chore(CR-30054): bump dind to 28.1.1-3.0.1 (#596)

vitalii-codefresh · masontikhonov · web-flow · commit b6688fe38773 · 2025-07-16T19:19:49.000+03:00
Co-authored-by: Zhenya Tikhonov &lt;zhenya.tikhonov@octopus.com&gt;
diff --git a/charts/cf-runtime/.ci/values-ci.yaml b/charts/cf-runtime/.ci/values-ci.yaml
@@ -32,8 +32,6 @@ runtime:
     limits:
         cpu: 1000m
         memory: 1024Mi
-    env:
-      DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true
   engine:
     podLabels:
       key: engine
diff --git a/charts/cf-runtime/.ci/values-rootless.yaml b/charts/cf-runtime/.ci/values-rootless.yaml
@@ -16,8 +16,8 @@ volumeProvisioner:
 runtime:
   dind:
     image:
-      tag: 26.1.4-1.28.10-rootless
-      digest: sha256:59dfc004eb22a8f09c8a3d585271a055af9df4591ab815bca418c24a2077f5c8
+      tag: 28.1.1-3.0.1-rootless
+      digest: sha256:4140e74134a5dd2874731ea5de852d9d23698965b16fa3bb947a36ca806e01a2
     userVolumeMounts:
       dind:
         name: dind
diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A Helm chart for Codefresh Runner
 name: cf-runtime
-version: 7.9.4
+version: 8.0.0
 keywords:
   - codefresh
   - runner
@@ -17,8 +17,12 @@ annotations:
   artifacthub.io/containsSecurityUpdates: "true"
   # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`:
   artifacthub.io/changes: |
-    - kind: fixed
-      description: "Attach runtime to agent when existing agent token is provided."
+    - kind: changed
+      description: Updated dind image to version 28.1.1-3.0.1
+    - kind: deprecated
+      description: Deprecated pushing and pulling images manifest v2 schema 1 and "Docker Image v1"
+    - kind: security
+      description: Fixed some vulnerabilities in dind
 dependencies:
   - name: cf-common
     repository: oci://quay.io/codefresh/charts
diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md
@@ -1,6 +1,6 @@
 ## Codefresh Runner
 
-![Version: 7.9.4](https://img.shields.io/badge/Version-7.9.4-informational?style=flat-square)
+![Version: 8.0.0](https://img.shields.io/badge/Version-8.0.0-informational?style=flat-square)
 
 Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes.
 
@@ -19,6 +19,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
   - [To 6.x](#to-6-x)
   - [To 7.x](#to-7-x)
   - [To 7.9.x](#to-7-9-x)
+  - [To 8.x](#to-8-x)
 - [Architecture](#architecture)
 - [Configuration](#configuration)
   - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration)
@@ -302,6 +303,16 @@ runtime:
         digest: sha256:e74494370100678ccb1c1058e6ef3ddcf67b21fcd37da8b3482376c8282549ad
 ```
 
+### To 8.x
+
+⚠️⚠️⚠️ **BREAKING CHANGE** ⚠️⚠️⚠️
+
+Docker engine in `dind` component is upgraded to 28.x. The main change is that in this version the image manifest v2 schema 1 and "Docker Image v1" formats were deprecated in favor of the v2 schema 2 and OCI image spec formats. Read [the official Docker documentation](https://docs.docker.com/engine/deprecated/#pushing-and-pulling-with-image-manifest-v2-schema-1) for more details.
+
+This means that any existing images in your pipelines that were created using these older formats will no longer be pulled after upgrade. **This may affect pipelines operation.**
+
+To avoid operation disruption, you have to identify and convert such deprecated images to modern formats. Tutorial: [https://codefresh.io/docs/docs/kb/articles/upgrade-deprecated-docker-images/](https://codefresh.io/docs/docs/kb/articles/upgrade-deprecated-docker-images/)
+
 ## Architecture
 
 [Codefresh Runner architecture](https://codefresh.io/docs/docs/installation/codefresh-runner/#codefresh-runner-architecture)
@@ -1264,11 +1275,11 @@ Install the Helm chart
 | runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) |
 | runtime.agent | bool | `true` | (for On-Premise only) Enable agent |
 | runtime.description | string | `""` | Runtime description |
-| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true},"image":{"digest":"sha256:33c343dd01e8a24f0b4a872bbe62884320719f9d9dc27b7a8fed9f7e9fc7e80e","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.8"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","registry":"docker.io","repository":"alpine","tag":3.18},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
+| runtime.dind | object | `{"affinity":{},"containerSecurityContext":{},"env":{},"image":{"digest":"sha256:e6f8044b6963b3d1fbf728853aa31edff0bb26ce7613595d3b2a470482bd2cc3","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.1.1-3.0.1"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{},"volumePermissions":{"enabled":false,"image":{"digest":"sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","registry":"docker.io","repository":"alpine","tag":3.18},"resources":{},"securityContext":{"runAsUser":0}}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). |
 | runtime.dind.affinity | object | `{}` | Set affinity |
 | runtime.dind.containerSecurityContext | object | `{}` | Set container security context. |
-| runtime.dind.env | object | `{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true}` | Set additional env vars. |
-| runtime.dind.image | object | `{"digest":"sha256:33c343dd01e8a24f0b4a872bbe62884320719f9d9dc27b7a8fed9f7e9fc7e80e","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.8"}` | Set dind image. |
+| runtime.dind.env | object | `{}` | Set additional env vars. |
+| runtime.dind.image | object | `{"digest":"sha256:e6f8044b6963b3d1fbf728853aa31edff0bb26ce7613595d3b2a470482bd2cc3","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"28.1.1-3.0.1"}` | Set dind image. |
 | runtime.dind.nodeSelector | object | `{}` | Set node selector. |
 | runtime.dind.podAnnotations | object | `{}` | Set pod annotations. |
 | runtime.dind.podLabels | object | `{}` | Set pod labels. |
diff --git a/charts/cf-runtime/README.md.gotmpl b/charts/cf-runtime/README.md.gotmpl
@@ -19,6 +19,7 @@ Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/insta
   - [To 6.x](#to-6-x)
   - [To 7.x](#to-7-x)
   - [To 7.9.x](#to-7-9-x)
+  - [To 8.x](#to-8-x)
 - [Architecture](#architecture)
 - [Configuration](#configuration)
   - [EBS backend volume configuration in AWS](#ebs-backend-volume-configuration)
@@ -302,6 +303,16 @@ runtime:
         digest: sha256:e74494370100678ccb1c1058e6ef3ddcf67b21fcd37da8b3482376c8282549ad
 ```
 
+### To 8.x
+
+⚠️⚠️⚠️ **BREAKING CHANGE** ⚠️⚠️⚠️
+
+Docker engine in `dind` component is upgraded to 28.x. The main change is that in this version the image manifest v2 schema 1 and "Docker Image v1" formats were deprecated in favor of the v2 schema 2 and OCI image spec formats. Read [the official Docker documentation](https://docs.docker.com/engine/deprecated/#pushing-and-pulling-with-image-manifest-v2-schema-1) for more details.
+
+This means that any existing images in your pipelines that were created using these older formats will no longer be pulled after upgrade. **This may affect pipelines operation.**
+
+To avoid operation disruption, you have to identify and convert such deprecated images to modern formats. Tutorial: [https://codefresh.io/docs/docs/kb/articles/upgrade-deprecated-docker-images/](https://codefresh.io/docs/docs/kb/articles/upgrade-deprecated-docker-images/)
+
 ## Architecture
 
 [Codefresh Runner architecture](https://codefresh.io/docs/docs/installation/codefresh-runner/#codefresh-runner-architecture)
diff --git a/charts/cf-runtime/tests/private-registry/private_registry_test.yaml b/charts/cf-runtime/tests/private-registry/private_registry_test.yaml
@@ -88,8 +88,6 @@ tests:
               dindImage: 'somedomain.io/codefresh/dind:tagoverride'
               imagePullPolicy: IfNotPresent
               userAccess: true
-              envVars:
-                DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: 'true'
               cluster:
                 namespace: codefresh
                 serviceAccount: codefresh-engine
diff --git a/charts/cf-runtime/tests/runtime/runtime_onprem_test.yaml b/charts/cf-runtime/tests/runtime/runtime_onprem_test.yaml
@@ -120,7 +120,6 @@ tests:
               userAccess: true
               envVars:
                 ALICE: 'BOB'
-                DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: 'true'
                 FLOAT_AS_STRING: '12.34'
                 INT: '123'
               cluster:
@@ -307,7 +306,6 @@ tests:
               userAccess: true
               envVars:
                 ALICE: 'BOB'
-                DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: 'true'
                 FLOAT_AS_STRING: '12.34'
                 INT: '123'
               cluster:
diff --git a/charts/cf-runtime/tests/runtime/runtime_test.yaml b/charts/cf-runtime/tests/runtime/runtime_test.yaml
@@ -131,7 +131,6 @@ tests:
               userAccess: true
               envVars:
                 ALICE: 'BOB'
-                DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: 'true'
                 FLOAT: '12.34'
                 INT_AS_STRING: '123'
               cluster:
diff --git a/charts/cf-runtime/values-rootless.yaml b/charts/cf-runtime/values-rootless.yaml
@@ -19,8 +19,8 @@ volumeProvisioner:
 runtime:
   dind:
     image:
-      tag: 26.1.4-1.28.10-rootless
-      digest: sha256:59dfc004eb22a8f09c8a3d585271a055af9df4591ab815bca418c24a2077f5c8
+      tag: 28.1.1-3.0.1-rootless
+      digest: sha256:4140e74134a5dd2874731ea5de852d9d23698965b16fa3bb947a36ca806e01a2
     userVolumeMounts:
       dind:
         name: dind
diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml
@@ -413,9 +413,9 @@ runtime:
     image:
       registry: quay.io
       repository: codefresh/dind
-      tag: 26.1.4-1.28.8 # use `latest-rootless/rootless/26.1.4-1.28.8-rootless` tags for rootless-dind
+      tag: 28.1.1-3.0.1 # use `latest-rootless/rootless/28.1.1-3.0.1-rootless` tags for rootless-dind
       pullPolicy: IfNotPresent
-      digest: sha256:33c343dd01e8a24f0b4a872bbe62884320719f9d9dc27b7a8fed9f7e9fc7e80e
+      digest: sha256:e6f8044b6963b3d1fbf728853aa31edff0bb26ce7613595d3b2a470482bd2cc3
     # -- Set dind resources.
     resources:
       requests: null
@@ -446,8 +446,7 @@ runtime:
         # annotations:
         #   codefresh.io/volume-retention: 7d
     # -- Set additional env vars.
-    env:
-      DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true
+    env: {}
     # -- Set pod annotations.
     podAnnotations: {}
     # -- Set pod labels.
