ -23909,6 +23970,12 @@ spec:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
@@ -23962,6 +24029,11 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: split-brain-fix
@@ -23992,6 +24064,11 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
@@ -24115,21 +24192,6 @@ kind: NetworkPolicy
 metadata:
  name: argocd-redis-ha-proxy-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 6379
-      protocol: TCP
-    - port: 26379
-      protocol: TCP
-    to:
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/name: argocd-redis-ha
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
  ingress:
  - from:
    - podSelector:
@@ -24151,7 +24213,6 @@ spec:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
  - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@@ -43,6 +43,8 @@ metadata:
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
+secrets:
+- name: argocd-redis
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -273,6 +275,20 @@ metadata:
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha-haproxy
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
 - apiGroups:
  - ""
  resources:
@@ -505,7 +521,7 @@ data:
    sentinel_get_master() {
    set +e
        if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
        else
            redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -614,9 +630,9 @@ data:
    redis_ping() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
        else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
        fi
    set -e
    }
@@ -649,7 +665,7 @@ data:

            if [ "$SENTINEL_PORT" -eq 0 ]; then
                echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                    echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                    echo "Setting defaults for this pod.."
                    setup_defaults
@@ -714,9 +730,9 @@ data:
    redis_role() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            ROLE=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
        else
-            ROLE=$(redis-cli  -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
        fi
    set -e
    }
@@ -724,9 +740,9 @@ data:
    identify_redis_master() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
        else
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
        fi
    set -e
    }
@@ -736,9 +752,9 @@ data:
        sh /readonly-config/init.sh

        if [ "$REDIS_PORT" -eq 0 ]; then
-            echo "shutdown" | redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key
        else
-            echo "shutdown" | redis-cli  -p "${REDIS_PORT}"
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}"
        fi
    set -e
    }
@@ -751,6 +767,7 @@ data:
        identify_announce_ip
    done

+    trap "exit 0" TERM
    while true; do
        sleep 60

@@ -793,9 +810,10 @@ data:
    decide redis backend to use\n#master\nfrontend ft_redis_master\n  bind :6379 \n
    \ use_backend bk_redis_master\n# Check all redis servers to see if they think
    they are master\nbackend bk_redis_master\n  mode tcp\n  option tcp-check\n  tcp-check
-    connect\n  tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check
-    send info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check
-    send QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
+    connect\n  tcp-check send \"AUTH ${AUTH}\"\\r\\n\n  tcp-check expect string +OK\n
+    \ tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check send
+    info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check send
+    QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
    } { nbsrv(check_if_redis_is_master_0) ge 2 }\n  server R0 argocd-redis-ha-announce-0:6379
    check inter 3s fall 1 rise 1\n  use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1)
    ge 2 }\n  server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise
@@ -858,7 +876,7 @@ data:
    sentinel_get_master() {
    set +e
        if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
            grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
        else
            redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -967,9 +985,9 @@ data:
    redis_ping() {
    set +e
        if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
        else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
        fi
    set -e
    }
@@ -1002,7 +1020,7 @@ data:

            if [ "$SENTINEL_PORT" -eq 0 ]; then
                echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                    echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                    echo "Setting defaults for this pod.."
                    setup_defaults
@@ -1110,6 +1128,8 @@ data:
    rdbcompression yes
    repl-diskless-sync yes
    save ""
+    requirepass replace-default-auth
+    masterauth replace-default-auth
  sentinel.conf: |
    dir "/data"
    port 26379
@@ -1118,10 +1138,12 @@ data:
        sentinel failover-timeout argocd 180000
        maxclients 10000
        sentinel parallel-syncs argocd 5
+    sentinel auth-pass argocd replace-default-auth
  trigger-failover-if-master.sh: |
    get_redis_role() {
      is_master=$(
        redis-cli \
+          -a "${AUTH}" --no-auth-warning \
          -h localhost \
          -p 6379 \
          info | grep -c 'role:master' || true
@@ -1161,6 +1183,7 @@ data:
  redis_liveness.sh: |
    response=$(
      redis-cli \
+        -a "${AUTH}" --no-auth-warning \
        -h localhost \
        -p 6379 \
        ping
@@ -1173,6 +1196,7 @@ data:
  redis_readiness.sh: |
    response=$(
      redis-cli \
+        -a "${AUTH}" --no-auth-warning \
        -h localhost \
        -p 6379 \
        ping
@@ -1361,8 +1385,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
@@ -1387,8 +1409,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
@@ -1413,8 +1433,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
@@ -1668,7 +1686,7 @@ spec:
              key: applicationsetcontroller.enable.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -1791,7 +1809,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -1873,7 +1891,7 @@ spec:
              key: notificationscontroller.selfservice.enabled
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -1931,7 +1949,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/config: 492a6adabb741e0cee39be9aa5155c41a4456629f862d0006a2d892dbecfbcae
+        checksum/config: e34e8124c38bcfd2f16e75620bbde30158686692b13bc449eecc44c51b207d54
        prometheus.io/path: /metrics
        prometheus.io/port: "9101"
        prometheus.io/scrape: "true"
@@ -1947,7 +1965,13 @@ spec:
                app.kubernetes.io/name: argocd-redis-ha-haproxy
            topologyKey: kubernetes.io/hostname
      containers:
-      - image: haproxy:2.6.14-alpine
+      - env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: haproxy:2.6.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -1982,6 +2006,22 @@ spec:
        - mountPath: /run/haproxy
          name: shared-socket
      initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.2
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
      - args:
        - /readonly/haproxy_init.sh
        command:
@@ -2054,6 +2094,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-repo-server
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
@@ -2234,7 +2279,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -2286,7 +2331,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -2371,6 +2416,11 @@ spec:
        env:
        - name: ARGOCD_API_SERVER_REPLICAS
          value: "2"
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_SERVER_INSECURE
          valueFrom:
            configMapKeyRef:
@@ -2605,7 +2655,7 @@ spec:
              key: server.api.content.types
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -2717,6 +2767,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-application-controller
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -2899,7 +2954,7 @@ spec:
              key: controller.ignore.normalizer.jq.timeout
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
@@ -2959,7 +3014,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
+        checksum/init-config: 9d3c019a5ea1fd98ab5cde397d8eecd351da884f15e6ba346c607cb2446c2198
      labels:
        app.kubernetes.io/name: argocd-redis-ha
    spec:
@@ -2976,6 +3031,12 @@ spec:
        - /data/conf/redis.conf
        command:
        - redis-server
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle:
@@ -3030,6 +3091,12 @@ spec:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
@@ -3083,6 +3150,11 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: split-brain-fix
@@ -3113,6 +3185,11 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
@@ -3236,21 +3313,6 @@ kind: NetworkPolicy
 metadata:
  name: argocd-redis-ha-proxy-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 6379
-      protocol: TCP
-    - port: 26379
-      protocol: TCP
-    to:
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/name: argocd-redis-ha
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
  ingress:
  - from:
    - podSelector:
@@ -3272,7 +3334,6 @@ spec:
      app.kubernetes.io/name: argocd-redis-ha-haproxy
  policyTypes:
  - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -20908,6 +20908,30 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
  labels:
    app.kubernetes.io/component: server
@@ -21177,6 +21201,22 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-redis
+subjects:
+- kind: ServiceAccount
+  name: argocd-redis
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/component: server
@@ -21642,7 +21682,7 @@ spec:
              key: applicationsetcontroller.enable.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -21765,7 +21805,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -21847,7 +21887,7 @@ spec:
              key: notificationscontroller.selfservice.enabled
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -21924,6 +21964,13 @@ spec:
        - ""
        - --appendonly
        - "no"
+        - --requirepass $(REDIS_PASSWORD)
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: Always
        name: redis
@@ -21935,6 +21982,23 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+      initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.2
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
@@ -21979,6 +22043,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-repo-server
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
@@ -22159,7 +22228,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -22211,7 +22280,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -22294,6 +22363,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-server
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_SERVER_INSECURE
          valueFrom:
            configMapKeyRef:
@@ -22528,7 +22602,7 @@ spec:
              key: server.api.content.types
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -22640,6 +22714,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-application-controller
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -22822,7 +22901,7 @@ spec:
              key: controller.ignore.normalizer.jq.timeout
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
@@ -22951,12 +23030,6 @@ kind: NetworkPolicy
 metadata:
  name: argocd-redis-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
  ingress:
  - from:
    - podSelector:
@@ -22976,7 +23049,6 @@ spec:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
  - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -241,6 +241,30 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
  labels:
    app.kubernetes.io/component: server
@@ -349,6 +373,22 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-redis
+subjects:
+- kind: ServiceAccount
+  name: argocd-redis
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
  labels:
    app.kubernetes.io/component: server
@@ -763,7 +803,7 @@ spec:
              key: applicationsetcontroller.enable.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -886,7 +926,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -968,7 +1008,7 @@ spec:
              key: notificationscontroller.selfservice.enabled
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -1045,6 +1085,13 @@ spec:
        - ""
        - --appendonly
        - "no"
+        - --requirepass $(REDIS_PASSWORD)
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        image: redis:7.0.14-alpine
        imagePullPolicy: Always
        name: redis
@@ -1056,6 +1103,23 @@ spec:
            drop:
            - ALL
          readOnlyRootFilesystem: true
+      initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.2
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
@@ -1100,6 +1164,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-repo-server
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
@@ -1280,7 +1349,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -1332,7 +1401,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -1415,6 +1484,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-server
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_SERVER_INSECURE
          valueFrom:
            configMapKeyRef:
@@ -1649,7 +1723,7 @@ spec:
              key: server.api.content.types
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -1761,6 +1835,11 @@ spec:
      - args:
        - /usr/local/bin/argocd-application-controller
        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
        - name: ARGOCD_CONTROLLER_REPLICAS
          value: "1"
        - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -1943,7 +2022,7 @@ spec:
              key: controller.ignore.normalizer.jq.timeout
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.2
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
@@ -2072,12 +2151,6 @@ kind: NetworkPolicy
 metadata:
  name: argocd-redis-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
  ingress:
  - from:
    - podSelector:
@@ -2097,7 +2170,6 @@ spec:
      app.kubernetes.io/name: argocd-redis
  policyTypes:
  - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
--- a/reposerver/repository/repository_test.go
+++ b/reposerver/repository/repository_test.go
@@ -205,7 +205,7 @@ func TestGenerateYamlManifestInDir(t *testing.T) {
 	}

 	// update this value if we add/remove manifests
-	const countOfManifests = 48
+	const countOfManifests = 50

 	res1, err := service.GenerateManifest(context.Background(), &q)

--- a/reposerver/server.go
+++ b/reposerver/server.go
@@ -70,13 +70,13 @@ func NewServer(metricsServer *metrics.MetricsServer, cache *reposervercache.Cach

 	serverLog := log.NewEntry(log.StandardLogger())
 	streamInterceptors := []grpc.StreamServerInterceptor{
-		otelgrpc.StreamServerInterceptor(),
+		otelgrpc.StreamServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.StreamServerInterceptor(serverLog),
 		grpc_prometheus.StreamServerInterceptor,
 		grpc_util.PanicLoggerStreamServerInterceptor(serverLog),
 	}
 	unaryInterceptors := []grpc.UnaryServerInterceptor{
-		otelgrpc.UnaryServerInterceptor(),
+		otelgrpc.UnaryServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.UnaryServerInterceptor(serverLog),
 		grpc_prometheus.UnaryServerInterceptor,
 		grpc_util.PanicLoggerUnaryServerInterceptor(serverLog),
--- a/server/application/application.go
+++ b/server/application/application.go
@@ -2139,7 +2139,12 @@ func (s *Server) resolveRevision(ctx context.Context, app *appv1.Application, sy

 	ambiguousRevision := getAmbiguousRevision(app, syncReq, sourceIndex)

-	repo, err := s.db.GetRepository(ctx, app.Spec.GetSource().RepoURL)
+	repoUrl := app.Spec.GetSource().RepoURL
+	if app.Spec.HasMultipleSources() {
+		repoUrl = app.Spec.Sources[sourceIndex].RepoURL
+	}
+
+	repo, err := s.db.GetRepository(ctx, repoUrl)
 	if err != nil {
 		return "", "", fmt.Errorf("error getting repository by URL: %w", err)
 	}
--- a/server/server.go
+++ b/server/server.go
@@ -771,7 +771,7 @@ func (a *ArgoCDServer) newGRPCServer() (*grpc.Server, application.AppResourceTre
 	// NOTE: notice we do not configure the gRPC server here with TLS (e.g. grpc.Creds(creds))
 	// This is because TLS handshaking occurs in cmux handling
 	sOpts = append(sOpts, grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(
-		otelgrpc.StreamServerInterceptor(),
+		otelgrpc.StreamServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.StreamServerInterceptor(a.log),
 		grpc_prometheus.StreamServerInterceptor,
 		grpc_auth.StreamServerInterceptor(a.Authenticate),
@@ -785,7 +785,7 @@ func (a *ArgoCDServer) newGRPCServer() (*grpc.Server, application.AppResourceTre
 	)))
 	sOpts = append(sOpts, grpc.UnaryInterceptor(grpc_middleware.ChainUnaryServer(
 		bug21955WorkaroundInterceptor,
-		otelgrpc.UnaryServerInterceptor(),
+		otelgrpc.UnaryServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.UnaryServerInterceptor(a.log),
 		grpc_prometheus.UnaryServerInterceptor,
 		grpc_auth.UnaryServerInterceptor(a.Authenticate),
--- a/test/e2e/sync_options_test.go
+++ b/test/e2e/sync_options_test.go
@@ -127,3 +127,22 @@ func TestSyncWithSkipHook(t *testing.T) {
 		Then().
 		Expect(SyncStatusIs(SyncStatusCodeOutOfSync))
 }
+
+func TestSyncWithForceReplace(t *testing.T) {
+	Given(t).
+		Path(guestbookPath).
+		When().
+		CreateApp().
+		Sync().
+		Then().
+		Expect(SyncStatusIs(SyncStatusCodeSynced)).
+		// app having `Replace=true` and `Force=true` annotation should sync succeed if change in immutable field
+		When().
+		PatchFile("guestbook-ui-deployment.yaml", `[{ "op": "add", "path": "/metadata/annotations", "value": { "argocd.argoproj.io/sync-options": "Force=true,Replace=true" }}]`).
+		PatchFile("guestbook-ui-deployment.yaml", `[{ "op": "add", "path": "/spec/selector/matchLabels/env", "value": "e2e" }, { "op": "add", "path": "/spec/template/metadata/labels/env", "value": "e2e" }]`).
+		PatchFile("guestbook-ui-deployment.yaml", `[{ "op": "replace", "path": "/spec/replicas", "value": 1 }]`).
+		Refresh(RefreshTypeNormal).
+		Sync().
+		Then().
+		Expect(SyncStatusIs(SyncStatusCodeSynced))
+}
--- a/ui/src/app/applications/components/application-status-panel/application-status-panel.tsx
+++ b/ui/src/app/applications/components/application-status-panel/application-status-panel.tsx
@@ -107,16 +107,20 @@ export const ApplicationStatusPanel = ({application, showDiff, showOperation, sh
                    <div className='application-status-panel__item-name' style={{marginBottom: '0.5em'}}>
                        {application.spec.syncPolicy?.automated ? 'Auto sync is enabled.' : 'Auto sync is not enabled.'}
                    </div>
-                    {application.status && application.status.sync && application.status.sync.revision && !application.spec.source.chart && (
-                        <div className='application-status-panel__item-name'>
-                            <RevisionMetadataPanel
-                                appName={application.metadata.name}
-                                appNamespace={application.metadata.namespace}
-                                type={source.chart && 'helm'}
-                                revision={application.status.sync.revision}
-                            />
-                        </div>
-                    )}
+                    {application.status &&
+                        application.status.sync &&
+                        (hasMultipleSources
+                            ? application.status.sync.revisions && application.status.sync.revisions[0] && application.spec.sources && !application.spec.sources[0].chart
+                            : application.status.sync.revision && !application.spec.source?.chart) && (
+                            <div className='application-status-panel__item-name'>
+                                <RevisionMetadataPanel
+                                    appName={application.metadata.name}
+                                    appNamespace={application.metadata.namespace}
+                                    type={source.chart && 'helm'}
+                                    revision={hasMultipleSources ? application.status.sync.revisions[0] : application.status.sync.revision}
+                                />
+                            </div>
+                        )}
                </React.Fragment>
            </div>
            {appOperationState && (
--- a/util/grpc/trace.go
+++ b/util/grpc/trace.go
@@ -17,8 +17,8 @@ var (
 // see https://github.com/open-telemetry/opentelemetry-go-contrib/issues/4226 for details
 func ensureInitialized() {
 	interceptorsInitialized.Do(func() {
-		otelUnaryInterceptor = otelgrpc.UnaryClientInterceptor()
-		otelStreamInterceptor = otelgrpc.StreamClientInterceptor()
+		otelUnaryInterceptor = otelgrpc.UnaryClientInterceptor()   //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
+		otelStreamInterceptor = otelgrpc.StreamClientInterceptor() //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 	})
 }
Author	SHA1	Message	Date
github-actions[bot]	25f7504ecc	Bump version to 2.11.2 (#18384 ) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: pasha-codefresh <39732895+pasha-codefresh@users.noreply.github.com>	2024-05-23 16:29:33 +03:00
gcp-cherry-pick-bot[bot]	2b463d4103	fix: remove Egress NetworkPolicy for argocd-redis and argocd-redis-ha-haproxy (#18367 ) (#18372 ) * fix: runing local failed * fix: Redis egress removal --------- Signed-off-by: xiaowu.zhu <xiaowu.zhu@daocloud.io> Signed-off-by: May Zhang <may_zhang@intuit.com> Co-authored-by: May Zhang <may_zhang@intuit.com> Co-authored-by: yyzxw <1020938856@qq.com>	2024-05-22 19:48:08 -04:00
Michael Crenshaw	9d58e7e330	fix: revert registry change (#18328 ) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>	2024-05-21 13:52:51 -04:00
gcp-cherry-pick-bot[bot]	212a6ed05a	fix(deps): upgrade otel dependency (#18285 ) (#18324 ) Signed-off-by: Justin Marquis <justin@akuity.io> Co-authored-by: Justin Marquis <76892343+34fathombelow@users.noreply.github.com> Co-authored-by: Soumya Ghosh Dastidar <44349253+gdsoumya@users.noreply.github.com>	2024-05-21 10:48:11 -07:00
Michael Crenshaw	140ffdda4d	docs: add v2.11 notes to upgrading page (#18333 ) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>	2024-05-21 07:27:01 -10:00
gcp-cherry-pick-bot[bot]	47e7470726	chore(ci): fix release notes (#18132 ) (#18330 ) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>	2024-05-21 12:53:13 -04:00
github-actions[bot]	9f40df0c29	Bump version to 2.11.1 (#18319 ) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: pasha-codefresh <39732895+pasha-codefresh@users.noreply.github.com>	2024-05-21 16:44:13 +03:00
Leonardo Luz Almeida	6ef7b62a0f	Merge pull request from GHSA-9766-5277-j5hr * fix: Enable Redis authentication in the default installation Signed-off-by: May Zhang <may_zhang@intuit.com> * chore: fix git_test unit test Signed-off-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com> --------- Signed-off-by: May Zhang <may_zhang@intuit.com> Signed-off-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com> Co-authored-by: May Zhang <may_zhang@intuit.com>	2024-05-21 16:23:09 +03:00
Leonardo Luz Almeida	f1a449e83e	Merge pull request from GHSA-9766-5277-j5hr * fix: Enable Redis authentication in the default installation Signed-off-by: May Zhang <may_zhang@intuit.com> * chore: fix git_test unit test Signed-off-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com> --------- Signed-off-by: May Zhang <may_zhang@intuit.com> Signed-off-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com> Co-authored-by: May Zhang <may_zhang@intuit.com>	2024-05-21 16:22:43 +03:00
Keith Chong	6530c6fede	fix: UI MultiSource - Helm Chart with values.yaml (#18188 ) (#18200 ) Signed-off-by: Keith Chong <kykchong@redhat.com>	2024-05-20 08:26:42 -04:00
gcp-cherry-pick-bot[bot]	786e141047	fix: copy visited map #11699 (#12667 ) (#18219 ) This commit fixed an issue #11699 that caused a warning even if the cycle didn't exist. Fix false cycle discovery by copying the visited resource map before recursively calling of getAppRecursive. Fixes #11699 Signed-off-by: Arata Furukawa <old.river.new@gmail.com> Co-authored-by: Arata Furukawa <old.river.new@gmail.com> Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com>	2024-05-20 13:28:17 +03:00
gcp-cherry-pick-bot[bot]	37dd289240	update resolveRevision to use the correct source for multi-source app (#18194 ) (#18202 ) Co-authored-by: Ishita Sequeira <46771830+ishitasequeira@users.noreply.github.com>	2024-05-20 11:15:55 +03:00
gcp-cherry-pick-bot[bot]	eee5c06eff	Fix logging hash with multiple sources (#18189 ) (#18193 ) Signed-off-by: onee-only <kimww0306@gmail.com> Co-authored-by: onee-only <kimww0306@gmail.com>	2024-05-20 11:14:34 +03:00
gcp-cherry-pick-bot[bot]	4621b3b528	chore(deps): upgrade helm to 3.14.4 (#18255 ) (#18286 ) * chore(deps): upgrade helm to 3.14.4 * place checksums where they belong --------- Signed-off-by: Justin Marquis <justin@akuity.io> Co-authored-by: Justin Marquis <76892343+34fathombelow@users.noreply.github.com> Co-authored-by: Dan Garfield <dan@codefresh.io>	2024-05-20 11:13:29 +03:00
Ishita Sequeira	faeede3dc3	chore(deps): cherry-pick bump protobuf #17788 (#18284 ) Signed-off-by: ishitasequeira <ishiseq29@gmail.com>	2024-05-20 10:14:30 +03:00
pasha-codefresh	dd4ee83442	chore: update gitops engine for force sync option (#5882 ) - 2.11 (#18125 ) Signed-off-by: pashakostohrys <pavel@codefresh.io> Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com>	2024-05-08 18:08:25 +03:00
@@ -1 +1 @@
 .11.0
 .11.2
				`@@ -0,0 +1 @@`
				`73434aeac36ad068ce2e5582b8851a286dc628eae16494a26e2ad0b24a7199f9 helm-v3.14.4-darwin-amd64.tar.gz`
				`@@ -0,0 +1 @@`
				`61e9c5455f06b2ad0a1280975bf65892e707adc19d766b0cf4e9006e3b7b4b6c helm-v3.14.4-darwin-arm64.tar.gz`
				`@@ -0,0 +1 @@`
				`a5844ef2c38ef6ddf3b5a8f7d91e7e0e8ebc39a38bb3fc8013d629c1ef29c259 helm-v3.14.4-linux-amd64.tar.gz`
				`@@ -0,0 +1 @@`
				`113ccc53b7c57c2aba0cd0aa560b5500841b18b5210d78641acfddc53dac8ab2 helm-v3.14.4-linux-arm64.tar.gz`
				`@@ -0,0 +1 @@`
				`d0d625b43f6650ad376428520b2238baa2400bfedb43b2e0f24ad7247f0f59b5 helm-v3.14.4-linux-ppc64le.tar.gz`
				`@@ -0,0 +1 @@`
				`a5750d0cb1ba34ce84ab3be6382a14617130661d15dd2aa1b36630b293437936 helm-v3.14.4-linux-s390x.tar.gz`