argocd: update viaductoss/ksops Docker tag to v4.5.1

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
viaductoss/ksops	Kustomization	minor	v4.3.3 → v4.5.1

---

Release Notes

viaduct-ai/kustomize-sops (viaductoss/ksops)

v4.5.1

Compare Source

Upgrade Guide: v4.5.0 to v4.5.1

What changed

In v4.5.0, ksops install always copied both ksops and kustomize from hardcoded paths. This release makes two improvements based on community feedback (#​327):

1. ksops install now uses os.Executable() to resolve its own binary path instead of hardcoding /usr/local/bin/ksops. This makes the install command work regardless of where the binary is located.

2. Kustomize copying is now opt-in via --with-kustomize. Since ArgoCD already ships with kustomize, ksops install now only copies the ksops binary by default. Pass --with-kustomize to also copy kustomize.

How to upgrade

Add --with-kustomize to your ksops install command if you want to continue overriding ArgoCD's built-in kustomize (the previous default behavior).

Before:

initContainers:
  - name: install-ksops
    image: viaductoss/ksops:v4.5.0
    command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools

After:

initContainers:
  - name: install-ksops
    image: viaductoss/ksops:v4.5.1
    command: ["/usr/local/bin/ksops", "install", "--with-kustomize", "/custom-tools"]
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools

If you don't need to override ArgoCD's kustomize, you can drop --with-kustomize and remove the kustomize volume mount:

initContainers:
  - name: install-ksops
    image: viaductoss/ksops:v4.5.1
    command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools

Changelog

• fd75a70 fix: use os.Executable() for install and make kustomize opt-in (#​330)
• d9442dc v4.5.1

v4.5.0

Compare Source

Upgrade Guide: ArgoCD Init Container

What changed

Starting in v4.4.0, the ksops Docker image uses a distroless base image, which does not include /bin/sh, mv, or other shell utilities. This broke the documented ArgoCD init container pattern that relied on shell commands to copy binaries into a shared volume.

This release adds a built-in ksops install subcommand that copies the ksops and kustomize binaries to a target directory — no shell required.

How to upgrade

Replace the command and args in your init container. The volume mounts stay the same.

Before:

initContainers:

- name: install-ksops
  image: viaductoss/ksops:v4.4.0
  command: ["/bin/sh", "-c"]
  args:
  - echo "Installing KSOPS...";
    mv ksops /custom-tools/;
    mv kustomize /custom-tools/;
    echo "Done.";
    volumeMounts:
  - mountPath: /custom-tools
    name: custom-tools

After:

initContainers:

- name: install-ksops
  image: viaductoss/ksops:vX.Y.Z
  command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
  volumeMounts:
  - mountPath: /custom-tools
    name: custom-tools

That's it. No other changes to your volumes, volume mounts, or container definitions are needed.

Affected configurations

This applies to all three documented ArgoCD integration methods:

• Strategic merge patch (argo-cd-repo-server-ksops-patch.yaml)
• ArgoCD CRD (OKD4/OCP4 kind: ArgoCD spec)
• Argo CD Helm chart (repoServer.initContainers values)

Workarounds no longer needed

If you were using any of these workarounds, you can remove them:

• Using alpine as the init container image to curl and extract the release tarball
• Building a custom container image that bundles ksops into the ArgoCD repo server
• Pinning to a version before v4.4.0

Changelog

• 92bc163 chore(deps): bump actions/checkout from 5 to 6 (#​307)
• 42d7795 chore(deps): bump actions/setup-go from 5 to 6 (#​302)
• cfb835c chore(deps): bump docker/login-action from 3 to 4 (#​315)
• a25bfcd chore(deps): bump docker/setup-buildx-action from 3 to 4 (#​316)
• 2aee20e chore(deps): bump docker/setup-qemu-action from 3 to 4 (#​317)
• 061495f chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#​309)
• 845389a chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#​325)
• d70b62e chore(deps): bump github.com/getsops/sops/v3 from 3.11.0 to 3.12.2 (#​319)
• 98fe884 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.1 to 4.1.4 (#​323)
• 80616de chore(deps): bump github/codeql-action from 3 to 4 (#​305)
• eb80fe6 chore(deps): bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.43.0 (#​326)
• dd0987e chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.45.0 (#​306)
• 31dfb4e chore(deps): bump google.golang.org/grpc from 1.75.1 to 1.79.3 (#​318)
• d4c8c13 chore(deps): bump goreleaser/goreleaser-action from 6 to 7 (#​312)
• dfeab3f chore: v4.5.0 (#​329)
• 8f3b8d1 feat: add ksops install subcommand for distroless compatibility (#​327)
• 50ad78f feat: concurrent secret decryption (#​328)
• 4345f5f fix: pin to 1.25.0
• 8624cb3 update(sops): 3.10.2 -> 3.11.0 (#​304)

v4.4.0

Compare Source

Changelog

• 970918f Bump sigs.k8s.io/kustomize/api from v0.16.0 to v0.19.0 (#​275)
• 97f66d0 Optimize Docker image (#​271)
• 18bcac8 Optimize and structure Makefile (#​274)
• d79a6f0 chore(deps): bump actions/checkout from 4 to 5 (#​293)
• bc46d4d chore(deps): bump github.com/cloudflare/circl from 1.4.0 to 1.6.1 (#​285)
• 1ced974 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#​280)
• 487dded chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#​282)
• 404363d chore(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 (#​281)
• fc21455 chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 (#​284)
• 167e8ab chore(deps): bump golang.org/x/oauth2 from 0.24.0 to 0.27.0 (#​287)
• 86c8643 chore(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0 (#​286)
• 844d8c2 chore(deps): bump sigs.k8s.io/yaml from 1.5.0 to 1.6.0 (#​288)
• 6f0e2a6 chore: update golang version to patch CVEs (#​296)
• ec19be6 fix(build): resolve kustomize installation failures during cross-compilation (#​299)
• 5890575 fix(cd): try use full path for checking kustomize installation
• 96fb5ef fix(ci): ensure go bin is part of PATH, add logging for debugging release CD
• c58ac0b update(sops): 3.9.2 -> 3.10.2 (#​297)
• 01bebbd v4.4.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Infro diff for 61ac9cf

argocd.hashbang.sh > argocd (0 files changed)

Details

time="2026-04-13T09:21:17Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."
time="2026-04-13T09:21:31Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."

===== apps/Deployment argocd/argocd-applicationset-controller ======
--- /tmp/argocd-diff795385652/argocd-applicationset-controller-live.yaml
+++ /tmp/argocd-diff795385652/argocd-applicationset-controller
@@ -579,7 +579,7 @@
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.4@sha256:9f68a9a360ff65aaca66dfccf675219be73f0ac8c5c96797b6cb7760ee1b9056
+        image: quay.io/argoproj/argocd:v3.3.6@sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:

===== apps/Deployment argocd/argocd-dex-server ======
--- /tmp/argocd-diff2178462781/argocd-dex-server-live.yaml
+++ /tmp/argocd-diff2178462781/argocd-dex-server
@@ -358,7 +358,7 @@
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.3.4@sha256:9f68a9a360ff65aaca66dfccf675219be73f0ac8c5c96797b6cb7760ee1b9056
+        image: quay.io/argoproj/argocd:v3.3.6@sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49
         imagePullPolicy: Always
         name: copyutil
         resources: {}

===== apps/Deployment argocd/argocd-notifications-controller ======
--- /tmp/argocd-diff101284005/argocd-notifications-controller-live.yaml
+++ /tmp/argocd-diff101284005/argocd-notifications-controller
@@ -276,7 +276,7 @@
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.4@sha256:9f68a9a360ff65aaca66dfccf675219be73f0ac8c5c96797b6cb7760ee1b9056
+        image: quay.io/argoproj/argocd:v3.3.6@sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3

===== apps/Deployment argocd/argocd-redis ======
--- /tmp/argocd-diff1689595769/argocd-redis-live.yaml
+++ /tmp/argocd-diff1689595769/argocd-redis
@@ -260,7 +260,7 @@
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.3.4@sha256:9f68a9a360ff65aaca66dfccf675219be73f0ac8c5c96797b6cb7760ee1b9056
+        image: quay.io/argoproj/argocd:v3.3.6@sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49
         imagePullPolicy: IfNotPresent
         name: secret-init
         resources: {}

===== apps/Deployment argocd/argocd-repo-server ======
--- /tmp/argocd-diff2086242297/argocd-repo-server-live.yaml
+++ /tmp/argocd-diff2086242297/argocd-repo-server
@@ -919,7 +919,7 @@
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.3.4@sha256:9f68a9a360ff65aaca66dfccf675219be73f0ac8c5c96797b6cb7760ee1b9056
+        image: quay.io/argoproj/argocd:v3.3.6@sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -992,7 +992,7 @@
         env:
         - name: GNUPGHOME
           value: /gnupg-home/.gnupg
-        image: quay.io/argoproj/argocd:v3.3.4@sha256:9f68a9a360ff65aaca66dfccf675219be73f0ac8c5c96797b6cb7760ee1b9056
+        image: quay.io/argoproj/argocd:v3.3.6@sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49
         imagePullPolicy: IfNotPresent
         name: import-gpg-key
         resources: {}
@@ -1009,7 +1009,7 @@
         command:
         - /bin/sh
         - -c
-        image: viaductoss/ksops:v4.3.3@sha256:6b5ec4b6144307f78bcddffd8f09020482836eee34cf77bf4ce8614b0452a73c
+        image: viaductoss/ksops:v4.5.1@sha256:4def9fdd4e2f850265740ebe9592c5455d19b76891e88e602df8b52d74b95334
         imagePullPolicy: IfNotPresent
         name: install-ksops
         resources: {}
@@ -1024,7 +1024,7 @@
         command:
         - sh
         - -c
-        image: quay.io/argoproj/argocd:v3.3.4@sha256:9f68a9a360ff65aaca66dfccf675219be73f0ac8c5c96797b6cb7760ee1b9056
+        image: quay.io/argoproj/argocd:v3.3.6@sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49
         imagePullPolicy: IfNotPresent
         name: copyutil
         resources: {}

===== apps/Deployment argocd/argocd-server ======
--- /tmp/argocd-diff3094680809/argocd-server-live.yaml
+++ /tmp/argocd-diff3094680809/argocd-server
@@ -903,7 +903,7 @@
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.3.4@sha256:9f68a9a360ff65aaca66dfccf675219be73f0ac8c5c96797b6cb7760ee1b9056
+        image: quay.io/argoproj/argocd:v3.3.6@sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3

===== apps/StatefulSet argocd/argocd-application-controller ======
--- /tmp/argocd-diff2284477288/argocd-application-controller-live.yaml
+++ /tmp/argocd-diff2284477288/argocd-application-controller
@@ -768,7 +768,7 @@
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.3.4@sha256:9f68a9a360ff65aaca66dfccf675219be73f0ac8c5c96797b6cb7760ee1b9056
+        image: quay.io/argoproj/argocd:v3.3.6@sha256:16b92ba472fbb9287459cc52e0ecff07288dff461209955098edb56ce866fe49
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

argocd.hashbang.sh > cloudnative-pg (0 files changed)

Details

time="2026-04-13T09:21:48Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."
time="2026-04-13T09:21:57Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."

===== coordination.k8s.io/Lease /db9c8771.cnpg.io ======
--- /tmp/argocd-diff2046140304/db9c8771.cnpg.io-live.yaml
+++ /tmp/argocd-diff2046140304/db9c8771.cnpg.io
@@ -0,0 +1,11 @@
+apiVersion: coordination.k8s.io/v1
+kind: Lease
+metadata:
+  annotations:
+    argocd.argoproj.io/tracking-id: cloudnative-pg:coordination.k8s.io/Lease:cloudnative-pg/db9c8771.cnpg.io
+  labels:
+    app.kubernetes.io/component: manager
+    app.kubernetes.io/instance: cloudnative-pg
+    app.kubernetes.io/name: cloudnative-pg
+  name: db9c8771.cnpg.io
+spec: {}

argocd.hashbang.sh > external-dns (0 files changed)

Details

time="2026-04-13T09:21:59Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."
time="2026-04-13T09:22:03Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."

===== apps/Deployment external-dns/external-dns ======
--- /tmp/argocd-diff722808063/external-dns-live.yaml
+++ /tmp/argocd-diff722808063/external-dns
@@ -172,11 +172,6 @@
         - --provider=aws
         - --txt-owner-id=digitalocean-hashbang
         - --txt-prefix=_owner.
-        - --source=crd
-        - --domain-filter=hashbang.sh
-        - --managed-record-types=A
-        - --managed-record-types=CNAME
-        - --managed-record-types=TXT
         env:
         - name: AWS_REGION
           value: us-west-2

argocd.hashbang.sh > keycloak (0 files changed)

Details

time="2026-04-13T09:22:19Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."
time="2026-04-13T09:22:24Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."

===== apps/Deployment keycloak/keycloak ======
--- /tmp/argocd-diff221047043/keycloak-live.yaml
+++ /tmp/argocd-diff221047043/keycloak
@@ -259,7 +259,7 @@
             name: keycloak-config-5k62mm682d
         - secretRef:
             name: keycloak-config-hmkt6446bt
-        image: quay.io/keycloak/keycloak:26.5.6@sha256:8d44614c74798322c4e07fbe0ecb15cfbb5879d69b484628555f58ade06f0d8c
+        image: quay.io/keycloak/keycloak:26.5.7@sha256:45ae20191531eb608ddb0b775d012b40d3e4f942697f3214694887dd7c108d13
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 3

argocd.hashbang.sh > wkd (0 files changed)

Details

time="2026-04-13T09:22:50Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."
time="2026-04-13T09:22:55Z" level=warning msg="Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web."

===== apps/Deployment wkd/wkd ======
--- /tmp/argocd-diff2033245851/wkd-live.yaml
+++ /tmp/argocd-diff2033245851/wkd
@@ -232,7 +232,7 @@
           value: enroll
         - name: FOLDER
           value: /tmp/keys
-        image: kiwigrid/k8s-sidecar:2.5.0@sha256:a6b3f707f883108376514489a94d6629109a327b2978e1d826cd104c4ca436df
+        image: kiwigrid/k8s-sidecar:2.5.4@sha256:6e9db2cd6630a663dfa9eec59916f8c289d1efa725a6e2d92ec1b5fef31bbd3d
         imagePullPolicy: IfNotPresent
         name: watcher
         resources: {}