argoproj-labs · olivergondza · Nov 20, 2025 · Oct 27, 2025 · Sep 21, 2025 · Oct 27, 2025
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -46,8 +46,9 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        k3s-version: [v1.27.1]
-        # k3s-version: [v1.20.2, v1.19.2, v1.18.9, v1.17.11, v1.16.15]
+        k3s-version:
+          - v1.27.1-k3s1
+          - v1.33.5-k3s1
     steps:
       - name: Download kuttl plugin
         env:
@@ -68,13 +69,23 @@ jobs:
           curl -s https://raw.githubusercontent.com/rancher/k3d/main/install.sh | bash
           sudo mkdir -p $HOME/.kube && sudo chown -R runner $HOME/.kube
 
+          feature_flags=()
+          case "${{ matrix.k3s-version }}" in
+          v1.3[3456789]*)
+              # Enable ClusterTrustBundle and ClusterTrustBundleProjection until it is enabled by default in kubernetes
+              feature_flags+=(
+                  "--k3s-arg" "--kube-apiserver-arg=feature-gates=ClusterTrustBundle=true,ClusterTrustBundleProjection=true@server:*"
+                  "--k3s-arg" "--kube-apiserver-arg=runtime-config=certificates.k8s.io/v1beta1/clustertrustbundles=true@server:*"
+                  "--k3s-arg" "--kubelet-arg=feature-gates=ClusterTrustBundle=true,ClusterTrustBundleProjection=true@agent:*"
+              )
+          ;;
+          esac
+
           # preserved for future use:
           # - limit logs to 4Mi, to avoid overwhelming GitHub's small runner storage (14Gi)
-          # - k3d cluster create --servers 3 --image rancher/k3s:${{ matrix.k3s-version }}-k3s1 --k3s-arg '--kubelet-arg=container-log-max-files=2@server:*' --k3s-arg '--kubelet-arg=container-log-max-size=2Mi@server:*'
+          # - k3d cluster create --servers 3 --image "rancher/k3s:${{ matrix.k3s-version }}" --k3s-arg '--kubelet-arg=container-log-max-files=2@server:*' --k3s-arg '--kubelet-arg=container-log-max-size=2Mi@server:*'
           # - I tried this, to reduce the the amount of GitHub Runner disk space used by k3d. These params did not appear to affect disk space usage.
-
-          # create k3d cluster
-          k3d cluster create --servers 3 --image rancher/k3s:${{ matrix.k3s-version }}-k3s1
+          k3d cluster create --servers 3 --image "rancher/k3s:${{ matrix.k3s-version }}" "${feature_flags[@]}"
           kubectl version
           k3d version
       - name: Checkout code

diff --git a/api/v1beta1/argocd_types.go b/api/v1beta1/argocd_types.go
@@ -591,6 +591,9 @@ type ArgoCDRepoSpec struct {
 
 	// Custom labels to pods deployed by the operator
 	Labels map[string]string `json:"labels,omitempty"`
+
+	// Custom certificates to inject into the repo server container and its plugins to trust source hosting sites
+	SystemCATrust *ArgoCDSystemCATrustSpec `json:"systemCATrust,omitempty"`
 }
 
 func (a *ArgoCDRepoSpec) IsEnabled() bool {
@@ -601,6 +604,18 @@ func (a *ArgoCDRepoSpec) IsRemote() bool {
 	return a.Remote != nil && *a.Remote != ""
 }
 
+// ArgoCDSystemCATrustSpec defines custom certificates to inject into the repo server container and its plugins to trust source hosting sites
+type ArgoCDSystemCATrustSpec struct {
+	// DropImageCertificates will remove all certs that are present in the image, leaving only those explicitly configured here.
+	DropImageCertificates bool `json:"dropImageCertificates,omitempty"`
+	// ClusterTrustBundles is a list of projected ClusterTrustBundle volume definitions from where to take the trust certs.
+	ClusterTrustBundles []corev1.ClusterTrustBundleProjection `json:"clusterTrustBundles,omitempty"`
+	// Secrets is a list of projected Secret volume definitions from where to take the trust certs.
+	Secrets []corev1.SecretProjection `json:"secrets,omitempty"`
+	// ConfigMaps is a list of projected ConfigMap volume definitions from where to take the trust certs.
+	ConfigMaps []corev1.ConfigMapProjection `json:"configMaps,omitempty"`
+}
+
 // ArgoCDRouteSpec defines the desired state for an OpenShift Route.
 type ArgoCDRouteSpec struct {
 	// Annotations is the map of annotations to use for the Route resource.

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/argocd-operator.clusterserviceversion.yaml b/bundle/manifests/argocd-operator.clusterserviceversion.yaml
@@ -257,7 +257,7 @@ metadata:
     capabilities: Deep Insights
     categories: Integration & Delivery
     certified: "false"
-    createdAt: "2025-12-17T12:19:06Z"
+    createdAt: "2026-01-21T10:11:54Z"
     description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
     operators.operatorframework.io/builder: operator-sdk-v1.35.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
@@ -1826,6 +1826,14 @@ spec:
           - jobs
           verbs:
           - '*'
+        - apiGroups:
+          - certificates.k8s.io
+          resources:
+          - clustertrustbundles
+          verbs:
+          - get
+          - list
+          - watch
         - apiGroups:
           - config.openshift.io
           resources: