From 79ed09476e3deaf84dd6b95e46a68ee6aa2f1f8d Mon Sep 17 00:00:00 2001 From: vadim-kharin-codefresh Date: Tue, 24 Mar 2026 12:22:05 +0200 Subject: [PATCH 01/47] chore: fix various security vulnerabilities in cap-app-proxy (#1140) * chore: fix various security vulnerabilities in cap-app-proxy * CI Automatic commit - align Chart version --------- Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/README.md | 6 +++--- charts/gitops-runtime/values.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 84ca5ffd0..466871586 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.1.72 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.0.0 +version: 0.29.0 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 413b8ad95..0d605d8ee 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
@@ -511,14 +511,14 @@ global: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.4072.0"` | | +| app-proxy.image.tag | string | `"1.4074.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.4072.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.4074.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | 
@@ -779,7 +779,7 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index b8ed356d1..cf51b072e 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -459,14 +459,14 @@ app-proxy: tag: 1.1.23-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4072.0 + tag: 1.4074.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4072.0 + tag: 1.4074.0 pullPolicy: IfNotPresent command: - ./init.sh From c822ae8bce3267f1da4e4f55286c85e75cacc720 Mon Sep 17 00:00:00 2001 
From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Wed, 25 Mar 2026 16:16:33 +0200 Subject: [PATCH 02/47] prepare-version(0.29.0): prepare chart content for release (#1136) * Update Chart.yaml and changelog for 0.29.0 release * v0.2.3 (0.29.0) * Update Chart.yaml and changelog for 0.29.0 release * update artifacthub.io/changes --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: andrii-codefresh Co-authored-by: vadim-kharin-codefresh --- charts/gitops-runtime/Chart.yaml | 9 ++++++++- charts/gitops-runtime/README.md | 6 +++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 466871586..02ebb7830 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.1.72 +appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime version: 0.29.0 @@ -13,6 +13,13 @@ maintainers: url: https://codefresh-io.github.io/ annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" + artifacthub.io/changes: |- + - kind: added + description: "Added ABAC validation to application existence query" + - kind: changed + description: 'update app-proxy to 1.4074.0' + - kind: security + description: 'fix various security vulnerabilities in app-proxy' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 0d605d8ee..67975a1d4 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
@@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![AppVersion: 0.1.72](https://img.shields.io/badge/AppVersion-0.1.72-informational?style=flat-square) +![Version: 0.29.0](https://img.shields.io/badge/Version-0.29.0-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -193,7 +193,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.0.0 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.0 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -206,7 +206,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.0.0 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.0 ``` ## Openshift From 1bf134e6168934ce9b3de1cddc4d63e9f71ea0a8 Mon Sep 17 00:00:00 2001 From: vadim-kharin-codefresh Date: Fri, 27 Mar 2026 13:50:45 +0200 Subject: [PATCH 03/47] chore: fix various security vulnerabilities in argo-workflows (#1144) * chore: fix various security vulnerabilities in argo-workflows * update alpine/kubectl to 1.35.3 --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 02ebb7830..8bd6383a5 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -27,7 +27,7 @@ dependencies: version: 9.4.4 - name: argo-workflows repository: https://codefresh-io.github.io/argo-helm - version: 0.45.18-v3.6.7-cap-CR-32333 + version: 0.45.19-v3.6.7-cap-CR-38032 condition: argo-workflows.enabled - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index cf51b072e..55b2a871e 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -722,7 +722,7 @@ redis-secret-init: image: registry: docker.io repository: alpine/kubectl - tag: 1.35.1 + tag: 1.35.3 nodeSelector: {} tolerations: [] affinity: {} From 6f6c73a795d7c2fc2e669d82625f463749fc03a9 Mon Sep 17 00:00:00 2001 
From: vadim-kharin-codefresh Date: Fri, 27 Mar 2026 15:55:32 +0200 Subject: [PATCH 04/47] chore: align Chart version (#1147) --- charts/gitops-runtime/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 8bd6383a5..468409d0a 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.0 +version: 0.29.1 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: From bafdcaf1e2face6070118ce3475d0e66bbb7cebf Mon Sep 17 00:00:00 2001 From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Fri, 27 Mar 2026 17:58:03 +0200 Subject: [PATCH 05/47] prepare-version(0.29.1): prepare chart content for release (#1148) * Update Chart.yaml and changelog for 0.29.1 release --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: Vadim Kharin --- charts/gitops-runtime/Chart.yaml | 6 ++---- charts/gitops-runtime/README.md | 8 ++++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 468409d0a..6a95f1b74 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -14,12 +14,10 @@ maintainers: annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" artifacthub.io/changes: |- - - kind: added - description: "Added ABAC validation to application existence query" - kind: changed - description: 'update app-proxy to 1.4074.0' + description: 'update alpine/kubectl to 1.35.3' - kind: security - description: 'fix various security vulnerabilities in app-proxy' + description: 'fix various security vulnerabilities in argo-workflows' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 67975a1d4..b6bd11f14 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.0](https://img.shields.io/badge/Version-0.29.0-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.1](https://img.shields.io/badge/Version-0.29.1-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -193,7 +193,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.0 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.1 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -206,7 +206,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.0 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.1 ``` ## Openshift 
@@ -784,7 +784,7 @@ global: | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | | redis-ha.topologySpreadConstraints.whenUnsatisfiable | string | `""` (defaults to `ScheduleAnyway`) | Enforcement policy, hard or soft | -| redis-secret-init | object | `{"affinity":{},"image":{"registry":"docker.io","repository":"alpine/kubectl","tag":"1.35.1"},"nodeSelector":{},"tolerations":[]}` | Enable hook job to create redis secret | +| redis-secret-init | object | `{"affinity":{},"image":{"registry":"docker.io","repository":"alpine/kubectl","tag":"1.35.3"},"nodeSelector":{},"tolerations":[]}` | Enable hook job to create redis secret | | redis.image | object | `{"registry":"public.ecr.aws","repository":"docker/library/redis","tag":"8.2.1-alpine"}` | Redis image | | redis.metrics | object | `{"enabled":true,"env":{},"envFrom":[],"image":{"registry":"ghcr.io","repository":"oliver006/redis_exporter","tag":"v1.72.1"},"livenessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"readinessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"resources":{},"serviceMonitor":{"enabled":false}}` | Enable metrics sidecar | | redis.metrics.serviceMonitor | object | `{"enabled":false}` | Enable a prometheus ServiceMonitor | From 89dff7998890039047726bb3e6ffe913532f1b2d Mon Sep 17 00:00:00 2001 
From: vadim-kharin-codefresh Date: Wed, 1 Apr 2026 12:06:58 +0300 Subject: [PATCH 06/47] chore: Fix various security vulnerabilities in argo-workflows (#1149) * chore: Fix various security vulnerabilities in argo-workflows * CI Automatic commit - align Chart version --------- Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 4 ++-- charts/gitops-runtime/values.yaml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 6a95f1b74..7aacaf4af 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.1 +version: 0.29.2 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: @@ -25,7 +25,7 @@ dependencies: version: 9.4.4 - name: argo-workflows repository: https://codefresh-io.github.io/argo-helm - version: 0.45.19-v3.6.7-cap-CR-38032 + version: 0.45.20-v3.6.7-cap-CR-36597 condition: argo-workflows.enabled - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 55b2a871e..cb686e778 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml 
@@ -446,17 +446,17 @@ app-proxy: reportImage: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-report-image-info - tag: 1.1.23-main + tag: 1.1.25-main # Git enrichment task image gitEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info - tag: 1.1.23-main + tag: 1.1.25-main # Jira enrichment task image jiraEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info - tag: 1.1.23-main + tag: 1.1.25-main image: repository: quay.io/codefresh/cap-app-proxy tag: 1.4074.0 From 2804e15daa6593aede8990eb30dc0e0d8a8448f6 Mon Sep 17 00:00:00 2001 From: vitalii-codefresh Date: Thu, 2 Apr 2026 13:21:58 +0300 Subject: [PATCH 07/47] update argocd to 3.3.6, dex to 2.45.1 (#1155) --- charts/gitops-runtime/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 7aacaf4af..1ed4b8ab1 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -22,7 +22,7 @@ dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm condition: argo-cd.enabled - version: 9.4.4 + version: 9.4.17 - name: argo-workflows repository: https://codefresh-io.github.io/argo-helm version: 0.45.20-v3.6.7-cap-CR-36597 From bb8df2f539cc5082fa092b800cff025540ea757f Mon Sep 17 00:00:00 2001 
From: Andrii Shaforostov Date: Thu, 2 Apr 2026 18:26:46 +0300 Subject: [PATCH 08/47] fix: security fixes (#1157) (#1158) * fix: security fixes codefresh-gitops-operator CVE-2026-33186 CVE-2026-31892 CVE-2026-28229 cf-argocd-extras CVE-2026-33186 cap-app-proxy crypto/tls CVE-2025-68121 path-to-regexp CVE-2026-4867 node-forge CVE-2026-33896 CVE-2026-33895 CVE-2026-33894 CVE-2026-33891 picomatch CVE-2026-33671 CVE-2026-33672 gitops-runtime-installer (cli-v2) CVE-2026-33186 CVE-2026-24051 (cherry picked from commit bdce2fe1a264852985d2e39ec7d15a9f7353e120) --- charts/gitops-runtime/README.md | 18 +++++++++--------- charts/gitops-runtime/values.yaml | 10 +++++----- installer-image/Dockerfile | 2 +- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index b6bd11f14..36db5d52b 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
@@ -494,13 +494,13 @@ global: | app-proxy.extraVolumeMounts | list | `[]` | Extra volume mounts for main container | | app-proxy.extraVolumes | list | `[]` | extra volumes | | app-proxy.fullnameOverride | string | `"cap-app-proxy"` | | -| app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.23-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.23-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.23-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | -| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.23-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.23-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.23-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | +| app-proxy.image-enrichment | object | 
`{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.25-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.25-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | +| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.25-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.25-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | | app-proxy.image-enrichment.config.clientHeartbeatIntervalInSeconds | int | `5` | Client heartbeat interval in seconds for image enrichemnt workflow | | app-proxy.image-enrichment.config.concurrencyCmKey | string | `"imageReportExecutor"` | The name of the key in the configmap to use as synchronization semaphore | | app-proxy.image-enrichment.config.concurrencyCmName | string | 
`"workflow-synchronization-semaphores"` | The name of the configmap to use as synchronization semaphore, see https://argoproj.github.io/argo-workflows/synchronization/ | -| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.23-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.23-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.23-main"}}` | Enrichemnt images | -| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.23-main"}` | Report image enrichment task image | +| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.25-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.25-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}}` | Enrichemnt images | +| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}` | Report image enrichment task image | | app-proxy.image-enrichment.config.podGcStrategy | string | `"OnWorkflowCompletion"` | Pod grabage collection strategy. By default all pods will be deleted when the enrichment workflow completes. 
| | app-proxy.image-enrichment.config.ttlActiveInSeconds | int | `900` | Maximum allowed runtime for the enrichment workflow | | app-proxy.image-enrichment.config.ttlAfterCompletionInSeconds | int | `86400` | Number of seconds to live after completion | @@ -511,14 +511,14 @@ global: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.4074.0"` | | +| app-proxy.image.tag | string | `"1.4077.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.4074.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.4077.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | 
@@ -589,7 +589,7 @@ global: | argo-cd.redis-ha.image.tag | string | `"8.2.2-alpine"` | Redis tag | | argo-cd.redis.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository | | argo-cd.redis.image.tag | string | `"8.2.2-alpine"` | Redis tag | -| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"7b43e16"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD from Codefresh platform | +| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"9542ac9"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD 
from Codefresh platform | | argo-workflows.crds.install | bool | `true` | Install and upgrade CRDs | | argo-workflows.enabled | bool | `true` | | | argo-workflows.executor.resources.requests.ephemeral-storage | string | `"10Mi"` | | @@ -651,7 +651,7 @@ global: | gitops-operator.env.<<[0].OTEL_TRACES_SAMPLER | string | `"parentbased_always_on"` | OTel sampler to be used for traces. Ref: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/ | | gitops-operator.env.GITOPS_OPERATOR_VERSION | string | `"0.11.1"` | | | gitops-operator.fullnameOverride | string | `""` | | -| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"main-78571af"}` | GitOps operator image | +| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"b9725cd"}` | GitOps operator image | | gitops-operator.imagePullSecrets | list | `[]` | | | gitops-operator.nameOverride | string | `""` | | | gitops-operator.nodeSelector | object | `{}` | | 
@@ -681,7 +681,7 @@ global: | global.codefresh.userToken | object | `{"secretKeyRef":{},"token":""}` | User token. Used for runtime registration against the patform. One of token (for plain text value) or secretKeyRef must be provided. | | global.codefresh.userToken.secretKeyRef | object | `{}` | User token that references an existing secret containing the token. | | global.codefresh.userToken.token | string | `""` | User token in plain text. The chart creates and manages the secret for this token. | -| global.event-reporters | object | `{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"7b43e16"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | +| global.event-reporters | object | 
`{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"9542ac9"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | | global.httpProxy | string | `""` | global HTTP_PROXY for all components | | global.httpsProxy | string | `""` | global HTTPS_PROXY for all components | | global.imageRegistry | string | `""` | | diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index cb686e778..30a2b6cb9 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -136,7 +136,7 @@ global: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: 7b43e16 + tag: "3190219" nodeSelector: {} tolerations: [] affinity: {} @@ -459,14 +459,14 @@ app-proxy: tag: 1.1.25-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4074.0 + tag: 1.4077.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4074.0 + tag: 1.4077.0 pullPolicy: IfNotPresent command: - ./init.sh 
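Review bot: The `cf-argocd-extras` tag set for `global.event-reporters` in the `@@ -136,7` hunk is `"3190219"`, but the README rows changed in this same commit document `9542ac9`; the `argo-gateway` hunk (`@@ -679,7`) has the same mismatch, and the `gitops-operator` hunk (`@@ -647,7`) sets `b9540c4` while the README says `b9725cd`. Because this commit exists to ship CVE fixes, a reader of the README cannot tell which build actually carries them, so the values and the generated README should be reconciled; the commit is marked as a cherry-pick, so the README text may have come from another branch, which needs confirming. Quoting the all-digit tag is correct, since an unquoted `3190219` would be parsed as an integer. Pinning these images by digest as well as tag would make the fixed build verifiable, though whether the chart templates accept a digest is not visible here.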
@@ -647,7 +647,7 @@ gitops-operator: image: registry: quay.io repository: codefresh/codefresh-gitops-operator - tag: main-78571af + tag: b9540c4 env: !!merge <<: - *otel-config @@ -679,7 +679,7 @@ argo-gateway: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: 7b43e16 + tag: "3190219" nodeSelector: {} tolerations: [] affinity: {} diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile index 84818e1a1..f35fe9f4c 100644 --- a/installer-image/Dockerfile +++ b/installer-image/Dockerfile @@ -2,7 +2,7 @@ FROM octopusdeploy/dhi-golang:1.25-debian13-dev AS build ARG TARGETARCH -ARG CF_CLI_VERSION=v1.0.1 +ARG CF_CLI_VERSION=v1.0.2 RUN go install github.com/davidrjonas/semver-cli@latest \ && cp $GOPATH/bin/semver-cli /tmp/semver-cli ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefresh-io/cli-v2/releases/download/${CF_CLI_VERSION}/cf-linux-${TARGETARCH}.tar.gz /tmp/cf/ From 5ae9cf8e77b75c770468029c880dc8ccc549de33 Mon Sep 17 00:00:00 2001 From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Thu, 2 Apr 2026 21:28:16 +0300 Subject: [PATCH 09/47] prepare-version(0.29.2): prepare chart content for release (#1151) --- charts/gitops-runtime/Chart.yaml | 7 ++++--- charts/gitops-runtime/README.md | 12 ++++++------ 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 1ed4b8ab1..1bfb67bb8 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
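Review bot: The bumped `CF_CLI_VERSION=v1.0.2` feeds the `ADD --unpack=true ... https://github.com/codefresh-io/cli-v2/releases/download/${CF_CLI_VERSION}/cf-linux-${TARGETARCH}.tar.gz` line below it, and that download has no integrity check, so the image trusts whatever the release URL serves at build time. With the version fixed, the line could carry a pinned hash such as `ADD --checksum=sha256:<SHA256_OF_RELEASE_TARBALL> --unpack=true ...`, provided the Dockerfile frontend in use accepts both flags together; because `${TARGETARCH}` is in the URL, one checksum per architecture is needed. The context line `go install github.com/davidrjonas/semver-cli@latest` is also unpinned, and a fixed version there would keep the build reproducible. The Dockerfile continues outside this hunk.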
@@ -13,11 +13,12 @@ maintainers: url: https://codefresh-io.github.io/ annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" + artifacthub.io/containsSecurityUpdates: true artifacthub.io/changes: |- - - kind: changed - description: 'update alpine/kubectl to 1.35.3' - kind: security - description: 'fix various security vulnerabilities in argo-workflows' + description: 'fix various security vulnerabilities in argo-workflows, cap-app-proxy, cf-argocd-extras, codefresh-gitops-operator, gitops-runtime-installer' + - kind: changed + description: 'update argocd to 3.3.6, dex to 2.45.1' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 36db5d52b..73ba3dbe2 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.1](https://img.shields.io/badge/Version-0.29.1-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.2](https://img.shields.io/badge/Version-0.29.2-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -193,7 +193,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.1 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.2 ``` `output_dir` - is a local directory where the utility will output files.
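Review bot: The added `artifacthub.io/containsSecurityUpdates: true` in the Chart.yaml annotations is an unquoted YAML boolean, whereas chart annotations are a string-to-string map and the neighbouring `alternativeName` value is quoted. Depending on the parser, the value is either rejected or coerced, so the security flag may not reach consumers as intended. Quote it: `artifacthub.io/containsSecurityUpdates: "true"`.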
`local_registry` - is your local registry where you want to mirror the images to @@ -206,7 +206,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.1 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.2 ``` ## Openshift 
@@ -589,7 +589,7 @@ global: | argo-cd.redis-ha.image.tag | string | `"8.2.2-alpine"` | Redis tag | | argo-cd.redis.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository | | argo-cd.redis.image.tag | string | `"8.2.2-alpine"` | Redis tag | -| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"9542ac9"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD from Codefresh platform | +| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"3190219"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD 
from Codefresh platform | | argo-workflows.crds.install | bool | `true` | Install and upgrade CRDs | | argo-workflows.enabled | bool | `true` | | | argo-workflows.executor.resources.requests.ephemeral-storage | string | `"10Mi"` | | @@ -651,7 +651,7 @@ global: | gitops-operator.env.<<[0].OTEL_TRACES_SAMPLER | string | `"parentbased_always_on"` | OTel sampler to be used for traces. Ref: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/ | | gitops-operator.env.GITOPS_OPERATOR_VERSION | string | `"0.11.1"` | | | gitops-operator.fullnameOverride | string | `""` | | -| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"b9725cd"}` | GitOps operator image | +| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"b9540c4"}` | GitOps operator image | | gitops-operator.imagePullSecrets | list | `[]` | | | gitops-operator.nameOverride | string | `""` | | | gitops-operator.nodeSelector | object | `{}` | | 
@@ -681,7 +681,7 @@ global: | global.codefresh.userToken | object | `{"secretKeyRef":{},"token":""}` | User token. Used for runtime registration against the patform. One of token (for plain text value) or secretKeyRef must be provided. | | global.codefresh.userToken.secretKeyRef | object | `{}` | User token that references an existing secret containing the token. | | global.codefresh.userToken.token | string | `""` | User token in plain text. The chart creates and manages the secret for this token. | -| global.event-reporters | object | `{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"9542ac9"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | +| global.event-reporters | object | 
`{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"3190219"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | | global.httpProxy | string | `""` | global HTTP_PROXY for all components | | global.httpsProxy | string | `""` | global HTTPS_PROXY for all components | | global.imageRegistry | string | `""` | | From 54100a499a28dced3f100fef29f728f8fe49d1eb Mon Sep 17 00:00:00 2001 From: Andrii Shaforostov Date: Fri, 10 Apr 2026 20:18:53 +0300 Subject: [PATCH 10/47] chore: security fix (#1163) * CVE-2026-34165, CVE-2026-25934, CVE-2026-33762 (github.com/go-git/go-git/v5) fix high vulnerabilities in glibc, dpkg * CI Automatic commit - align Chart version --------- Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/values.yaml | 4 ++-- installer-image/Dockerfile | 5 +++-- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 1bfb67bb8..95d9c59bb 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.2 +version: 0.29.3 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 30a2b6cb9..c24ea8926 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -136,7 +136,7 @@ global: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "3190219" + tag: "06801ec" nodeSelector: {} tolerations: [] affinity: {} @@ -679,7 +679,7 @@ argo-gateway: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "3190219" + tag: "06801ec" nodeSelector: {} tolerations: [] affinity: {} diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile index f35fe9f4c..26a431a5b 100644 --- a/installer-image/Dockerfile +++ b/installer-image/Dockerfile @@ -1,6 +1,7 @@ # syntax=docker/dockerfile:1 -FROM octopusdeploy/dhi-golang:1.25-debian13-dev AS build +# DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-golang/tags/1.25-debian13-dev +FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:b2c03c829a4df4f724712501d18321e46a2ac770377f0b6e2f383bc9d02b99d3 AS build ARG TARGETARCH ARG CF_CLI_VERSION=v1.0.2 RUN go install github.com/davidrjonas/semver-cli@latest \ 
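Review bot: The build base image is now pinned by digest, but the `RUN go install github.com/davidrjonas/semver-cli@latest` line kept as context in the first Dockerfile hunk still resolves to whatever is newest at build time. The resulting binary is copied into the production stage by the `COPY --from=build … /tmp/semver-cli` line shown in the following hunk. Pin it to a reviewed release, e.g. `RUN go install github.com/davidrjonas/semver-cli@<PINNED_VERSION> \`, so a floating dependency does not undo the digest pin. The same line also appears as context in the earlier `CF_CLI_VERSION` hunk, and the RUN instruction continues past the end of this one.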
@@ -9,7 +10,7 @@ ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefre # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-debian-base/customizations/8106437942896324135 -FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:e72836b4e4c408f04caf8ac6e34824d90e192b7cecedab9aeed647e14d0cd599 AS production +FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:ab35aedc53ad95d3a95094d6f2c9d052c2cdb43b605ce1f9a4ea677911373b99 AS production ARG TARGETARCH COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/cf/cf-linux-${TARGETARCH} /usr/local/bin/cf COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/semver-cli /usr/local/bin/semver-cli From d499a7d600e5dd74ec57f2d5cfa5bcf37bccf583 Mon Sep 17 00:00:00 2001 From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 21:10:08 +0300 Subject: [PATCH 11/47] prepare-version(0.29.3): prepare chart content for release (#1164) * Update Chart.yaml and changelog for 0.29.3 release --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: andrii-codefresh --- charts/gitops-runtime/Chart.yaml | 4 +--- charts/gitops-runtime/README.md | 10 +++++----- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 95d9c59bb..8a1894e12 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -16,9 +16,7 @@ annotations: artifacthub.io/containsSecurityUpdates: true artifacthub.io/changes: |- - kind: security - description: 'fix various security vulnerabilities in argo-workflows, cap-app-proxy, cf-argocd-extras, codefresh-gitops-operator, gitops-runtime-installer' - - kind: changed - description: 'update argocd to 3.3.6, dex to 2.45.1' + description: 'fix various security vulnerabilities in cf-argocd-extras, gitops-runtime-installer' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 73ba3dbe2..0877548fa 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.2](https://img.shields.io/badge/Version-0.29.2-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.3](https://img.shields.io/badge/Version-0.29.3-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -193,7 +193,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.2 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.3 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -206,7 +206,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.2 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.3 ``` ## Openshift 
@@ -589,7 +589,7 @@ global: | argo-cd.redis-ha.image.tag | string | `"8.2.2-alpine"` | Redis tag | | argo-cd.redis.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository | | argo-cd.redis.image.tag | string | `"8.2.2-alpine"` | Redis tag | -| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"3190219"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD from Codefresh platform | +| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"06801ec"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD 
from Codefresh platform | | argo-workflows.crds.install | bool | `true` | Install and upgrade CRDs | | argo-workflows.enabled | bool | `true` | | | argo-workflows.executor.resources.requests.ephemeral-storage | string | `"10Mi"` | | 
@@ -681,7 +681,7 @@ global: | global.codefresh.userToken | object | `{"secretKeyRef":{},"token":""}` | User token. Used for runtime registration against the patform. One of token (for plain text value) or secretKeyRef must be provided. | | global.codefresh.userToken.secretKeyRef | object | `{}` | User token that references an existing secret containing the token. | | global.codefresh.userToken.token | string | `""` | User token in plain text. The chart creates and manages the secret for this token. | -| global.event-reporters | object | `{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"3190219"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | +| global.event-reporters | object | 
`{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"06801ec"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | | global.httpProxy | string | `""` | global HTTP_PROXY for all components | | global.httpsProxy | string | `""` | global HTTPS_PROXY for all components | | global.imageRegistry | string | `""` | | From a1887fadb75815e895a7e67cea6fadc84c03fa5e Mon Sep 17 00:00:00 2001 
From: Scott Merchant Date: Mon, 13 Apr 2026 16:55:31 +0200 Subject: [PATCH 12/47] [Backport 0.29] chore: Apply CVE fixes on new main (tip of stable/0.26) (#1165) (#1166) * chore: Apply CVE fixes on new main (tip of stable/0.26) (#1165) * [gitops-operator]chore: Apply CVE fixes on new main (tip of stable/0.26) * re-enable component test * update restrictedgitsources crd --------- Co-authored-by: codefresh-v2-pipelines[bot] <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Co-authored-by: scme0 * trigger * trigger * CI Automatic commit - align Chart version --------- Co-authored-by: codefresh-v2-pipelines[bot] <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Co-authored-by: cf-ci-bot-v2 --- .github/workflows/component-test.yaml | 1 - charts/gitops-runtime/Chart.yaml | 2 +- .../crds/restrictedgitsources.yaml | 29 +++++++++++++++++++ charts/gitops-runtime/values.yaml | 2 +- 4 files changed, 31 insertions(+), 3 deletions(-) diff --git a/.github/workflows/component-test.yaml b/.github/workflows/component-test.yaml index 7a9a134a5..2b97bfeb1 100644 --- a/.github/workflows/component-test.yaml +++ b/.github/workflows/component-test.yaml @@ -15,7 +15,6 @@ on: jobs: component-test: - if : false # temporarily disable component tests runs-on: ubuntu-latest env: diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 8a1894e12..d73ce5b9e 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.3 +version: 0.29.4 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: 
diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/crds/restrictedgitsources.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/crds/restrictedgitsources.yaml index 395e09520..bb0c5f590 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/crds/restrictedgitsources.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/crds/restrictedgitsources.yaml @@ -286,6 +286,14 @@ spec: description: SkipCrds skips custom resource definition installation step (Helm's --skip-crds) type: boolean + skipSchemaValidation: + description: SkipSchemaValidation skips JSON schema validation + (Helm's --skip-schema-validation) + type: boolean + skipTests: + description: SkipTests skips test manifest installation step + (Helm's --skip-tests). + type: boolean valueFiles: description: ValuesFiles is a list of Helm value files to use when generating a template @@ -348,6 +356,11 @@ spec: description: ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps type: boolean + ignoreMissingComponents: + description: IgnoreMissingComponents prevents kustomize from + failing when components do not exist locally by not appending + them to kustomization file + type: boolean images: description: Images is a list of Kustomize image override specifications @@ -361,6 +374,10 @@ spec: KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD uses the Kubernetes version of the target cluster. type: string + labelIncludeTemplates: + description: LabelIncludeTemplates specifies whether to apply + common labels to resource templates or not + type: boolean labelWithoutSelector: description: LabelWithoutSelector specifies whether to apply common labels to resource selectors or not 
@@ -432,6 +449,10 @@ spec: use for rendering manifests type: string type: object + name: + description: Name is used to refer to a source and is displayed + in the UI. It is used in multi-source Applications. + type: string path: description: Path is a directory path within the Git repository, and is only valid for applications sourced from Git. @@ -519,6 +540,10 @@ spec: description: 'AllowEmpty allows apps have zero live resources (default: false)' type: boolean + enabled: + description: Enable allows apps to explicitly control automated + sync + type: boolean prune: description: 'Prune specifies whether to delete resources from the cluster that are not found in the sources anymore @@ -570,6 +595,10 @@ spec: a failed sync. If set to 0, no retries will be performed. format: int64 type: integer + refresh: + description: 'Refresh indicates if the latest revision should + be used on retry instead of the initial one (default: false)' + type: boolean type: object syncOptions: description: Options allow you to specify whole app sync-options diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index c24ea8926..1f1dbc1a1 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -647,7 +647,7 @@ gitops-operator: image: registry: quay.io repository: codefresh/codefresh-gitops-operator - tag: b9540c4 + tag: bc5c4eb env: !!merge <<: - *otel-config From e7b9dac94b513e276fd6671584c4e6901a66a3ec Mon Sep 17 00:00:00 2001 
From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Tue, 14 Apr 2026 15:14:13 +0200 Subject: [PATCH 13/47] prepare-version(0.29.4): prepare chart content for release (#1167) * Update Chart.yaml and changelog for 0.29.4 release * Update Chart.yaml with security fix description --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: Scott Merchant --- charts/gitops-runtime/Chart.yaml | 4 ++-- charts/gitops-runtime/README.md | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index d73ce5b9e..a2a60be5f 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -15,8 +15,8 @@ annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" artifacthub.io/containsSecurityUpdates: true artifacthub.io/changes: |- - - kind: security - description: 'fix various security vulnerabilities in cf-argocd-extras, gitops-runtime-installer' + - kind: changed + description: 'fix: restore functionality and apply security fixes to the Gitops Operator(#1166)' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 0877548fa..6e6bb34a4 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.3](https://img.shields.io/badge/Version-0.29.3-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.4](https://img.shields.io/badge/Version-0.29.4-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content 
@@ -193,7 +193,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.3 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.4 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -206,7 +206,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.3 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.4 ``` ## Openshift @@ -651,7 +651,7 @@ global: | gitops-operator.env.<<[0].OTEL_TRACES_SAMPLER | string | `"parentbased_always_on"` | OTel sampler to be used for traces. Ref: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/ | | gitops-operator.env.GITOPS_OPERATOR_VERSION | string | `"0.11.1"` | | | gitops-operator.fullnameOverride | string | `""` | | -| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"b9540c4"}` | GitOps operator image | +| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"bc5c4eb"}` | GitOps operator image | | gitops-operator.imagePullSecrets | list | `[]` | | | gitops-operator.nameOverride | string | `""` | | | gitops-operator.nodeSelector | object | `{}` | | From 6389ef679d0e5add72511c3b8e68c315cefe1839 Mon Sep 17 00:00:00 2001 From: vadim-kharin-codefresh Date: Wed, 15 Apr 2026 14:32:08 +0300 Subject: [PATCH 14/47] chore: Update cap-app-proxy to 1.4081.0 with non-root user (#1159) * chore: Update cap-app-proxy to 1.4081.0 * CI Automatic commit - align Chart version * CI Automatic commit - align Chart version --------- Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index a2a60be5f..82ee2e2a4 100644 
--- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.4 +version: 0.29.5 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 1f1dbc1a1..c43ef8f33 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -459,14 +459,14 @@ app-proxy: tag: 1.1.25-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4077.0 + tag: 1.4081.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4077.0 + tag: 1.4081.0 pullPolicy: IfNotPresent command: - ./init.sh From f9c183295abf71034bdd15b9c1905bd5eaf654ae Mon Sep 17 00:00:00 2001 From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 18:06:49 +0300 Subject: [PATCH 15/47] prepare-version(0.29.4): prepare chart content for release (#1169) * Update Chart.yaml and changelog for 0.29.4 release * add extra change to artifacthub changes annotation * update changelog * Update charts/gitops-runtime/Chart.yaml Co-authored-by: Zhenya Tikhonov * update artifacthub.io/changes annotation as per review comments. --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: scme0 Co-authored-by: Vadim Kharin Co-authored-by: Zhenya Tikhonov --- charts/gitops-runtime/Chart.yaml | 12 ++++++++++-- charts/gitops-runtime/README.md | 4 ++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 82ee2e2a4..63a27966c 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
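Review bot: The commit title promises a non-root `cap-app-proxy`, but the values.yaml hunk only moves the two image tags to `1.4081.0`. The guarantee therefore rests on the image's own user setting, and nothing visible here makes the chart enforce it. If the app-proxy values expose a security context (not visible in this hunk), setting `runAsNonRoot: true` there would stop a later image that reverts to root from starting. It is also worth confirming that the `cap-app-proxy-init` image bumped in the same hunk runs as non-root.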
@@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.5 +version: 0.29.4 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: @@ -16,7 +16,15 @@ annotations: artifacthub.io/containsSecurityUpdates: true artifacthub.io/changes: |- - kind: changed - description: 'fix: restore functionality and apply security fixes to the Gitops Operator(#1166)' + description: 'update "gitops-operator" to bc5c4eb' + - kind: changed + description: 'update "cap-app-proxy" to 1.4081.0' + - kind: fixed + description: 'fix Promotions functionality broken since Chart v0.27' + - kind: security + description: 'execute "cap-app-proxy" with non-root user' + - kind: security + description: 'fix various CVE in different components' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 6e6bb34a4..e42bcbd0e 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
@@ -511,14 +511,14 @@ global: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.4077.0"` | | +| app-proxy.image.tag | string | `"1.4081.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.4077.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.4081.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | From ace2bc5d2a0f00a0e7b3b97b15a31d32bb9baa1e Mon Sep 17 00:00:00 2001 From: vitalii-codefresh Date: Mon, 20 Apr 2026 18:48:19 +0300 Subject: [PATCH 16/47] chore: bump image tags to 1.1.26-main of enrichers (#1173) --- charts/gitops-runtime/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index c43ef8f33..68f136b0f 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml 
@@ -446,17 +446,17 @@ app-proxy: reportImage: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-report-image-info - tag: 1.1.25-main + tag: 1.1.26-main # Git enrichment task image gitEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info - tag: 1.1.25-main + tag: 1.1.26-main # Jira enrichment task image jiraEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info - tag: 1.1.25-main + tag: 1.1.26-main image: repository: quay.io/codefresh/cap-app-proxy tag: 1.4081.0 From 0f38b2a0c71a57256874feb51a7fbd7dad7e0335 Mon Sep 17 00:00:00 2001 From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Mon, 20 Apr 2026 21:46:59 +0300 Subject: [PATCH 17/47] Update Chart.yaml and changelog for 0.29.5 release (#1175) Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 12 ++---------- charts/gitops-runtime/README.md | 14 +++++++------- 2 files changed, 9 insertions(+), 17 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 63a27966c..cf7d76deb 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.4 +version: 0.29.5 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: 
@@ -16,15 +16,7 @@ annotations: artifacthub.io/containsSecurityUpdates: true artifacthub.io/changes: |- - kind: changed - description: 'update "gitops-operator" to bc5c4eb' - - kind: changed - description: 'update "cap-app-proxy" to 1.4081.0' - - kind: fixed - description: 'fix Promotions functionality broken since Chart v0.27' - - kind: security - description: 'execute "cap-app-proxy" with non-root user' - - kind: security - description: 'fix various CVE in different components' + description: 'chore: bump image tags to 1.1.26-main of enrichers (#1173)' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index e42bcbd0e..eb63c408d 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.4](https://img.shields.io/badge/Version-0.29.4-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.5](https://img.shields.io/badge/Version-0.29.5-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -193,7 +193,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.4 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.5 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -206,7 +206,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.4 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.5 ``` ## Openshift 
@@ -494,13 +494,13 @@ global: | app-proxy.extraVolumeMounts | list | `[]` | Extra volume mounts for main container | | app-proxy.extraVolumes | list | `[]` | extra volumes | | app-proxy.fullnameOverride | string | `"cap-app-proxy"` | | -| app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.25-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.25-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | -| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.25-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.25-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | +| app-proxy.image-enrichment | object | 
`{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.26-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.26-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | +| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.26-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.26-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | | app-proxy.image-enrichment.config.clientHeartbeatIntervalInSeconds | int | `5` | Client heartbeat interval in seconds for image enrichemnt workflow | | app-proxy.image-enrichment.config.concurrencyCmKey | string | `"imageReportExecutor"` | The name of the key in the configmap to use as synchronization semaphore | | app-proxy.image-enrichment.config.concurrencyCmName | string | 
`"workflow-synchronization-semaphores"` | The name of the configmap to use as synchronization semaphore, see https://argoproj.github.io/argo-workflows/synchronization/ | -| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.25-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.25-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}}` | Enrichemnt images | -| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.25-main"}` | Report image enrichment task image | +| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.26-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.26-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}}` | Enrichemnt images | +| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}` | Report image enrichment task image | | app-proxy.image-enrichment.config.podGcStrategy | string | `"OnWorkflowCompletion"` | Pod grabage collection strategy. By default all pods will be deleted when the enrichment workflow completes. 
| | app-proxy.image-enrichment.config.ttlActiveInSeconds | int | `900` | Maximum allowed runtime for the enrichment workflow | | app-proxy.image-enrichment.config.ttlAfterCompletionInSeconds | int | `86400` | Number of seconds to live after completion | From 40bd61505eb08ea848dfd93ebe5b652b6d0074a9 Mon Sep 17 00:00:00 2001 From: Andrii Shaforostov Date: Wed, 22 Apr 2026 10:28:55 +0300 Subject: [PATCH 18/47] chore: update cap-app-proxy to 1.4085.0 (#1177) * chore: update cap-app-proxy to 1.4085.0 * helm-docs --- charts/gitops-runtime/Chart.yaml | 4 ++-- charts/gitops-runtime/README.md | 10 +++++----- charts/gitops-runtime/values.yaml | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index cf7d76deb..4f575c965 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.5 +version: 0.29.6 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: @@ -16,7 +16,7 @@ annotations: artifacthub.io/containsSecurityUpdates: true artifacthub.io/changes: |- - kind: changed - description: 'chore: bump image tags to 1.1.26-main of enrichers (#1173)' + description: 'chore: update cap-app-proxy to 1.4085.0' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index eb63c408d..57040713c 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
@@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.5](https://img.shields.io/badge/Version-0.29.5-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.6](https://img.shields.io/badge/Version-0.29.6-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -193,7 +193,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.5 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.6 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -206,7 +206,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.5 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.6 ``` ## Openshift @@ -511,14 +511,14 @@ global: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.4081.0"` | | +| app-proxy.image.tag | string | `"1.4085.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.4081.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.4085.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 68f136b0f..5bd990370 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml 
@@ -459,14 +459,14 @@ app-proxy: tag: 1.1.26-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4081.0 + tag: 1.4085.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4081.0 + tag: 1.4085.0 pullPolicy: IfNotPresent command: - ./init.sh From 43c05b8947cceef1248f9ff8cb6723aeb058eaab Mon Sep 17 00:00:00 2001 From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Wed, 22 Apr 2026 11:45:41 +0300 Subject: [PATCH 19/47] Update Chart.yaml and changelog for 0.29.6 release (#1178) Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 4f575c965..ffa7e924c 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -16,7 +16,7 @@ annotations: artifacthub.io/containsSecurityUpdates: true artifacthub.io/changes: |- - kind: changed - description: 'chore: update cap-app-proxy to 1.4085.0' + description: 'chore: update cap-app-proxy to 1.4085.0 (#1177)' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm From 1d4e62b8a3c36f666198912a1fc3d4798047b5c0 Mon Sep 17 00:00:00 2001 From: Zhenya Tikhonov Date: Wed, 29 Apr 2026 18:25:04 +0400 Subject: [PATCH 20/47] docs(0.29): document ArgoCD compatibility (#1183) * docs: document ArgoCD compatibility Co-authored-by: Copilot * docs: regenerate Readme * doc: fix TOC Co-authored-by: Copilot * CI Automatic commit - align Chart version --------- Co-authored-by: Copilot Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/README.md | 14 +++++++++++++- charts/gitops-runtime/README.md.gotmpl | 12 ++++++++++++ 3 files changed, 26 insertions(+), 2 deletions(-) 
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index ffa7e924c..e15b1e104 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.6 +version: 0.29.7 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 57040713c..f6792169b 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -8,6 +8,7 @@ - [Codefresh official documentation](#codefresh-official-documentation) - [Argo-workflows artifact and log storage](#argo-workflows-artifact-and-log-storage) - [Installation with External ArgoCD](#installation-with-external-argocd) + - [ArgoCD compatibility](#argocd-compatibility) - [Using with private registries - Helper utility](#using-with-private-registries---helper-utility) - [Openshift](#openshift) - [High Availability](#high-availability) @@ -182,6 +183,17 @@ data: admin.enabled: "true" ``` +### ArgoCD compatibility + +| GitOps Runtime version | Supported ArgoCD versions | +|------------------------|---------------------------| +| 0.29.x | >=3.1 <=3.3 | +| 0.28.x | >=3.0 <=3.2 | +| 0.27.x | >=3.0 <=3.2 | +| 0.26.x | >=3.0 <=3.2 | +| 0.25.x | >=2.12 <=3.0 | +| 0.24.x | >=2.12 <=3.0 | + ## Using with private registries - Helper utility The GitOps Runtime comprises multiple subcharts and container images. Subcharts also vary in values structure, making it difficult to override image specific values to use private registries. We have created a helper utility to resolve this issue: 
@@ -779,7 +791,7 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | diff --git a/charts/gitops-runtime/README.md.gotmpl b/charts/gitops-runtime/README.md.gotmpl index 65a5f27a0..c7efc6e50 100644 --- a/charts/gitops-runtime/README.md.gotmpl +++ b/charts/gitops-runtime/README.md.gotmpl @@ -8,6 +8,7 @@ - [Codefresh official documentation](#codefresh-official-documentation) - [Argo-workflows artifact and log storage](#argo-workflows-artifact-and-log-storage) - [Installation with External ArgoCD](#installation-with-external-argocd) + - [ArgoCD compatibility](#argocd-compatibility) - [Using with private registries - Helper utility](#using-with-private-registries---helper-utility) - [Openshift](#openshift) - [High Availability](#high-availability) 
@@ -185,6 +186,17 @@ data: admin.enabled: "true" ``` +### ArgoCD compatibility + +| GitOps Runtime version | Supported ArgoCD versions | +|------------------------|---------------------------| +| 0.29.x | >=3.1 <=3.3 | +| 0.28.x | >=3.0 <=3.2 | +| 0.27.x | >=3.0 <=3.2 | +| 0.26.x | >=3.0 <=3.2 | +| 0.25.x | >=2.12 <=3.0 | +| 0.24.x | >=2.12 <=3.0 | + ## Using with private registries - Helper utility The GitOps Runtime comprises multiple subcharts and container images. Subcharts also vary in values structure, making it difficult to override image specific values to use private registries. We have created a helper utility to resolve this issue: From 726651a8a2d164fae71fce748ba006384e711e14 Mon Sep 17 00:00:00 2001 From: vadim-kharin-codefresh Date: Thu, 30 Apr 2026 13:39:52 +0300 Subject: [PATCH 21/47] chore: fix various security vulnerabilities in argo-workflows (#1185) --- charts/gitops-runtime/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index e15b1e104..c1c4d0da0 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -24,7 +24,7 @@ dependencies: version: 9.4.17 - name: argo-workflows repository: https://codefresh-io.github.io/argo-helm - version: 0.45.20-v3.6.7-cap-CR-36597 + version: 0.45.21-v3.6.7-cap-CR-38757 condition: argo-workflows.enabled - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ From 8be1e698137026e60fd86fff850c5d29d20fe57a Mon Sep 17 00:00:00 2001 
From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Fri, 1 May 2026 14:33:34 +0300 Subject: [PATCH 22/47] prepare-version(0.29.7): prepare chart content for release (#1184) * Update Chart.yaml and changelog for 0.29.7 release * ci: update release notes * Update Chart.yaml and changelog for 0.29.7 release * update changelog * update changelog * update changelog --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: Zhenya Tikhonov Co-authored-by: vadim-kharin-codefresh --- charts/gitops-runtime/Chart.yaml | 9 +++++++-- charts/gitops-runtime/README.md | 8 ++++---- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index c1c4d0da0..bda3ceddd 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -13,10 +13,15 @@ maintainers: url: https://codefresh-io.github.io/ annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" - artifacthub.io/containsSecurityUpdates: true + artifacthub.io/containsSecurityUpdates: "true" + # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: |- - kind: changed - description: 'chore: update cap-app-proxy to 1.4085.0 (#1177)' + description: 'update argo-workflows to 0.45.21-v3.6.7-cap-CR-38757' + - kind: security + description: 'fix various security vulnerabilities in argo-workflows' + - kind: changed + description: 'document ArgoCD compatibility with the Runtime' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index f6792169b..1b23859ac 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
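Review bot: The `security` entry added to `artifacthub.io/changes` in this Chart.yaml hunk ('fix various security vulnerabilities in argo-workflows') does not identify which advisories the argo-workflows bump covers. An operator reading the release on Artifact Hub therefore cannot match it against scanner findings or judge how urgently to upgrade. Artifact Hub change entries accept a `links` list, so the entry could carry a reference such as `links: [{name: "PR #1185", url: "<advisory-or-pull-request-URL>"}]`, or name the CVE ids in `description`. The same applies to the later 0.29.8 hunk, whose `security` entry reads 'chore: patch fix for a critical argo-cd vulnerability.'; a "critical" claim with no identifier is the one consumers most need to verify.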
@@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.6](https://img.shields.io/badge/Version-0.29.6-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.7](https://img.shields.io/badge/Version-0.29.7-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.6 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.7 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.6 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.7 ``` ## Openshift @@ -791,7 +791,7 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | From 903b78e99148fa685fb93b43560a55e4db9ca884 Mon Sep 17 00:00:00 2001 
From: alinashklyar Date: Sat, 2 May 2026 11:02:17 +0300 Subject: [PATCH 23/47] fix: upgrade argo-cd (#1187) * upgrade argo-cd * CI Automatic commit - align Chart version --------- Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index bda3ceddd..209cd9f7a 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.7 +version: 0.29.8 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: @@ -26,7 +26,7 @@ dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm condition: argo-cd.enabled - version: 9.4.17 + version: 9.5.11 - name: argo-workflows repository: https://codefresh-io.github.io/argo-helm version: 0.45.21-v3.6.7-cap-CR-38757 From 70276bd0020ee9029afa3a26293b9f606f8802a2 Mon Sep 17 00:00:00 2001 From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Sat, 2 May 2026 12:29:48 +0300 Subject: [PATCH 24/47] prepare-version(0.29.8): prepare chart content for release (#1188) * Update Chart.yaml and changelog for 0.29.8 release * prepare release notes; update docs * empty * empty * revert docs * add docs * update docs * empty --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: alinashklyar --- charts/gitops-runtime/Chart.yaml | 6 ++---- charts/gitops-runtime/README.md | 6 +++--- tests/component-tests/setup/fixture/simple-app/README.md | 2 +- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 209cd9f7a..9e3be48bf 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -17,11 +17,9 @@ annotations: # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: |- - kind: changed - description: 'update argo-workflows to 0.45.21-v3.6.7-cap-CR-38757' + description: 'chore: upgrade argo-cd to 9.5.11' - kind: security - description: 'fix various security vulnerabilities in argo-workflows' - - kind: changed - description: 'document ArgoCD compatibility with the Runtime' + description: 'chore: patch fix for a critical argo-cd vulnerability.' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 1b23859ac..ee228010b 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.7](https://img.shields.io/badge/Version-0.29.7-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.8](https://img.shields.io/badge/Version-0.29.8-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.7 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.8 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.7 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.8 ``` ## Openshift diff --git a/tests/component-tests/setup/fixture/simple-app/README.md b/tests/component-tests/setup/fixture/simple-app/README.md index 1ab4be19e..dfe0feb1d 100644 --- a/tests/component-tests/setup/fixture/simple-app/README.md +++ b/tests/component-tests/setup/fixture/simple-app/README.md @@ -52,4 +52,4 @@ A Helm chart for Kubernetes | volumes | list | `[]` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.9.1](https://github.com/norwoodj/helm-docs/releases/v1.9.1) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) From 4a92a2708c2ae02c417de301da0eca2b740c7c9d Mon Sep 17 00:00:00 2001 From: vadim-kharin-codefresh Date: Thu, 7 May 2026 16:45:59 +0300 Subject: [PATCH 25/47] chore: fix various security vulnerabilities (#1190) * chore: fix various security vulnerabilities * CI Automatic commit - align Chart version * update cap-app-proxy to 1.4091.0 --------- Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/README.md | 22 +++++++++++----------- charts/gitops-runtime/values.yaml | 12 ++++++------ 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 9e3be48bf..b05044932 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.8 +version: 0.29.9 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index ee228010b..740751c3d 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.8](https://img.shields.io/badge/Version-0.29.8-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.9](https://img.shields.io/badge/Version-0.29.9-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.8 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.9 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.8 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.9 ``` ## Openshift 
@@ -506,13 +506,13 @@ global: | app-proxy.extraVolumeMounts | list | `[]` | Extra volume mounts for main container | | app-proxy.extraVolumes | list | `[]` | extra volumes | | app-proxy.fullnameOverride | string | `"cap-app-proxy"` | | -| app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.26-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.26-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | -| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.26-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.26-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | +| app-proxy.image-enrichment | object | 
`{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.27-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.27-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | +| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.27-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.27-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | | app-proxy.image-enrichment.config.clientHeartbeatIntervalInSeconds | int | `5` | Client heartbeat interval in seconds for image enrichemnt workflow | | app-proxy.image-enrichment.config.concurrencyCmKey | string | `"imageReportExecutor"` | The name of the key in the configmap to use as synchronization semaphore | | app-proxy.image-enrichment.config.concurrencyCmName | string | 
`"workflow-synchronization-semaphores"` | The name of the configmap to use as synchronization semaphore, see https://argoproj.github.io/argo-workflows/synchronization/ | -| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.26-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.26-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}}` | Enrichemnt images | -| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.26-main"}` | Report image enrichment task image | +| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.27-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.27-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}}` | Enrichemnt images | +| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}` | Report image enrichment task image | | app-proxy.image-enrichment.config.podGcStrategy | string | `"OnWorkflowCompletion"` | Pod grabage collection strategy. By default all pods will be deleted when the enrichment workflow completes. 
| | app-proxy.image-enrichment.config.ttlActiveInSeconds | int | `900` | Maximum allowed runtime for the enrichment workflow | | app-proxy.image-enrichment.config.ttlAfterCompletionInSeconds | int | `86400` | Number of seconds to live after completion | @@ -523,14 +523,14 @@ global: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.4085.0"` | | +| app-proxy.image.tag | string | `"1.4091.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.4085.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.4091.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | 
@@ -791,12 +791,12 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | | redis-ha.topologySpreadConstraints.whenUnsatisfiable | string | `""` (defaults to `ScheduleAnyway`) | Enforcement policy, hard or soft | -| redis-secret-init | object | `{"affinity":{},"image":{"registry":"docker.io","repository":"alpine/kubectl","tag":"1.35.3"},"nodeSelector":{},"tolerations":[]}` | Enable hook job to create redis secret | +| redis-secret-init | object | `{"affinity":{},"image":{"registry":"docker.io","repository":"alpine/kubectl","tag":"1.35.4"},"nodeSelector":{},"tolerations":[]}` | Enable hook job to create redis secret | | redis.image | object | `{"registry":"public.ecr.aws","repository":"docker/library/redis","tag":"8.2.1-alpine"}` | Redis image | | 
redis.metrics | object | `{"enabled":true,"env":{},"envFrom":[],"image":{"registry":"ghcr.io","repository":"oliver006/redis_exporter","tag":"v1.72.1"},"livenessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"readinessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"resources":{},"serviceMonitor":{"enabled":false}}` | Enable metrics sidecar | | redis.metrics.serviceMonitor | object | `{"enabled":false}` | Enable a prometheus ServiceMonitor | diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 5bd990370..c6e988fc8 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -446,27 +446,27 @@ app-proxy: reportImage: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-report-image-info - tag: 1.1.26-main + tag: 1.1.27-main # Git enrichment task image gitEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info - tag: 1.1.26-main + tag: 1.1.27-main # Jira enrichment task image jiraEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info - tag: 1.1.26-main + tag: 1.1.27-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4085.0 + tag: 1.4091.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4085.0 + tag: 1.4091.0 pullPolicy: IfNotPresent command: - ./init.sh @@ -722,7 +722,7 @@ redis-secret-init: image: registry: docker.io repository: alpine/kubectl - tag: 1.35.3 + tag: 1.35.4 nodeSelector: {} tolerations: [] affinity: {} From 61da359f570aa8a5441ddc5f84b461584dd96629 Mon Sep 17 00:00:00 2001 
From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 18:49:02 +0300 Subject: [PATCH 26/47] prepare-version(0.29.9): prepare chart content for release (#1191) * Update Chart.yaml and changelog for 0.29.9 release * update changelog * update changelog --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: Vadim Kharin --- charts/gitops-runtime/Chart.yaml | 6 ++++-- charts/gitops-runtime/README.md | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index b05044932..0eea5a083 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -17,9 +17,11 @@ annotations: # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: |- - kind: changed - description: 'chore: upgrade argo-cd to 9.5.11' + description: 'update argo-hub codefresh-csdp plugins to 1.1.27' + - kind: changed + description: 'update cap-app-proxy to 1.4091.0' - kind: security - description: 'chore: patch fix for a critical argo-cd vulnerability.' + description: 'fix various security vulnerabilities in cap-app-proxy and argo-hub codefresh-csdp plugins' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 740751c3d..9c44387b9 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
@@ -791,7 +791,7 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | From 79fc68deb6f5ef8eb642c698b27d0f25bd457677 Mon Sep 17 00:00:00 2001 From: Vasil Sudakou <160465134+vasil-cf@users.noreply.github.com> Date: Fri, 8 May 2026 19:00:31 +0400 Subject: [PATCH 27/47] fix(cap-app-proxy): support arbitrary user IDs on OpenShift (#1193) * fix(cap-app-proxy): support arbitrary user IDs on OpenShift * CI Automatic commit - align Chart version --------- Co-authored-by: cf-ci-bot-v2 --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 0eea5a083..59f1e48d8 100644 
--- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.9 +version: 0.29.10 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index c6e988fc8..8094e10a8 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -459,14 +459,14 @@ app-proxy: tag: 1.1.27-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4091.0 + tag: 1.4092.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4091.0 + tag: 1.4092.0 pullPolicy: IfNotPresent command: - ./init.sh From 1803af9514a1159c0b67cc91b5bf09752f99f7a2 Mon Sep 17 00:00:00 2001 From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 21:41:01 +0300 Subject: [PATCH 28/47] prepare-version(0.29.10): prepare chart content for release (#1194) * Update Chart.yaml and changelog for 0.29.10 release * chore: update release notes & docs * chore: trigger pipelines * chore: update docs * chore: trigger pipelines --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: Vasil Sudakou --- charts/gitops-runtime/Chart.yaml | 10 +++------- charts/gitops-runtime/README.md | 10 +++++----- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 59f1e48d8..ce62b2250 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -13,15 +13,11 @@ maintainers: url: https://codefresh-io.github.io/ annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" - artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/containsSecurityUpdates: "false" # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: |- - - kind: changed - description: 'update argo-hub codefresh-csdp plugins to 1.1.27' - - kind: changed - description: 'update cap-app-proxy to 1.4091.0' - - kind: security - description: 'fix various security vulnerabilities in cap-app-proxy and argo-hub codefresh-csdp plugins' + - kind: fixed + description: 'cap-app-proxy: support arbitrary user IDs for OpenShift' dependencies: - name: argo-cd repository: https://argoproj.github.io/argo-helm diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 9c44387b9..10a183117 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.9](https://img.shields.io/badge/Version-0.29.9-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.10](https://img.shields.io/badge/Version-0.29.10-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.9 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.10 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.9 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.10 ``` ## Openshift @@ -523,14 +523,14 @@ global: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.4091.0"` | | +| app-proxy.image.tag | string | `"1.4092.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.4091.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.4092.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | From cb89d2a5c876b7f203e8c9c960ba9a414d96792a Mon Sep 17 00:00:00 2001 
From: mikhail-klimko Date: Wed, 13 May 2026 17:33:57 +0400 Subject: [PATCH 29/47] feat: move CI from argo workflows to classic builds (#1196) (#1198) --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/ci/argocd-values.yaml | 3 + .../ci/default-values-custom-tls.yaml | 62 ------------------- charts/gitops-runtime/ci/default-values.yaml | 15 ++--- .../gitops-runtime/ci/ingressless-values.yaml | 20 ------ .../ci/values-external-argocd.yaml | 26 ++++---- charts/gitops-runtime/ci/versions.json | 7 +++ installer-image/Dockerfile | 4 +- 8 files changed, 34 insertions(+), 105 deletions(-) create mode 100644 charts/gitops-runtime/ci/argocd-values.yaml delete mode 100644 charts/gitops-runtime/ci/default-values-custom-tls.yaml delete mode 100644 charts/gitops-runtime/ci/ingressless-values.yaml create mode 100644 charts/gitops-runtime/ci/versions.json diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index ce62b2250..c215599b4 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.10 +version: 0.29.11 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: diff --git a/charts/gitops-runtime/ci/argocd-values.yaml b/charts/gitops-runtime/ci/argocd-values.yaml new file mode 100644 index 000000000..9b2bc09a5 --- /dev/null +++ b/charts/gitops-runtime/ci/argocd-values.yaml @@ -0,0 +1,3 @@ +configs: + cm: + accounts.admin: apiKey,login diff --git a/charts/gitops-runtime/ci/default-values-custom-tls.yaml b/charts/gitops-runtime/ci/default-values-custom-tls.yaml deleted file mode 100644 index 271c3c5fd..000000000 --- a/charts/gitops-runtime/ci/default-values-custom-tls.yaml +++ /dev/null 
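Review bot: `accounts.admin: apiKey,login` in the new `ci/argocd-values.yaml` lets the built-in admin account issue API tokens, and the file has no comment limiting it to the CI cluster. Tokens generated for an account do not expire unless an expiry is requested, so a value copied from this file into a real install would leave a long-lived full-admin credential path. I would add `# CI only: allows the pipeline to generate an admin API token; never reuse outside throwaway test clusters` above the key. If the pipeline (not visible here) only needs a subset of operations, a dedicated entry such as `accounts.ci: apiKey` with a scoped RBAC policy would be the tighter option.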
@@ -1,62 +0,0 @@ -global: - codefresh: - accountId: 628a80b693a15c0f9c13ab75 # Codefresh Account id for ilia-codefresh for now, needs to be some test account - userToken: - secretKeyRef: - name: mysecret - key: myvalue - optional: true - tls: - # -- Custom CA certificates bundle for platform access with ssl - caCerts: - # -- Reference to existing secret - secretKeyRef: {} - # -- Chart managed secret for custom platform CA certificates - secret: - # -- Whether to create the secret. - create: true - # -- The secret key that holds the ca bundle - key: 'ca-bundle.crt' - # Annotations - annotations: {} - # Certificate content - content: | - -----BEGIN CERTIFICATE----- - MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB - gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk - MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY - UmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcx - NDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3 - dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2Vy - dmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB - dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS6 - 38eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCP - KZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt2W7Q - DxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4 - qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRa - JSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNVi - PvryxS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P - BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASs - jVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0 - eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQAD - ggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc/Kh4ZzXxHfAR - vbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt - 
qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLa - IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy - i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ - O+7ETPTsJ3xCwnR8gooJybQDJbw= - -----END CERTIFICATE----- - - runtime: - name: default - - ingress: - className: "nginx" - hosts: - - runtime.codefresh.local - - repoCredentialsTemplate: - url: 'https://github.com' - username: 'username' - password: 'dummy' - diff --git a/charts/gitops-runtime/ci/default-values.yaml b/charts/gitops-runtime/ci/default-values.yaml index fe91609da..ffb8e8ed5 100644 --- a/charts/gitops-runtime/ci/default-values.yaml +++ b/charts/gitops-runtime/ci/default-values.yaml @@ -1,20 +1,17 @@ global: codefresh: - accountId: 628a80b693a15c0f9c13ab75 # Codefresh Account id for ilia-codefresh for now, needs to be some test account + accountId: 63dbba4928d5fd1ef065b781 # `gitops-helm-test` Codefresh account (see "gitops-runtime-helm CI" note in 1Password) userToken: - secretKeyRef: - name: mysecret - key: myvalue - optional: true + token: "dummy" # set in `gitops-runtime-helm/ci` pipeline (see "gitops-runtime-helm CI" note in 1Password) runtime: - name: default - cluster: test-cluster + name: "dummy" # set in `gitops-runtime-helm/ci` pipeline ingress: - className: "nginx" + enabled: true + className: haproxy-ingress hosts: - - runtime.codefresh.local + - "runtime.example.com" # set in `gitops-runtime-helm/ci` pipeline repoCredentialsTemplate: url: 'https://github.com' diff --git a/charts/gitops-runtime/ci/ingressless-values.yaml b/charts/gitops-runtime/ci/ingressless-values.yaml deleted file mode 100644 index 55b9a1433..000000000 --- a/charts/gitops-runtime/ci/ingressless-values.yaml +++ /dev/null 
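Review bot: Replacing `userToken.secretKeyRef` with `token: "dummy"`, which the pipeline then overrides, means the real Codefresh user token is passed as a plain Helm value. It is then kept in the stored release values and, depending on how the pipeline supplies it (not visible here), may also appear on the command line or in CI logs. The `ci/values-external-argocd.yaml` hunk makes the same change. Keeping the reference and having the pipeline create the Secret before install avoids this: `secretKeyRef:` with `name: <ci-token-secret>` (placeholder) and `key: token`. If the inline value stays, the comment should at least say that the test-account token must be narrowly scoped and rotated.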
@@ -1,20 +0,0 @@ -global: - codefresh: - accountId: 628a80b693a15c0f9c13ab75 # Codefresh Account id for ilia-codefresh for now, needs to be some test account - userToken: - secretKeyRef: - name: mysecret - key: myvalue - optional: true - - runtime: - name: default - cluster: test-cluster - - ingress: - enabled: false - - repoCredentialsTemplate: - url: 'https://github.com' - username: 'username' - password: 'dummy' diff --git a/charts/gitops-runtime/ci/values-external-argocd.yaml b/charts/gitops-runtime/ci/values-external-argocd.yaml index 999933f4d..b3733176f 100644 --- a/charts/gitops-runtime/ci/values-external-argocd.yaml +++ b/charts/gitops-runtime/ci/values-external-argocd.yaml @@ -1,28 +1,30 @@ -# Values file used to render all image values global: codefresh: - accountId: 628a80b693a15c0f9c13ab75 # Codefresh Account id for ilia-codefresh for now, needs to be some test account - gitIntegration: - provider: - name: 'GITHUB' - apiUrl: 'https://api.github.com' + accountId: 63dbba4928d5fd1ef065b781 # `gitops-helm-test` Codefresh account userToken: - secretKeyRef: - name: mysecret - key: myvalue - optional: true + token: "dummy" # set in `gitops-runtime-helm/ci` pipeline runtime: - name: default + name: "dummy" # set in `gitops-runtime-helm/ci` pipeline ingress: - enabled: false + enabled: true + className: haproxy-ingress + hosts: + - "runtime.example.com" # set in `gitops-runtime-helm/ci` pipeline repoCredentialsTemplate: url: 'https://github.com' username: 'username' password: 'dummy' + integrations: + argo-cd: + server: + svc: argocd-server + repoServer: + svc: argocd-repo-server + argo-cd: enabled: false diff --git a/charts/gitops-runtime/ci/versions.json b/charts/gitops-runtime/ci/versions.json new file mode 100644 index 000000000..e1c1fd222 --- /dev/null +++ b/charts/gitops-runtime/ci/versions.json @@ -0,0 +1,7 @@ +[ + { + "argo-cd": { + "chartVersion": "8.0.0" + } + } +] 
diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile index 26a431a5b..362a39be4 100644 --- a/installer-image/Dockerfile +++ b/installer-image/Dockerfile @@ -6,6 +6,7 @@ ARG TARGETARCH ARG CF_CLI_VERSION=v1.0.2 RUN go install github.com/davidrjonas/semver-cli@latest \ && cp $GOPATH/bin/semver-cli /tmp/semver-cli +RUN apt-get update && apt-get install -y --no-install-recommends sed && rm -rf /var/lib/apt/lists/* ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefresh-io/cli-v2/releases/download/${CF_CLI_VERSION}/cf-linux-${TARGETARCH}.tar.gz /tmp/cf/ @@ -14,5 +15,6 @@ FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@s ARG TARGETARCH COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/cf/cf-linux-${TARGETARCH} /usr/local/bin/cf COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/semver-cli /usr/local/bin/semver-cli +COPY --from=build /usr/bin/sed /usr/bin/sed WORKDIR /home/codefresh -USER nonroot \ No newline at end of file +USER nonroot From c9bc07e81759ba7867954b873502cbc2d95824ae Mon Sep 17 00:00:00 2001 From: mikhail-klimko Date: Thu, 14 May 2026 18:14:37 +0400 Subject: [PATCH 30/47] feat: test promote (#1202) From 973b96ed567dd06ab541f1160759c31f8e5fa93b Mon Sep 17 00:00:00 2001 From: Mikhail Klimko Date: Thu, 14 May 2026 18:19:12 +0400 Subject: [PATCH 31/47] feat: add imagePullSecrets to CI --- charts/gitops-runtime/ci/default-values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/charts/gitops-runtime/ci/default-values.yaml b/charts/gitops-runtime/ci/default-values.yaml index ffb8e8ed5..49304de3b 100644 --- a/charts/gitops-runtime/ci/default-values.yaml +++ b/charts/gitops-runtime/ci/default-values.yaml @@ -1,4 +1,6 @@ global: + imagePullSecrets: + - name: dockerhub-creds codefresh: accountId: 63dbba4928d5fd1ef065b781 # `gitops-helm-test` Codefresh account (see "gitops-runtime-helm CI" note in 1Password) userToken: 
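Review bot: `COPY --from=build /usr/bin/sed /usr/bin/sed` (second hunk) copies a lone binary from the build stage, whose base image is not visible here, into the digest-pinned runtime base, and nothing checks that it can run there. On Debian sed is normally dynamically linked, so it relies on the runtime image shipping compatible shared libraries. Because the file arrives without package metadata, scanners that read the dpkg database will likely not report it. The `apt-get install ... sed` in the first hunk is also unversioned, so the copied binary changes with whatever the build base resolves. A build-time smoke test right after the COPY would catch a broken copy, `RUN ["/usr/bin/sed", "--version"]`, and a base-image variant that already includes sed would keep the tool under the image's own patch tracking.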
@@ -17,3 +19,7 @@ global: url: 'https://github.com' username: 'username' password: 'dummy' + +internal-router: + imagePullSecrets: + - name: dockerhub-creds From b51ac1d8b8edeffcc4cc3bdf1f7c0a3e21a53231 Mon Sep 17 00:00:00 2001 From: mikhail-klimko Date: Thu, 14 May 2026 22:55:17 +0400 Subject: [PATCH 32/47] feat: test release-branch-updated pipeline (#1204) From 6bc2bcb2713ee70b3faeca6148147753ceaff4b3 Mon Sep 17 00:00:00 2001 From: vadim-kharin-codefresh Date: Fri, 15 May 2026 14:30:24 +0300 Subject: [PATCH 33/47] chore: fix various security vulnerabilities in argo-cd, argo-workflows, cap-app-proxy, cf-argocd-extras, codefresh-gitops-operator, gitops-runtime-installer (#1206) * chore: fix various security vulnerabilities in argo-workflows, cap-app-proxy, cf-argocd-extras, codefresh-gitops-operator, gitops-runtime-installer * update argocd to v3.3.10 * update Chart.yaml --- charts/gitops-runtime/Chart.yaml | 4 +++- charts/gitops-runtime/values.yaml | 13 ++++++++----- installer-image/Dockerfile | 6 +++--- 3 files changed, 14 insertions(+), 9 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index c215599b4..89f4d736b 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -19,13 +19,15 @@ annotations: - kind: fixed description: 'cap-app-proxy: support arbitrary user IDs for OpenShift' dependencies: + # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version. + # Don't forget to remove the image override after updating to a new version of the chart. - name: argo-cd repository: https://argoproj.github.io/argo-helm condition: argo-cd.enabled version: 9.5.11 - name: argo-workflows repository: https://codefresh-io.github.io/argo-helm - version: 0.45.21-v3.6.7-cap-CR-38757 + version: 0.45.22-v3.6.7-cap-CR-39681 condition: argo-workflows.enabled - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ 
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 8094e10a8..b41229c3e 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -136,7 +136,7 @@ global: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "06801ec" + tag: "7d96f83" nodeSelector: {} tolerations: [] affinity: {} @@ -258,6 +258,9 @@ sealed-secrets: argo-cd: enabled: true fullnameOverride: argo-cd + global: + image: + tag: v3.3.10 notifications: enabled: false redis: @@ -459,14 +462,14 @@ app-proxy: tag: 1.1.27-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4092.0 + tag: 1.4093.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4092.0 + tag: 1.4093.0 pullPolicy: IfNotPresent command: - ./init.sh @@ -647,7 +650,7 @@ gitops-operator: image: registry: quay.io repository: codefresh/codefresh-gitops-operator - tag: bc5c4eb + tag: 79a7f3b env: !!merge <<: - *otel-config @@ -679,7 +682,7 @@ argo-gateway: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "06801ec" + tag: "7d96f83" nodeSelector: {} tolerations: [] affinity: {} diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile index 362a39be4..5e0e8e60d 100644 --- a/installer-image/Dockerfile +++ b/installer-image/Dockerfile 
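Review bot: The `argo-cd.global.image.tag: v3.3.10` override in the `@@ -258,6 +258,9 @@` hunk carries no comment, and the only reminder to remove it sits in Chart.yaml, where someone bumping the `argo-cd` dependency may not connect the two. With the tag forced, a later chart bump would keep running the 3.3.10 images against newer chart templates, and the image would stop following upstream security releases without anyone noticing. I would put the reminder on the override itself: `# TEMP: argo-helm has no chart for 3.3.10 yet; remove this tag override on the next argo-cd chart bump`. It is also worth confirming that the CRDs and RBAC shipped by chart 9.5.11 match what v3.3.10 expects, which this diff does not show.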
@@ -1,9 +1,9 @@ # syntax=docker/dockerfile:1 # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-golang/tags/1.25-debian13-dev -FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:b2c03c829a4df4f724712501d18321e46a2ac770377f0b6e2f383bc9d02b99d3 AS build +FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:6ab2431d046a2e21dbcbcb5111e94bec59650d302ec0ac34e696e7e44f708044 AS build ARG TARGETARCH -ARG CF_CLI_VERSION=v1.0.2 +ARG CF_CLI_VERSION=v1.0.3 RUN go install github.com/davidrjonas/semver-cli@latest \ && cp $GOPATH/bin/semver-cli /tmp/semver-cli RUN apt-get update && apt-get install -y --no-install-recommends sed && rm -rf /var/lib/apt/lists/* @@ -11,7 +11,7 @@ ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefre # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-debian-base/customizations/8106437942896324135 -FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:ab35aedc53ad95d3a95094d6f2c9d052c2cdb43b605ce1f9a4ea677911373b99 AS production +FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:3c5a8f5bf49a3777527797677b3c8c426b0a38a466f3a79f5e059b6adc21943d AS production ARG TARGETARCH COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/cf/cf-linux-${TARGETARCH} /usr/local/bin/cf COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/semver-cli /usr/local/bin/semver-cli From 23d91efe153984cf25c92e86b1b00d4c96935b79 Mon Sep 17 00:00:00 2001 
From: "codefresh-v2-pipelines[bot]" <109073600+codefresh-v2-pipelines[bot]@users.noreply.github.com> Date: Fri, 15 May 2026 15:50:25 +0300 Subject: [PATCH 34/47] prepare-version(0.29.11): prepare chart content for release (#1199) * Update Chart.yaml and changelog for 0.29.11 release * empty * empty * Update Chart.yaml and changelog for 0.29.11 release * Update Chart.yaml and changelog for 0.29.11 release * Update Chart.yaml and changelog for 0.29.11 release * Update Chart.yaml and changelog for 0.29.11 release * Update Chart.yaml and changelog for 0.29.11 release * update changelog * update changelog * update changelog --------- Co-authored-by: cf-ci-bot-v2 Co-authored-by: Mikhail Klimko Co-authored-by: mikhail-klimko Co-authored-by: codefresh-git-integration[bot] <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Co-authored-by: vadim-kharin-codefresh --- charts/gitops-runtime/Chart.yaml | 12 +++++++++--- charts/gitops-runtime/README.md | 6 +++--- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 89f4d736b..9fb2bc3f8 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -13,11 +13,17 @@ maintainers: url: https://codefresh-io.github.io/ annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" - artifacthub.io/containsSecurityUpdates: "false" + artifacthub.io/containsSecurityUpdates: "true" # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: |- - - kind: fixed - description: 'cap-app-proxy: support arbitrary user IDs for OpenShift' + - kind: changed + description: 'update "argo-cd" to 3.3.10' + - kind: changed + description: 'update "argo-workflows" to 0.45.22-v3.6.7-cap-CR-39681' + - kind: changed + description: 'update "cap-app-proxy" to 1.4093.0' + - kind: security + description: 'fix various security vulnerabilities in argo-cd, argo-workflows, cap-app-proxy, cf-argocd-extras, codefresh-gitops-operator, gitops-runtime-installer' dependencies: # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version. # Don't forget to remove the image override after updating to a new version of the chart. diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 10a183117..2ca13637c 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.10](https://img.shields.io/badge/Version-0.29.10-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.11](https://img.shields.io/badge/Version-0.29.11-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content 
@@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.10 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.11 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.10 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.11 ``` ## Openshift From c6124c46250a13adeeeedf99306376b519650fdb Mon Sep 17 00:00:00 2001 From: Vasil Sudakou <160465134+vasil-cf@users.noreply.github.com> Date: Mon, 1 Jun 2026 20:00:30 +0400 Subject: [PATCH 35/47] fix: security vulnerabilities in gitops-runtime-installer (#1208) * fix: security vulnerabilities in gitops-runtime-installer * CI Automatic commit - align Chart version * fix(argo-workflows): security vulnerabilities * empty * empty * delete component-test --------- Co-authored-by: codefresh-git-integration[bot] <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Co-authored-by: alinashklyar --- .github/workflows/component-test.yaml | 73 --------------------------- charts/gitops-runtime/Chart.yaml | 4 +- installer-image/Dockerfile | 4 +- 3 files changed, 4 insertions(+), 77 deletions(-) delete mode 100644 .github/workflows/component-test.yaml diff --git a/.github/workflows/component-test.yaml b/.github/workflows/component-test.yaml deleted file mode 100644 index 2b97bfeb1..000000000 --- a/.github/workflows/component-test.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -# File: .github/workflows/docker-go-build.yml -name: gitops-runtime-helm - -on: - push: - branches: - - main - - 'stable/*' - - 'monthly/*' - pull_request: - branches: - - main - - 'stable/*' - - 'monthly/*' - -jobs: - component-test: - runs-on: ubuntu-latest - - env: - DOCKER_CLI_EXPERIMENTAL: enabled - # Enable BuildKit - DOCKER_BUILDKIT: 1 - - steps: - - name: Checkout Repository - uses: actions/checkout@v4 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v3 - - name: Set up kubectl - uses: azure/setup-kubectl@v3 - with: - version: 'v1.29.0' - - name: Install K3d - run: | - curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash - k3d --version - - - name: Create K3d cluster - run: | - k3d cluster create test-cluster --wait - kubectl get nodes - - - name: install kuttl - run: | - mkdir -p ./bin - curl -L https://github.com/kudobuilder/kuttl/releases/download/v0.22.0/kubectl-kuttl_0.22.0_linux_x86_64 -o ./bin/kuttl; - - chmod +x ./bin/kuttl; - - name: Install jq - run: | - sudo apt-get update - sudo apt-get install -y jq - - name: install helm - run: | - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - - chmod 700 get_helm.sh - - ./get_helm.sh - helm repo add gitea-charts https://dl.gitea.com/charts/ - helm repo add mockserver https://www.mock-server.com - - - - - name: Run KUTTL tests - run: | - cd tests/component-tests && ./../../bin/kuttl test --parallel 1 --start-kind=false --namespace e2e-test --config startup.yaml diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 9fb2bc3f8..4da9d4b02 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.11 +version: 0.29.12 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: @@ -33,7 +33,7 @@ dependencies: version: 9.5.11 - name: argo-workflows repository: https://codefresh-io.github.io/argo-helm - version: 0.45.22-v3.6.7-cap-CR-39681 + version: 0.45.23-v3.6.7-cap-CFS-7012 condition: argo-workflows.enabled - name: sealed-secrets repository: https://bitnami-labs.github.io/sealed-secrets/ diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile index 5e0e8e60d..5b0679556 100644 --- a/installer-image/Dockerfile +++ b/installer-image/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-golang/tags/1.25-debian13-dev -FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:6ab2431d046a2e21dbcbcb5111e94bec59650d302ec0ac34e696e7e44f708044 AS build +FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:9df1a12a7a9ee811efe2929045a7eabb8617329e8ce01a3296f4af095f89522c AS build ARG TARGETARCH ARG CF_CLI_VERSION=v1.0.3 RUN go install github.com/davidrjonas/semver-cli@latest \ 
@@ -11,7 +11,7 @@ ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefre # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-debian-base/customizations/8106437942896324135 -FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:3c5a8f5bf49a3777527797677b3c8c426b0a38a466f3a79f5e059b6adc21943d AS production +FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:5de4afaf8d55ff711756e2ebd9e27fc05374c37d3805acf85dfed70ef07fbee2 AS production ARG TARGETARCH COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/cf/cf-linux-${TARGETARCH} /usr/local/bin/cf COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/semver-cli /usr/local/bin/semver-cli From 8208b2c4bc62e0d0590115dfd4ed94b7b4a211f3 Mon Sep 17 00:00:00 2001 From: "codefresh-git-integration[bot]" <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Date: Tue, 2 Jun 2026 10:41:46 +0300 Subject: [PATCH 36/47] prepare-version(0.29.12): prepare chart content for release (#1210) * Update Chart.yaml and changelog for 0.29.12 release * update release notes * remove accidental changes --------- Co-authored-by: codefresh-git-integration[bot] <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Co-authored-by: alinashklyar --- charts/gitops-runtime/Chart.yaml | 8 ++------ charts/gitops-runtime/README.md | 19 ++++++++++--------- 2 files changed, 12 insertions(+), 15 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 4da9d4b02..ae9bb2d48 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -17,13 +17,9 @@ annotations: # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: |- - kind: changed - description: 'update "argo-cd" to 3.3.10' - - kind: changed - description: 'update "argo-workflows" to 0.45.22-v3.6.7-cap-CR-39681' - - kind: changed - description: 'update "cap-app-proxy" to 1.4093.0' + description: 'update argo-helm to 0.45.23' - kind: security - description: 'fix various security vulnerabilities in argo-cd, argo-workflows, cap-app-proxy, cf-argocd-extras, codefresh-gitops-operator, gitops-runtime-installer' + description: 'fix various security vulnerabilities in argo-helm' dependencies: # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version. # Don't forget to remove the image override after updating to a new version of the chart. diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 2ca13637c..cf47889fd 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.11](https://img.shields.io/badge/Version-0.29.11-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.12](https://img.shields.io/badge/Version-0.29.12-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.11 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.12 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.11 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.12 ``` ## Openshift @@ -523,14 +523,14 @@ global: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.4092.0"` | | +| app-proxy.image.tag | string | `"1.4093.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.4092.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.4093.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | 
@@ -596,12 +596,13 @@ global: | argo-cd.controller.statefulsetAnnotations."argocd.argoproj.io/sync-options" | string | `"Delete=false"` | | | argo-cd.enabled | bool | `true` | | | argo-cd.fullnameOverride | string | `"argo-cd"` | | +| argo-cd.global.image.tag | string | `"v3.3.10"` | | | argo-cd.notifications.enabled | bool | `false` | | | argo-cd.redis-ha.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository | | argo-cd.redis-ha.image.tag | string | `"8.2.2-alpine"` | Redis tag | | argo-cd.redis.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository | | argo-cd.redis.image.tag | string | `"8.2.2-alpine"` | Redis tag | -| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"06801ec"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD from Codefresh platform | +| argo-gateway | object | 
`{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"7d96f83"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD from Codefresh platform | | argo-workflows.crds.install | bool | `true` | Install and upgrade CRDs | | argo-workflows.enabled | bool | `true` | | | argo-workflows.executor.resources.requests.ephemeral-storage | string | `"10Mi"` | | @@ -663,7 +664,7 @@ global: | gitops-operator.env.<<[0].OTEL_TRACES_SAMPLER | string | `"parentbased_always_on"` | OTel sampler to be used for traces. Ref: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/ | | gitops-operator.env.GITOPS_OPERATOR_VERSION | string | `"0.11.1"` | | | gitops-operator.fullnameOverride | string | `""` | | -| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"bc5c4eb"}` | GitOps operator image | +| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"79a7f3b"}` | GitOps operator image | | gitops-operator.imagePullSecrets | list | `[]` | | | gitops-operator.nameOverride | string | `""` | | | gitops-operator.nodeSelector | object | `{}` | | 
@@ -693,7 +694,7 @@ global: | global.codefresh.userToken | object | `{"secretKeyRef":{},"token":""}` | User token. Used for runtime registration against the patform. One of token (for plain text value) or secretKeyRef must be provided. | | global.codefresh.userToken.secretKeyRef | object | `{}` | User token that references an existing secret containing the token. | | global.codefresh.userToken.token | string | `""` | User token in plain text. The chart creates and manages the secret for this token. | -| global.event-reporters | object | `{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"06801ec"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | +| global.event-reporters | object | 
`{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"7d96f83"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | | global.httpProxy | string | `""` | global HTTP_PROXY for all components | | global.httpsProxy | string | `""` | global HTTPS_PROXY for all components | | global.imageRegistry | string | `""` | | 
@@ -791,7 +792,7 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | From c3b67f6e38c659dce0b2793e172cf5799650738f Mon Sep 17 00:00:00 2001 
From: mikhail-klimko Date: Fri, 5 Jun 2026 11:39:30 +0400 Subject: [PATCH 37/47] feat: add httproute template (#1211) (#1212) * feat: add httproute template (#1211) * CI Automatic commit - align Chart version --------- Co-authored-by: codefresh-git-integration[bot] <151943927+codefresh-git-integration[bot]@users.noreply.github.com> --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/templates/_helpers.tpl | 8 +- .../gitops-runtime/templates/httproute.yaml | 46 ++++++++ .../templates/tunnel-client.yaml | 2 +- .../gitops-runtime/tests/httproute_test.yaml | 104 ++++++++++++++++++ charts/gitops-runtime/tests/ingress_test.yaml | 5 +- .../values/mandatory-values-httproute.yaml | 16 +++ .../tests/values/mandatory-values.yaml | 2 + charts/gitops-runtime/values.yaml | 23 ++++ 9 files changed, 202 insertions(+), 6 deletions(-) create mode 100644 charts/gitops-runtime/templates/httproute.yaml create mode 100644 charts/gitops-runtime/tests/httproute_test.yaml create mode 100644 charts/gitops-runtime/tests/values/mandatory-values-httproute.yaml diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index ae9bb2d48..9a95de792 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.12 +version: 0.29.13 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index c487355d0..5878b65df 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl +++ b/charts/gitops-runtime/templates/_helpers.tpl 
@@ -341,6 +341,12 @@ Get ingress url for both tunnel based and ingress based runtimes {{- else }} {{ fail (printf "ERROR: Unsupported protocol %s for ingress. Only http and https supported" .Values.global.runtime.ingress.protocol)}} {{- end }} + {{- else if .Values.global.runtime.httpRoute.enabled }} + {{- if has .Values.global.runtime.httpRoute.protocol $supportedProtocols }} + {{- printf "%s://%s" .Values.global.runtime.httpRoute.protocol (index .Values.global.runtime.httpRoute.hostnames 0)}} + {{- else }} + {{ fail (printf "ERROR: Unsupported protocol %s for httpRoute. Only http and https supported" .Values.global.runtime.httpRoute.protocol)}} + {{- end }} {{/* If tunnel client is enabled - ingress url is -. */}} {{- else if index .Values "tunnel-client" "enabled" }} {{- $accoundId := required "global.codefresh.accountId is required for tunnel based runtime" .Values.global.codefresh.accountId }} @@ -357,7 +363,7 @@ Get ingress url for both tunnel based and ingress based runtimes {{- fail "ERROR: Only http and https are supported for global.runtime.ingressUrl"}} {{- end }} {{- else }} - {{- fail "ERROR: When global.runtime.ingress.enabled is false and tunnel-client.enabled is false - global.runtime.ingressUrl must be provided" }} + {{- fail "ERROR: When global.runtime.ingress.enabled and global.runtime.httpRoute.enabled are false and tunnel-client.enabled is false - global.runtime.ingressUrl must be provided" }} {{- end }} {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/httproute.yaml b/charts/gitops-runtime/templates/httproute.yaml new file mode 100644 index 000000000..00d247da0 --- /dev/null +++ b/charts/gitops-runtime/templates/httproute.yaml 
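Review bot: The new httpRoute branch calls `index .Values.global.runtime.httpRoute.hostnames 0` with no check that the list is non-empty, so an empty or null `hostnames` would surface as a template index error from whichever template uses this helper rather than as the explicit message httproute.yaml produces. A guard before the `printf` keeps the failure readable: `{{- if not .Values.global.runtime.httpRoute.hostnames }}{{ fail "ERROR: global.runtime.httpRoute.hostnames is required when httpRoute is enabled" }}{{ end }}`. Only the first hostname is used, so a wildcard entry such as `*.example.com` in first position would become the registered runtime URL; a short comment saying the first hostname must be a concrete host would help. The helper's `define` starts and ends outside this hunk.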
@@ -0,0 +1,46 @@ +{{- if .Values.global.runtime.httpRoute.enabled -}} +{{- $svcName := include "internal-router.fullname" (dict "Values" (get .Values "internal-router")) -}} +{{- $svcPort := index .Values "internal-router" "service" "port" -}} +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: codefresh-gitops-runtime + labels: + {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} + {{- with .Values.global.runtime.httpRoute.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.global.runtime.httpRoute.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + parentRefs: + {{- if .Values.global.runtime.httpRoute.parentRefs }} + {{- toYaml .Values.global.runtime.httpRoute.parentRefs | nindent 4 }} + {{- else }} + {{- fail "ERROR: global.runtime.httpRoute.parentRefs is required when httpRoute is enabled" }} + {{- end }} + hostnames: + {{- if .Values.global.runtime.httpRoute.hostnames }} + {{- toYaml .Values.global.runtime.httpRoute.hostnames | nindent 4 }} + {{- else }} + {{- fail "ERROR: global.runtime.httpRoute.hostnames is required when httpRoute is enabled" }} + {{- end }} + rules: + - matches: + - path: + type: PathPrefix + value: /webhooks + - path: + type: PathPrefix + value : /app-proxy + {{- if (index (get $.Values "argo-workflows") "enabled") }} + - path: + type: PathPrefix + value : /workflows + {{- end }} + backendRefs: + - name: {{ $svcName }} + port: {{ $svcPort }} +{{- end }} diff --git a/charts/gitops-runtime/templates/tunnel-client.yaml b/charts/gitops-runtime/templates/tunnel-client.yaml index 8d5b0c70a..ecc3d90ea 100644 --- a/charts/gitops-runtime/templates/tunnel-client.yaml +++ b/charts/gitops-runtime/templates/tunnel-client.yaml 
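Review bot: The template is gated only on `global.runtime.httpRoute.enabled`, so when `global.runtime.ingress.enabled` is also true the HTTPRoute is still rendered while the ingress-url helper in _helpers.tpl gives ingress priority. Assuming the Ingress template is gated on its own flag, `/webhooks`, `/app-proxy` and `/workflows` would then be reachable through a second route that is not the registered runtime URL. If the two modes are meant to be exclusive, as the updated tunnel-client condition suggests, failing early is clearer: `{{- if .Values.global.runtime.ingress.enabled }}{{ fail "ERROR: global.runtime.ingress.enabled and global.runtime.httpRoute.enabled cannot both be true" }}{{- end }}`. Separately, `value : /app-proxy` and `value : /workflows` have a space before the colon, unlike `value: /webhooks`; writing all three the same way avoids linter noise.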
@@ -4,7 +4,7 @@ to intruduce the subdomainPrefix to the tunnel. Since the prefix is comprised of -, we can tempalate it and thus reduce complexity of installation and number or mandatory values to provide for the installation to work. */}} -{{- if and ( not .Values.global.runtime.ingress.enabled) (index .Values "tunnel-client" "enabled") }} +{{- if and ( not .Values.global.runtime.ingress.enabled) ( not .Values.global.runtime.httpRoute.enabled) (index .Values "tunnel-client" "enabled") }} {{ $tunnelClientContext := (index .Subcharts "tunnel-client")}} {{ $accoundId := required "codefresh.accountId is required" .Values.global.codefresh.accountId }} {{ $runtimeName := required "runtime.name is required" .Values.global.runtime.name }} diff --git a/charts/gitops-runtime/tests/httproute_test.yaml b/charts/gitops-runtime/tests/httproute_test.yaml new file mode 100644 index 000000000..556899d91 --- /dev/null +++ b/charts/gitops-runtime/tests/httproute_test.yaml 
@@ -0,0 +1,104 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: httproute test
+templates:
+ - templates/httproute.yaml
+ - templates/tunnel-client.yaml
+ - templates/codefresh-cm.yaml
+tests:
+- it: no httproute is rendered when tunnel runtime is configured
+ template: templates/httproute.yaml
+ values:
+ - ./values/mandatory-values.yaml
+ asserts:
+ - hasDocuments:
+ count: 0
+
+- it: no tunnel when httproute is configured
+ template: templates/tunnel-client.yaml
+ values:
+ - ./values/mandatory-values-httproute.yaml
+ asserts:
+ - hasDocuments:
+ count: 0
+
+- it: httproute is rendered correctly when enabled
+ template: templates/httproute.yaml
+ values:
+ - ./values/mandatory-values-httproute.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: spec.parentRefs
+ value:
+ - name: traefik-gateway
+ namespace: traefik
+ - equal:
+ path: spec.hostnames
+ value:
+ - runtime.example.com
+ - equal:
+ path: spec.rules
+ value:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /webhooks
+ - path:
+ type: PathPrefix
+ value : /app-proxy
+ - path:
+ type: PathPrefix
+ value : /workflows
+ backendRefs:
+ - name: internal-router
+ port: 80
+
+- it: httroute has custom labels and annotations
+ template: templates/httproute.yaml
+ values:
+ - ./values/mandatory-values-httproute.yaml
+ set:
+ global:
+ runtime:
+ httpRoute:
+ labels:
+ customLabel: customValue
+ annotations:
+ customAnnotation: customAnnotationValue
+ asserts:
+ - equal:
+ path: metadata.labels.customLabel
+ value: customValue
+ - equal:
+ path: metadata.annotations.customAnnotation
+ value: customAnnotationValue
+
+- it: codefresh-cm ingressHost is set correctly when httproute is enabled
+ template: templates/codefresh-cm.yaml
+ values:
+ - ./values/mandatory-values-httproute.yaml
+ asserts:
+ - equal:
+ path: data.ingressHost
+ value: https://runtime.example.com
+
+- it: error is thrown when httpRoute is
enabled but parentRefs is missing + template: templates/httproute.yaml + values: + - ./values/mandatory-values-httproute.yaml + set: + global.runtime.httpRoute.parentRefs: null + asserts: + - failedTemplate: + errorMessage: "ERROR: global.runtime.httpRoute.parentRefs is required when httpRoute is enabled" + +- it: error is thrown when httpRoute is enabled but hostnames is missing + template: templates/httproute.yaml + values: + - ./values/mandatory-values-httproute.yaml + set: + global.runtime.httpRoute.hostnames: null + asserts: + - failedTemplate: + errorMessage: "ERROR: global.runtime.httpRoute.hostnames is required when httpRoute is enabled" diff --git a/charts/gitops-runtime/tests/ingress_test.yaml b/charts/gitops-runtime/tests/ingress_test.yaml index c054b09ac..e074e8225 100644 --- a/charts/gitops-runtime/tests/ingress_test.yaml +++ b/charts/gitops-runtime/tests/ingress_test.yaml @@ -42,18 +42,17 @@ tests: - failedTemplate: errorMessage: codefresh.accountId is required - - - it: when both tunnel-client and ingress are disabled fail rendering if ingressUrl is not provided template: templates/codefresh-cm.yaml values: - ./values/mandatory-values.yaml set: global.runtime.ingress.enabled: false + global.runtime.httpRoute.enabled: false tunnel-client.enabled: false asserts: - failedTemplate: - errorMessage: "ERROR: When global.runtime.ingress.enabled is false and tunnel-client.enabled is false - global.runtime.ingressUrl must be provided" + errorMessage: "ERROR: When global.runtime.ingress.enabled and global.runtime.httpRoute.enabled are false and tunnel-client.enabled is false - global.runtime.ingressUrl must be provided" - it: fail on ingressUrl that is not http or https template: templates/codefresh-cm.yaml diff --git a/charts/gitops-runtime/tests/values/mandatory-values-httproute.yaml b/charts/gitops-runtime/tests/values/mandatory-values-httproute.yaml new file mode 100644 index 000000000..67ab53848 --- /dev/null 
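Review bot: The httproute suite never renders templates/httproute.yaml with `argo-workflows.enabled: false`, so the conditional `/workflows` match is only asserted in its enabled form, and a regression that publishes that prefix unconditionally would still pass. A case that disables argo-workflows and asserts that `spec.rules[0].matches` has no `/workflows` entry closes the gap; a sketch follows. The test title `httroute has custom labels and annotations` is also missing a `p`.

```yaml
- it: workflows path is not routed when argo-workflows is disabled
  template: templates/httproute.yaml
  values:
    - ./values/mandatory-values-httproute.yaml
  set:
    argo-workflows.enabled: false
  asserts:
    - notContains:
        path: spec.rules[0].matches
        content:
          path:
            type: PathPrefix
            value: /workflows
```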
+++ b/charts/gitops-runtime/tests/values/mandatory-values-httproute.yaml @@ -0,0 +1,16 @@ +global: + codefresh: + accountId: 628a80b693a15c0f9c13ab75 + userToken: + token: 'dummy' + + runtime: + name: test-runtime1 + + httpRoute: + enabled: true + parentRefs: + - name: traefik-gateway + namespace: traefik + hostnames: + - runtime.example.com diff --git a/charts/gitops-runtime/tests/values/mandatory-values.yaml b/charts/gitops-runtime/tests/values/mandatory-values.yaml index 0d24e5a3a..b3bf2783a 100644 --- a/charts/gitops-runtime/tests/values/mandatory-values.yaml +++ b/charts/gitops-runtime/tests/values/mandatory-values.yaml @@ -8,3 +8,5 @@ global: name: test-runtime1 ingress: enabled: false + httpRoute: + enabled: false diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index b41229c3e..70e9f695b 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml 
@@ -65,6 +65,29 @@ global: labels: {} # -- Hosts for runtime ingress. Note that Codefresh platform will always use the first host in the list to access the runtime. hosts: [] + # -- HTTPRoute settings + httpRoute: + # -- Enable HTTPRoute + enabled: false + # -- The protocol that Codefresh platform will use to access the runtime. Can be http or https. + protocol: https + # -- Required! List of parent Gateway references this HTTPRoute should attach to + # ref: https://gateway-api.sigs.k8s.io/reference/api-spec/main/spec/#parentreference + # E.g. + # parentRefs: + # - name: traefik-gateway + # namespace: traefik + parentRefs: [] + # -- List of hostnames to be covered by this HTTPRoute + # ref: https://gateway-api.sigs.k8s.io/reference/api-spec/main/spec/#hostname + # E.g. + # hostnames: + # - runtime.example.com + hostnames: [] + # -- Set annotations on the HTTPRoute resource + annotations: {} + # -- Set labels on the HTTPRoute resource + labels: {} # -- Explicit url for runtime ingress. Provide this value only if you don't want the chart to create and ingress (global.runtime.ingress.enabled=false) and tunnel-client is not used (tunnel-client.enabled=false) ingressUrl: "" # -- is the runtime set as a "configuration runtime". From dcfd9f9a09255928a2d37f0c9e18f6b2b20dbba0 Mon Sep 17 00:00:00 2001 From: "codefresh-git-integration[bot]" <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Date: Fri, 5 Jun 2026 17:36:07 +0400 Subject: [PATCH 38/47] prepare-version(0.29.13): prepare chart content for release (#1213) --- charts/gitops-runtime/Chart.yaml | 8 +++----- charts/gitops-runtime/README.md | 17 ++++++++++++----- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 9a95de792..d793331a6 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
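Review bot: The `hostnames` comment does not say which entry the Codefresh platform uses to reach the runtime, whereas the neighbouring `ingress.hosts` comment states that the first host is always used. The httproute test expects `ingressHost` to be `https://runtime.example.com` for a single entry, so presumably the first hostname is taken here too; codefresh-cm.yaml is not in this diff, so confirm before adopting the wording. Gateway API hostnames may be wildcards such as `*.example.com`, which would not form a usable URL, so the comment should spell out the constraint: `# -- List of hostnames to be covered by this HTTPRoute. Codefresh platform uses the first hostname to access the runtime, so it must be a concrete name, not a wildcard.` The `protocol` comment could also note that TLS is terminated by the parent Gateway listener, since the HTTPRoute rendered by this chart carries no TLS settings of its own.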
@@ -13,13 +13,11 @@ maintainers: url: https://codefresh-io.github.io/ annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" - artifacthub.io/containsSecurityUpdates: "true" + artifacthub.io/containsSecurityUpdates: "false" # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: |- - - kind: changed - description: 'update argo-helm to 0.45.23' - - kind: security - description: 'fix various security vulnerabilities in argo-helm' + - kind: added + description: 'add HTTPRoute template' dependencies: # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version. # Don't forget to remove the image override after updating to a new version of the chart. diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index cf47889fd..9e40dc7cd 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.12](https://img.shields.io/badge/Version-0.29.12-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.13](https://img.shields.io/badge/Version-0.29.13-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.12 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.13 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.12 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.13 ``` ## Openshift 
@@ -712,7 +712,7 @@ global: | global.integrations.argo-cd.server.svc | string | `"argo-cd-server"` | Service name of the ArgoCD server | | global.noProxy | string | `""` | global NO_PROXY for all components | | global.nodeSelector | object | `{}` | Global nodeSelector for all components | -| global.runtime | object | `{"cluster":"https://kubernetes.default.svc","codefreshHosted":false,"gitCredentials":{"password":{"secretKeyRef":{},"value":null},"username":"username"},"ingress":{"annotations":{},"className":"nginx","enabled":false,"hosts":[],"labels":{},"protocol":"https","skipValidation":false,"tls":[]},"ingressUrl":"","isConfigurationRuntime":false,"name":null,"singleNamespace":false}` | Runtime level settings | +| global.runtime | object | `{"cluster":"https://kubernetes.default.svc","codefreshHosted":false,"gitCredentials":{"password":{"secretKeyRef":{},"value":null},"username":"username"},"httpRoute":{"annotations":{},"enabled":false,"hostnames":[],"labels":{},"parentRefs":[],"protocol":"https"},"ingress":{"annotations":{},"className":"nginx","enabled":false,"hosts":[],"labels":{},"protocol":"https","skipValidation":false,"tls":[]},"ingressUrl":"","isConfigurationRuntime":false,"name":null,"singleNamespace":false}` | Runtime level settings | | global.runtime.cluster | string | `"https://kubernetes.default.svc"` | Runtime cluster. Should not be changed. | | global.runtime.codefreshHosted | bool | `false` | Defines whether this is a Codefresh hosted runtime. Should not be changed. | | global.runtime.gitCredentials | object | `{"password":{"secretKeyRef":{},"value":null},"username":"username"}` | Git credentials runtime. Runtime is not fully functional without those credentials. If not provided through the installation, they must be provided through the Codefresh UI. | 
@@ -720,6 +720,13 @@ global: | global.runtime.gitCredentials.password.secretKeyRef | object | `{}` | secretKeyReference for Git credentials password. Provide name and key fields. | | global.runtime.gitCredentials.password.value | string | `nil` | Plain text password | | global.runtime.gitCredentials.username | string | `"username"` | Username. Optional when using token in password. | +| global.runtime.httpRoute | object | `{"annotations":{},"enabled":false,"hostnames":[],"labels":{},"parentRefs":[],"protocol":"https"}` | HTTPRoute settings | +| global.runtime.httpRoute.annotations | object | `{}` | Set annotations on the HTTPRoute resource | +| global.runtime.httpRoute.enabled | bool | `false` | Enable HTTPRoute | +| global.runtime.httpRoute.hostnames | list | `[]` | List of hostnames to be covered by this HTTPRoute ref: https://gateway-api.sigs.k8s.io/reference/api-spec/main/spec/#hostname E.g. hostnames: - runtime.example.com | +| global.runtime.httpRoute.labels | object | `{}` | Set labels on the HTTPRoute resource | +| global.runtime.httpRoute.parentRefs | list | `[]` | Required! List of parent Gateway references this HTTPRoute should attach to ref: https://gateway-api.sigs.k8s.io/reference/api-spec/main/spec/#parentreference E.g. parentRefs: - name: traefik-gateway namespace: traefik | +| global.runtime.httpRoute.protocol | string | `"https"` | The protocol that Codefresh platform will use to access the runtime. Can be http or https. | | global.runtime.ingress | object | `{"annotations":{},"className":"nginx","enabled":false,"hosts":[],"labels":{},"protocol":"https","skipValidation":false,"tls":[]}` | Ingress settings | | global.runtime.ingress.enabled | bool | `false` | Defines if ingress-based access mode is enabled for runtime. To use tunnel-based (ingressless) access mode, set to false. | | global.runtime.ingress.hosts | list | `[]` | Hosts for runtime ingress. Note that Codefresh platform will always use the first host in the list to access the runtime. | 
@@ -792,7 +799,7 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | From d0c587af57468810d9fb90815225f5e45378b608 Mon Sep 17 00:00:00 2001 From: Vasil Sudakou <160465134+vasil-cf@users.noreply.github.com> Date: Fri, 5 Jun 2026 23:59:52 +0400 Subject: [PATCH 39/47] fix(cf-argocd-extras): security fix, bump image tag to "71b7e7c" (#1215) * fix(cf-argocd-extras): security fix, bump image tag to "71b7e7c" * CI Automatic commit - align Chart version --------- Co-authored-by: codefresh-git-integration[bot] <151943927+codefresh-git-integration[bot]@users.noreply.github.com> --- charts/gitops-runtime/Chart.yaml | 2 +- charts/gitops-runtime/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index d793331a6..8f28b226e 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.13 +version: 0.29.14 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 70e9f695b..46792884f 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -159,7 +159,7 @@ global: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "7d96f83" + tag: "71b7e7c" nodeSelector: {} tolerations: [] affinity: {} @@ -705,7 +705,7 @@ argo-gateway: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "7d96f83" + tag: "71b7e7c" nodeSelector: {} tolerations: [] affinity: {} From d867118733edcb53f991581a9b2d9e8883687063 Mon Sep 17 00:00:00 2001 From: "codefresh-git-integration[bot]" <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Date: Mon, 8 Jun 2026 12:06:45 +0300 Subject: [PATCH 40/47] prepare-version(0.29.14): prepare chart content for release (#1216) * Update Chart.yaml and changelog for 0.29.14 release * chore: update docs --------- Co-authored-by: codefresh-git-integration[bot] <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Co-authored-by: Vasil Sudakou --- charts/gitops-runtime/Chart.yaml | 8 +++++--- charts/gitops-runtime/README.md | 10 +++++----- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 8f28b226e..68b4158ab 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml 
@@ -13,11 +13,13 @@ maintainers: url: https://codefresh-io.github.io/ annotations: artifacthub.io/alternativeName: "codefresh-gitops-runtime" - artifacthub.io/containsSecurityUpdates: "false" + artifacthub.io/containsSecurityUpdates: "true" # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: |- - - kind: added - description: 'add HTTPRoute template' + - kind: changed + description: 'update cf-argocd-extras to "71b7e7c"' + - kind: security + description: 'fix various security vulnerabilities in security' dependencies: # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version. # Don't forget to remove the image override after updating to a new version of the chart. diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 9e40dc7cd..70b9e862c 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.13](https://img.shields.io/badge/Version-0.29.13-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.14](https://img.shields.io/badge/Version-0.29.14-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.13 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.14 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.13 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.14 ``` ## Openshift 
@@ -602,7 +602,7 @@ global: | argo-cd.redis-ha.image.tag | string | `"8.2.2-alpine"` | Redis tag | | argo-cd.redis.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository | | argo-cd.redis.image.tag | string | `"8.2.2-alpine"` | Redis tag | -| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"7d96f83"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD from Codefresh platform | +| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"71b7e7c"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD 
from Codefresh platform | | argo-workflows.crds.install | bool | `true` | Install and upgrade CRDs | | argo-workflows.enabled | bool | `true` | | | argo-workflows.executor.resources.requests.ephemeral-storage | string | `"10Mi"` | | 
@@ -694,7 +694,7 @@ global: | global.codefresh.userToken | object | `{"secretKeyRef":{},"token":""}` | User token. Used for runtime registration against the patform. One of token (for plain text value) or secretKeyRef must be provided. | | global.codefresh.userToken.secretKeyRef | object | `{}` | User token that references an existing secret containing the token. | | global.codefresh.userToken.token | string | `""` | User token in plain text. The chart creates and manages the secret for this token. | -| global.event-reporters | object | `{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"7d96f83"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | +| global.event-reporters | object | 
`{"affinity":{},"config":{},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"71b7e7c"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"replicaCount":2,"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"ports":{"http":{"port":8088,"targetPort":8088},"metrics":{"port":8087,"targetPort":8087}},"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Global settings for event reporters Event reporters are used for reporting runtime and cluster resources to Codefresh platform | | global.httpProxy | string | `""` | global HTTP_PROXY for all components | | global.httpsProxy | string | `""` | global HTTPS_PROXY for all components | | global.imageRegistry | string | `""` | | From 23e7994931d9aca7c8505758565b9b94fb8826a1 Mon Sep 17 00:00:00 2001 From: alina-codefresh Date: Thu, 18 Jun 2026 14:00:18 +0300 Subject: [PATCH 41/47] fix: security vulnerabilities in gitops-runtime-installer (#1218) --- charts/gitops-runtime/Chart.yaml | 4 ++-- installer-image/Dockerfile | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 68b4158ab..a57343da5 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: 0.2.3 description: A Helm chart for Codefresh gitops runtime name: gitops-runtime -version: 0.29.14 +version: 0.29.15 home: https://github.com/codefresh-io/gitops-runtime-helm icon: https://avatars1.githubusercontent.com/u/11412079?v=3 keywords: 
@@ -32,7 +32,7 @@ dependencies: version: 0.45.23-v3.6.7-cap-CFS-7012 condition: argo-workflows.enabled - name: sealed-secrets - repository: https://bitnami-labs.github.io/sealed-secrets/ + repository: https://bitnami.github.io/sealed-secrets/ version: 2.18.0 condition: sealed-secrets.enabled - name: codefresh-tunnel-client diff --git a/installer-image/Dockerfile b/installer-image/Dockerfile index 5b0679556..ef2a40693 100644 --- a/installer-image/Dockerfile +++ b/installer-image/Dockerfile @@ -3,7 +3,7 @@ # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-golang/tags/1.25-debian13-dev FROM octopusdeploy/dhi-golang:1.25-debian13-dev@sha256:9df1a12a7a9ee811efe2929045a7eabb8617329e8ce01a3296f4af095f89522c AS build ARG TARGETARCH -ARG CF_CLI_VERSION=v1.0.3 +ARG CF_CLI_VERSION=v1.0.5 RUN go install github.com/davidrjonas/semver-cli@latest \ && cp $GOPATH/bin/semver-cli /tmp/semver-cli RUN apt-get update && apt-get install -y --no-install-recommends sed && rm -rf /var/lib/apt/lists/* @@ -11,7 +11,7 @@ ADD --unpack=true --chown=nonroot:nonroot --chmod=755 https://github.com/codefre # DHI source: https://hub.docker.com/repository/docker/octopusdeploy/dhi-debian-base/customizations/8106437942896324135 -FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:5de4afaf8d55ff711756e2ebd9e27fc05374c37d3805acf85dfed70ef07fbee2 AS production +FROM octopusdeploy/dhi-debian-base:trixie_cf-gitops-runtime-installer-debian13@sha256:f29cbe0661df45db3eeeac570c2c2c6dae30adfb53b9d89956d11d10699b7461 AS production ARG TARGETARCH COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/cf/cf-linux-${TARGETARCH} /usr/local/bin/cf COPY --from=build --chown=nonroot:nonroot --chmod=755 /tmp/semver-cli /usr/local/bin/semver-cli From 68c9154ccdbfc29573799f152ffe477dbcb8a98d Mon Sep 17 00:00:00 2001 
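Review bot: The `sealed-secrets` dependency now resolves from `https://bitnami.github.io/sealed-secrets/` instead of `https://bitnami-labs.github.io/sealed-secrets/` while staying at version 2.18.0, and the commit title, which is about the installer image, does not explain the move. A changed chart source is a supply-chain change: confirm the new host is the publisher's documented repository and that the 2.18.0 archive pulled from it matches the one used before. If the chart keeps a `Chart.lock`, regenerate it so the recorded repository and digest match; no lock file appears in this patch. A one-line comment above the entry, e.g. `# repository moved from bitnami-labs.github.io; see <issue-or-PR link>`, would keep the reason auditable.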
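Review bot: `go install github.com/davidrjonas/semver-cli@latest` in the build stage is the one input visible in these Dockerfile hunks that is not pinned. Both base images are pinned by digest and `CF_CLI_VERSION` is an explicit tag, but semver-cli is resolved at build time and the resulting binary is copied into the production stage as `/usr/local/bin/semver-cli`. Pinning it, `RUN go install github.com/davidrjonas/semver-cli@<pinned-version> \`, makes the installer image reproducible and keeps a new upstream release from changing its contents unreviewed. The line is context in the `@@ -3,7 +3,7 @@` hunk rather than a change made by this commit.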
From: vadim-kharin-codefresh Date: Thu, 18 Jun 2026 20:37:13 +0300 Subject: [PATCH 42/47] chore: fix various security vulnerabilities for argo-gateway, cap-app-proxy, codefresh-gitops-operator, csdp-image-enrichers (#1220) * chore: fix various security vulnerabilities for cap-app-proxy, csdp-image-enrichers * chore: fix various security vulnerabilities for codefresh-gitops-operator, argo-gateway --- charts/gitops-runtime/values.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 46792884f..c7c5602c3 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -472,27 +472,27 @@ app-proxy: reportImage: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-report-image-info - tag: 1.1.27-main + tag: 1.1.28-main # Git enrichment task image gitEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info - tag: 1.1.27-main + tag: 1.1.28-main # Jira enrichment task image jiraEnrichment: registry: quay.io repository: codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info - tag: 1.1.27-main + tag: 1.1.28-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.4093.0 + tag: 1.4103.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.4093.0 + tag: 1.4103.0 pullPolicy: IfNotPresent command: - ./init.sh @@ -673,7 +673,7 @@ gitops-operator: image: registry: quay.io repository: codefresh/codefresh-gitops-operator - tag: 79a7f3b + tag: c03bf91 env: !!merge <<: - *otel-config @@ -705,7 +705,7 @@ argo-gateway: image: registry: quay.io repository: codefresh/cf-argocd-extras - tag: "71b7e7c" + tag: "3683869" nodeSelector: {} tolerations: [] affinity: {} From 9f4d9b251d3db8214dd2f7716f7cff30f8ae2202 Mon Sep 17 00:00:00 2001 
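Review bot: The `cf-argocd-extras` bump to `"3683869"` is applied only under `argo-gateway` (the `@@ -705,7 +705,7 @@` hunk). `global.event-reporters` uses the same `quay.io/codefresh/cf-argocd-extras` image and was moved together with argo-gateway in the earlier bump to `"71b7e7c"`, yet this patch has no hunk for it. If the vulnerabilities addressed by `3683869` live in the shared image, event-reporters keeps running the unfixed tag as far as this series shows. Either add the matching change, `tag: "3683869"` under `global.event-reporters.image`, or state in the commit message why that component is excluded.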
From: "codefresh-git-integration[bot]" <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Date: Fri, 19 Jun 2026 10:24:23 +0300 Subject: [PATCH 43/47] prepare-version(0.29.15): prepare chart content for release (#1219) * Update Chart.yaml and changelog for 0.29.15 release * update docs * update changelog --------- Co-authored-by: codefresh-git-integration[bot] <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Co-authored-by: vadim-kharin-codefresh --- charts/gitops-runtime/Chart.yaml | 10 +++++++--- charts/gitops-runtime/README.md | 24 ++++++++++++------------ 2 files changed, 19 insertions(+), 15 deletions(-) diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index a57343da5..9f2eb3a89 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -16,10 +16,14 @@ annotations: artifacthub.io/containsSecurityUpdates: "true" # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: |- - - kind: changed - description: 'update cf-argocd-extras to "71b7e7c"' - kind: security - description: 'fix various security vulnerabilities in security' + description: 'Update "argo-gateway" to "3683869". Security fixes' + - kind: security + description: 'Update "cap-app-proxy" to "1.4103.0". Security fixes' + - kind: security + description: 'Update "codefresh-gitops-operator" to "c03bf91". Security fixes' + - kind: security + description: 'Update "csdp-image-enrichers" to "1.1.28-main". Security fixes' dependencies: # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version. # Don't forget to remove the image override after updating to a new version of the chart. diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 70b9e862c..a9552cb07 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md 
@@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.14](https://img.shields.io/badge/Version-0.29.14-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.15](https://img.shields.io/badge/Version-0.29.15-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content @@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.14 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.15 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.14 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.15 ``` ## Openshift 
@@ -506,13 +506,13 @@ global: | app-proxy.extraVolumeMounts | list | `[]` | Extra volume mounts for main container | | app-proxy.extraVolumes | list | `[]` | extra volumes | | app-proxy.fullnameOverride | string | `"cap-app-proxy"` | | -| app-proxy.image-enrichment | object | `{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.27-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.27-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | -| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.27-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.27-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | +| app-proxy.image-enrichment | object | 
`{"config":{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.28-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.28-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.28-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400},"enabled":true,"serviceAccount":{"annotations":null,"create":true,"name":"codefresh-image-enrichment-sa"}}` | Image enrichment process configuration | +| app-proxy.image-enrichment.config | object | `{"clientHeartbeatIntervalInSeconds":5,"concurrencyCmKey":"imageReportExecutor","concurrencyCmName":"workflow-synchronization-semaphores","images":{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.28-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.28-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.28-main"}},"podGcStrategy":"OnWorkflowCompletion","ttlActiveInSeconds":900,"ttlAfterCompletionInSeconds":86400}` | Configurations for image enrichment workflow | | app-proxy.image-enrichment.config.clientHeartbeatIntervalInSeconds | int | `5` | Client heartbeat interval in seconds for image enrichemnt workflow | | app-proxy.image-enrichment.config.concurrencyCmKey | string | `"imageReportExecutor"` | The name of the key in the configmap to use as synchronization semaphore | | app-proxy.image-enrichment.config.concurrencyCmName | string | 
`"workflow-synchronization-semaphores"` | The name of the configmap to use as synchronization semaphore, see https://argoproj.github.io/argo-workflows/synchronization/ | -| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.27-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.27-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}}` | Enrichemnt images | -| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.27-main"}` | Report image enrichment task image | +| app-proxy.image-enrichment.config.images | object | `{"gitEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-git-info","tag":"1.1.28-main"},"jiraEnrichment":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-image-enricher-jira-info","tag":"1.1.28-main"},"reportImage":{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.28-main"}}` | Enrichemnt images | +| app-proxy.image-enrichment.config.images.reportImage | object | `{"registry":"quay.io","repository":"codefreshplugins/argo-hub-codefresh-csdp-report-image-info","tag":"1.1.28-main"}` | Report image enrichment task image | | app-proxy.image-enrichment.config.podGcStrategy | string | `"OnWorkflowCompletion"` | Pod grabage collection strategy. By default all pods will be deleted when the enrichment workflow completes. 
| | app-proxy.image-enrichment.config.ttlActiveInSeconds | int | `900` | Maximum allowed runtime for the enrichment workflow | | app-proxy.image-enrichment.config.ttlAfterCompletionInSeconds | int | `86400` | Number of seconds to live after completion | @@ -523,14 +523,14 @@ global: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.4093.0"` | | +| app-proxy.image.tag | string | `"1.4103.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.4093.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.4103.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | 
@@ -602,7 +602,7 @@ global: | argo-cd.redis-ha.image.tag | string | `"8.2.2-alpine"` | Redis tag | | argo-cd.redis.image.repository | string | `"ecr-public.aws.com/docker/library/redis"` | Redis repository | | argo-cd.redis.image.tag | string | `"8.2.2-alpine"` | Redis tag | -| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"71b7e7c"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD from Codefresh platform | +| argo-gateway | object | `{"affinity":{},"hpa":{"enabled":true,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"3683869"},"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"nodeSelector":{},"pdb":{"enabled":true,"maxUnavailable":"","minAvailable":"50%"},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":10},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"service":{"type":"ClusterIP"},"serviceAccount":{"create":true},"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"scrapeTimeout":"10s"},"tolerations":[]}` | Argo Gateway Argo Gateway is used to perform operations on ArgoCD 
from Codefresh platform | | argo-workflows.crds.install | bool | `true` | Install and upgrade CRDs | | argo-workflows.enabled | bool | `true` | | | argo-workflows.executor.resources.requests.ephemeral-storage | string | `"10Mi"` | | @@ -664,7 +664,7 @@ global: | gitops-operator.env.<<[0].OTEL_TRACES_SAMPLER | string | `"parentbased_always_on"` | OTel sampler to be used for traces. Ref: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/ | | gitops-operator.env.GITOPS_OPERATOR_VERSION | string | `"0.11.1"` | | | gitops-operator.fullnameOverride | string | `""` | | -| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"79a7f3b"}` | GitOps operator image | +| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"c03bf91"}` | GitOps operator image | | gitops-operator.imagePullSecrets | list | `[]` | | | gitops-operator.nameOverride | string | `""` | | | gitops-operator.nodeSelector | object | `{}` | | 
@@ -799,7 +799,7 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | From e22741e81039d5fc844d6f5d7e6522679a8063e3 Mon Sep 17 00:00:00 2001 
From: Vasil Sudakou <160465134+vasil-cf@users.noreply.github.com> Date: Thu, 25 Jun 2026 00:06:41 +0400 Subject: [PATCH 44/47] fix(internal-router): bump nginx-unprivileged for security fix (#1223) * fix(internal-router): bump nginx-unprivileged for security fix * chore: refresh docs * CI Automatic commit - align Chart version * fix(alpine/kubectl): bump kubectl to fix security vulnerabilities * fix(codefresh-tunnel-client): bump to fix security vulnerabilities * chore: trigger pipelines --------- Co-authored-by: codefresh-git-integration[bot] <151943927+codefresh-git-integration[bot]@users.noreply.github.com> --- charts/gitops-runtime/Chart.yaml | 4 ++-- charts/gitops-runtime/README.md | 2 +- charts/gitops-runtime/values.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml
index 9f2eb3a89..342aa9c6a 100644
--- a/charts/gitops-runtime/Chart.yaml
+++ b/charts/gitops-runtime/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 0.2.3
 description: A Helm chart for Codefresh gitops runtime
 name: gitops-runtime
-version: 0.29.15
+version: 0.29.16
 home: https://github.com/codefresh-io/gitops-runtime-helm
 icon: https://avatars1.githubusercontent.com/u/11412079?v=3
 keywords:
@@ -41,7 +41,7 @@ dependencies:
 condition: sealed-secrets.enabled
 - name: codefresh-tunnel-client
 repository: oci://quay.io/codefresh/charts
- version: 0.1.24
+ version: 0.1.25
 alias: tunnel-client
 condition: tunnel-client.enabled
 - name: redis-ha
diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md
index a9552cb07..18c94f42e 100644
--- a/charts/gitops-runtime/README.md
+++ b/charts/gitops-runtime/README.md
@@ -748,7 +748,7 @@ global: | internal-router.fullnameOverride | string | `"internal-router"` | | | internal-router.image.pullPolicy | string | `"IfNotPresent"` | | | internal-router.image.repository | string | `"docker.io/nginxinc/nginx-unprivileged"` | | -| internal-router.image.tag | string | `"1.29-alpine3.23"` | | +| internal-router.image.tag | string | `"1.31.2-alpine3.23"` | | | internal-router.imagePullSecrets | list | `[]` | | | internal-router.ipv6 | object | `{"enabled":false}` | For ipv6 enabled clusters switch ipv6 enabled to true | | internal-router.nameOverride | string | `""` | |
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
index c7c5602c3..00016bf5a 100644
--- a/charts/gitops-runtime/values.yaml
+++ b/charts/gitops-runtime/values.yaml
@@ -353,7 +353,7 @@ internal-router:
 image:
 repository: docker.io/nginxinc/nginx-unprivileged
 pullPolicy: IfNotPresent
- tag: 1.29-alpine3.23
+ tag: 1.31.2-alpine3.23
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: "internal-router"
@@ -748,7 +748,7 @@ redis-secret-init:
 image:
 registry: docker.io
 repository: alpine/kubectl
- tag: 1.35.4
+ tag: 1.36.2
 nodeSelector: {}
 tolerations: []
 affinity: {}
From d9b5795a91261706dee5724a88df9d3c646b88b0 Mon Sep 17 00:00:00 2001 From: "codefresh-git-integration[bot]" <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Date: Thu, 25 Jun 2026 01:08:05 +0400 Subject: [PATCH 45/47] prepare-version(0.29.16): prepare chart content for release (#1224) * Update Chart.yaml and changelog for 0.29.16 release * chore: update release notes --------- Co-authored-by: codefresh-git-integration[bot] <151943927+codefresh-git-integration[bot]@users.noreply.github.com> Co-authored-by: Vasil Sudakou --- charts/gitops-runtime/Chart.yaml | 8 +++----- charts/gitops-runtime/README.md | 10 +++++----- 2 files changed, 8 insertions(+), 10 deletions(-)
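Review bot: Both image bumps in the values.yaml hunks (`internal-router.image.tag` at line 353 and `redis-secret-init.image.tag` at line 748) identify the fixed image by tag only, and a registry tag can be re-pointed after review, so nothing here binds the deployment to the build that actually carries the security fixes. If the chart's image helper allows it (the templates are not part of this patch), append the digest of the reviewed image, e.g. `tag: 1.31.2-alpine3.23@sha256:<digest of the reviewed image>`, or add a dedicated digest key next to `tag`. Separately, `tag: 1.36.2` moves `alpine/kubectl` up a minor release, so it is worth confirming that the oldest cluster version the chart supports is still within kubectl's supported version skew for the hook job.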
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml
index 342aa9c6a..4a981ecd0 100644
--- a/charts/gitops-runtime/Chart.yaml
+++ b/charts/gitops-runtime/Chart.yaml
@@ -17,13 +17,11 @@ annotations:
 # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
 artifacthub.io/changes: |-
 - kind: security
- description: 'Update "argo-gateway" to "3683869". Security fixes'
+ description: 'Update "codefresh-tunnel-client" to 0.1.25. Security fixes'
 - kind: security
- description: 'Update "cap-app-proxy" to "1.4103.0". Security fixes'
+ description: 'Update "nginx-unprivileged" to 1.31.2-alpine3.23. Security fixes'
 - kind: security
- description: 'Update "codefresh-gitops-operator" to "c03bf91". Security fixes'
- - kind: security
- description: 'Update "csdp-image-enrichers" to "1.1.28-main". Security fixes'
+ description: 'Update "alpine/kubectl" to 1.36.2. Security fixes'
 dependencies:
 # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version.
 # Don't forget to remove the image override after updating to a new version of the chart.
diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md
index 18c94f42e..ccc25f22c 100644
--- a/charts/gitops-runtime/README.md
+++ b/charts/gitops-runtime/README.md
@@ -1,5 +1,5 @@ ## Codefresh gitops runtime -![Version: 0.29.15](https://img.shields.io/badge/Version-0.29.15-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) +![Version: 0.29.16](https://img.shields.io/badge/Version-0.29.16-informational?style=flat-square) ![AppVersion: 0.2.3](https://img.shields.io/badge/AppVersion-0.2.3-informational?style=flat-square) ## Table of Content
@@ -205,7 +205,7 @@ We have created a helper utility to resolve this issue: The utility is packaged in a container image. Below are instructions on executing the utility using Docker: ``` -docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.15 +docker run -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.16 ``` `output_dir` - is a local directory where the utility will output files.
`local_registry` - is your local registry where you want to mirror the images to @@ -218,7 +218,7 @@ The utility will output 4 files into the folder: For usage with external ArgoCD run the utility with `EXTERNAL_ARGOCD` environment variable set to `true`. ``` -docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.15 +docker run -e EXTERNAL_ARGOCD=true -v :/output quay.io/codefresh/gitops-runtime-private-registry-utils:0.29.16 ``` ## Openshift 
@@ -799,12 +799,12 @@ global: | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | | redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | | redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | -| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. # https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ | | redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | | redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | | redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | | redis-ha.topologySpreadConstraints.whenUnsatisfiable | string | `""` (defaults to `ScheduleAnyway`) | Enforcement policy, hard or soft | -| redis-secret-init | object | `{"affinity":{},"image":{"registry":"docker.io","repository":"alpine/kubectl","tag":"1.35.4"},"nodeSelector":{},"tolerations":[]}` | Enable hook job to create redis secret | +| redis-secret-init | object | `{"affinity":{},"image":{"registry":"docker.io","repository":"alpine/kubectl","tag":"1.36.2"},"nodeSelector":{},"tolerations":[]}` | Enable hook job to create redis secret | | redis.image | object | `{"registry":"public.ecr.aws","repository":"docker/library/redis","tag":"8.2.1-alpine"}` | Redis image | | 
redis.metrics | object | `{"enabled":true,"env":{},"envFrom":[],"image":{"registry":"ghcr.io","repository":"oliver006/redis_exporter","tag":"v1.72.1"},"livenessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"readinessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"resources":{},"serviceMonitor":{"enabled":false}}` | Enable metrics sidecar | | redis.metrics.serviceMonitor | object | `{"enabled":false}` | Enable a prometheus ServiceMonitor |
From 287cfd389370df416e86d7c0071f713c360a26b4 Mon Sep 17 00:00:00 2001 From: Alina Date: Fri, 26 Jun 2026 12:10:33 +0300 Subject: [PATCH 46/47] update image tag to fix security --- charts/gitops-runtime/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
index 00016bf5a..ef7c7a2d4 100644
--- a/charts/gitops-runtime/values.yaml
+++ b/charts/gitops-runtime/values.yaml
@@ -159,7 +159,7 @@ global:
 image:
 registry: quay.io
 repository: codefresh/cf-argocd-extras
- tag: "71b7e7c"
+ tag: "ace3860"
 nodeSelector: {}
 tolerations: []
 affinity: {}
@@ -705,7 +705,7 @@ argo-gateway:
 image:
 registry: quay.io
 repository: codefresh/cf-argocd-extras
- tag: "3683869"
+ tag: "ace3860"
 nodeSelector: {}
 tolerations: []
 affinity: {}
From 6e81f0da325061267c58ce552637b885d1e9a98f Mon Sep 17 00:00:00 2001 From: Alina Date: Fri, 26 Jun 2026 12:19:29 +0300 Subject: [PATCH 47/47] bump version --- charts/gitops-runtime/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml
index 4a981ecd0..22de01cfa 100644
--- a/charts/gitops-runtime/Chart.yaml
+++ b/charts/gitops-runtime/Chart.yaml
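Review bot: The same image, `codefresh/cf-argocd-extras`, is pinned in two separate places in values.yaml (the block under `global:` at line 159 and `argo-gateway.image` at line 705), and the removed lines show the two had already drifted apart (`"71b7e7c"` versus `"3683869"`), so the earlier argo-gateway security update apparently left the first copy on the older build. Nothing in the file ties the two values together, so the next bump can miss one again; a comment above each `tag`, e.g. `# keep in sync with the other cf-argocd-extras tag in this file`, or a CI check that compares them would catch that. This patch also leaves README.md untouched, which elsewhere in this series still documents the argo-gateway tag as `"3683869"`; a later prepare-version commit may regenerate it, but none is in view. The mappings enclosing both `image:` blocks start outside the hunks, so the exact key path of the first one cannot be confirmed from the diff.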
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: 0.2.3
 description: A Helm chart for Codefresh gitops runtime
 name: gitops-runtime
-version: 0.29.16
+version: 0.29.17
 home: https://github.com/codefresh-io/gitops-runtime-helm
 icon: https://avatars1.githubusercontent.com/u/11412079?v=3
 keywords: