Merge branch 'release/v1.29.4-4'

nfranzeck · cesmarvin · commit b6db19cf7845 · 2026-02-13T14:11:35.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.29.4-4] - 2026-02-13
+### Security
+- [#138] fixed [CVE-2025-68121](https://avd.aquasec.com/nvd/2025/cve-2025-68121/)
+
 ## [v1.29.4-3] - 2026-01-29
 
 ### Security
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ FROM node:lts-alpine as templating
 
 ENV WORKDIR=/template \
     # Used in template to invalidate caches - do not remove. The release script will auto update this line
-    VERSION="1.29.4-3"
+    VERSION="1.29.4-4"
 
 RUN mkdir -p ${WORKDIR}
 WORKDIR ${WORKDIR}
@@ -14,14 +14,14 @@ RUN yarn install
 RUN node template-colors.js  ${WORKDIR}/resources/var/www/html/styles/default.css.tpl ${WORKDIR}/build/default.css
 RUN node template-error-pages.js ${WORKDIR}/resources/var/www/html/errors/error-page.html.tpl ${WORKDIR}/build/errors
 
-FROM registry.cloudogu.com/official/base:3.22.0-5 as builder
+FROM registry.cloudogu.com/official/base:3.23.3-3 as builder
 LABEL maintainer="hello@cloudogu.com"
 
 # dockerfile is based on https://github.com/dockerfile/nginx and https://github.com/bellycard/docker-loadbalancer
 ENV NGINX_VERSION=1.29.4 \
     NGINX_TAR_SHA256="5a7d37eee505866fbab5810fa9f78247d6d5d9157a595c4e7a72043141ddab25" \
-    CES_CONFD_VERSION=0.11.0 \
-    CES_CONFD_TAR_SHA256="85809a3e9e0b56d58c53f958872809eab1026124a73a06eedfcdeba9ca73ec9a" \
+    CES_CONFD_VERSION=0.12.0 \
+    CES_CONFD_TAR_SHA256="fb5ddd8aab1893d92c525b906e1a027b602b51cdf58fec0aff55f72c8a729b1a" \
     WARP_MENU_VERSION=2.0.3 \
     WARP_MENU_ZIP_SHA256="8dfd023579728b6786bdb4664fb6d3e629717d9d2d27cdd4b365f9a844f1858c" \
     CES_ABOUT_VERSION="0.7.0" \
@@ -65,14 +65,14 @@ RUN wget --progress=bar:force:noscroll -O /tmp/warp.zip https://github.com/cloud
     && echo "${WARP_MENU_ZIP_SHA256} */tmp/warp.zip" | sha256sum -c - \
     && unzip /tmp/warp.zip -d /build/var/www/html
 
-FROM registry.cloudogu.com/official/base:3.22.0-5
+FROM registry.cloudogu.com/official/base:3.23.3-3
 LABEL maintainer="hello@cloudogu.com" \
       NAME="official/nginx" \
-      VERSION="1.29.4-3"
+      VERSION="1.29.4-4"
 
 ENV CES_MAINTENANCE_MODE=false \
     # Used in template to invalidate caches - do not remove. The release script will auto update this line
-    VERSION="1.29.4-3"
+    VERSION="1.29.4-4"
 
 RUN set -x -o errexit \
  && set -o nounset \
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -12,6 +12,7 @@ def pipe = new com.cloudogu.sos.pipebuildlib.DoguPipe(this, [
                           ''',
     checkMarkdown       : true,
     cypressImage        : 'cypress/included:13.14.0',
+	defaultBranch       : "master",
     runIntegrationTests : true,
     dependedDogus       : ['cas']
 
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-MAKEFILES_VERSION=10.1.1
+MAKEFILES_VERSION=10.6.0
 
 .DEFAULT_GOAL:=dogu-release
 
@@ -7,6 +7,7 @@ include build/make/self-update.mk
 include build/make/release.mk
 include build/make/prerelease.mk
 include build/make/version-sha.mk
+include build/make/trivyscan.mk
 
 NGINX_VERSION=$(shell grep NGINX_VERSION= Dockerfile | sed 's/.*NGINX_VERSION=\([^ ]*\).*/\1/g')
 CES_CONFD_VERSION=$(shell grep CES_CONFD_VERSION= Dockerfile | sed 's/.*CES_CONFD_VERSION=\([^ ]*\).*/\1/g')
diff --git a/build/make/bats.mk b/build/make/bats.mk
@@ -9,7 +9,7 @@ BATS_SUPPORT=$(BATS_LIBRARY_DIR)/bats-support
 BATS_FILE=$(BATS_LIBRARY_DIR)/bats-file
 BATS_BASE_IMAGE?=bats/bats
 BATS_CUSTOM_IMAGE?=cloudogu/bats
-BATS_TAG?=1.11.0
+BATS_TAG?=1.12.0
 BATS_DIR=build/make/bats
 BATS_WORKDIR="${WORKDIR}"/"${BATS_DIR}"
 
@@ -18,15 +18,19 @@ unit-test-shell: unit-test-shell-$(ENVIRONMENT)
 
 $(BATS_ASSERT):
 	@git clone --depth 1 https://github.com/bats-core/bats-assert $@
+	@rm -rf $@/.git
 
 $(BATS_MOCK):
 	@git clone --depth 1 https://github.com/grayhemp/bats-mock $@
+	@rm -rf $@/.git
 
 $(BATS_SUPPORT):
 	@git clone --depth 1 https://github.com/bats-core/bats-support $@
+	@rm -rf $@/.git
 
 $(BATS_FILE):
 	@git clone --depth 1 https://github.com/bats-core/bats-file $@
+	@rm -rf $@/.git
 
 $(BASH_SRC):
 	BASH_SRC:=$(shell find "${WORKDIR}" -type f -name "*.sh")
@@ -49,10 +53,10 @@ unit-test-shell-local: $(BASH_SRC) $(PASSWD) $(ETCGROUP) $(HOME_DIR) buildTestIm
 		"${BATS_DIR}"/customBatsEntrypoint.sh make unit-test-shell-generic-no-junit
 
 unit-test-shell-generic:
-	@bats --formatter junit --output ${BASH_TEST_REPORT_DIR} ${TESTS_DIR}
+	@bats --report-formatter junit --formatter junit --output ${BASH_TEST_REPORT_DIR} ${TESTS_DIR}
 
 unit-test-shell-generic-no-junit:
-	@bats ${TESTS_DIR}
+	@bats --report-formatter junit --output ${BASH_TEST_REPORT_DIR} ${TESTS_DIR}
 
 .PHONY buildTestImage:
 buildTestImage:
diff --git a/build/make/bats/Dockerfile b/build/make/bats/Dockerfile
@@ -1,7 +1,7 @@
 ARG BATS_BASE_IMAGE
 ARG BATS_TAG
 
-FROM ${BATS_BASE_IMAGE:-bats/bats}:${BATS_TAG:-1.11.0}
+FROM ${BATS_BASE_IMAGE:-bats/bats}:${BATS_TAG:-1.12.0}
 
 # Make bash more findable by scripts and tests
 RUN apk add make git bash
diff --git a/build/make/bats/customBatsEntrypoint.sh b/build/make/bats/customBatsEntrypoint.sh
@@ -3,4 +3,11 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-"$@"
+targetReportDir="${PWD}"/target/shell_test_reports
+uidgid=1000:1000
+exitcode=0
+"$@" || exitcode=$?
+echo "Resetting file ownership to ${uidgid} in ${targetReportDir}/"
+chown -R ${uidgid} "${targetReportDir}"/*
+echo "exiting with code ${exitcode}"
+exit ${exitcode}
diff --git a/build/make/build.mk b/build/make/build.mk
@@ -3,7 +3,7 @@
 ADDITIONAL_LDFLAGS?=-extldflags -static
 LDFLAGS?=-ldflags "$(ADDITIONAL_LDFLAGS) -X main.Version=$(VERSION) -X main.CommitID=$(COMMIT_ID)"
 GOIMAGE?=golang
-GOTAG?=1.24
+GOTAG?=1.25
 GOOS?=linux
 GOARCH?=amd64
 PRE_COMPILE?=
diff --git a/build/make/k8s-component.mk b/build/make/k8s-component.mk
@@ -1,4 +1,5 @@
-COMPONENT_DEV_VERSION?=${VERSION}-dev
+COMPONENT_BUILD_VERSION := $(shell date +%s)
+COMPONENT_DEV_VERSION?=${VERSION}-dev.${COMPONENT_BUILD_VERSION}
 
 include ${BUILD_DIR}/make/k8s.mk
 
@@ -15,8 +16,9 @@ HELM_RELEASE_TGZ=${HELM_TARGET_DIR}/${ARTIFACT_ID}-${VERSION}.tgz
 HELM_DEV_RELEASE_TGZ=${HELM_TARGET_DIR}/${ARTIFACT_ID}-${COMPONENT_DEV_VERSION}.tgz
 HELM_ARTIFACT_NAMESPACE?=k8s
 ifeq (${RUNTIME_ENV}, remote)
-	HELM_ARTIFACT_NAMESPACE?=testing/k8s
+	HELM_ARTIFACT_NAMESPACE=testing/k8s
 endif
+$(info HELM_ARTIFACT_NAMESPACE=$(HELM_ARTIFACT_NAMESPACE))
 
 K8S_RESOURCE_COMPONENT ?= "${K8S_RESOURCE_TEMP_FOLDER}/component-${ARTIFACT_ID}-${VERSION}.yaml"
 K8S_RESOURCE_COMPONENT_CR_TEMPLATE_YAML ?= $(BUILD_DIR)/make/k8s-component.tpl
@@ -93,10 +95,10 @@ helm-reinstall: helm-delete helm-apply ## Uninstalls the current helm chart and
 .PHONY: helm-chart-import
 helm-chart-import: ${CHECK_VAR_TARGETS} helm-generate helm-package ${IMAGE_IMPORT_TARGET} ## Imports the currently available chart into the cluster-local registry.
 	@if [[ ${STAGE} == "development" ]]; then \
-		echo "Import ${HELM_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \
+		echo "Import ${HELM_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE}..."; \
 		${BINARY_HELM} push ${HELM_DEV_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
 	else \
-	  	echo "Import ${HELM_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \
+	  	echo "Import ${HELM_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE}..."; \
         ${BINARY_HELM} push ${HELM_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
     fi
 	@echo "Done."
@@ -142,7 +144,7 @@ ${K8S_RESOURCE_COMPONENT_CR_TEMPLATE_YAML}: ${K8S_RESOURCE_TEMP_FOLDER}
 	fi
 
 .PHONY: component-apply
-component-apply: isLocal check-k8s-namespace-env-var ${COMPONENT_PRE_APPLY_TARGETS} ${IMAGE_IMPORT_TARGET} helm-generate helm-chart-import component-generate ## Applies the component yaml resource to the actual defined context.
+component-apply: isProduction check-k8s-namespace-env-var ${COMPONENT_PRE_APPLY_TARGETS} ${IMAGE_IMPORT_TARGET} helm-generate helm-chart-import component-generate ## Applies the component yaml resource to the actual defined context.
 	@kubectl apply -f "${K8S_RESOURCE_COMPONENT}" --namespace="${NAMESPACE}" --context="${KUBE_CONTEXT_NAME}"
 	@echo "Done."
 
diff --git a/build/make/k8s-crd.mk b/build/make/k8s-crd.mk
@@ -5,7 +5,8 @@ ifeq ($(APPEND_CRD_SUFFIX), true)
 else ifeq ($(APPEND_CRD_SUFFIX), false)
 	ARTIFACT_CRD_ID = $(ARTIFACT_ID)
 endif
-DEV_CRD_VERSION ?= ${VERSION}-dev
+CRD_BUILD_VERSION := $(shell date +%s).$(TIMESTAMP)
+DEV_CRD_VERSION ?= ${VERSION}-dev.${COMPONENT_BUILD_VERSION}
 HELM_CRD_SOURCE_DIR ?= ${WORKDIR}/k8s/helm-crd
 HELM_CRD_TARGET_DIR ?= $(K8S_RESOURCE_TEMP_FOLDER)/helm-crd
 HELM_CRD_RELEASE_TGZ = ${HELM_CRD_TARGET_DIR}/${ARTIFACT_CRD_ID}-${VERSION}.tgz
@@ -89,10 +90,10 @@ ${HELM_CRD_RELEASE_TGZ}: ${BINARY_HELM} crd-helm-generate ## Generates and packa
 .PHONY: crd-helm-chart-import
 crd-helm-chart-import: ${CHECK_VAR_TARGETS} check-k8s-artifact-id crd-helm-generate crd-helm-package ## Imports the currently available Helm CRD chart into the cluster-local registry.
 	@if [[ ${STAGE} == "development" ]]; then \
-		echo "Import ${HELM_CRD_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \
+		echo "Import ${HELM_CRD_DEV_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE}..."; \
 		${BINARY_HELM} push ${HELM_CRD_DEV_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
 	else \
-	  	echo "Import ${HELM_CRD_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}..."; \
+	  	echo "Import ${HELM_CRD_RELEASE_TGZ} into K8s cluster ${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE}..."; \
         ${BINARY_HELM} push ${HELM_CRD_RELEASE_TGZ} oci://${CES_REGISTRY_HOST}/${HELM_ARTIFACT_NAMESPACE} ${BINARY_HELM_ADDITIONAL_PUSH_ARGS}; \
     fi
 	@echo "Done."
@@ -111,7 +112,7 @@ crd-component-generate: ${K8S_RESOURCE_TEMP_FOLDER} ## Generate the CRD componen
 	fi
 
 .PHONY: crd-component-apply
-crd-component-apply: isLocal check-k8s-namespace-env-var crd-helm-chart-import crd-component-generate ## Applies the CRD component YAML resource to the actual defined context.
+crd-component-apply: isProduction check-k8s-namespace-env-var crd-helm-chart-import crd-component-generate ## Applies the CRD component YAML resource to the actual defined context.
 	@kubectl apply -f "${K8S_RESOURCE_CRD_COMPONENT}" --namespace="${NAMESPACE}" --context="${KUBE_CONTEXT_NAME}"
 	@echo "Done."
 
diff --git a/build/make/k8s.mk b/build/make/k8s.mk
@@ -11,7 +11,7 @@ BINARY_YQ_4_VERSION?=v4.40.3
 BINARY_HELM = $(UTILITY_BIN_PATH)/helm
 BINARY_HELM_VERSION?=v3.13.0
 CONTROLLER_GEN = $(UTILITY_BIN_PATH)/controller-gen
-CONTROLLER_GEN_VERSION?=v0.14.0
+CONTROLLER_GEN_VERSION?=v0.19.0
 
 # Setting SHELL to bash allows bash commands to be executed by recipes.
 # Options are set to exit when a recipe line exits non-zero or a piped command fails.
@@ -35,12 +35,16 @@ K3S_CLUSTER_FQDN?=k3ces.local
 K3S_LOCAL_REGISTRY_PORT?=30099
 
 # The URL of the container-registry to use. Defaults to the registry of the local-cluster.
-# If RUNTIME_ENV is "remote" it is "registry.cloudogu.com/testing"
+# If RUNTIME_ENV is "remote" it is "registry.cloudogu.com/testing", if ENVIRONMENT is "ci" it is "registry.cloudogu.com/ci"
+# if run on ci (jenkins) the images must be pushed to a separate namespace in order to free space every night after the build.
 CES_REGISTRY_HOST?=${K3S_CLUSTER_FQDN}:${K3S_LOCAL_REGISTRY_PORT}
 CES_REGISTRY_NAMESPACE ?=
 ifeq (${RUNTIME_ENV}, remote)
 	CES_REGISTRY_HOST=registry.cloudogu.com
 	CES_REGISTRY_NAMESPACE=/testing
+	ifeq ($(ENVIRONMENT), ci)
+		CES_REGISTRY_NAMESPACE=/ci
+	endif
 endif
 $(info CES_REGISTRY_HOST=$(CES_REGISTRY_HOST))
 
@@ -204,12 +208,13 @@ envtest: ${ENVTEST} ## Download envtest-setup locally if necessary.
 ${ENVTEST}:
 	$(call go-get-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
 
-.PHONY: isLocal
-isLocal:
-	@if [[ ! ("${RUNTIME_ENV}" == "remote" || "${STAGE}" == "production") ]]; then \
-		echo "command executed locally, command continue execution."; \
+.PHONY: isProduction
+isProduction:
+	@if [[ "${STAGE}" == "production" ]]; then \
+		echo "Command executed in production stage. Aborting."; \
+		exit 1; \
 	else \
-		echo "command executed remotely or on production, command aborted"; exit 1; \
+		echo "Command executed in development stage. Continuing."; \
 	fi
 
 
diff --git a/build/make/release.sh b/build/make/release.sh
@@ -45,13 +45,15 @@ else
   CURRENT_TOOL_VERSION=$(get_current_version_by_makefile)
 fi
 
+BASE_VERSION=$(get_base_version_by_makefile)
+
 NEW_RELEASE_VERSION="$(read_new_version)"
 
 validate_new_version "${NEW_RELEASE_VERSION}"
 if [[ -n "${DRY_RUN}" ]]; then
   start_dry_run_release "${NEW_RELEASE_VERSION}"
 else
-  start_git_flow_release "${NEW_RELEASE_VERSION}"
+  start_git_flow_release "${NEW_RELEASE_VERSION}" "${BASE_VERSION}"
 fi
 
 update_versions "${NEW_RELEASE_VERSION}"
@@ -60,9 +62,9 @@ update_releasenotes "${NEW_RELEASE_VERSION}"
 show_diff
 
 if [[ -n "${DRY_RUN}" ]]; then
-  abort_dry_run_release "${NEW_RELEASE_VERSION}"
+  abort_dry_run_release "${NEW_RELEASE_VERSION}" "${BASE_VERSION}"
 else
-  finish_release_and_push "${CURRENT_TOOL_VERSION}" "${NEW_RELEASE_VERSION}"
+  finish_release_and_push "${CURRENT_TOOL_VERSION}" "${NEW_RELEASE_VERSION}" "${BASE_VERSION}"
 fi
 
 echo "=====Finished Release process====="
diff --git a/build/make/release_functions.sh b/build/make/release_functions.sh
diff --git a/build/make/static-analysis.mk b/build/make/static-analysis.mk
diff --git a/docs/gui/release_notes_de.md b/docs/gui/release_notes_de.md
diff --git a/docs/gui/release_notes_en.md b/docs/gui/release_notes_en.md
diff --git a/dogu.json b/dogu.json
