build: upgrade dind (#607)

masontikhonov · web-flow · commit 1912d849c974 · 2025-08-25T16:21:57.000+04:00
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 8.2.3
+version: 8.2.4
 keywords:
   - codefresh
   - runner
@@ -14,11 +14,13 @@ maintainers:
     url: https://codefresh-io.github.io/
 annotations:
   # 💡 Do not forget to update this annotation:
-  artifacthub.io/containsSecurityUpdates: "false"
+  artifacthub.io/containsSecurityUpdates: "true"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
-    - kind: added
-      description: "Add CLEAN_DOCKER env var to dind pod spec"
+    - kind: changed
+      description: "Update \"dind\" to version 28.3.3-3.0.2."
+    - kind: security
+      description: "Fix CVE-2025-48060, CVE-2024-23337, CVE-2024-53427, GO-2025-3787, CVE-2025-32728, CVE-2025-5025."
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 8.2.3](https://img.shields.io/badge/Version-8.2.3-informational?style=flat-square)
+![Version: 8.2.4](https://img.shields.io/badge/Version-8.2.4-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -1299,12 +1299,12 @@ Install the Helm chart
 | runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) |
 | runtime.agent | bool | `true` | (for On-Premise only) Enable agent |
 | runtime.description | string | `""` | Runtime description |
-| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{"CLEAN_DOCKER":true},"image":{"digest":"sha256:e6f8044b6963b3d1fbf728853aa31edff0bb26ce7613595d3b2a470482bd2cc3","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.1.1-3.0.1"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","registry":"docker.io","repository":"alpine","tag":3.18},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
+| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{"CLEAN_DOCKER":true},"image":{"digest":"sha256:0f2a83603e27e6d88768a6ab8ead3e2426eaf989cd93919fa1128d98a7c617c6","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.3.3-3.0.2"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","registry":"docker.io","repository":"alpine","tag":3.18},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
 | runtime.dind.affinity | object | `{}` | Set affinity |
 | runtime.dind.containerSecurityContext | object | `{}` | Set container security context. |
 | runtime.dind.env | object | `{"CLEAN_DOCKER":true}` | Set additional env vars. |
 | runtime.dind.env.CLEAN_DOCKER | bool | `true` | Enable in-docker cleaner |
-| runtime.dind.image | object | `{"digest":"sha256:e6f8044b6963b3d1fbf728853aa31edff0bb26ce7613595d3b2a470482bd2cc3","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.1.1-3.0.1"}` | Set dind image. |
+| runtime.dind.image | object | `{"digest":"sha256:0f2a83603e27e6d88768a6ab8ead3e2426eaf989cd93919fa1128d98a7c617c6","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.3.3-3.0.2"}` | Set dind image. |
 | runtime.dind.nodeSelector | object | `{}` | Set node selector. |
 | runtime.dind.podAnnotations | object | `{}` | Set pod annotations. |
 | runtime.dind.podLabels | object | `{}` | Set pod labels. |
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
@@ -413,9 +413,9 @@ runtime:
     image:
       registry: quay.io
       repository: codefresh/dind
-      tag: 28.1.1-3.0.1 # use `latest-rootless/rootless/28.1.1-3.0.1-rootless` tags for rootless-dind
+      tag: 28.3.3-3.0.2 # use `latest-rootless/rootless/28.3.3-3.0.2-rootless` tags for rootless-dind
       pullPolicy: IfNotPresent
-      digest: sha256:e6f8044b6963b3d1fbf728853aa31edff0bb26ce7613595d3b2a470482bd2cc3
+      digest: sha256:0f2a83603e27e6d88768a6ab8ead3e2426eaf989cd93919fa1128d98a7c617c6
     # -- Set dind resources.
     resources:
       requests: null
