fix: pass repo.insecure flag to helm dependency build (cherry-pick #27078 for 3.4) (#27082)

Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com>

VERSION

@@ -1 +1 @@
-3.4.0-rc3
+3.4.0-rc4

manifests/base/commit-server/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.4.0-rc3
+  newTag: v3.4.0-rc4

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.4.0-rc3
+  newTag: v3.4.0-rc4
 resources:
 - ./application-controller
 - ./dex

manifests/core-install-with-hydrator.yaml

@@ -31332,7 +31332,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -31473,7 +31473,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -31601,7 +31601,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -31910,7 +31910,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -31963,7 +31963,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -32366,7 +32366,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install.yaml

@@ -31300,7 +31300,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -31429,7 +31429,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -31738,7 +31738,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -31791,7 +31791,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -32194,7 +32194,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.4.0-rc3
+  newTag: v3.4.0-rc4

manifests/ha/base/kustomization.yaml

@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.4.0-rc3
+  newTag: v3.4.0-rc4
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/install-with-hydrator.yaml

@@ -32758,7 +32758,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -32899,7 +32899,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -33057,7 +33057,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -33159,7 +33159,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -33283,7 +33283,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -33618,7 +33618,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -33671,7 +33671,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -34100,7 +34100,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -34532,7 +34532,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/install.yaml

@@ -32728,7 +32728,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -32887,7 +32887,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -32989,7 +32989,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -33113,7 +33113,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -33448,7 +33448,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -33501,7 +33501,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -33930,7 +33930,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -34362,7 +34362,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install-with-hydrator.yaml

@@ -2005,7 +2005,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -2146,7 +2146,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2304,7 +2304,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2406,7 +2406,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2530,7 +2530,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2865,7 +2865,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2918,7 +2918,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -3347,7 +3347,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3779,7 +3779,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install.yaml

@@ -1975,7 +1975,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -2134,7 +2134,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2236,7 +2236,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2360,7 +2360,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2695,7 +2695,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2748,7 +2748,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -3177,7 +3177,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3609,7 +3609,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install-with-hydrator.yaml

@@ -31776,7 +31776,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -31917,7 +31917,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -32075,7 +32075,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -32177,7 +32177,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -32279,7 +32279,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -32588,7 +32588,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -32641,7 +32641,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -33068,7 +33068,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -33500,7 +33500,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install.yaml

@@ -31744,7 +31744,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -31903,7 +31903,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -32005,7 +32005,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -32107,7 +32107,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -32416,7 +32416,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -32469,7 +32469,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -32896,7 +32896,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -33328,7 +33328,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install-with-hydrator.yaml

@@ -1023,7 +1023,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1164,7 +1164,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1322,7 +1322,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1424,7 +1424,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1526,7 +1526,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1835,7 +1835,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1888,7 +1888,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2315,7 +2315,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2747,7 +2747,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -991,7 +991,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1150,7 +1150,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1252,7 +1252,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1354,7 +1354,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1663,7 +1663,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1716,7 +1716,7 @@ spec:
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2143,7 +2143,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2575,7 +2575,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.4.0-rc3
+        image: quay.io/argoproj/argocd:v3.4.0-rc4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

reposerver/repository/repository.go

@@ -1309,7 +1309,7 @@ func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclie
 		return nil, "", fmt.Errorf("error getting helm repos: %w", err)
 	}
 
-	h, err := helm.NewHelmApp(appPath, helmRepos, isLocal, version, proxy, q.Repo.NoProxy, passCredentials)
+	h, err := helm.NewHelmApp(appPath, helmRepos, isLocal, version, proxy, q.Repo.NoProxy, passCredentials, q.Repo.Insecure)
 	if err != nil {
 		return nil, "", fmt.Errorf("error initializing helm app object: %w", err)
 	}
@@ -2419,7 +2419,7 @@ func (s *Service) populateHelmAppDetails(res *apiclient.RepoAppDetailsResponse,
 	if err != nil {
 		return err
 	}
-	h, err := helm.NewHelmApp(appPath, helmRepos, false, version, q.Repo.Proxy, q.Repo.NoProxy, passCredentials)
+	h, err := helm.NewHelmApp(appPath, helmRepos, false, version, q.Repo.Proxy, q.Repo.NoProxy, passCredentials, q.Repo.Insecure)
 	if err != nil {
 		return err
 	}

util/helm/client.go

@@ -373,6 +373,7 @@ func (c *nativeHelmChart) loadRepoIndex(ctx context.Context, maxIndexSize int64)
 		Proxy:             proxy.GetCallback(c.proxy, c.noProxy),
 		TLSClientConfig:   tlsConf,
 		DisableKeepAlives: true,
+		ForceAttemptHTTP2: true,
 	}
 	client := http.Client{Transport: tr}
 	resp, err := client.Do(req)
@@ -492,6 +493,7 @@ func (c *nativeHelmChart) GetTags(chart string, noCache bool) ([]string, error)
 			Proxy:             proxy.GetCallback(c.proxy, c.noProxy),
 			TLSClientConfig:   tlsConf,
 			DisableKeepAlives: true,
+			ForceAttemptHTTP2: true,
 		}
 
 		// Wrap transport to add User-Agent header to all requests

util/helm/client_test.go

@@ -2,6 +2,7 @@ package helm
 
 import (
 	"bytes"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"math"
@@ -10,6 +11,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 	"testing"
 
@@ -574,6 +576,68 @@ func TestGetTagsCaching(t *testing.T) {
 	})
 }
 
+func TestGetTagsUsesHTTP2(t *testing.T) {
+	t.Run("should negotiate HTTP/2 when TLS is configured", func(t *testing.T) {
+		var requestProtos []string
+		server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			requestProtos = append(requestProtos, r.Proto)
+			t.Logf("called %s with proto %s", r.URL.Path, r.Proto)
+
+			responseTags := fakeTagsList{
+				Tags: []string{"1.0.0"},
+			}
+
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusOK)
+			require.NoError(t, json.NewEncoder(w).Encode(responseTags))
+		}))
+		// httptest.NewTLSServer only advertises http/1.1 in ALPN, so we must
+		// configure the server to also offer h2 for HTTP/2 negotiation to work.
+		server.TLS = &tls.Config{NextProtos: []string{"h2", "http/1.1"}}
+		server.StartTLS()
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, HelmCreds{InsecureSkipVerify: true}, true, "", "")
+
+		tags, err := client.GetTags("mychart", true)
+		require.NoError(t, err)
+		assert.Equal(t, []string{"1.0.0"}, tags)
+
+		// Verify that at least one request used HTTP/2. When ForceAttemptHTTP2 is
+		// not set on the Transport, Go's TLS stack won't negotiate h2 even though
+		// the server supports it, because a custom TLSClientConfig disables the
+		// automatic HTTP/2 setup.
+		require.NotEmpty(t, requestProtos, "expected at least one request to the server")
+		hasHTTP2 := slices.Contains(requestProtos, "HTTP/2.0")
+		assert.True(t, hasHTTP2, "expected at least one HTTP/2 request, but got protocols: %v", requestProtos)
+	})
+}
+
+func TestLoadRepoIndexUsesHTTP2(t *testing.T) {
+	t.Run("should negotiate HTTP/2 when fetching index", func(t *testing.T) {
+		var requestProto string
+		server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			requestProto = r.Proto
+			t.Logf("called %s with proto %s", r.URL.Path, r.Proto)
+
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte(`apiVersion: v1
+entries: {}
+`))
+		}))
+		server.TLS = &tls.Config{NextProtos: []string{"h2", "http/1.1"}}
+		server.StartTLS()
+		t.Cleanup(server.Close)
+
+		client := NewClient(server.URL, HelmCreds{InsecureSkipVerify: true}, false, "", "")
+
+		_, err := client.GetIndex(false, 10000)
+		require.NoError(t, err)
+
+		assert.Equal(t, "HTTP/2.0", requestProto, "expected HTTP/2 request for index fetch, but got %s", requestProto)
+	})
+}
+
 func TestUserAgentIsSet(t *testing.T) {
 	t.Run("Default User-Agent for traditional Helm repo", func(t *testing.T) {
 		// Create a test server that captures the User-Agent header

util/helm/cmd.go

@@ -327,8 +327,12 @@ func (c *Cmd) PullOCI(repo string, chart string, version string, destination str
 	return out, nil
 }
 
-func (c *Cmd) dependencyBuild() (string, error) {
-	out, _, err := c.run(context.Background(), "dependency", "build")
+func (c *Cmd) dependencyBuild(insecure bool) (string, error) {
+	args := []string{"dependency", "build"}
+	if insecure {
+		args = append(args, "--insecure-skip-tls-verify")
+	}
+	out, _, err := c.run(context.Background(), args...)
 	if err != nil {
 		return "", fmt.Errorf("failed to build dependencies: %w", err)
 	}

util/helm/cmd_test.go

@@ -135,6 +135,36 @@ func TestRegistryLogin(t *testing.T) {
 	}
 }
 
+func TestDependencyBuild(t *testing.T) {
+	tests := []struct {
+		name        string
+		insecure    bool
+		expectedOut string
+	}{
+		{
+			name:        "without insecure",
+			insecure:    false,
+			expectedOut: "helm dependency build",
+		},
+		{
+			name:        "with insecure",
+			insecure:    true,
+			expectedOut: "helm dependency build --insecure-skip-tls-verify",
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			c, err := newCmdWithVersion(".", false, "", "", func(cmd *exec.Cmd, _ func(_ string) string) (string, error) {
+				return strings.Join(cmd.Args, " "), nil
+			})
+			require.NoError(t, err)
+			out, err := c.dependencyBuild(tc.insecure)
+			require.NoError(t, err)
+			assert.Equal(t, tc.expectedOut, out)
+		})
+	}
+}
+
 func TestRegistryLogout(t *testing.T) {
 	tests := []struct {
 		name        string

util/helm/helm.go

@@ -43,20 +43,21 @@ type Helm interface {
 }
 
 // NewHelmApp create a new wrapper to run commands on the `helm` command-line tool.
-func NewHelmApp(workDir string, repos []HelmRepository, isLocal bool, version string, proxy string, noProxy string, passCredentials bool) (Helm, error) {
+func NewHelmApp(workDir string, repos []HelmRepository, isLocal bool, version string, proxy string, noProxy string, passCredentials bool, insecure bool) (Helm, error) {
 	cmd, err := NewCmd(workDir, version, proxy, noProxy)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create new helm command: %w", err)
 	}
 	cmd.IsLocal = isLocal
 
-	return &helm{repos: repos, cmd: *cmd, passCredentials: passCredentials}, nil
+	return &helm{repos: repos, cmd: *cmd, passCredentials: passCredentials, insecure: insecure}, nil
 }
 
 type helm struct {
 	cmd             Cmd
 	repos           []HelmRepository
 	passCredentials bool
+	insecure        bool
 }
 
 var _ Helm = &helm{}
@@ -108,7 +109,7 @@ func (h *helm) DependencyBuild() error {
 		}
 	}
 	h.repos = nil
-	_, err := h.cmd.dependencyBuild()
+	_, err := h.cmd.dependencyBuild(h.insecure)
 	if err != nil {
 		return fmt.Errorf("failed to build helm dependencies: %w", err)
 	}

util/helm/helm_test.go

@@ -25,7 +25,7 @@ func template(h Helm, opts *TemplateOpts) ([]*unstructured.Unstructured, error)
 }
 
 func TestHelmTemplateParams(t *testing.T) {
-	h, err := NewHelmApp("./testdata/minio", []HelmRepository{}, false, "", "", "", false)
+	h, err := NewHelmApp("./testdata/minio", []HelmRepository{}, false, "", "", "", false, false)
 	require.NoError(t, err)
 	opts := TemplateOpts{
 		Name: "test",
@@ -58,7 +58,7 @@ func TestHelmTemplateValues(t *testing.T) {
 	repoRoot := "./testdata/redis"
 	repoRootAbs, err := filepath.Abs(repoRoot)
 	require.NoError(t, err)
-	h, err := NewHelmApp(repoRootAbs, []HelmRepository{}, false, "", "", "", false)
+	h, err := NewHelmApp(repoRootAbs, []HelmRepository{}, false, "", "", "", false, false)
 	require.NoError(t, err)
 	valuesPath, _, err := path.ResolveValueFilePathOrUrl(repoRootAbs, repoRootAbs, "values-production.yaml", nil)
 	require.NoError(t, err)
@@ -84,7 +84,7 @@ func TestHelmGetParams(t *testing.T) {
 	repoRoot := "./testdata/redis"
 	repoRootAbs, err := filepath.Abs(repoRoot)
 	require.NoError(t, err)
-	h, err := NewHelmApp(repoRootAbs, nil, false, "", "", "", false)
+	h, err := NewHelmApp(repoRootAbs, nil, false, "", "", "", false, false)
 	require.NoError(t, err)
 	params, err := h.GetParameters(nil, repoRootAbs, repoRootAbs)
 	require.NoError(t, err)
@@ -97,7 +97,7 @@ func TestHelmGetParamsValueFiles(t *testing.T) {
 	repoRoot := "./testdata/redis"
 	repoRootAbs, err := filepath.Abs(repoRoot)
 	require.NoError(t, err)
-	h, err := NewHelmApp(repoRootAbs, nil, false, "", "", "", false)
+	h, err := NewHelmApp(repoRootAbs, nil, false, "", "", "", false, false)
 	require.NoError(t, err)
 	valuesPath, _, err := path.ResolveValueFilePathOrUrl(repoRootAbs, repoRootAbs, "values-production.yaml", nil)
 	require.NoError(t, err)
@@ -112,7 +112,7 @@ func TestHelmGetParamsValueFilesThatExist(t *testing.T) {
 	repoRoot := "./testdata/redis"
 	repoRootAbs, err := filepath.Abs(repoRoot)
 	require.NoError(t, err)
-	h, err := NewHelmApp(repoRootAbs, nil, false, "", "", "", false)
+	h, err := NewHelmApp(repoRootAbs, nil, false, "", "", "", false, false)
 	require.NoError(t, err)
 	valuesMissingPath, _, err := path.ResolveValueFilePathOrUrl(repoRootAbs, repoRootAbs, "values-missing.yaml", nil)
 	require.NoError(t, err)
@@ -126,7 +126,7 @@ func TestHelmGetParamsValueFilesThatExist(t *testing.T) {
 }
 
 func TestHelmTemplateReleaseNameOverwrite(t *testing.T) {
-	h, err := NewHelmApp("./testdata/redis", nil, false, "", "", "", false)
+	h, err := NewHelmApp("./testdata/redis", nil, false, "", "", "", false, false)
 	require.NoError(t, err)
 
 	objs, err := template(h, &TemplateOpts{Name: "my-release"})
@@ -144,7 +144,7 @@ func TestHelmTemplateReleaseNameOverwrite(t *testing.T) {
 }
 
 func TestHelmTemplateReleaseName(t *testing.T) {
-	h, err := NewHelmApp("./testdata/redis", nil, false, "", "", "", false)
+	h, err := NewHelmApp("./testdata/redis", nil, false, "", "", "", false, false)
 	require.NoError(t, err)
 	objs, err := template(h, &TemplateOpts{Name: "test"})
 	require.NoError(t, err)
@@ -206,7 +206,7 @@ func Test_flatVals(t *testing.T) {
 }
 
 func TestAPIVersions(t *testing.T) {
-	h, err := NewHelmApp("./testdata/api-versions", nil, false, "", "", "", false)
+	h, err := NewHelmApp("./testdata/api-versions", nil, false, "", "", "", false, false)
 	require.NoError(t, err)
 
 	objs, err := template(h, &TemplateOpts{})
@@ -221,7 +221,7 @@ func TestAPIVersions(t *testing.T) {
 }
 
 func TestKubeVersionWithSymbol(t *testing.T) {
-	h, err := NewHelmApp("./testdata/tests", nil, false, "", "", "", false)
+	h, err := NewHelmApp("./testdata/tests", nil, false, "", "", "", false, false)
 	require.NoError(t, err)
 
 	objs, err := template(h, &TemplateOpts{KubeVersion: "1.30.11+IKS"})
@@ -244,7 +244,7 @@ func TestKubeVersionWithSymbol(t *testing.T) {
 }
 
 func TestSkipCrds(t *testing.T) {
-	h, err := NewHelmApp("./testdata/crds", nil, false, "", "", "", false)
+	h, err := NewHelmApp("./testdata/crds", nil, false, "", "", "", false, false)
 	require.NoError(t, err)
 
 	objs, err := template(h, &TemplateOpts{SkipCrds: false})
@@ -261,7 +261,7 @@ func TestSkipCrds(t *testing.T) {
 }
 
 func TestSkipTests(t *testing.T) {
-	h, err := NewHelmApp("./testdata/tests", nil, false, "", "", "", false)
+	h, err := NewHelmApp("./testdata/tests", nil, false, "", "", "", false, false)
 	require.NoError(t, err)
 
 	objs, err := template(h, &TemplateOpts{SkipTests: false})

util/oci/client.go

@@ -143,6 +143,7 @@ func NewClientWithLock(repoURL string, creds Creds, repoLock sync.KeyLock, proxy
 			Proxy:             proxy.GetCallback(proxyURL, noProxy),
 			TLSClientConfig:   tlsConf,
 			DisableKeepAlives: true,
+			ForceAttemptHTTP2: true,
 		},
 		/*
 			CheckRedirect: func(req *http.Request, via []*http.Request) error {

util/oci/client_test.go

@@ -5,16 +5,22 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
 	"os"
 	"path/filepath"
+	"slices"
 	"testing"
 
 	"github.com/opencontainers/go-digest"
 	"github.com/opencontainers/image-spec/specs-go"
 	imagev1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"oras.land/oras-go/v2"
 	"oras.land/oras-go/v2/content"
@@ -761,6 +767,38 @@ func Test_nativeOCIClient_ResolveRevision(t *testing.T) {
 	}
 }
 
+func TestNewClientUsesHTTP2(t *testing.T) {
+	t.Run("should negotiate HTTP/2 when TLS is configured", func(t *testing.T) {
+		var requestProtos []string
+		server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			requestProtos = append(requestProtos, r.Proto)
+			t.Logf("called %s with proto %s", r.URL.Path, r.Proto)
+			w.WriteHeader(http.StatusOK)
+		}))
+		// httptest.NewTLSServer only advertises http/1.1 in ALPN, so we must
+		// configure the server to also offer h2 for HTTP/2 negotiation to work.
+		server.TLS = &tls.Config{NextProtos: []string{"h2", "http/1.1"}}
+		server.StartTLS()
+		t.Cleanup(server.Close)
+
+		serverURL, err := url.Parse(server.URL)
+		require.NoError(t, err)
+
+		// NewClient expects oci://host/path format.
+		repoURL := "oci://" + serverURL.Host + "/myorg/myrepo"
+		client, err := NewClient(repoURL, Creds{InsecureSkipVerify: true}, "", "", nil,
+			WithEventHandlers(fakeEventHandlers(t, serverURL.Host+"/myorg/myrepo")))
+		require.NoError(t, err)
+
+		// TestRepo pings the registry's /v2/ endpoint, exercising the transport.
+		_, _ = client.TestRepo(t.Context())
+
+		require.NotEmpty(t, requestProtos, "expected at least one request to the server")
+		hasHTTP2 := slices.Contains(requestProtos, "HTTP/2.0")
+		assert.True(t, hasHTTP2, "expected at least one HTTP/2 request, but got protocols: %v", requestProtos)
+	})
+}
+
 func fakeEventHandlers(t *testing.T, repoURL string) EventHandlers {
 	t.Helper()
 	return EventHandlers{
@@ -772,6 +810,9 @@ func fakeEventHandlers(t *testing.T, repoURL string) EventHandlers {
 		OnGetTagsFail: func(repo string) func() {
 			return func() { require.Equal(t, repoURL, repo) }
 		},
+		OnTestRepoFail: func(repo string) func() {
+			return func() { require.Equal(t, repoURL, repo) }
+		},
 		OnExtractFail: func(repo string) func(revision string) {
 			return func(_ string) { require.Equal(t, repoURL, repo) }
 		},