UNCLASSIFIED - NO CUI

Remove Argo CD upgrade job sidecar shutdown

Dax McDonaldrequested to merge
301-remove-quitquitquit-sidecar-termination-curl into main

General MR

Summary

  • Keeps the Argo CD CRD ownership upgrade job rendered.
  • Removes obsolete Istio sidecar readiness wait and /quitquitquit shutdown logic from the upgrade job because the platform is moving to native sidecars.
  • Bumps the package version to 9.5.11-bb.1 and updates release docs.

Relevant logs/screenshots 

helm lint chart
helm unittest chart -f 'unittests/**/*_test.yaml'

helm template argocd chart --namespace argocd --set istio.enabled=true --set istio.ambient.enabled=true --show-only templates/bigbang/upgrade-job.yaml
helm template argocd chart --namespace argocd --set istio.enabled=true --set istio.ambient.enabled=false --show-only templates/bigbang/upgrade-job.yaml
rg -n "quitquitquit|localhost:15020|localhost:15021|Waiting for Istio sidecar" chart/templates tests
Live cluster details 
Thu May  7 08:41:28 MST 2026
NAME     STATUS   AGE   LABELS
argocd   Active   13h   app.kubernetes.io/component=core,app.kubernetes.io/instance=bigbang,app.kubernetes.io/managed-by=Helm,app.kubernetes.io/name=argocd,app.kubernetes.io/part-of=bigbang,app.kubernetes.io/version=3.23.0,helm.sh/chart=bigbang-3.23.0,istio.io/dataplane-mode=ambient,kubernetes.io/metadata.name=argocd
NAME            READY   STATUS    RESTARTS   AGE   IP           NODE                   NOMINATED NODE   READINESS GATES
ztunnel-fcmp7   1/1     Running   0          13h   10.42.1.9    k3d-bb-helm-server-0   <none>           <none>
ztunnel-jx96v   1/1     Running   0          13h   10.42.0.15   k3d-bb-helm-agent-0    <none>           <none>
NAME             DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
istio-cni-node   2         2         2       2            2           kubernetes.io/os=linux   13h
argocd-argocd-application-controller-0	enabled	application-controller
argocd-argocd-applicationset-controller-6f85cd4655-hvt5k	enabled	applicationset-controller
argocd-argocd-dex-server-558f769fbf-pjwwh	enabled	dex-server
argocd-argocd-notifications-controller-545dcd8786-fsxwr	enabled	notifications-controller
argocd-argocd-repo-server-844c59765d-bl2pj	enabled	repo-server
argocd-argocd-server-7998f967cc-m2xgh	enabled	server
redis-bb-master-0	enabled	redis
redis-bb-replicas-0	enabled	redis
NAME                                                           READY   STATUS    RESTARTS   AGE
pod/argocd-argocd-application-controller-0                     1/1     Running   0          13h
pod/argocd-argocd-applicationset-controller-6f85cd4655-hvt5k   1/1     Running   0          13h
pod/argocd-argocd-dex-server-558f769fbf-pjwwh                  1/1     Running   0          13h
pod/argocd-argocd-notifications-controller-545dcd8786-fsxwr    1/1     Running   0          13h
pod/argocd-argocd-repo-server-844c59765d-bl2pj                 1/1     Running   0          13h
pod/argocd-argocd-server-7998f967cc-m2xgh                      1/1     Running   0          13h
pod/redis-bb-master-0                                          1/1     Running   0          13h
pod/redis-bb-replicas-0                                        1/1     Running   0          13h
NAME                                                                                                                             POD-SELECTOR                                              AGE
networkpolicy.networking.k8s.io/allow-egress-from-argocd-application-controller-to-kubeapi                                       app.kubernetes.io/name=argocd-application-controller      13h
networkpolicy.networking.k8s.io/allow-egress-from-argocd-applicationset-controller-to-kubeapi                                    app.kubernetes.io/name=argocd-applicationset-controller   13h
networkpolicy.networking.k8s.io/allow-egress-from-argocd-dex-server-to-kubeapi                                                   app.kubernetes.io/name=argocd-dex-server                  13h
networkpolicy.networking.k8s.io/allow-egress-from-argocd-notifications-controller-to-kubeapi                                     app.kubernetes.io/name=argocd-notifications-controller    13h
networkpolicy.networking.k8s.io/allow-egress-from-argocd-repo-server-to-anywhere-tcp-port-443                                    app.kubernetes.io/name=argocd-repo-server                 13h
networkpolicy.networking.k8s.io/allow-egress-from-argocd-server-to-kubeapi                                                       app.kubernetes.io/name=argocd-server                      13h
networkpolicy.networking.k8s.io/allow-egress-from-argocd-upgrade-job-to-kubeapi                                                  app.kubernetes.io/name=argocd-upgrade-job                 13h
networkpolicy.networking.k8s.io/allow-ingress-to-argocd-8080-from-ns-istio-gateway-pod-public-ingressgateway                     app.kubernetes.io/name=argocd-server                      13h
networkpolicy.networking.k8s.io/allow-ingress-to-argocd-application-controller-tcp-port-8082-from-ns-monitoring-pod-prometheus   app.kubernetes.io/name=argocd-application-controller      13h
networkpolicy.networking.k8s.io/allow-ingress-to-argocd-repo-server-tcp-port-8084-from-ns-monitoring-pod-prometheus              app.kubernetes.io/name=argocd-repo-server                 13h
networkpolicy.networking.k8s.io/allow-ingress-to-argocd-server-tcp-port-8083-from-ns-monitoring-pod-prometheus                   app.kubernetes.io/name=argocd-server                      13h
networkpolicy.networking.k8s.io/allow-ingress-to-redis-bb-tcp-port-6379-from-ns-monitoring-pod-grafana                           app.kubernetes.io/name=redis-bb                           13h
networkpolicy.networking.k8s.io/allow-ingress-to-redis-bb-tcp-port-9121-from-ns-monitoring-pod-prometheus                        app.kubernetes.io/name=redis-bb                           13h
networkpolicy.networking.k8s.io/default-egress-allow-all-in-ns                                                                   <none>                                                    13h
networkpolicy.networking.k8s.io/default-egress-allow-kube-dns                                                                    <none>                                                    13h
networkpolicy.networking.k8s.io/default-egress-deny-all                                                                          <none>                                                    13h
networkpolicy.networking.k8s.io/default-ingress-allow-all-in-ns                                                                  <none>                                                    13h
networkpolicy.networking.k8s.io/default-ingress-allow-ambient-kubelet                                                            <none>                                                    13h
networkpolicy.networking.k8s.io/default-ingress-deny-all                                                                         <none>                                                    13h

NAME                                                                                                                                                                        ACTION   AGE
authorizationpolicy.security.istio.io/allow-ingress-to-argocd-application-controller-tcp-port-8082-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus   ALLOW    13h
authorizationpolicy.security.istio.io/allow-ingress-to-argocd-repo-server-tcp-port-8084-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus              ALLOW    13h
authorizationpolicy.security.istio.io/allow-ingress-to-argocd-server-tcp-port-8083-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus                   ALLOW    13h
authorizationpolicy.security.istio.io/allow-ingress-to-redis-bb-tcp-port-6379-from-ns-monitoring                                                                            ALLOW    13h
authorizationpolicy.security.istio.io/allow-ingress-to-redis-bb-tcp-port-9121-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus                        ALLOW    13h
authorizationpolicy.security.istio.io/argocd-public-ingressgateway-authz-policy                                                                                             ALLOW    13h
authorizationpolicy.security.istio.io/default-authz-allow-all-in-ns                                                                                                         ALLOW    13h
authorizationpolicy.security.istio.io/default-authz-allow-nothing                                                                                                                    13h

NAME                                                              HOSTS                                                                                                    LOCATION        RESOLUTION   AGE
serviceentry.networking.istio.io/argocd-internal                  ["argocd.dev.bigbang.mil"]                                                                               MESH_EXTERNAL   DNS          13h
serviceentry.networking.istio.io/cypress-service-entries-argocd   ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil","argocd.dev.bigbang.mil"]   MESH_EXTERNAL   DNS          13h
124:kind: Job
190:kind: Job
192:  name: argocd-upgrade-job
201:        app.kubernetes.io/name: argocd-upgrade-job
207:      - name: argocd-upgrade-job

Linked Issue

Closes #301 (closed)

Upgrade Notices

No user action is required. The Argo CD CRD ownership upgrade job still runs, but it no longer waits for or shuts down an Istio sidecar with /quitquitquit.

Edited by Dax McDonald

Merge request reports

UNCLASSIFIED - NO CUI