Merge branch 'main' into edit-configuring-helmchart-v2

Author: paigecalvert

.github/workflows/app-manager-release-notes.yml

@@ -55,7 +55,7 @@ jobs:
         echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 
     - name: Slack Notification
-      uses: slackapi/[email protected].0
+      uses: slackapi/[email protected].1
       with:
         webhook: ${{ secrets.KOTS_RELEASE_NOTES_SLACK_WEBHOOK }}
         webhook-type: webhook-trigger

.github/workflows/embedded-cluster-release-notes.yml

@@ -86,7 +86,7 @@ jobs:
           echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 
       - name: Slack Notification
-        uses: slackapi/[email protected].0
+        uses: slackapi/[email protected].1
         with:
           webhook: ${{ secrets.EMBEDDED_CLUSTER_RELEASE_NOTES_SLACK_WEBHOOK }}
           webhook-type: webhook-trigger

.github/workflows/kubernetes-installer-release-notes.yml

@@ -55,7 +55,7 @@ jobs:
         echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 
     - name: Slack Notification
-      uses: slackapi/[email protected].0
+      uses: slackapi/[email protected].1
       with:
         webhook: ${{ secrets.KURL_RELEASE_NOTES_SLACK_WEBHOOK }}
         webhook-type: webhook-trigger

.github/workflows/replicated-sdk-release-notes.yml

@@ -59,7 +59,7 @@ jobs:
         echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 
     - name: Slack Notification
-      uses: slackapi/[email protected].0
+      uses: slackapi/[email protected].1
       with:
         webhook: ${{ secrets.REPLICATED_SDK_RELEASE_NOTES_SLACK_WEBHOOK }}
         webhook-type: webhook-trigger

.github/workflows/vendor-portal-release-notes.yml

@@ -62,7 +62,7 @@ jobs:
           echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
 
       - name: Slack Notification
-        uses: slackapi/[email protected].0
+        uses: slackapi/[email protected].1
         with:
           webhook: ${{ secrets.VENDOR_PORTAL_RELEASE_NOTES_SLACK_WEBHOOK }}
           webhook-type: webhook-trigger

docs/partials/helm/_helm-install-prereqs.mdx

@@ -2,6 +2,6 @@
 
 * The customer used to install must have the **Existing Cluster (Helm CLI)** install type enabled. If installing into an air gap environment, additionally enable the **Helm CLI Air Gap Instructions** option for the customer. For more information about enabling install types for customers in the Vendor Portal, see [Manage Install Types for a License](licenses-install-types).
 
-* To ensure that the Replicated proxy registry can be used to grant proxy access to your application images during Helm installations, you must create an image pull secret for the proxy registry and add it to your Helm chart. To do so, follow the steps in [Using the Proxy Registry with Helm Installations](/vendor/helm-image-registry).
+* To ensure that the Replicated proxy registry can be used to grant proxy access to your application images during Helm installations, you must create an image pull secret for the proxy registry and add it to your Helm chart. To do so, follow the steps in [Use the Proxy Registry with Helm CLI Installations](/vendor/helm-image-registry).
 
 * Declare the SDK as a dependency in your Helm chart. For more information, see [Install the SDK as a Subchart](replicated-sdk-installing#install-the-sdk-as-a-subchart) in _Installing the Replicated SDK_.

docs/partials/proxy-service/_step-additional-ns.mdx

@@ -0,0 +1 @@
+If you are deploying Pods to namespaces other than the application namespace, add the namespace to the `additionalNamespaces` attribute of the KOTS Application custom resource. This ensures that KOTS can provision the `imagePullSecret` in the namespace to allow the Pod to pull the image. For instructions, see [Define Additional Namespaces](operator-defining-additional-namespaces).

docs/release-notes/rn-embedded-cluster.md

@@ -12,6 +12,32 @@ Additionally, these release notes list the versions of Kubernetes and Replicated
 
 <!--RELEASE_NOTES_PLACEHOLDER-->
 
+## 2.7.2
+
+Released on July 11, 2025
+
+<table>
+  <tr>
+    <th>Version</th>
+    <td id="center">2.7.2+k8s-1.31</td>
+    <td id="center">2.7.2+k8s-1.30</td>
+    <td id="center">2.7.2+k8s-1.29</td>
+  </tr>
+  <tr>
+    <th>Kubernetes Version</th>
+    <td id="center">1.31.8</td>
+    <td id="center">1.30.9</td>
+    <td id="center">1.29.14</td>
+  </tr>
+  <tr>
+    <th>KOTS Version</th>
+    <td id="center" colspan="3">1.124.18</td>
+  </tr>
+</table>
+
+### Improvements {#improvements-2-7-2}
+* Addresses CVE-2025-53547, CVE-2025-22870, and CVE-2025-22872.
+
 ## 2.7.1
 
 Released on July 2, 2025

docs/vendor/helm-image-registry.mdx

@@ -1,64 +1,32 @@
 import StepCreds from "../partials/proxy-service/_step-creds.mdx"
 import StepCustomDomain from "../partials/proxy-service/_step-custom-domain.mdx"
+import RewriteHelmValues from "../partials/proxy-service/_step-rewrite-helm-values.mdx"
 
-# Use the Proxy Registry with Helm Installations
+# Use the Proxy Registry with Helm CLI Installations
 
-This topic describes how to use the Replicated proxy registry to proxy images for installations with the Helm CLI. For more information about the proxy registry, see [About the Replicated Proxy Registry](private-images-about).
+This topic describes how to configure your application to use the Replicated proxy registry with Helm CLI installations. For more information about the proxy registry, see [About the Replicated Proxy Registry](private-images-about). For more information about installing applications distributed with Replicated using Helm, see [About Helm Installations with Replicated](/vendor/helm-install-overview).
 
 ## Overview
 
-With the Replicated proxy registry, each customer's unique license can grant proxy access to images in an external private registry.
+During Helm CLI installations with Replicated, after customers provide their unique license ID, a `global.replicated.dockerconfigjson` field that contains a base64 encoded Docker configuration file is automatically injected in the Helm chart values.
 
-During Helm installations, after customers provide their license ID, a `global.replicated.dockerconfigjson` field that contains a base64 encoded Docker configuration file is automatically injected in the Helm chart values. You can use this `global.replicated.dockerconfigjson` field to create the pull secret required to authenticate with the proxy registry, allowing you to use the proxy registry for images in your Helm charts.
+You can use this `global.replicated.dockerconfigjson` field to create the pull secret required to authenticate with the proxy registry. For more information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to provide authentication for a private registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation.
 
-Additionally, if you include the Replicated SDK as a dependency in your Helm chart, the image used by the Replicated SDK is automatically proxied through the proxy registry.
+:::note
+For Helm charts that include the Replicated SDK as a dependency, the image used by the Replicated SDK is automatically proxied through the proxy registry. No additional configuration is required. For more information, see [About the Replicated SDK](/vendor/replicated-sdk-overview).
+:::
 
-## Pull Private Images Through the Proxy Registry in Helm Installations
+## Configure Your Application to Use the Proxy Registry
 
-To use the Replicated proxy registry for applications installed with Helm:
+To configure your application to use the proxy registry with Helm CLI installations:
 
 1. <StepCreds/>
 
 1. <StepCustomDomain/>
 
-1. In your Helm chart values file, set your image repository URL to the location of the image on the proxy registry. If you added a custom domain, use your custom domain. Otherwise, use `proxy.replicated.com`.
+1. <RewriteHelmValues/>
 
-      The proxy registry URL has the following format: `DOMAIN/proxy/APP_SLUG/EXTERNAL_REGISTRY_IMAGE_URL`
-      
-      Where:
-      * `DOMAIN` is either `proxy.replicated.com` or your custom domain.
-      * `APP_SLUG` is the unique slug of your application.
-      * `EXTERNAL_REGISTRY_IMAGE_URL` is the path to the private image on your external registry.
-      
-      **Example:**
-
-      ```yaml
-      # values.yaml
-      api:
-        image:
-          # proxy.replicated.com or your custom domain
-          registry: proxy.replicated.com
-          repository: proxy/your-app/ghcr.io/cloudnative-pg/cloudnative-pg
-          tag: catalog-1.24.0
-      ```
-
-1. Ensure that any references to the image in your Helm chart access the field from your values file.  
-
-   **Example**:
-
-    ```yaml
-    apiVersion: v1
-    kind: Pod
-    spec:
-      containers:
-        - name: api 
-            # Access the registry, repository, and tag fields from the values file
-            image: {{ .Values.images.api.registry }}/{{ .Values.images.api.repository }}:{{ .Values.images.api.tag }}
-    ```
-
-1. In your Helm chart templates, create a Kubernetes Secret to evaluate if the `global.replicated.dockerconfigjson` value is set and then write the rendered value into a Secret on the cluster, as shown below.
-
-   This Secret is used to authenticate with the proxy registry. For information about how Kubernetes uses the `kubernetes.io/dockerconfigjson` Secret type to provide authentication for a private registry, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) in the Kubernetes documentation. 
+1. In your Helm chart templates, add a YAML file that evaluates if the `global.replicated.dockerconfigjson` value is set, and then writes the rendered value into a Secret on the cluster, as shown below.
 
    :::note
    Do not use `replicated` for the name of the image pull secret because the Replicated SDK automatically creates a Secret named `replicated`. Using the same name causes an error.
@@ -79,8 +47,7 @@ To use the Replicated proxy registry for applications installed with Helm:
    {{ end }}
    ```
 
-
-1. Add the image pull secret that you created to any manifests that reference the image:
+1. Add the image pull secret that you created to any manifests that reference the image.
 
    **Example:**
 

docs/vendor/packaging-public-images.mdx

@@ -6,7 +6,7 @@ For more information about the Replicated proxy registry, see [About the Replica
 
 ## Pull Public Images Through the Replicated Proxy Registry
 
-You can use the Replicated proxy registry to pull both public and private images. Using the Replicated proxy registry for public images can simplify network access requirements for your customers, as they only need to whitelist a single domain (either `proxy.replicated.com` or your custom domain) instead of multiple registry domains. These are authenticated requests to avoid the proxy from hitting rate limits and preventing pulls. For more information about how to reference these in your values, see [Use the Proxy Registry with Helm Installations](/vendor/helm-image-registry).
+You can use the Replicated proxy registry to pull both public and private images. Using the Replicated proxy registry for public images can simplify network access requirements for your customers, as they only need to whitelist a single domain (either `proxy.replicated.com` or your custom domain) instead of multiple registry domains. These are authenticated requests to avoid the proxy from hitting rate limits and preventing pulls. For more information about how to reference these in your values, see [Use the Proxy Registry with Helm CLI Installations](/vendor/helm-image-registry).
 
 > [!IMPORTANT]  
 > For public images, you need to first configure registry credentials.