fix(cf-argocd-extras): security fix, bump image tag to ace3860

charts/gitops-runtime/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 0.1.72
+appVersion: 0.2.3
 description: A Helm chart for Codefresh gitops runtime
 name: gitops-runtime
-version: 0.0.0
+version: 0.29.17
 home: https://github.com/codefresh-io/gitops-runtime-helm
 icon: https://avatars1.githubusercontent.com/u/11412079?v=3
 keywords:
@@ -13,22 +13,33 @@ maintainers:
     url: https://codefresh-io.github.io/
 annotations:
   artifacthub.io/alternativeName: "codefresh-gitops-runtime"
+  artifacthub.io/containsSecurityUpdates: "true"
+  # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
+  artifacthub.io/changes: |-
+    - kind: security
+      description: 'Update "codefresh-tunnel-client" to 0.1.25. Security fixes'
+    - kind: security
+      description: 'Update "nginx-unprivileged" to 1.31.2-alpine3.23. Security fixes'
+    - kind: security
+      description: 'Update "alpine/kubectl" to 1.36.2. Security fixes'
 dependencies:
+  # The image for this chart was overridden because argocd doesn’t release the chart for 3.3.10 version.
+  # Don't forget to remove the image override after updating to a new version of the chart.
   - name: argo-cd
     repository: https://argoproj.github.io/argo-helm
     condition: argo-cd.enabled
-    version: 9.4.4
+    version: 9.5.11
   - name: argo-workflows
     repository: https://codefresh-io.github.io/argo-helm
-    version: 0.45.18-v3.6.7-cap-CR-32333
+    version: 0.45.23-v3.6.7-cap-CFS-7012
     condition: argo-workflows.enabled
   - name: sealed-secrets
-    repository: https://bitnami-labs.github.io/sealed-secrets/
+    repository: https://bitnami.github.io/sealed-secrets/
     version: 2.18.0
     condition: sealed-secrets.enabled
   - name: codefresh-tunnel-client
     repository: oci://quay.io/codefresh/charts
-    version: 0.1.24
+    version: 0.1.25
     alias: tunnel-client
     condition: tunnel-client.enabled
   - name: redis-ha

charts/gitops-runtime/README.md.gotmpl

@@ -8,6 +8,7 @@
 - [Codefresh official documentation](#codefresh-official-documentation)
 - [Argo-workflows artifact and log storage](#argo-workflows-artifact-and-log-storage)
 - [Installation with External ArgoCD](#installation-with-external-argocd)
+  - [ArgoCD compatibility](#argocd-compatibility)
 - [Using with private registries - Helper utility](#using-with-private-registries---helper-utility)
 - [Openshift](#openshift)
 - [High Availability](#high-availability)
@@ -185,6 +186,17 @@ data:
   admin.enabled: "true"
 ```
 
+### ArgoCD compatibility
+
+| GitOps Runtime version | Supported ArgoCD versions |
+|------------------------|---------------------------|
+| 0.29.x                 | >=3.1 <=3.3               |
+| 0.28.x                 | >=3.0 <=3.2               |
+| 0.27.x                 | >=3.0 <=3.2               |
+| 0.26.x                 | >=3.0 <=3.2               |
+| 0.25.x                 | >=2.12 <=3.0              |
+| 0.24.x                 | >=2.12 <=3.0              |
+
 ## Using with private registries - Helper utility
 The GitOps Runtime comprises multiple subcharts and container images. Subcharts also vary in values structure, making it difficult to override image specific values to use private registries.
 We have created a helper utility to resolve this issue:

charts/gitops-runtime/ci/argocd-values.yaml

@@ -0,0 +1,3 @@
+configs:
+  cm:
+    accounts.admin: apiKey,login

charts/gitops-runtime/ci/default-values.yaml

@@ -1,22 +1,25 @@
 global:
+  imagePullSecrets:
+    - name: dockerhub-creds
   codefresh:
-    accountId: 628a80b693a15c0f9c13ab75 # Codefresh Account id for ilia-codefresh for now, needs to be some test account
+    accountId: 63dbba4928d5fd1ef065b781 # `gitops-helm-test` Codefresh account (see "gitops-runtime-helm CI" note in 1Password)
     userToken:
-      secretKeyRef:
-        name: mysecret
-        key: myvalue
-        optional: true
+      token: "dummy" # set in `gitops-runtime-helm/ci` pipeline (see "gitops-runtime-helm CI" note in 1Password)
 
   runtime:
-    name: default
-    cluster: test-cluster
+    name: "dummy" # set in `gitops-runtime-helm/ci` pipeline
 
     ingress:
-      className: "nginx"
+      enabled: true
+      className: haproxy-ingress
       hosts:
-      - runtime.codefresh.local
+        - "runtime.example.com" # set in `gitops-runtime-helm/ci` pipeline
 
     repoCredentialsTemplate:
       url: 'https://github.com'
       username: 'username'
       password: 'dummy'
+
+internal-router:
+  imagePullSecrets:
+    - name: dockerhub-creds

charts/gitops-runtime/ci/values-external-argocd.yaml

@@ -1,28 +1,30 @@
-# Values file used to render all image values
 global:
   codefresh:
-    accountId: 628a80b693a15c0f9c13ab75 # Codefresh Account id for ilia-codefresh for now, needs to be some test account
-    gitIntegration:
-      provider:
-        name: 'GITHUB'
-        apiUrl: 'https://api.github.com'
+    accountId: 63dbba4928d5fd1ef065b781 # `gitops-helm-test` Codefresh account
     userToken:
-      secretKeyRef:
-        name: mysecret
-        key: myvalue
-        optional: true
+      token: "dummy" # set in `gitops-runtime-helm/ci` pipeline
 
   runtime:
-    name: default
+    name: "dummy" # set in `gitops-runtime-helm/ci` pipeline
 
     ingress:
-      enabled: false
+      enabled: true
+      className: haproxy-ingress
+      hosts:
+        - "runtime.example.com" # set in `gitops-runtime-helm/ci` pipeline
 
     repoCredentialsTemplate:
       url: 'https://github.com'
       username: 'username'
       password: 'dummy'
 
+  integrations:
+    argo-cd:
+      server:
+        svc: argocd-server
+      repoServer:
+        svc: argocd-repo-server
+
 argo-cd:
   enabled: false
 

charts/gitops-runtime/ci/versions.json

@@ -0,0 +1,7 @@
+[
+  {
+    "argo-cd": {
+      "chartVersion": "8.0.0"
+    }
+  }
+]

charts/gitops-runtime/templates/_components/gitops-operator/crds/restrictedgitsources.yaml

@@ -286,6 +286,14 @@ spec:
                         description: SkipCrds skips custom resource definition installation
                           step (Helm's --skip-crds)
                         type: boolean
+                      skipSchemaValidation:
+                        description: SkipSchemaValidation skips JSON schema validation
+                          (Helm's --skip-schema-validation)
+                        type: boolean
+                      skipTests:
+                        description: SkipTests skips test manifest installation step
+                          (Helm's --skip-tests).
+                        type: boolean
                       valueFiles:
                         description: ValuesFiles is a list of Helm value files to
                           use when generating a template
@@ -348,6 +356,11 @@ spec:
                         description: ForceCommonLabels specifies whether to force
                           applying common labels to resources for Kustomize apps
                         type: boolean
+                      ignoreMissingComponents:
+                        description: IgnoreMissingComponents prevents kustomize from
+                          failing when components do not exist locally by not appending
+                          them to kustomization file
+                        type: boolean
                       images:
                         description: Images is a list of Kustomize image override
                           specifications
@@ -361,6 +374,10 @@ spec:
                           KubeVersion specifies the Kubernetes API version to pass to Helm when templating manifests. By default, Argo CD
                           uses the Kubernetes version of the target cluster.
                         type: string
+                      labelIncludeTemplates:
+                        description: LabelIncludeTemplates specifies whether to apply
+                          common labels to resource templates or not
+                        type: boolean
                       labelWithoutSelector:
                         description: LabelWithoutSelector specifies whether to apply
                           common labels to resource selectors or not
@@ -432,6 +449,10 @@ spec:
                           use for rendering manifests
                         type: string
                     type: object
+                  name:
+                    description: Name is used to refer to a source and is displayed
+                      in the UI. It is used in multi-source Applications.
+                    type: string
                   path:
                     description: Path is a directory path within the Git repository,
                       and is only valid for applications sourced from Git.
@@ -519,6 +540,10 @@ spec:
                         description: 'AllowEmpty allows apps have zero live resources
                           (default: false)'
                         type: boolean
+                      enabled:
+                        description: Enable allows apps to explicitly control automated
+                          sync
+                        type: boolean
                       prune:
                         description: 'Prune specifies whether to delete resources
                           from the cluster that are not found in the sources anymore
@@ -570,6 +595,10 @@ spec:
                           a failed sync. If set to 0, no retries will be performed.
                         format: int64
                         type: integer
+                      refresh:
+                        description: 'Refresh indicates if the latest revision should
+                          be used on retry instead of the initial one (default: false)'
+                        type: boolean
                     type: object
                   syncOptions:
                     description: Options allow you to specify whole app sync-options