chore: contains security fixes (#572)

vitalii-codefresh · web-flow · commit 631f655c5537 · 2025-04-25T11:35:22.000+03:00
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 7.5.10
+version: 7.5.11
 keywords:
   - codefresh
   - runner
@@ -14,11 +14,21 @@ maintainers:
     url: https://codefresh-io.github.io/
 annotations:
   # 💡 Do not forget to update this annotation:
-  artifacthub.io/containsSecurityUpdates: "false"
+  artifacthub.io/containsSecurityUpdates: "true"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
-    - kind: fixed
-      description: "fixed a bug in retrieving the list of repositories for Bitbucket through cf-app-proxy"
+    - kind: security
+      description: "updated k8s-agent with security fixes"
+    - kind: security
+      description: "updated docker-builder with security fixes"
+    - kind: security
+      description: "updated docker-puller with security fixes"
+    - kind: security
+      description: "updated docker-pusher with security fixes"
+    - kind: security
+      description: "updated template-engine with security fixes"
+    - kind: security
+      description: "updated kubectl with security fixes"
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 7.5.10](https://img.shields.io/badge/Version-7.5.10-informational?style=flat-square)
+![Version: 7.5.11](https://img.shields.io/badge/Version-7.5.11-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -1135,7 +1135,7 @@ Go to [https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system](http
 | monitor.affinity | object | `{}` | Set affinity |
 | monitor.enabled | bool | `false` | Enable monitor Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component |
 | monitor.env | object | `{}` | Add additional env vars |
-| monitor.image | object | `{"digest":"sha256:3cc7b3d41f841604133197a44f016db499f3e91e26448da36ce739a0b1171d05","registry":"quay.io","repository":"codefresh/cf-k8s-agent","tag":"1.3.21"}` | Set image |
+| monitor.image | object | `{"digest":"sha256:2827aa2a274b186f7bfab3fab3dd0ff136a4ffadcc3b04c130beb5780caa3def","registry":"quay.io","repository":"codefresh/cf-k8s-agent","tag":"1.3.22"}` | Set image |
 | monitor.nodeSelector | object | `{}` | Set node selector |
 | monitor.podAnnotations | object | `{}` | Set pod annotations |
 | monitor.podSecurityContext | object | `{}` |  |
@@ -1177,7 +1177,7 @@ Go to [https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system](http
 | runner.serviceAccount.annotations | object | `{}` | Additional service account annotations |
 | runner.serviceAccount.create | bool | `true` | Create service account |
 | runner.serviceAccount.name | string | `""` | Override service account name |
-| runner.sidecar | object | `{"enabled":false,"env":{"RECONCILE_INTERVAL":300},"image":{"digest":"sha256:e12f8af6f36bf72a4d660a6b39c6306cebd3f12a37030daae327c2de66ff8c63","registry":"quay.io","repository":"codefresh/kubectl","tag":"1.32.2"},"resources":{}}` | Sidecar container Reconciles runtime spec from Codefresh API for drift detection |
+| runner.sidecar | object | `{"enabled":false,"env":{"RECONCILE_INTERVAL":300},"image":{"digest":"sha256:da0c9d12b4772e6cd6c1ecb93883471e8785d4d61c9108c9f7d0dc9cc2f5a149","registry":"quay.io","repository":"codefresh/kubectl","tag":"1.33.0"},"resources":{}}` | Sidecar container Reconciles runtime spec from Codefresh API for drift detection |
 | runner.tolerations | list | `[]` | Set tolerations |
 | runner.updateStrategy | object | `{"type":"RollingUpdate"}` | Upgrade strategy |
 | runtime | object | See below | Set runtime parameters |
@@ -1209,7 +1209,7 @@ Go to [https://<YOUR_ONPREM_DOMAIN_HERE>/admin/runtime-environments/system](http
 | runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts |
 | runtime.dind.userVolumes | object | `{}` | Add extra volumes |
 | runtime.dindDaemon | object | See below | DinD pod daemon config |
-| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:a7494db18df5f7541b32b9747c920dba4db3e11e6317de9827342d34ae32f6af","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.177.6"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"COMPOSE_IMAGE":"quay.io/codefresh/compose:v2.32.2-1.5.2@sha256:9177054614f6db006a3500d2b9b8d2cafac4073ce891929d93e117714fccbd4b","CONTAINER_LOGGER_IMAGE":"quay.io/codefresh/cf-container-logger:1.12.2@sha256:b3cbe2088f8fd0c48a0fa6df6c9ab8ad9d1d3c840a57f2c89520a655e2a8c116","COSIGN_IMAGE_SIGNER_IMAGE":"quay.io/codefresh/cf-cosign-image-signer:2.4.3-cf.1@sha256:667352652fa6d26053b504b85e885a6d8a28f884fdeb80e5704cdf73e6586146","CR_6177_FIXER":"alpine:edge@sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8","DEFAULT_QEMU_IMAGE":"tonistiigi/binfmt:qemu-v9.2.2@sha256:1b804311fe87047a4c96d38b4b3ef6f62fca8cd125265917a9e3dc3c996c39e6","DOCKER_BUILDER_IMAGE":"quay.io/codefresh/cf-docker-builder:1.4.3@sha256:cf9b5a70448af54d00642790dd46d6c19a084b96ee26b40ad6dabfc1c1b780d5","DOCKER_PULLER_IMAGE":"quay.io/codefresh/cf-docker-puller:8.0.18@sha256:1a15c3ae0952d3986de7866a3def8ac7e3e39f668fe87fd46c63d886ca06c6d7","DOCKER_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-pusher:6.0.16@sha256:05efc1af8b1196f1b9b3f0781b4dcc1aa2cdd0ffc1347ee5fa81b16d029ec5c2","DOCKER_TAG_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-tag-pusher:1.3.15@sha256:3a3e90cd10801c7ec0d3cf3816d0dcc90894d5d1771448c43f67215d90da5eca","FS_OPS_IMAGE":"quay.io/codefresh/fs-ops:1.2.8@sha256:dc05888d84a959787a738caef914f83aa7392ff49c16767e612a29e180826f35","GC_BUILDER_IMAGE":"quay.io/codefresh/cf-gc-builder:0.5.3@sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875","GIT_CLONE_IMAGE":"quay.io/codefresh/cf-git-cloner:10.2.0@sha256:a3ec854823f17d0fd817d978219122e644b1abd6db778fd835688fcb6d88c515","KUBE_DEPLOY":"quay.io/codefresh/cf-deploy-kubernetes:16.1.11@sha256:b6b3fc6cc5fad3ba9e36055278ce99a74a86876be116574503c6fbb4c1b4aa76","PIPELINE_DEBUGGER_IMAGE":"quay.io/codefresh/cf-debugger:1.3.7@sha256:3391822b7ad9835cc2a3a0ce5aaa55774ca110a8682d9512205dea24f438718a","TEMPLATE_ENGINE":"quay.io/codefresh/pikolo:0.14.2@sha256:97874aefc46b58caf5b9d0edcfd2d6742db247e671424433363a1367020a8a65"},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). |
+| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:a7494db18df5f7541b32b9747c920dba4db3e11e6317de9827342d34ae32f6af","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.177.6"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"COMPOSE_IMAGE":"quay.io/codefresh/compose:v2.32.2-1.5.2@sha256:9177054614f6db006a3500d2b9b8d2cafac4073ce891929d93e117714fccbd4b","CONTAINER_LOGGER_IMAGE":"quay.io/codefresh/cf-container-logger:1.12.2@sha256:b3cbe2088f8fd0c48a0fa6df6c9ab8ad9d1d3c840a57f2c89520a655e2a8c116","COSIGN_IMAGE_SIGNER_IMAGE":"quay.io/codefresh/cf-cosign-image-signer:2.4.3-cf.1@sha256:667352652fa6d26053b504b85e885a6d8a28f884fdeb80e5704cdf73e6586146","CR_6177_FIXER":"alpine:edge@sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8","DEFAULT_QEMU_IMAGE":"tonistiigi/binfmt:qemu-v9.2.2@sha256:1b804311fe87047a4c96d38b4b3ef6f62fca8cd125265917a9e3dc3c996c39e6","DOCKER_BUILDER_IMAGE":"quay.io/codefresh/cf-docker-builder:1.4.4@sha256:b145e726d604c19a72bfbce2339df8e41169c9e226b5c3205612d8c4d914a2c3","DOCKER_PULLER_IMAGE":"quay.io/codefresh/cf-docker-puller:8.0.20@sha256:8423ba18902e4a95c946a9732296e9f01d74c8b152537ff90b8a535365c85488","DOCKER_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-pusher:6.0.17@sha256:d6ce0bf1d77c326b5480ece780f2f4277c31b15b5d7b4e7de20d4d64756d8a8f","DOCKER_TAG_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-tag-pusher:1.3.15@sha256:3a3e90cd10801c7ec0d3cf3816d0dcc90894d5d1771448c43f67215d90da5eca","FS_OPS_IMAGE":"quay.io/codefresh/fs-ops:1.2.8@sha256:dc05888d84a959787a738caef914f83aa7392ff49c16767e612a29e180826f35","GC_BUILDER_IMAGE":"quay.io/codefresh/cf-gc-builder:0.5.3@sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875","GIT_CLONE_IMAGE":"quay.io/codefresh/cf-git-cloner:10.2.0@sha256:a3ec854823f17d0fd817d978219122e644b1abd6db778fd835688fcb6d88c515","KUBE_DEPLOY":"quay.io/codefresh/cf-deploy-kubernetes:16.1.11@sha256:b6b3fc6cc5fad3ba9e36055278ce99a74a86876be116574503c6fbb4c1b4aa76","PIPELINE_DEBUGGER_IMAGE":"quay.io/codefresh/cf-debugger:1.3.7@sha256:3391822b7ad9835cc2a3a0ce5aaa55774ca110a8682d9512205dea24f438718a","TEMPLATE_ENGINE":"quay.io/codefresh/pikolo:0.14.3@sha256:7f11960d65cbc63cdb444bfa6ccb5b5eb29cfc517a1290be3998ea5444087e1f"},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). |
 | runtime.engine.affinity | object | `{}` | Set affinity |
 | runtime.engine.command | list | `["npm","run","start"]` | Set container command. |
 | runtime.engine.env | object | `{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100,"METRICS_PROMETHEUS_SCRAPE_TIMEOUT":"15000","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"}` | Set additional env vars. |
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
@@ -95,8 +95,8 @@ runner:
     image:
       registry: quay.io
       repository: codefresh/kubectl
-      tag: 1.32.2
-      digest: sha256:e12f8af6f36bf72a4d660a6b39c6306cebd3f12a37030daae327c2de66ff8c63
+      tag: 1.33.0
+      digest: sha256:da0c9d12b4772e6cd6c1ecb93883471e8785d4d61c9108c9f7d0dc9cc2f5a149
     env:
       RECONCILE_INTERVAL: 300
     resources: {}
@@ -516,15 +516,15 @@ runtime:
     runtimeImages:
       COMPOSE_IMAGE: quay.io/codefresh/compose:v2.32.2-1.5.2@sha256:9177054614f6db006a3500d2b9b8d2cafac4073ce891929d93e117714fccbd4b
       CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.12.2@sha256:b3cbe2088f8fd0c48a0fa6df6c9ab8ad9d1d3c840a57f2c89520a655e2a8c116
-      DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.4.3@sha256:cf9b5a70448af54d00642790dd46d6c19a084b96ee26b40ad6dabfc1c1b780d5
-      DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.18@sha256:1a15c3ae0952d3986de7866a3def8ac7e3e39f668fe87fd46c63d886ca06c6d7
-      DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.16@sha256:05efc1af8b1196f1b9b3f0781b4dcc1aa2cdd0ffc1347ee5fa81b16d029ec5c2
+      DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.4.4@sha256:b145e726d604c19a72bfbce2339df8e41169c9e226b5c3205612d8c4d914a2c3
+      DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.20@sha256:8423ba18902e4a95c946a9732296e9f01d74c8b152537ff90b8a535365c85488
+      DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.17@sha256:d6ce0bf1d77c326b5480ece780f2f4277c31b15b5d7b4e7de20d4d64756d8a8f
       DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.15@sha256:3a3e90cd10801c7ec0d3cf3816d0dcc90894d5d1771448c43f67215d90da5eca
       FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.8@sha256:dc05888d84a959787a738caef914f83aa7392ff49c16767e612a29e180826f35
       GIT_CLONE_IMAGE: quay.io/codefresh/cf-git-cloner:10.2.0@sha256:a3ec854823f17d0fd817d978219122e644b1abd6db778fd835688fcb6d88c515
       KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11@sha256:b6b3fc6cc5fad3ba9e36055278ce99a74a86876be116574503c6fbb4c1b4aa76
       PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.7@sha256:3391822b7ad9835cc2a3a0ce5aaa55774ca110a8682d9512205dea24f438718a
-      TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.2@sha256:97874aefc46b58caf5b9d0edcfd2d6742db247e671424433363a1367020a8a65
+      TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.3@sha256:7f11960d65cbc63cdb444bfa6ccb5b5eb29cfc517a1290be3998ea5444087e1f
       CR_6177_FIXER: alpine:edge@sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8
       GC_BUILDER_IMAGE: quay.io/codefresh/cf-gc-builder:0.5.3@sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875
       COSIGN_IMAGE_SIGNER_IMAGE: quay.io/codefresh/cf-cosign-image-signer:2.4.3-cf.1@sha256:667352652fa6d26053b504b85e885a6d8a28f884fdeb80e5704cdf73e6586146
@@ -625,8 +625,8 @@ runtime:
     image:
       registry: quay.io
       repository: codefresh/kubectl
-      tag: 1.32.2
-      digest: sha256:e12f8af6f36bf72a4d660a6b39c6306cebd3f12a37030daae327c2de66ff8c63
+      tag: 1.33.0
+      digest: sha256:da0c9d12b4772e6cd6c1ecb93883471e8785d4d61c9108c9f7d0dc9cc2f5a149
     rbac:
       enabled: true
     annotations: {}
@@ -746,8 +746,8 @@ monitor:
   image:
     registry: quay.io
     repository: codefresh/cf-k8s-agent
-    tag: 1.3.21
-    digest: sha256:3cc7b3d41f841604133197a44f016db499f3e91e26448da36ce739a0b1171d05
+    tag: 1.3.22
+    digest: sha256:2827aa2a274b186f7bfab3fab3dd0ff136a4ffadcc3b04c130beb5780caa3def
   # -- Add additional env vars
   env: {}
   # -- Service Account parameters
