Why ArgoCD 3.3 Deserves Your Attention
On February 28, 2026, ArgoCD 3.3 was released. Rather than major architectural changes, this release focused on filling long-needed gaps in production operations. The most significant change is the introduction of the PreDelete Hook. In GitOps workflows, deletion has always been a risky operation. When stateful applications are abruptly removed, data can be lost or dependent external systems lose service without notification. ArgoCD 3.3 elevates deletion to an explicit lifecycle stage.
PreDelete Hook: Deletion as a Lifecycle Stage
Traditional ArgoCD provided three hook stages: PreSync → Sync → PostSync. With PreDelete added in 3.3, the complete application lifecycle is now realized. When a deletion request arrives, the PreDelete Hook executes a designated Kubernetes Job before actual resource removal. Deletion proceeds only if this Job succeeds; failure blocks deletion entirely.
# PreDelete Hook example: Database backup before deletion
apiVersion: batch/v1
kind: Job
metadata:
name: pre-delete-db-backup
annotations:
argocd.argoproj.io/hook: PreDelete
argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
backoffLimit: 2
template:
spec:
restartPolicy: Never
containers:
- name: backup
image: postgres:16-alpine
command:
- sh
- -c
- |
echo "[PreDelete] Starting database backup..."
pg_dump $DATABASE_URL > /backup/dump-$(date +%Y%m%d%H%M%S).sql
aws s3 cp /backup/ s3://backups/pre-delete/ --recursive
echo "[PreDelete] Backup complete, allowing deletion"
envFrom:
- secretRef:
name: db-credentials
The key is a single annotation: argocd.argoproj.io/hook: PreDelete. Following the same pattern as existing PreSync/PostSync hooks, there's virtually no learning curve.
Real-World Use Cases
| Scenario | PreDelete Hook Role | Failure Behavior |
|---|---|---|
| Removing stateful app | DB dump → S3 upload | Blocks deletion, retries backup |
| Service mesh traffic drain | Istio DestinationRule weight to 0 | Prevents traffic loss |
| External system notification | Send retirement alert to Slack/PagerDuty | Holds deletion if notification fails |
| Compliance audit logging | Record deletion reason + approver | Prevents missing audit records |
| DNS/CDN cleanup | Remove Route53 record, invalidate CloudFront | Prevents orphaned resources |
ArgoCD 3.3 Key Improvements Summary
OIDC Background Token Refresh
When integrating with OIDC providers like Keycloak, sudden logouts during extended debugging or deployment monitoring are now resolved. ArgoCD 3.3 automatically refreshes OIDC tokens in the background before expiration, with configurable refresh thresholds.
Shallow Git Cloning
An opt-in feature for large monorepos or legacy projects to fetch only required commits instead of full Git history. Repository server fetch times can drop from minutes to seconds.
Granular Cluster Resource Control
AppProject's clusterResourceWhitelist now extends beyond API groups and kinds to restrict individual resource names. Multi-tenant environments can now manage access to specific CRDs at the project level with fine-grained control.
Native KEDA Support
ScaledObject and ScaledJob pause/resume can now be controlled directly from the UI, with accurate health status displayed instead of the previous 'Unknown' state.
Upgrade Guide: 3.2 to 3.3
# 1. Check current ArgoCD version
argocd version
# 2. Update Helm chart
helm repo update
helm search repo argo/argo-cd --versions | head -5
# 3. Update values.yaml with new versions
# server.image.tag: v3.3.2
# repoServer.image.tag: v3.3.2
# controller.image.tag: v3.3.2
# 4. Upgrade in staging first
helm upgrade argocd argo/argo-cd -n argocd -f values-staging.yaml --version 7.8.0
# 5. Verify application status
argocd app list --output wide
argocd app get <app-name> --hard-refresh
Tip: PreDelete Hooks can be adopted incrementally. Start with new apps, test in staging, then deploy to production.
FAQ
Q: What happens if PreDelete Hook fails?
Deletion is blocked. After retrying up to backoffLimit, it remains pending. Check failure status in ArgoCD UI and manually resolve the issue.
Q: Can I use multiple hook types together?
Yes, all hooks operate independently. You can use PreSync, Sync, PostSync, and PreDelete hooks on the same application.
Q: Is Shallow Clone safe for all projects?
Recommended for most cases. Disable if using custom plugins that need full Git history.
This article was originally published on ManoIT Tech Blog.
Top comments (0)