From 4731e40786ae15f3121ad2e3ef0f560a3aeb3c99 Mon Sep 17 00:00:00 2001
From: Vadim Kharin
Date: Thu, 23 Apr 2026 11:09:09 +0300
Subject: [PATCH 1/5] chore: fix various security vulnerabilities in compose and dind
---
 charts/cf-runtime/Chart.yaml | 10 ++++++----
 charts/cf-runtime/README.md | 6 +++---
 charts/cf-runtime/values.yaml | 8 ++++----
 3 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
index 33209d85..a922e98b 100644
--- a/charts/cf-runtime/Chart.yaml
+++ b/charts/cf-runtime/Chart.yaml
@@ -17,12 +17,14 @@ annotations:
 artifacthub.io/containsSecurityUpdates: "true"
 # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
 artifacthub.io/changes: |
+ - kind: changed
+ description: 'update "compose" to v5.1.3-1.6.3'
 - kind: security
- description: 'update "k8s-agent" to 1.3.34'
+ description: 'fix various security vulnerabilities in compose.'
+ - kind: changed
+ description: 'update "dind" to 29.4.1-3.0.14'
 - kind: security
- description: 'update "engine" to 3.2.5'
- - kind: security
- description: 'update "app-proxy" to 0.0.65'
+ description: 'fix various security vulnerabilities in dind.'
 dependencies:
 - name: cf-common
 repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
index a0ce85f5..76e906bd 100644
--- a/charts/cf-runtime/README.md
+++ b/charts/cf-runtime/README.md
@@ -1319,7 +1319,7 @@ Install the Helm chart | runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) | | runtime.agent | bool | `true` | (for On-Premise only) Enable agent | | runtime.description | string | `""` | Runtime description | -| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{"CLEAN_DOCKER":true,"CLEAN_PERIOD_BUILDS":"5","CLEAN_PERIOD_SECONDS":"21600","DISK_USAGE_THRESHOLD":"0.8","IMAGE_RETAIN_PERIOD":"14400","INODES_USAGE_THRESHOLD":"0.8","VOLUMES_RETAIN_PERIOD":"14400"},"image":{"digest":"sha256:6514b6d5f23cb12677914bb153364957094c7ec07e1dffa18d5a51edc7112968","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"29.4.0-3.0.13"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11","registry":"docker.io","repository":"alpine","tag":3.23},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). 
| +| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{"CLEAN_DOCKER":true,"CLEAN_PERIOD_BUILDS":"5","CLEAN_PERIOD_SECONDS":"21600","DISK_USAGE_THRESHOLD":"0.8","IMAGE_RETAIN_PERIOD":"14400","INODES_USAGE_THRESHOLD":"0.8","VOLUMES_RETAIN_PERIOD":"14400"},"image":{"digest":"sha256:a2c82dcac0652f3d724f187b3d1081e1a81cdef4f8a37fc0216b900cb6a74749","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"29.4.1-3.0.14"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11","registry":"docker.io","repository":"alpine","tag":3.23},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). | | runtime.dind.affinity | object | `{}` | Set affinity | | runtime.dind.containerSecurityContext | object | `{}` | Set container security context. | | runtime.dind.env | object | `{"CLEAN_DOCKER":true,"CLEAN_PERIOD_BUILDS":"5","CLEAN_PERIOD_SECONDS":"21600","DISK_USAGE_THRESHOLD":"0.8","IMAGE_RETAIN_PERIOD":"14400","INODES_USAGE_THRESHOLD":"0.8","VOLUMES_RETAIN_PERIOD":"14400"}` | Set additional env vars. | 
@@ -1330,7 +1330,7 @@ Install the Helm chart | runtime.dind.env.IMAGE_RETAIN_PERIOD | string | `"14400"` | Do not delete Docker images if they have events newer than `NOW minus IMAGE_RETAIN_PERIOD` | | runtime.dind.env.INODES_USAGE_THRESHOLD | string | `"0.8"` | Run cleanup if current inodes usage exceeds INODES_USAGE_THRESHOLD | | runtime.dind.env.VOLUMES_RETAIN_PERIOD | string | `"14400"` | Do not delete Docker volumes if they have events newer than `NOW minus VOLUMES_RETAIN_PERIOD` | -| runtime.dind.image | object | `{"digest":"sha256:6514b6d5f23cb12677914bb153364957094c7ec07e1dffa18d5a51edc7112968","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"29.4.0-3.0.13"}` | Set dind image. | +| runtime.dind.image | object | `{"digest":"sha256:a2c82dcac0652f3d724f187b3d1081e1a81cdef4f8a37fc0216b900cb6a74749","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"29.4.1-3.0.14"}` | Set dind image. | | runtime.dind.nodeSelector | object | `{}` | Set node selector. | | runtime.dind.podAnnotations | object | `{}` | Set pod annotations. | | runtime.dind.podLabels | object | `{}` | Set pod labels. | 
@@ -1351,7 +1351,7 @@ Install the Helm chart | runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts | | runtime.dind.userVolumes | object | `{}` | Add extra volumes | | runtime.dindDaemon | object | See below | DinD pod daemon config | -| runtime.engine | object | `{"affinity":{},"command":["node","dist/server/index.js"],"env":{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:c264a5f83156cbca2124930286bb584be09c060cd1b9739d6d0e0ebf0aa94065","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"3.2.5"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:9a341ff2287c54b86425cbee0141114d811ae69d88a36019087be6d896cef241","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:af852ffa311163c614b340294547c72de9a
275ef7350610fddb9ffeef15f754f","registry":"quay.io","repository":"codefresh/compose","tag":"v5.1.1-1.6.2"},"container-logger":{"digest":"sha256:d5c028973cdb9ec7250014a2ced1ed31106fc5c1010207a7d08cd7099058aaf2","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"2.0.10"},"cosign-image-signer":{"digest":"sha256:85ce347ad7b11a7e324ca64e38b0701bc6fb739bfcbb67a3b4657ef36939e623","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"3.0.6-cf.1"},"default-qemu":{"digest":"sha256:8f58e6214f4cc9dc83ce8f5acad1ece508eb6b20e696a8c1e9f274481982c541","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v10.0.4"},"docker-builder":{"digest":"sha256:94a34c7e749392d7b6e7d7764d0c0b84abc6fff6811ffce29f5d2888770244ef","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.5.7"},"docker-puller":{"digest":"sha256:a518ca194d85d5f254954f201e33f6cd4cd1a82d552fce8cdceabbaf12786cb3","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.26"},"docker-pusher":{"digest":"sha256:199053e81fbba18363f4f7081b48b6da61b02d794ff8a914707710cd867bed96","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.24"},"fs-ops":{"digest":"sha256:5f954c1f4618dbcebf1c3ef7b9185c6e1c9bb14b0aad3d2830cfeb715541bf47","registry":"quay.io","repository":"codefresh/fs-ops","tag":"1.2.12"},"gc-builder":{"digest":"sha256:73d0bab42a59381b7b4894c6461f579083f48895906e17a3ac4e828044217fe0","registry":"quay.io","repository":"codefresh/gcloud-builder","tag":"0.5.8"},"git-cloner":{"digest":"sha256:7270f5c451b72fce34d358a1a7b377c43bc9a28959f3771d5dd666959fb18177","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.10"},"kube-deploy":{"digest":"sha256:beb578bbe5bbf66c034c51937c909d16faf473225815ce416188176d363ec15d","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"17.0.4"},"pipeline-debugger":{"digest":"sha256:2dbf79a87f641507fc2111d4ff01e046954bca2f31e41ebc1e9cda96b1189780","reg
istry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.13"},"template-engine":{"digest":"sha256:fc1dc409ceef47ffdc5a8779851ac201c8c0322fea1b80d0cb6a0a99da9c4c6b","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.11"}},"runtimeImagesRegistry":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_POST_STEPS_GRACE_PERIOD_MINUTES":30,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | +| runtime.engine | object | `{"affinity":{},"command":["node","dist/server/index.js"],"env":{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES
_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:c264a5f83156cbca2124930286bb584be09c060cd1b9739d6d0e0ebf0aa94065","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"3.2.5"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:9a341ff2287c54b86425cbee0141114d811ae69d88a36019087be6d896cef241","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:950ab2a3d8986f95ac84c0d67e5052f97c426bc487470c7b6f46c846a9bd78ac","registry":"quay.io","repository":"codefresh/compose","tag":"v5.1.3-1.6.3"},"container-logger":{"digest":"sha256:d5c028973cdb9ec7250014a2ced1ed31106fc5c1010207a7d08cd7099058aaf2","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"2.0.10"},"cosign-image-signer":{"digest":"sha256:85ce347ad7b11a7e324ca64e38b0701bc6fb739bfcbb67a3b4657ef36939e623","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"3.0.6-cf.1"},"default-qemu":{"digest":"sha256:8f58e6214f4cc9dc83ce8f5acad1ece508eb6b20e696a8c1e9f274481982c541","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v10.0.4"},"docker-builder":{"digest":"sha256:94a34c7e749392d7b6e7d7764d0c0b84abc6fff6811ffce29f5d2888770244ef","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.5.7"},"docker-puller":{"digest":"sha256:a518ca194d85d5f254954f201e33f6cd4cd1a82d552fce8cdceabbaf12786cb3","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.26"},"docker-pusher":{"digest":"sha256:199053e81fbba18363f4f7081b48b6da61b02d794ff8a914707710cd867bed96","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.24"},"fs-ops":{"digest":"sha256:5f954c1f4618dbcebf1c3ef7b9185c6e1c9bb14b0aad3d2830cfeb715541bf47","registry":"quay.io","rep
ository":"codefresh/fs-ops","tag":"1.2.12"},"gc-builder":{"digest":"sha256:73d0bab42a59381b7b4894c6461f579083f48895906e17a3ac4e828044217fe0","registry":"quay.io","repository":"codefresh/gcloud-builder","tag":"0.5.8"},"git-cloner":{"digest":"sha256:7270f5c451b72fce34d358a1a7b377c43bc9a28959f3771d5dd666959fb18177","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.10"},"kube-deploy":{"digest":"sha256:beb578bbe5bbf66c034c51937c909d16faf473225815ce416188176d363ec15d","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"17.0.4"},"pipeline-debugger":{"digest":"sha256:2dbf79a87f641507fc2111d4ff01e046954bca2f31e41ebc1e9cda96b1189780","registry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.13"},"template-engine":{"digest":"sha256:fc1dc409ceef47ffdc5a8779851ac201c8c0322fea1b80d0cb6a0a99da9c4c6b","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.11"}},"runtimeImagesRegistry":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_POST_STEPS_GRACE_PERIOD_MINUTES":30,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | | runtime.engine.affinity | object | `{}` | Set affinity | | runtime.engine.command | list | `["node","dist/server/index.js"]` | Set container command. 
| | runtime.engine.env | object | `{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"}` | Set additional env vars. |
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
index e6f1dc04..cfbdf8e5 100644
--- a/charts/cf-runtime/values.yaml
+++ b/charts/cf-runtime/values.yaml
@@ -401,9 +401,9 @@ runtime:
 image:
 registry: quay.io
 repository: codefresh/dind
- tag: 29.4.0-3.0.13 # use `latest-rootless/rootless/29.2.0-3.0.11-rootless` tags for rootless-dind
+ tag: 29.4.1-3.0.14 # use `latest-rootless/rootless/29.2.0-3.0.11-rootless` tags for rootless-dind
 pullPolicy: IfNotPresent
- digest: sha256:6514b6d5f23cb12677914bb153364957094c7ec07e1dffa18d5a51edc7112968
+ digest: sha256:a2c82dcac0652f3d724f187b3d1081e1a81cdef4f8a37fc0216b900cb6a74749
 # -- Set dind resources.
 resources:
 requests: null
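Review bot: The inline comment on the new `tag:` line still recommends `29.2.0-3.0.11-rootless` for rootless-dind, which is older than the `29.4.1-3.0.14` build this hunk pins for its security fixes, so rootless users following it would stay on an older image. The comment also does not mention that `digest:` is pinned two lines below; how the chart combines tag and digest is not visible here, but if the digest takes precedence a tag-only override would silently keep the non-rootless image. I would refresh the comment along the lines of `# for rootless-dind set the matching rootless tag (<ROOTLESS_TAG_FOR_THIS_RELEASE>) and update or clear digest as well`. The enclosing `runtime.dind.image` mapping starts outside the hunk.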
@@ -530,8 +530,8 @@ runtime:
 compose:
 registry: quay.io
 repository: codefresh/compose
- tag: v5.1.1-1.6.2
- digest: sha256:af852ffa311163c614b340294547c72de9a275ef7350610fddb9ffeef15f754f
+ tag: v5.1.3-1.6.3
+ digest: sha256:950ab2a3d8986f95ac84c0d67e5052f97c426bc487470c7b6f46c846a9bd78ac
 container-logger:
 registry: quay.io
 repository: codefresh/cf-container-logger
From 9c090a6ff08a79dc1a1c072153c5d4fa0bcdd2a6 Mon Sep 17 00:00:00 2001
From: Vadim Kharin
Date: Thu, 23 Apr 2026 11:16:22 +0300
Subject: [PATCH 2/5] chore: fix various security vulnerabilities in cf-docker-builder, compose and dind
---
 charts/cf-runtime/Chart.yaml | 6 +++---
 charts/cf-runtime/README.md | 2 +-
 charts/cf-runtime/values.yaml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
index a922e98b..e68b08f6 100644
--- a/charts/cf-runtime/Chart.yaml
+++ b/charts/cf-runtime/Chart.yaml
@@ -17,14 +17,14 @@ annotations:
 artifacthub.io/containsSecurityUpdates: "true"
 # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
 artifacthub.io/changes: |
+ - kind: changed
+ description: 'update "cf-docker-builder" to v1.6.0'
 - kind: changed
 description: 'update "compose" to v5.1.3-1.6.3'
- - kind: security
- description: 'fix various security vulnerabilities in compose.'
 - kind: changed
 description: 'update "dind" to 29.4.1-3.0.14'
 - kind: security
- description: 'fix various security vulnerabilities in dind.'
+ description: 'fix various security vulnerabilities in cf-docker-builder, compose and dind.'
 dependencies:
 - name: cf-common
 repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
index 76e906bd..6b4cd816 100644
--- a/charts/cf-runtime/README.md
+++ b/charts/cf-runtime/README.md
@@ -1351,7 +1351,7 @@ Install the Helm chart | runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts | | runtime.dind.userVolumes | object | `{}` | Add extra volumes | | runtime.dindDaemon | object | See below | DinD pod daemon config | -| runtime.engine | object | `{"affinity":{},"command":["node","dist/server/index.js"],"env":{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:c264a5f83156cbca2124930286bb584be09c060cd1b9739d6d0e0ebf0aa94065","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"3.2.5"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:9a341ff2287c54b86425cbee0141114d811ae69d88a36019087be6d896cef241","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:950ab2a3d8986f95ac84c0d67e5052f97c4
26bc487470c7b6f46c846a9bd78ac","registry":"quay.io","repository":"codefresh/compose","tag":"v5.1.3-1.6.3"},"container-logger":{"digest":"sha256:d5c028973cdb9ec7250014a2ced1ed31106fc5c1010207a7d08cd7099058aaf2","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"2.0.10"},"cosign-image-signer":{"digest":"sha256:85ce347ad7b11a7e324ca64e38b0701bc6fb739bfcbb67a3b4657ef36939e623","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"3.0.6-cf.1"},"default-qemu":{"digest":"sha256:8f58e6214f4cc9dc83ce8f5acad1ece508eb6b20e696a8c1e9f274481982c541","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v10.0.4"},"docker-builder":{"digest":"sha256:94a34c7e749392d7b6e7d7764d0c0b84abc6fff6811ffce29f5d2888770244ef","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.5.7"},"docker-puller":{"digest":"sha256:a518ca194d85d5f254954f201e33f6cd4cd1a82d552fce8cdceabbaf12786cb3","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.26"},"docker-pusher":{"digest":"sha256:199053e81fbba18363f4f7081b48b6da61b02d794ff8a914707710cd867bed96","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.24"},"fs-ops":{"digest":"sha256:5f954c1f4618dbcebf1c3ef7b9185c6e1c9bb14b0aad3d2830cfeb715541bf47","registry":"quay.io","repository":"codefresh/fs-ops","tag":"1.2.12"},"gc-builder":{"digest":"sha256:73d0bab42a59381b7b4894c6461f579083f48895906e17a3ac4e828044217fe0","registry":"quay.io","repository":"codefresh/gcloud-builder","tag":"0.5.8"},"git-cloner":{"digest":"sha256:7270f5c451b72fce34d358a1a7b377c43bc9a28959f3771d5dd666959fb18177","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.10"},"kube-deploy":{"digest":"sha256:beb578bbe5bbf66c034c51937c909d16faf473225815ce416188176d363ec15d","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"17.0.4"},"pipeline-debugger":{"digest":"sha256:2dbf79a87f641507fc2111d4ff01e046954bca2f31e41ebc1e9cda96b1189780","reg
istry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.13"},"template-engine":{"digest":"sha256:fc1dc409ceef47ffdc5a8779851ac201c8c0322fea1b80d0cb6a0a99da9c4c6b","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.11"}},"runtimeImagesRegistry":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_POST_STEPS_GRACE_PERIOD_MINUTES":30,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | +| runtime.engine | object | `{"affinity":{},"command":["node","dist/server/index.js"],"env":{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES
_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:c264a5f83156cbca2124930286bb584be09c060cd1b9739d6d0e0ebf0aa94065","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"3.2.5"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:9a341ff2287c54b86425cbee0141114d811ae69d88a36019087be6d896cef241","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:950ab2a3d8986f95ac84c0d67e5052f97c426bc487470c7b6f46c846a9bd78ac","registry":"quay.io","repository":"codefresh/compose","tag":"v5.1.3-1.6.3"},"container-logger":{"digest":"sha256:d5c028973cdb9ec7250014a2ced1ed31106fc5c1010207a7d08cd7099058aaf2","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"2.0.10"},"cosign-image-signer":{"digest":"sha256:85ce347ad7b11a7e324ca64e38b0701bc6fb739bfcbb67a3b4657ef36939e623","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"3.0.6-cf.1"},"default-qemu":{"digest":"sha256:8f58e6214f4cc9dc83ce8f5acad1ece508eb6b20e696a8c1e9f274481982c541","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v10.0.4"},"docker-builder":{"digest":"sha256:31c605a6df7898e1e35ca57dcbe47ee314903ba28aab651cb6913ba43ade21a2","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.6.0"},"docker-puller":{"digest":"sha256:a518ca194d85d5f254954f201e33f6cd4cd1a82d552fce8cdceabbaf12786cb3","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.26"},"docker-pusher":{"digest":"sha256:199053e81fbba18363f4f7081b48b6da61b02d794ff8a914707710cd867bed96","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.24"},"fs-ops":{"digest":"sha256:5f954c1f4618dbcebf1c3ef7b9185c6e1c9bb14b0aad3d2830cfeb715541bf47","registry":"quay.io","rep
ository":"codefresh/fs-ops","tag":"1.2.12"},"gc-builder":{"digest":"sha256:73d0bab42a59381b7b4894c6461f579083f48895906e17a3ac4e828044217fe0","registry":"quay.io","repository":"codefresh/gcloud-builder","tag":"0.5.8"},"git-cloner":{"digest":"sha256:7270f5c451b72fce34d358a1a7b377c43bc9a28959f3771d5dd666959fb18177","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.10"},"kube-deploy":{"digest":"sha256:beb578bbe5bbf66c034c51937c909d16faf473225815ce416188176d363ec15d","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"17.0.4"},"pipeline-debugger":{"digest":"sha256:2dbf79a87f641507fc2111d4ff01e046954bca2f31e41ebc1e9cda96b1189780","registry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.13"},"template-engine":{"digest":"sha256:fc1dc409ceef47ffdc5a8779851ac201c8c0322fea1b80d0cb6a0a99da9c4c6b","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.11"}},"runtimeImagesRegistry":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_POST_STEPS_GRACE_PERIOD_MINUTES":30,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | | runtime.engine.affinity | object | `{}` | Set affinity | | runtime.engine.command | list | `["node","dist/server/index.js"]` | Set container command. 
| | runtime.engine.env | object | `{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"}` | Set additional env vars. |
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
index cfbdf8e5..12a0f796 100644
--- a/charts/cf-runtime/values.yaml
+++ b/charts/cf-runtime/values.yaml
@@ -540,8 +540,8 @@ runtime:
 docker-builder:
 registry: quay.io
 repository: codefresh/cf-docker-builder
- tag: 1.5.7
- digest: sha256:94a34c7e749392d7b6e7d7764d0c0b84abc6fff6811ffce29f5d2888770244ef
+ tag: 1.6.0
+ digest: sha256:31c605a6df7898e1e35ca57dcbe47ee314903ba28aab651cb6913ba43ade21a2
 docker-puller:
 registry: quay.io
 repository: codefresh/cf-docker-puller
From e15bb2f1fd82e2964df94cd93d6fa365c3b9cbd7 Mon Sep 17 00:00:00 2001
From: Vadim Kharin
Date: Thu, 23 Apr 2026 14:09:51 +0300
Subject: [PATCH 3/5] update tonistiigi/binfmt to qemu-v10.2.1
---
 charts/cf-runtime/Chart.yaml | 2 ++
 charts/cf-runtime/README.md | 2 +-
 charts/cf-runtime/values.yaml | 4 ++--
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
index e68b08f6..7ccbcec8 100644
--- a/charts/cf-runtime/Chart.yaml
+++ b/charts/cf-runtime/Chart.yaml
@@ -25,6 +25,8 @@ annotations:
 description: 'update "dind" to 29.4.1-3.0.14'
 - kind: security
 description: 'fix various security vulnerabilities in cf-docker-builder, compose and dind.'
+ - kind: changed
+ description: 'update "tonistiigi/binfmt" to qemu-v10.2.1'
 dependencies:
 - name: cf-common
 repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
index 6b4cd816..7b018f68 100644
--- a/charts/cf-runtime/README.md
+++ b/charts/cf-runtime/README.md
@@ -1351,7 +1351,7 @@ Install the Helm chart | runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts | | runtime.dind.userVolumes | object | `{}` | Add extra volumes | | runtime.dindDaemon | object | See below | DinD pod daemon config | -| runtime.engine | object | `{"affinity":{},"command":["node","dist/server/index.js"],"env":{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:c264a5f83156cbca2124930286bb584be09c060cd1b9739d6d0e0ebf0aa94065","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"3.2.5"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:9a341ff2287c54b86425cbee0141114d811ae69d88a36019087be6d896cef241","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:950ab2a3d8986f95ac84c0d67e5052f97c4
26bc487470c7b6f46c846a9bd78ac","registry":"quay.io","repository":"codefresh/compose","tag":"v5.1.3-1.6.3"},"container-logger":{"digest":"sha256:d5c028973cdb9ec7250014a2ced1ed31106fc5c1010207a7d08cd7099058aaf2","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"2.0.10"},"cosign-image-signer":{"digest":"sha256:85ce347ad7b11a7e324ca64e38b0701bc6fb739bfcbb67a3b4657ef36939e623","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"3.0.6-cf.1"},"default-qemu":{"digest":"sha256:8f58e6214f4cc9dc83ce8f5acad1ece508eb6b20e696a8c1e9f274481982c541","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v10.0.4"},"docker-builder":{"digest":"sha256:31c605a6df7898e1e35ca57dcbe47ee314903ba28aab651cb6913ba43ade21a2","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.6.0"},"docker-puller":{"digest":"sha256:a518ca194d85d5f254954f201e33f6cd4cd1a82d552fce8cdceabbaf12786cb3","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.26"},"docker-pusher":{"digest":"sha256:199053e81fbba18363f4f7081b48b6da61b02d794ff8a914707710cd867bed96","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.24"},"fs-ops":{"digest":"sha256:5f954c1f4618dbcebf1c3ef7b9185c6e1c9bb14b0aad3d2830cfeb715541bf47","registry":"quay.io","repository":"codefresh/fs-ops","tag":"1.2.12"},"gc-builder":{"digest":"sha256:73d0bab42a59381b7b4894c6461f579083f48895906e17a3ac4e828044217fe0","registry":"quay.io","repository":"codefresh/gcloud-builder","tag":"0.5.8"},"git-cloner":{"digest":"sha256:7270f5c451b72fce34d358a1a7b377c43bc9a28959f3771d5dd666959fb18177","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.10"},"kube-deploy":{"digest":"sha256:beb578bbe5bbf66c034c51937c909d16faf473225815ce416188176d363ec15d","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"17.0.4"},"pipeline-debugger":{"digest":"sha256:2dbf79a87f641507fc2111d4ff01e046954bca2f31e41ebc1e9cda96b1189780","reg
istry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.13"},"template-engine":{"digest":"sha256:fc1dc409ceef47ffdc5a8779851ac201c8c0322fea1b80d0cb6a0a99da9c4c6b","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.11"}},"runtimeImagesRegistry":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_POST_STEPS_GRACE_PERIOD_MINUTES":30,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | +| runtime.engine | object | `{"affinity":{},"command":["node","dist/server/index.js"],"env":{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES
_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"},"image":{"digest":"sha256:c264a5f83156cbca2124930286bb584be09c060cd1b9739d6d0e0ebf0aa94065","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"3.2.5"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"alpine":{"digest":"sha256:9a341ff2287c54b86425cbee0141114d811ae69d88a36019087be6d896cef241","registry":"docker.io","repository":"alpine","tag":"edge"},"compose":{"digest":"sha256:950ab2a3d8986f95ac84c0d67e5052f97c426bc487470c7b6f46c846a9bd78ac","registry":"quay.io","repository":"codefresh/compose","tag":"v5.1.3-1.6.3"},"container-logger":{"digest":"sha256:d5c028973cdb9ec7250014a2ced1ed31106fc5c1010207a7d08cd7099058aaf2","registry":"quay.io","repository":"codefresh/cf-container-logger","tag":"2.0.10"},"cosign-image-signer":{"digest":"sha256:85ce347ad7b11a7e324ca64e38b0701bc6fb739bfcbb67a3b4657ef36939e623","registry":"quay.io","repository":"codefresh/cf-cosign-image-signer","tag":"3.0.6-cf.1"},"default-qemu":{"digest":"sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3","registry":"docker.io","repository":"tonistiigi/binfmt","tag":"qemu-v10.2.1"},"docker-builder":{"digest":"sha256:31c605a6df7898e1e35ca57dcbe47ee314903ba28aab651cb6913ba43ade21a2","registry":"quay.io","repository":"codefresh/cf-docker-builder","tag":"1.6.0"},"docker-puller":{"digest":"sha256:a518ca194d85d5f254954f201e33f6cd4cd1a82d552fce8cdceabbaf12786cb3","registry":"quay.io","repository":"codefresh/cf-docker-puller","tag":"8.0.26"},"docker-pusher":{"digest":"sha256:199053e81fbba18363f4f7081b48b6da61b02d794ff8a914707710cd867bed96","registry":"quay.io","repository":"codefresh/cf-docker-pusher","tag":"6.0.24"},"fs-ops":{"digest":"sha256:5f954c1f4618dbcebf1c3ef7b9185c6e1c9bb14b0aad3d2830cfeb715541bf47","registry":"quay.io","rep
ository":"codefresh/fs-ops","tag":"1.2.12"},"gc-builder":{"digest":"sha256:73d0bab42a59381b7b4894c6461f579083f48895906e17a3ac4e828044217fe0","registry":"quay.io","repository":"codefresh/gcloud-builder","tag":"0.5.8"},"git-cloner":{"digest":"sha256:7270f5c451b72fce34d358a1a7b377c43bc9a28959f3771d5dd666959fb18177","registry":"quay.io","repository":"codefresh/cf-git-cloner","tag":"10.3.10"},"kube-deploy":{"digest":"sha256:beb578bbe5bbf66c034c51937c909d16faf473225815ce416188176d363ec15d","registry":"quay.io","repository":"codefresh/cf-deploy-kubernetes","tag":"17.0.4"},"pipeline-debugger":{"digest":"sha256:2dbf79a87f641507fc2111d4ff01e046954bca2f31e41ebc1e9cda96b1189780","registry":"quay.io","repository":"codefresh/cf-debugger","tag":"1.3.13"},"template-engine":{"digest":"sha256:fc1dc409ceef47ffdc5a8779851ac201c8c0322fea1b80d0cb6a0a99da9c4c6b","registry":"quay.io","repository":"codefresh/pikolo","tag":"0.14.11"}},"runtimeImagesRegistry":"","schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_POST_STEPS_GRACE_PERIOD_MINUTES":30,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | | runtime.engine.affinity | object | `{}` | Set affinity | | runtime.engine.command | list | `["node","dist/server/index.js"]` | Set container command. 
| | runtime.engine.env | object | `{"CF_TELEMETRY_LOGS_LEVEL":"debug","CF_TELEMETRY_OTEL_ALLOW_HTTP_INSTRUMENTATION":"false","CF_TELEMETRY_OTEL_ENABLE":"true","CF_TELEMETRY_PROMETHEUS_ENABLE":"false","CF_TELEMETRY_PROMETHEUS_ENABLE_PROCESS_METRICS":"false","CF_TELEMETRY_PROMETHEUS_HOST":"0.0.0.0","CF_TELEMETRY_PROMETHEUS_PORT":"9100","CF_TELEMETRY_PYROSCOPE_ENABLE":"false","CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_SCRAPE_TIMEOUT_MS":"0","OTEL_EXPORTER_OTLP_COMPRESSION":"gzip","OTEL_EXPORTER_OTLP_ENDPOINT":"http://localhost:4317","OTEL_EXPORTER_OTLP_PROTOCOL":"grpc","OTEL_EXPORTER_PROMETHEUS_HOST":"0.0.0.0","OTEL_EXPORTER_PROMETHEUS_PORT":"9464","OTEL_LOGS_EXPORTER":"none","OTEL_METRICS_EXPORTER":"otlp","OTEL_METRIC_EXPORT_INTERVAL":"10000","OTEL_METRIC_EXPORT_TIMEOUT":"5000","OTEL_SEMCONV_STABILITY_OPT_IN":"http","OTEL_TRACES_EXPORTER":"none","OTEL_TRACES_SAMPLER":"parentbased_always_on","PYROSCOPE_SERVER_ADDRESS":"","TRUSTED_QEMU_IMAGES":"tonistiigi/binfmt"}` | Set additional env vars. |
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
index 12a0f796..d9ae6909 100644
--- a/charts/cf-runtime/values.yaml
+++ b/charts/cf-runtime/values.yaml
@@ -590,8 +590,8 @@ runtime:
 default-qemu:
 registry: docker.io
 repository: tonistiigi/binfmt
- tag: qemu-v10.0.4
- digest: sha256:8f58e6214f4cc9dc83ce8f5acad1ece508eb6b20e696a8c1e9f274481982c541
+ tag: qemu-v10.2.1
+ digest: sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3
 alpine:
 registry: docker.io
 repository: alpine
From d5821c23c1e6edf1298f25ded5874b88a7fb6ab7 Mon Sep 17 00:00:00 2001
From: Vadim Kharin
Date: Thu, 23 Apr 2026 14:14:23 +0300
Subject: [PATCH 4/5] bump version
---
 charts/cf-runtime/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
index 7ccbcec8..15934096 100644
--- a/charts/cf-runtime/Chart.yaml
+++ b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 10.0.15
+version: 10.0.16
 keywords:
 - codefresh
 - runner
From c4437aa6940c4f100f072f16501d1b08ca34b94e Mon Sep 17 00:00:00 2001
From: Vadim Kharin
Date: Thu, 23 Apr 2026 14:24:53 +0300
Subject: [PATCH 5/5] update docs
---
 charts/cf-runtime/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
index 7b018f68..b90cc85f 100644
--- a/charts/cf-runtime/README.md
+++ b/charts/cf-runtime/README.md
@@ -1,6 +1,6 @@ ## Codefresh Runner -![Version: 10.0.15](https://img.shields.io/badge/Version-10.0.15-informational?style=flat-square) +![Version: 10.0.16](https://img.shields.io/badge/Version-10.0.16-informational?style=flat-square) Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.