Merge branch 'main' of https://github.com/codefresh-io/venona into CR…

…-25384-runner-report-status-of-task-execution-to-cf-api

.gitignore

@@ -42,10 +42,10 @@ venona/venona
 **/*.tgz
 **/charts/**/charts
 **/dry-run.yaml
-**/values-dev.yaml
+**/values-dev**.yaml
 
 # coverage
 **/cover
 
 # debug
-**/debug
+**/.debug

charts/cf-runtime/.ci/values-ci.yaml

@@ -23,8 +23,6 @@ runner:
     enabled: true
 runtime:
   dind:
-    image:
-      tag: 26.0.0-1.28.6-rootless
     podLabels:
       key: dind
     resources:

charts/cf-runtime/.ci/values-rootless.yaml

@@ -0,0 +1,32 @@
+volumeProvisioner:
+  env:
+    IS_ROOTLESS: true
+  dind-lv-monitor:
+    image:
+      tag: 1.30.0-rootless
+      digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
+    containerSecurityContext:
+      runAsUser: 1000
+    podSecurityContext:
+      fsGroup: 1000
+      fsGroupChangePolicy: "OnRootMismatch"
+    volumePermissions:
+      enabled: true
+
+runtime:
+  dind:
+    image:
+      tag: 26.1.4-1.28.10-rootless
+      digest: sha256:59dfc004eb22a8f09c8a3d585271a055af9df4591ab815bca418c24a2077f5c8
+    userVolumeMounts:
+      dind:
+        name: dind
+        mountPath: /home/rootless/.local/share/docker
+    containerSecurityContext:
+      privileged: true
+      runAsUser: 1000
+    podSecurityContext:
+      fsGroup: 1000
+      fsGroupChangePolicy: "OnRootMismatch"
+    volumePermissions:
+      enabled: true

charts/cf-runtime/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 7.0.1
+version: 7.1.8
 keywords:
   - codefresh
   - runner
@@ -14,11 +14,11 @@ maintainers:
     url: https://codefresh-io.github.io/
 annotations:
   # 💡 Do not forget to update this annotation:
-  artifacthub.io/containsSecurityUpdates: "false"
+  artifacthub.io/containsSecurityUpdates: "true"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
     - kind: security
-      description: "updating k8s-agent"
+      description: "Upgrade docker-tag-pusher to the latest version with multiple security fixes"
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts

charts/cf-runtime/README.md.gotmpl

@@ -717,14 +717,48 @@ volumeProvisioner:
 ### Rootless DinD
 
 DinD pod runs a `priviliged` container with **rootfull** docker.
-To run the docker daemon as non-root user (**rootless** mode), change dind image tag:
 
-`values.yaml`
+To run the docker daemon as non-root user (**rootless** mode), refer to `values-rootless.yaml`:
+
 ```yaml
+volumeProvisioner:
+  env:
+    IS_ROOTLESS: true
+  # -- Only if local volumes are used as backend storage (ignored for ebs/ebs-csi disks)
+  dind-lv-monitor:
+    image:
+      tag: 1.30.0-rootless
+      digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
+    containerSecurityContext:
+      runAsUser: 1000
+    podSecurityContext:
+      fsGroup: 1000
+      # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+      fsGroupChangePolicy: "OnRootMismatch"
+    # -- Enable initContainer to run chmod for /var/lib/codefresh/dind-volumes on host nodes
+    volumePermissions:
+      enabled: false
+
 runtime:
   dind:
     image:
-      tag: rootless
+      tag: 26.1.4-1.28.10-rootless
+      digest: sha256:59dfc004eb22a8f09c8a3d585271a055af9df4591ab815bca418c24a2077f5c8
+    userVolumeMounts:
+      dind:
+        name: dind
+        mountPath: /home/rootless/.local/share/docker
+    containerSecurityContext:
+      privileged: true
+      runAsUser: 1000
+    podSecurityContext:
+      fsGroup: 1000
+      # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
+      fsGroupChangePolicy: "OnRootMismatch"
+    # -- Enable initContainer to run chmod for /home/rootless in DinD pod
+    # !!! Will slow down dind pod startup
+    volumePermissions:
+      enabled: true
 ```
 
 ### ARM

charts/cf-runtime/templates/_components/volume-provisioner/_daemonset.yaml

@@ -37,7 +37,7 @@ spec:
         args:
          - -ec
          - |
-           chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
+           chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
         volumeMounts:
         - mountPath: {{ $localVolumeParentDir }}
           name: dind-volume-dir
@@ -95,4 +95,4 @@ spec:
         {{- toYaml . | nindent 6 }}
       {{- end }}
 {{- end }}
-{{- end -}}
+{{- end -}}

charts/cf-runtime/templates/runtime/runtime-env-spec-tmpl.yaml

@@ -183,6 +183,34 @@ dockerDaemonScheduler:
       secret:
         secretName: codefresh-certs-server
   {{- end }}
+  {{- with $dindContext.podSecurityContext }}
+  podSecurityContext: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.containerSecurityContext }}
+  containerSecurityContext: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if $dindContext.volumePermissions.enabled }}
+  initContainers:
+  - name: volume-permissions
+    image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.volumePermissions.image "context" .) }}
+    imagePullPolicy: {{ $dindContext.volumePermissions.image.pullPolicy | default "Always" }}
+    command:
+      - /bin/sh
+    args:
+      - -ec
+      - |
+        chown -R {{ $dindContext.containerSecurityContext.runAsUser }}:{{ $dindContext.podSecurityContext.fsGroup }} /home/rootless/.local/share/docker
+    volumeMounts:
+    - mountPath: /home/rootless/.local/share/docker
+      name: dind
+    {{- if eq ( toString ( $dindContext.volumePermissions.securityContext.runAsUser )) "auto" }}
+    securityContext: {{- omit $dindContext.volumePermissions.securityContext "runAsUser" | toYaml | nindent 6 }}
+    {{- else }}
+    securityContext: {{- $dindContext.volumePermissions.securityContext | toYaml | nindent 6 }}
+    {{- end }}
+    resources:
+      {{- toYaml $dindContext.volumePermissions.resources | nindent 6 }}
+  {{- end }}
 extends: {{- toYaml .Values.runtime.runtimeExtends | nindent 2 }}
   {{- if .Values.runtime.description }}
 description: {{ .Values.runtime.description }}

charts/cf-runtime/tests/private-registry/private_registry_test.yaml

@@ -4,21 +4,15 @@ values:
   - ../values.yaml
   - ../values-private-registry.yaml
 templates:
-  - templates/hooks/post-install/cm-update-runtime.yaml
-  - templates/runner/deployment.yaml
-  - templates/volume-provisioner/deployment.yaml
-  - templates/volume-provisioner/daemonset.yaml
-  - templates/volume-provisioner/cronjob.yaml
-  - templates/monitor/deployment.yaml
-  - templates/app-proxy/deployment.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
-chart:
-  version: 1.0.0
-  appVersion: 1.0.0
+# chart:
+#   version: 1.0.0
+#   appVersion: 1.0.0
 tests:
   - it: Test private registry in runtime spec
     template: templates/hooks/post-install/cm-update-runtime.yaml
@@ -48,6 +42,7 @@ tests:
                 METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: 'false'
                 METRICS_PROMETHEUS_HOST: '0.0.0.0'
                 METRICS_PROMETHEUS_PORT: '9100'
+                TRUSTED_QEMU_IMAGES: ''
                 COMPOSE_IMAGE: 'somedomain.io/codefresh/compose:tagoverride'
                 CONTAINER_LOGGER_IMAGE: 'somedomain.io/codefresh/cf-container-logger:tagoverride'
                 DOCKER_BUILDER_IMAGE: 'somedomain.io/codefresh/cf-docker-builder:tagoverride'

charts/cf-runtime/tests/runner/runner_test.yaml

@@ -3,16 +3,13 @@ suite: runner test
 values:
   - ../values.yaml
 templates:
-  - templates/runner/deployment.yaml
-  - templates/runner/rbac.yaml
-  - templates/runner/secret.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test runner default metadata
@@ -24,14 +21,12 @@ tests:
           of: Deployment
       - isNull:
           path: metadata.annotations
-      - equal:
+      - isSubset:
           path: metadata.labels
-          value:
+          content:
             app.kubernetes.io/instance: cf-runtime
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: cf-runtime
-            app.kubernetes.io/version: 1.0.0
-            helm.sh/chart: cf-runtime-1.0.0
             codefresh.io/application: runner
       - equal:
           path: metadata.name

charts/cf-runtime/tests/runtime/runtime_onprem_test.yaml

@@ -1,16 +1,13 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/quintush/helm-unittest/master/schema/helm-testsuite.json
 suite: runtime onprem test
 templates:
-  - templates/hooks/post-install/job-update-runtime.yaml
-  - templates/hooks/post-install/cm-update-runtime.yaml
-  - templates/runtime/secret.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test default runtime spec metadata
@@ -58,6 +55,7 @@ tests:
                 METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: 'false'
                 METRICS_PROMETHEUS_HOST: '0.0.0.0'
                 METRICS_PROMETHEUS_PORT: '9100'
+                TRUSTED_QEMU_IMAGES: ''
                 COMPOSE_IMAGE: 'quay.io/codefresh/compose:tagoverride'
                 CONTAINER_LOGGER_IMAGE: 'quay.io/codefresh/cf-container-logger:tagoverride'
                 DOCKER_BUILDER_IMAGE: 'quay.io/codefresh/cf-docker-builder:tagoverride'

charts/cf-runtime/tests/runtime/runtime_test.yaml

@@ -3,16 +3,13 @@ suite: runtime test
 values:
   - ../values.yaml
 templates:
-  - templates/hooks/post-install/job-update-runtime.yaml
-  - templates/hooks/post-install/cm-update-runtime.yaml
-  - templates/runtime/secret.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test default runtime spec metadata
@@ -59,6 +56,7 @@ tests:
                 METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: 'false'
                 METRICS_PROMETHEUS_HOST: '0.0.0.0'
                 METRICS_PROMETHEUS_PORT: '9100'
+                TRUSTED_QEMU_IMAGES: 'my-registry/tonistiigi/binfmt'
                 COMPOSE_IMAGE: 'quay.io/codefresh/compose:tagoverride'
                 CONTAINER_LOGGER_IMAGE: 'quay.io/codefresh/cf-container-logger:tagoverride'
                 DOCKER_BUILDER_IMAGE: 'quay.io/codefresh/cf-docker-builder:tagoverride'

charts/cf-runtime/tests/runtime/runtime_values.yaml

@@ -87,6 +87,7 @@ runtime:
       FOO: BAR
       INT_AS_STRING: "123"
       FLOAT: 12.34
+      TRUSTED_QEMU_IMAGES: 'my-registry/tonistiigi/binfmt'
     userEnvVars:
     - name: ALICE
       valueFrom:

charts/cf-runtime/tests/volume-provisioner/cronjob_test.yaml

@@ -3,15 +3,13 @@ suite: dind-volume-cleanup test
 values:
   - ../values.yaml
 templates:
-  - templates/volume-provisioner/cronjob.yaml
-  - templates/volume-provisioner/storageclass.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test dind-volume-cleanup default metadata
@@ -25,14 +23,12 @@ tests:
           of: CronJob
       - isNull:
           path: metadata.annotations
-      - equal:
+      - isSubset:
           path: metadata.labels
-          value:
+          content:
             app.kubernetes.io/instance: cf-runtime
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: cf-runtime
-            app.kubernetes.io/version: 1.0.0
-            helm.sh/chart: cf-runtime-1.0.0
             codefresh.io/application: pv-cleanup
       - equal:
           path: metadata.name

charts/cf-runtime/tests/volume-provisioner/dind-lv-monitor_test.yaml

@@ -3,14 +3,13 @@ suite: dind-lv-monitor test
 values:
   - ../values.yaml
 templates:
-  - templates/volume-provisioner/daemonset.yaml
+  - templates/**.yaml
 release:
   name: cf-runtime
   namespace: codefresh
   revision: 1
   upgrade: true
 chart:
-  version: 1.0.0
   appVersion: 1.0.0
 tests:
   - it: Test dind-lv-monitor default metadata
@@ -24,14 +23,12 @@ tests:
           of: DaemonSet
       - isNull:
           path: metadata.annotations
-      - equal:
+      - isSubset:
           path: metadata.labels
-          value:
+          content:
             app.kubernetes.io/instance: cf-runtime
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: cf-runtime
-            app.kubernetes.io/version: 1.0.0
-            helm.sh/chart: cf-runtime-1.0.0
             codefresh.io/application: lv-monitor
       - equal:
           path: metadata.name