
Why ArgoCD v3.2.5 Is a Must‑Upgrade for Secure GitOps Pipelines

ArgoCD v3.2.5, released on January 14 2026, brings critical stability and security fixes—including a refreshed notifications engine, ApplicationSet reconciliation improvements, precise error messages, and dependency updates—making it essential for production GitOps deployments, especially for users still on the EOL 2.x series.

DevOps Coach

Background

On 2026‑01‑14 the ArgoCD community released version v3.2.5, replacing the deprecated v3.2.4. The patch focuses on stability and security enhancements for the most popular GitOps platform in the Kubernetes ecosystem.

Why v3.2.5 Matters

v3.0 (early 2025): infrastructure improvements.

v3.1 (2025‑08): native OCI registry support and CLI plugins.

v3.2 (2025‑11): advanced features and security fixes.

v3.2.5 (2026‑01): critical stability fixes.

Key Changes in v3.2.5

1. Notifications Engine Update

Commit:

fafbd44
feat: cherry-pick to 3.2, update notifications engine to v0.5.1

The notifications engine is upgraded to v0.5.1, adding reliable delivery for Slack, Microsoft Teams, email, custom webhooks, PagerDuty, etc. The practical benefit is more dependable sync, health‑status, and deployment‑event notifications.

2. ApplicationSet Reconciliation Fix

Commit:

d7d9674
fix(appset): avoid reconciliation for appsets when updating cluster Secret outside allowed namespaces

When a cluster Secret is updated, ApplicationSets in non‑allowed namespaces no longer trigger unnecessary reconciliation. This reduces CPU load and Kubernetes API traffic and makes behavior more predictable in multi‑tenant environments.

3. Error Message Improvements

Commit:

e6f5403
fix: show "please update resource spec" hint only when spec is expired

Error prompts become more precise and contextual, lowering operator confusion.

4. Dependency Updates

Key commits:

# Go bump to 1.25.5
chore(deps): bump go to 1.25.5
# expr bump to v1.17.7 (security)
chore(cherry-pick-3.2): bump expr to v1.17.7
# test against Kubernetes 1.34.2
ci: test against k8s 1.34.2

Compatibility is guaranteed for Kubernetes 1.32.x, 1.33.x, and 1.34.x.

Upgrade Options

Option 1 – Non‑HA (single instance)

# Create namespace if needed
kubectl create namespace argocd
# Apply v3.2.5 manifests
kubectl apply -n argocd -f \
  https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.5/manifests/install.yaml

Option 2 – HA installation

# Create namespace if needed
kubectl create namespace argocd
# Apply HA manifests
kubectl apply -n argocd -f \
  https://raw.githubusercontent.com/argoproj/argo-cd/v3.2.5/manifests/ha/install.yaml

Option 3 – Helm chart

# Add Helm repo
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
# Upgrade to latest version (9.3.2 contains ArgoCD v3.2.5)
helm upgrade argocd argo/argo-cd \
  --namespace argocd \
  --version 9.3.2 \
  --reuse-values

Security Verification

All ArgoCD images are signed with Cosign and include SLSA Level 3 provenance.

# Verify image signature (identity regexp anchored so it only matches
# workflows under the argoproj/argo-cd repository)
cosign verify \
  --certificate-identity-regexp "^https://github.com/argoproj/argo-cd/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  quay.io/argoproj/argocd:v3.2.5
# Verify provenance attestation
cosign verify-attestation \
  --type slsaprovenance \
  --certificate-identity-regexp "^https://github.com/argoproj/argo-cd/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  quay.io/argoproj/argocd:v3.2.5

Compatibility & Support

Supported architectures: amd64, arm64 (Apple Silicon, AWS Graviton), ppc64le (IBM Power), s390x (IBM Z).

Supported Kubernetes platforms include GKE, EKS, AKS, OpenShift, Rancher, K3s/K0s, and vanilla Kubernetes.

Migrating from v2.x to v3.x

For users still on the EOL v2.14 (ended 2025‑11‑04), upgrading to v3.2.5 is critical for security.

1. Fine‑grained RBAC enabled by default

# v2.x: permission automatically applied to sub‑resources
p, dev-team, applications, update, default/*, allow
# v3.x: explicit permissions required
p, dev-team, applications, update, default/*, allow
p, dev-team, applications, update/*/Pod/*, default/*, allow
p, dev-team, applications, update/*/Deployment/*, default/*, allow

2. Annotation‑based resource tracking

application.resourceTrackingMethod: annotation

3. RBAC for log access

# Explicit permission required
p, role:developers, logs, get, */*, allow
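
A pre-upgrade check for the two RBAC changes above, added here as an example (it is not ArgoCD code and not from the original article): it scans a policy.csv for subjects that hold a bare update/delete or a get on applications without the explicit sub-resource or logs rule that v3.x expects. The function names and the sample policy are hypothetical; it matches subjects literally, so `g` role bindings, built-in roles and deny rules are not resolved.

```python
import csv
from fnmatch import fnmatchcase

# Constructed sample policy.csv (not from a real cluster).
SAMPLE_POLICY = """\
# dev-team: written for v2.x, relies on implicit sub-resource and log access
p, dev-team, applications, get, default/*, allow
p, dev-team, applications, update, default/*, allow
# ops-team: already carries explicit v3.x rules
p, ops-team, applications, get, */*, allow
p, ops-team, applications, delete, */*, allow
p, ops-team, applications, delete/*/Pod/*, */*, allow
p, ops-team, logs, get, */*, allow
g, alice, role:admin
"""

def parse_allow_rules(text):
    """Return allow 'p' lines as (subject, resource, action, object) tuples."""
    rules = []
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        row = [col.strip() for col in row]
        if len(row) == 6 and row[0] == "p" and row[5] == "allow":
            rules.append(tuple(row[1:5]))
    return rules

def missing_v3_rules(text):
    """List candidate policy lines a v2.x policy needs under v3.x defaults."""
    rules = parse_allow_rules(text)
    missing = []
    for subj, res, act, obj in rules:
        if res != "applications":
            continue
        mine = [r for r in rules if r[0] == subj]
        # A bare update/delete no longer reaches the app's managed resources.
        if act in ("update", "delete") and not any(
                fnmatchcase("applications", r) and fnmatchcase(obj, o)
                and (a.startswith(act + "/") or fnmatchcase(act + "/x", a))
                for _, r, a, o in mine):
            missing.append(f"p, {subj}, applications, {act}/*, {obj}, allow")
        # Viewing logs needs its own 'logs, get' rule.
        if fnmatchcase("get", act) and not any(
                fnmatchcase("logs", r) and fnmatchcase("get", a)
                and fnmatchcase(obj, o) for _, r, a, o in mine):
            missing.append(f"p, {subj}, logs, get, {obj}, allow")
    return missing

if __name__ == "__main__":
    for line in missing_v3_rules(SAMPLE_POLICY):
        print("review:", line)
```

The emitted lines are candidates to review, not rules to paste: `update/*` and `delete/*` grant every sub-resource, so narrow them to specific kinds as in the Pod and Deployment rules above where least privilege matters.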

Roadmap

v3.3 (target GA 2026‑02‑02) is expected to bring further performance optimizations, new notification integrations, and UI/UX enhancements for the console.

Upgrade Checklist

Before upgrading

Review release notes.

Back up ConfigMaps, Secrets, and CRDs.

Test in a pre‑production environment.

Validate RBAC policies (especially when migrating from v2.x).

Check plugin compatibility.

Update internal documentation.

Communicate changes to the team.

After upgrading

Verify health of all applications.

Test manual sync operations.

Confirm notification delivery.

Monitor logs for 24–48 hours.

Review metrics dashboards.

Common Troubleshooting

Issue: ApplicationSets over‑reconcile

Symptoms: high CPU load, excessive Kubernetes API requests.

Solution: Upgrade to v3.2.5, which contains the fix.

# Check notifications controller version
kubectl get deployment argocd-notifications-controller \
  -n argocd -o yaml | grep image
# Expected image tag: v3.2.5

Issue: Notifications not delivered

Symptoms: sync events do not trigger alerts.

Solution: Ensure the notifications engine is at v0.5.1 and that the desired channels (Slack, Teams, email, webhook, PagerDuty, etc.) are correctly configured.

Issue: RBAC denies log access

Symptoms: users cannot view pod logs.

Solution: Add an explicit RBAC rule.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.csv: |
    p, role:developer, logs, get, */*, allow

Conclusion & Recommended Actions

ArgoCD v3.2.5 is a critical stability release; all production users should upgrade promptly. It fixes ApplicationSet bugs, updates core dependencies, and improves notification handling, reinforcing ArgoCD’s position as a reliable GitOps solution for Kubernetes.

If you are on v3.2.4 → upgrade immediately.

If you are on v3.0–v3.1 → plan upgrade within the next few weeks.

If you are on any v2.x (EOL) → perform an urgent upgrade.

Staying current is not just about new features—it is essential for security and supportability of your GitOps pipelines.
