This document contains all release notes pertaining to the v0.16.x releases of Vela.
- When upgrading from
v0.15, please take note of the migration information
Full release notes available on github.com/go-vela
- (server) chore: remove unused admin collect all endpoints (#734)
This release contains dependency updates.
Greetings, Vela Community!
This new release is a security-focused release that addresses some default settings and introduces a new enhancement. It contains fixes for CVE-2022-39395.
The behavior of the VELA_REPO_ALLOWLIST (https://go-vela.github.io/docs/installation/server/reference/#vela_repo_allowlist) setting on the go-vela/server component has changed. Previously, an empty list (the default setting) would allow anyone with a GitHub account to add a repository to a connected Vela installation. With this release, the default remains an empty list, but now honors the empty list by not allowing any repository to be enabled. Administrators will have to opt in the repositories they intend to allow to be enabled for their installation. To note, a Vela admin can provide a value of * to allow any repository to be enabled. This is equivalent to the prior behavior with the empty list value.
- (server): modify allowlist, default pull request to false 05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4
The value for VELA_RUNTIME_PRIVILEGED_IMAGES (https://go-vela.github.io/docs/installation/worker/reference/#vela_runtime_privileged_images) previously defaulted to target/vela-docker, allowing that plugin to be run in privileged mode. In this release, the default value is empty. Vela admins will have to opt in for any plugin to be allowed to run in privileged mode by providing a list for any allowed plugins in this setting.
- (worker): don't supply default privileged image a40039059d713c96275c0427a695a09f79195f29
Previously, the trusted field in Vela for Repositories was unused. In this release, Vela admins can leverage the trusted field to control which repositories are allowed to run plugins in privileged mode. Only Vela admins can toggle this flag per repository. Only when a repository has the trusted field set to true and the plugin is listed in VELA_RUNTIME_PRIVILEGED_IMAGES will that plugin be able to run in privileged mode. It is recommended that Vela admins ensure that all currently enabled repositories in their Vela installation have the trusted field set to the appropriate setting. Vela admins can toggle the trusted field value through the update repo endpoint on the api (see https://go-vela.github.io/docs/reference/api/repo/update/). This feature can be toggled on the go-vela/worker component via the VELA_EXECUTOR_ENFORCE_TRUSTED_REPOS flag. The default value for this is true.
- (worker) feat!: gate privileged images behind trusted repos #391
Prior to this release, newly enabled repositories automatically enabled the push and pull_request events. With this release, only the push event will be enabled when repositories are enabled. Users will have to opt in to pull_request events. In the UI, a new notice will appear to notify users of potential security implications of enabling pull_request events for their repository.
- (server): modify allowlist, default pull request to false 05558ee99d70f7d6f83bed7c8f78ac0b35fa26f4
- (ui): add pull request language [885efce30b84486357554eadef9c5fec84011c6c][https://github.com/go-vela/ui/commit/885efce30b84486357554eadef9c5fec84011c6c]
Builds in this release may fail if a plugin was expected to run in privileged mode (such as the target/vela-docker plugin). Work with your Vela platform administrators to adjust the trusted setting on your repository.
- (worker) feat!: gate privileged images behind trusted repos #391
- (server) enhance(repo): allow platform admins to update repo.trusted #742
- (worker) feat!: gate privileged images behind trusted repos #391
- @ecrupper
- @plyr4
- @wass3r
Thank you!