Bump version to 3.3.4 on release-3.3 branch (#26854)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: reggie-k <19544836+reggie-k@users.noreply.github.com>

VERSION

@@ -1 +1 @@
-3.3.3
+3.3.4

docs/operator-manual/applicationset/Generators-Cluster.md

@@ -152,14 +152,14 @@ spec:
   - clusters:
       selector:
         matchLabels:
-          argocd.argoproj.io/kubernetes-version: 1.28
+          argocd.argoproj.io/kubernetes-version: v1.28.1
         # matchExpressions are also supported.
         #matchExpressions:
         #  - key: argocd.argoproj.io/kubernetes-version
         #    operator: In
         #    values:
-        #      - "1.27"
-        #      - "1.28"
+        #      - "v1.27.1"
+        #      - "v1.28.1"
 ```
 
 ### Pass additional key-value pairs via `values` field

docs/operator-manual/upgrading/3.2-3.3.md

@@ -73,6 +73,26 @@ This design change improves repository cleanliness, reduces unnecessary commit n
   Review your automation workflows and repository maintenance scripts to ensure that old or unwanted files in application paths are cleaned up if necessary. Consider implementing a periodic manual or automated cleanup procedure if your use case requires it.
 - For more details on current behavior, see the [Source Hydrator user guide](../../user-guide/source-hydrator.md).
 
+### Cluster version format change
+
+**New behavior:**
+
+3.3.3 now stores the cluster version in a more detailed format, `vMajor.Minor.Patch` compared to the previous format `Major.Minor`. 
+
+This change is aligning how ArgoCD interprets K8s cluster version with how Helm `3.19.0` and above interprets it.    
+
+This change makes it easier to compare versions and to support future features. It also allows for more accurate version comparisons and better compatibility with future Kubernetes releases. 
+
+
+**Impact:**
+
+Application Sets with Cluster Generators, that fetch clusters based on their Kubernetes version and use `argocd.argoproj.io/auto-label-cluster-info` on the cluster secret, need to be updated to use `argocd.argoproj.io/kubernetes-version` with the `vMajor.Minor.Patch` format instead of the previous `Major.Minor` format. 
+More details [here](../applicationset/Generators-Cluster.md#fetch-clusters-based-on-their-k8s-version).
+
+Additionally, API, UI and CLI commands that retrieve cluster information now return the version in the `vMajor.Minor.Patch` format.
+
+The env variable $KUBE_VERSION that is used with Argo CD CMP Plugins remains unchanged and returns the version in `Major.Minor.Patch` format, so CMP Plugins are not impacted.
+
 ### Anonymous call to Settings API returns fewer fields
 
 The Settings API now returns less information when accessed anonymously.
@@ -92,8 +112,7 @@ removed in a future release.
 
 ## Helm Upgraded to 3.19.4
 
-Argo CD v3.3 upgrades the bundled Helm version to 3.19.4. There are no breaking changes in Helm 3.19.4 according to the
-[release notes](https://github.com/helm/helm/releases/tag/v3.19.0).
+Argo CD v3.3 upgrades the bundled Helm version to 3.19.4. This Helm release interprets K8s version in a semantic version format of `vMajor.Minor.Patch`, instead of the previous `vMajor.Minor` format. This led to a breaking change in Argo CD described [above](#cluster-version-format-change).
 
 ## Kustomize Upgraded to 5.8.1
 

go.mod

@@ -90,9 +90,9 @@ require (
 	github.com/yuin/gopher-lua v1.1.1
 	gitlab.com/gitlab-org/api/client-go v1.8.1
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0
-	go.opentelemetry.io/otel v1.38.0
+	go.opentelemetry.io/otel v1.40.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0
-	go.opentelemetry.io/otel/sdk v1.38.0
+	go.opentelemetry.io/otel/sdk v1.40.0
 	golang.org/x/crypto v0.46.0
 	golang.org/x/net v0.48.0
 	golang.org/x/oauth2 v0.34.0
@@ -275,13 +275,13 @@ require (
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
-	go.opentelemetry.io/otel/metric v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.7.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
 	golang.org/x/tools/go/expect v0.1.1-deprecated // indirect

go.sum

@@ -940,20 +940,20 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.6
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.63.0/go.mod h1:fvPi2qXDqFs8M4B4fmJhE92TyQs9Ydjlg3RvfUp+NbQ=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 h1:CV7UdSGJt/Ao6Gp4CXckLxVRRsRgDHoI8XjbL3PDl8s=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0/go.mod h1:FRmFuRJfag1IZ2dPkHnEoSFVgTVPUd2qf5Vi69hLb8I=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
+go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
+go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
+go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
+go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
+go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
+go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
+go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
+go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
 go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
 go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -1222,8 +1222,8 @@ golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20250710130107-8d8967aff50b/go.mod h1:4ZwOYna0/zsOKwuR5X/m0QFOJpSZvAxFfkQT+Erd9D4=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

hack/installers/checksums/git-lfs-linux-ppc64le-v3.7.1.tar.gz.sha256

@@ -0,0 +1 @@
+100fbefdd86722dafd56737121510289ece9574c7bb8ec01b4633f8892acc427  git-lfs-linux-ppc64le-v3.7.1.tar.gz

hack/installers/checksums/git-lfs-linux-s390x-v3.7.1.tar.gz.sha256

@@ -0,0 +1 @@
+d4b68db5d7cc34395b8d6c392326aeff98a297bde2053625560df6c76eb97c69  git-lfs-linux-s390x-v3.7.1.tar.gz

manifests/base/commit-server/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.3.3
+  newTag: v3.3.4

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.3.3
+  newTag: v3.3.4
 resources:
 - ./application-controller
 - ./dex

manifests/core-install-with-hydrator.yaml

@@ -31273,7 +31273,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -31408,7 +31408,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -31536,7 +31536,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -31833,7 +31833,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -31886,7 +31886,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -32234,7 +32234,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install.yaml

@@ -31241,7 +31241,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -31370,7 +31370,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -31667,7 +31667,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -31720,7 +31720,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -32068,7 +32068,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.3.3
+  newTag: v3.3.4

manifests/ha/base/kustomization.yaml

@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.3.3
+  newTag: v3.3.4
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/install-with-hydrator.yaml

@@ -32639,7 +32639,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -32774,7 +32774,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -32925,7 +32925,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -33021,7 +33021,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -33145,7 +33145,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -33468,7 +33468,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -33521,7 +33521,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -33895,7 +33895,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -34279,7 +34279,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/install.yaml

@@ -32609,7 +32609,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -32761,7 +32761,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -32857,7 +32857,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -32981,7 +32981,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -33304,7 +33304,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -33357,7 +33357,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -33731,7 +33731,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -34115,7 +34115,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install-with-hydrator.yaml

@@ -1897,7 +1897,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -2032,7 +2032,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2183,7 +2183,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2279,7 +2279,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2403,7 +2403,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2726,7 +2726,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2779,7 +2779,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -3153,7 +3153,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3537,7 +3537,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install.yaml

@@ -1867,7 +1867,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -2019,7 +2019,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2115,7 +2115,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2239,7 +2239,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2562,7 +2562,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2615,7 +2615,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2989,7 +2989,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3373,7 +3373,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install-with-hydrator.yaml

@@ -31717,7 +31717,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -31852,7 +31852,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -32003,7 +32003,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -32099,7 +32099,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -32201,7 +32201,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -32498,7 +32498,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -32551,7 +32551,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -32923,7 +32923,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -33307,7 +33307,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install.yaml

@@ -31685,7 +31685,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -31837,7 +31837,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -31933,7 +31933,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -32035,7 +32035,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -32332,7 +32332,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -32385,7 +32385,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -32757,7 +32757,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -33141,7 +33141,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install-with-hydrator.yaml

@@ -975,7 +975,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1110,7 +1110,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1261,7 +1261,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1357,7 +1357,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1459,7 +1459,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1756,7 +1756,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1809,7 +1809,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2181,7 +2181,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2565,7 +2565,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -943,7 +943,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1095,7 +1095,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1191,7 +1191,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1293,7 +1293,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1590,7 +1590,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1643,7 +1643,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2015,7 +2015,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2399,7 +2399,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.3
+        image: quay.io/argoproj/argocd:v3.3.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

server/server.go

@@ -1570,14 +1570,15 @@ func (server *ArgoCDServer) getClaims(ctx context.Context) (jwt.Claims, string,
 	}
 
 	finalClaims := claims
-	if server.settings.IsSSOConfigured() {
+	oidcConfig := server.settings.OIDCConfig()
+	if oidcConfig != nil || server.settings.IsDexConfigured() {
 		updatedClaims, err := server.ssoClientApp.SetGroupsFromUserInfo(ctx, claims, util_session.SessionManagerClaimsIssuer)
 		if err != nil {
 			return claims, "", status.Errorf(codes.Unauthenticated, "invalid session: %v", err)
 		}
 		finalClaims = updatedClaims
 		// OIDC tokens are automatically refreshed here prior to expiration
-		refreshedToken, err := server.ssoClientApp.CheckAndRefreshToken(ctx, updatedClaims, server.settings.OIDCRefreshTokenThreshold)
+		refreshedToken, err := server.ssoClientApp.CheckAndRefreshToken(ctx, updatedClaims, server.settings.RefreshTokenThresholdWithConfig(oidcConfig))
 		if err != nil {
 			log.Errorf("error checking and refreshing token: %v", err)
 		}

util/oidc/oidc.go

@@ -187,7 +187,7 @@ func NewClientApp(settings *settings.ArgoCDSettings, dexServerAddr string, dexTL
 		encryptionKey:            encryptionKey,
 		clientCache:              cacheClient,
 		azure:                    azureApp{mtx: &sync.RWMutex{}},
-		refreshTokenThreshold:    settings.OIDCRefreshTokenThreshold,
+		refreshTokenThreshold:    settings.RefreshTokenThreshold(),
 	}
 	log.Infof("Creating client app (%s)", a.clientID)
 	u, err := url.Parse(settings.URL)

util/settings/settings.go

@@ -136,9 +136,6 @@ type ArgoCDSettings struct {
 	// token verification to pass despite the OIDC provider having an invalid certificate. Only set to `true` if you
 	// understand the risks.
 	OIDCTLSInsecureSkipVerify bool `json:"oidcTLSInsecureSkipVerify"`
-	// OIDCRefreshTokenThreshold sets the threshold for preemptive server-side token refresh.  If set to 0, tokens
-	// will not be refreshed and will expire before client is redirected to login.
-	OIDCRefreshTokenThreshold time.Duration `json:"oidcRefreshTokenThreshold,omitempty"`
 	// AppsInAnyNamespaceEnabled indicates whether applications are allowed to be created in any namespace
 	AppsInAnyNamespaceEnabled bool `json:"appsInAnyNamespaceEnabled"`
 	// ExtensionConfig configurations related to ArgoCD proxy extensions. The keys are the extension name.
@@ -1464,7 +1461,6 @@ func getDownloadBinaryUrlsFromConfigMap(argoCDCM *corev1.ConfigMap) map[string]s
 func updateSettingsFromConfigMap(settings *ArgoCDSettings, argoCDCM *corev1.ConfigMap) {
 	settings.DexConfig = argoCDCM.Data[settingDexConfigKey]
 	settings.OIDCConfigRAW = argoCDCM.Data[settingsOIDCConfigKey]
-	settings.OIDCRefreshTokenThreshold = settings.RefreshTokenThreshold()
 	settings.KustomizeBuildOptions = argoCDCM.Data[kustomizeBuildOptionsKey]
 	settings.StatusBadgeEnabled = argoCDCM.Data[statusBadgeEnabledKey] == "true"
 	settings.StatusBadgeRootUrl = argoCDCM.Data[statusBadgeRootURLKey]
@@ -1917,7 +1913,12 @@ func (a *ArgoCDSettings) UserInfoCacheExpiration() time.Duration {
 
 // RefreshTokenThreshold returns the duration before token expiration that a token should be refreshed by the server
 func (a *ArgoCDSettings) RefreshTokenThreshold() time.Duration {
-	if oidcConfig := a.OIDCConfig(); oidcConfig != nil && oidcConfig.RefreshTokenThreshold != "" {
+	return a.RefreshTokenThresholdWithConfig(a.OIDCConfig())
+}
+
+// RefreshTokenThresholdWithConfig takes oidcConfig as param and returns the duration before token expiration that a token should be refreshed by the server
+func (a *ArgoCDSettings) RefreshTokenThresholdWithConfig(oidcConfig *OIDCConfig) time.Duration {
+	if oidcConfig != nil && oidcConfig.RefreshTokenThreshold != "" {
 		refreshTokenThreshold, err := time.ParseDuration(oidcConfig.RefreshTokenThreshold)
 		if err != nil {
 			log.Warnf("Failed to parse 'oidc.config.refreshTokenThreshold' key: %v", err)