From a8923cd771fa43071ad33355cfd57c2e2829dffa Mon Sep 17 00:00:00 2001 From: Vadim Kharin Date: Wed, 6 May 2026 16:59:14 +0300 Subject: [PATCH 1/4] chore: fix various security vulnerabilities --- charts/gitops-runtime/README.md | 12 ++++++------ charts/gitops-runtime/values.yaml | 8 ++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index ee228010..4aaf8363 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -506,13 +506,13 @@ global: | app-proxy.extraVolumeMounts | list | `[]` | Extra volume mounts for main container | | app-proxy.extraVolumes | list | `[]` | extra volumes | | app-proxy.fullnameOverride | string | `"cap-app-proxy"` | | -| app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.26-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.26-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | -| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.26-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.26-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | +| app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.27-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.27-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | +| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.27-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.27-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | | app-proxy.image-enrichment.config.clientHeartbeatIntervalInSeconds | int | `5` | Client heartbeat interval in seconds for image enrichemnt workflow | | app-proxy.image-enrichment.config.concurrencyCmKey | string | `"imageReportExecutor"` | The name of the key in the configmap to use as synchronization semaphore | | app-proxy.image-enrichment.config.concurrencyCmName | string | `"workflow-synchronization-semaphores"` | The name of the configmap to use as synchronization semaphore, see https://argoproj.github.io/argo-workflows/synchronization/ | -| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.26-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.26-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}}` | Enrichemnt images | -| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}` | Report image enrichment task image | +| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.27-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.27-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}}` | Enrichemnt images | +| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}` | Report image enrichment task image | | app-proxy.image-enrichment.config.podGcStrategy | string | `"OnWorkflowCompletion"` | Pod grabage collection strategy. By default all pods will be deleted when the enrichment workflow completes. | | app-proxy.image-enrichment.config.ttlActiveInSeconds | int | `900` | Maximum allowed runtime for the enrichment workflow | | app-proxy.image-enrichment.config.ttlAfterCompletionInSeconds | int | `86400` | Number of seconds to live after completion | @@ -791,12 +791,12 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | | redis-ha.topologySpreadConstraints.whenUnsatisfiable | string | `""` (defaults to `ScheduleAnyway`) | Enforcement policy, hard or soft | -| redis-secret-init | object | `{"affinity":{},"image":{"registry":"docker.io","repository":"alpine/kubectl","tag":"1.35.3"},"nodeSelector":{},"tolerations":[]}` | Enable hook job to create redis secret | +| redis-secret-init | object | `{"affinity":{},"image":{"registry":"docker.io","repository":"alpine/kubectl","tag":"1.35.4"},"nodeSelector":{},"tolerations":[]}` | Enable hook job to create redis secret | | redis.image | object | `{"registry":"public.ecr.aws","repository":"docker/library/redis","tag":"8.2.1-alpine"}` | Redis image | | redis.metrics | object | `{"enabled":true,"env":{},"envFrom":[],"image":{"registry":"ghcr.io","repository":"oliver006/redis_exporter","tag":"v1.72.1"},"livenessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"readinessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"resources":{},"serviceMonitor":{"enabled":false}}` | Enable metrics sidecar | | redis.metrics.serviceMonitor | object | `{"enabled":false}` | Enable a prometheus ServiceMonitor | diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 5bd99037..f80b0b7e 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -446,17 +446,17 @@ app-proxy: reportImage: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-report-image-info - tag: 1.1.26-main + tag: 1.1.27-main # Git enrichment task image gitEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info - tag: 1.1.26-main + tag: 1.1.27-main # Jira enrichment task image jiraEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info - tag: 1.1.26-main + tag: 1.1.27-main image: repository: quay.io/codefresh/cap-app-proxy tag: 1.4085.0 @@ -722,7 +722,7 @@ redis-secret-init: image: registry: docker.io repository: alpine/kubectl - tag: 1.35.3 + tag: 1.35.4 nodeSelector: {} tolerations: [] affinity: {} From 1aa6067912f99537d933338b40c1509bd3ee83a5 Mon Sep 17 00:00:00 2001 From: cf-ci-bot-v2 Date: Wed, 6 May 2026 14:02:02 +0000 Subject: [PATCH 2/4] CI Automatic commit - align Chart version --- charts/gitops-runtime/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 9e3be48b..b0504493 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.8 +version: 0.29.9 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: From b63dba67417407a50d76818e7551de6e198f6adc Mon Sep 17 00:00:00 2001 From: Vadim Kharin Date: Thu, 7 May 2026 10:59:05 +0300 Subject: [PATCH 3/4] update cap-app-proxy to 1.4091.0 --- charts/gitops-runtime/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index f80b0b7e..c6e988fc 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -459,14 +459,14 @@ app-proxy: tag: 1.1.27-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4085.0 + tag: 1.4091.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4085.0 + tag: 1.4091.0 pullPolicy: IfNotPresent command: - ./init.sh From 58873ffc15d6f46f8896f51fd96ada43bfcf7234 Mon Sep 17 00:00:00 2001 From: Vadim Kharin Date: Thu, 7 May 2026 11:03:05 +0300 Subject: [PATCH 4/4] update helm docs --- charts/gitops-runtime/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 4aaf8363..740751c3 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.8](https://img.shields.io/badge/Version-0.29.8-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.9](https://img.shields.io/badge/Version-0.29.9-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.8 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.9 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.8 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.9 ``` ## Openshift @@ -523,14 +523,14 @@ global: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.4085.0"` | | +| app-proxy.image.tag | string | `"1.4091.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.4085.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.4091.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | |