Bump github.com/argoproj/argo-cd/v2 from 2.4.0 to 2.4.1

[dependabot[bot]]

Bumps github.com/argoproj/argo-cd/v2 from 2.4.0 to 2.4.1.

Release notes

Sourced from github.com/argoproj/argo-cd/v2's releases.

v2.4.1

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.1/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.1/manifests/ha/install.yaml

Security fixes

• CRITICAL: External URLs for Deployments can include javascript (GHSA-h4w9-6x78-8vrj)
• HIGH: Insecure entropy in PKCE/Oauth2/OIDC params (GHSA-2m7h-86qq-fp4v)
• MODERATE: DoS through large directory app manifest files (GHSA-jhqp-vf4w-rpwq)
• MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server (GHSA-q4w5-4gq2-98vm)

Potentially-breaking changes

From the GHSA-2m7h-86qq-fp4v description:

The patch introduces a new reposerver.max.combined.directory.manifests.size config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.

If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.

Other

• test: directory app manifest generation (#9503)
• chore: Implement tests to validate aws auth retry (#9627)
• chore: Implement a retry in aws auth command (#9618)
• test: Remove temp directories from repo server tests (#9501)
• test: Make context tests idempodent (#9502)
• test: fix plugin var test for OSX (#9590)
• docs: Document how to deploy from the root of the git repository (#9632)
• docs: added environment variables documentation (#8680)

Changelog

Sourced from github.com/argoproj/argo-cd/v2's changelog.

Changelog

Commits

• 52e6025 Bump version to 2.4.1
• b121b89 Bump version to 2.4.1
• 12149c0 chore: fix docs gen
• 9d67469 Merge pull request from GHSA-jhqp-vf4w-rpwq
• 04c3053 Merge pull request from GHSA-q4w5-4gq2-98vm
• 17f7f4f Merge pull request from GHSA-2m7h-86qq-fp4v
• 8bc3ef6 Merge pull request from GHSA-h4w9-6x78-8vrj
• 8fe9a58 test: directory app manifest generation (#9503)
• 269c61a chore: Implement tests to validate aws auth retry (#9627)
• 9a08c12 chore: Implement a retry in aws auth command (#9618)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

[prakarsh-dt]

@kartik-579 Can we do these suggested changes?

[dependabot[bot]]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.