Merge branch 'master' into update-packs-tutorial

.github/workflows/api_format.yaml

@@ -0,0 +1,87 @@
+name: API Format
+
+on:
+  pull_request_target:
+    types: ["labeled", "closed"]
+
+env:
+  GITHUB_BRANCH: ${{ github.ref_name }} 
+  NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+  NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+  FULLSTORY_ORGID: ${{ secrets.FULLSTORY_ORGID }}
+  ALGOLIA_ADMIN_KEY: ${{ secrets.ALGOLIA_ADMIN_KEY }}
+  ALGOLIA_APP_ID: ${{ secrets.ALGOLIA_APP_ID }}
+  ALGOLIA_SEARCH_KEY: ${{ secrets.ALGOLIA_SEARCH_KEY }}
+  ALGOLIA_INDEX_NAME: ${{ secrets.ALGOLIA_INDEX_NAME }}
+  PALETTE_API_KEY: ${{ secrets.PALETTE_API_KEY }}
+
+jobs:
+  backport:
+    name: Format API PR
+    runs-on: ubuntu-latest
+    if: |
+      github.event.action == 'labeled'
+      && github.event.label.name == 'api-format'
+      && github.event.pull_request.draft == false
+  
+
+    steps:
+      - name: Retrieve Credentials
+        id: import-secrets
+        uses: hashicorp/[email protected]
+        with:
+          url: https://vault.prism.spectrocloud.com
+          method: approle
+          roleId: ${{ secrets.VAULT_ROLE_ID }}
+          secretId: ${{ secrets.VAULT_SECRET_ID }}
+          secrets: /providers/github/organizations/spectrocloud/token?org_name=spectrocloud token | VAULT_GITHUB_TOKEN
+
+
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.import-secrets.outputs.VAULT_GITHUB_TOKEN }}
+
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+
+      - name: Determine branch name
+        id: extract_branch
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            echo "GITHUB_BRANCH=${{ github.head_ref }}" >> $GITHUB_ENV
+          else
+            echo "GITHUB_BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
+          fi
+
+      - run: npm ci
+
+      - name: Format API
+        run: make api
+
+
+      - name: Commit Changes
+        uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          commit_message: "ci: auto-formatting API changes"        
+
+
+      - name: Slack Notification
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_PRIVATE_TEAM_WEBHOOK }}
+          SLACK_USERNAME: "spectromate"
+          SLACK_ICON_EMOJI: ":robot_panic:"
+          SLACK_COLOR: ${{ job.status }}
+          SLACK_MESSAGE: ' The PR for branch ${{env.GITHUB_BRANCH}} failed when attempting to format the API. Review the GitHub Actions logs for more details.'
+
+      - name: Post Netlify progress
+        uses: mshick/add-pr-comment@v2
+        with:
+          message: |
+              🤖 The API has been formated and is ready for merging.
+          refresh-message-position: false

docs/docs-content/byoos/capi-image-builder/config-reference.md

@@ -13,8 +13,7 @@ Review these parameters to understand how to tailor the CAPI Image Builder to yo
 
 :::warning
 
-At this time, VMware vSphere is the only supported infrastructure provider for the CAPI Image Builder, and only
-non-airgap workflows are available.
+At this time, VMware vSphere is the only supported infrastructure provider for the CAPI Image Builder.
 
 :::
 

docs/docs-content/security-bulletins/reports/cve-2022-41725.md

@@ -14,7 +14,7 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-09/15/2024
+09/19/2024
 
 ## NIST CVE Summary
 
@@ -39,7 +39,10 @@ consumed by temporary files. Callers can limit the size of form data with http.M
 
 ## Our Official Summary
 
-Investigation is ongoing to determine how this vulnerability affects our products.
+A denial-of-service vulnerability has been identified in the Go standard library affecting the mime/multipart package.
+This vulnerability could allow an attacker to conduct a denial-of-service attack through excessive resource consumption
+in net/http and mime/multipart. This vulnerability affects multiple 3rd party images. Images will be upgraded to newer
+versions available.
 
 ## CVE Severity
 

docs/docs-content/security-bulletins/reports/cve-2023-24539.md

@@ -14,7 +14,7 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-09/15/2024
+09/19/2024
 
 ## NIST CVE Summary
 
@@ -24,7 +24,10 @@ injection of unexpected HTML, if executed with untrusted input.
 
 ## Our Official Summary
 
-Investigation is ongoing to determine how this vulnerability affects our products.
+A vulnerability was found in html-template up to 1.19.8/1.20.3 on Go. The affected component is the CSS Handler.
+Manipulation with an unknown input could lead to a cross-site scripting vulnerability. If the input contains special
+characters such as `"<", ">"`, and `"&"` that could be interpreted as web-scripting elements when they are sent to a
+downstream component that processes web pages. A fix for the images affected will be investigated.
 
 ## CVE Severity
 

docs/docs-content/security-bulletins/reports/cve-2023-45287.md

@@ -14,7 +14,7 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-09/15/2024
+09/19/2024
 
 ## NIST CVE Summary
 
@@ -26,7 +26,10 @@ exhibits any timing side channels.
 
 ## Our Official Summary
 
-Investigation is ongoing to determine how this vulnerability affects our products.
+This vulnerability exists in older versions of Golang for RSA based TLS exchanges. All the images in which this is
+detected are using older versions of Golang with updates available with a fix. In order to exploit the vulnerability,
+attackers need to obtain privileged access to the cluster and handcraft specific calls to these containers. Images will
+be upgraded to newer versions.
 
 ## CVE Severity
 

docs/docs-content/security-bulletins/reports/cve-2023-49569.md

@@ -14,7 +14,7 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-9/6/24
+9/19/24
 
 ## NIST CVE Summary
 
@@ -43,8 +43,9 @@ Ongoing
 
 ## Affected Products & Versions
 
-- Palette Enterprise 4.4.15
+- Palette Enterprise 4.4.14
 
 ## Revision History
 
 - 1.0 9/6/24 Initial Publication
+- 2.0 9/19/24 Added Palette Enterprise 4.4.14 to Affected Products

docs/docs-content/security-bulletins/reports/reports.md

@@ -149,19 +149,20 @@ Click on the CVE ID to view the full details of the vulnerability.
 | [CVE-2022-28357](./cve-2022-28357.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: NATS             | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2022-28357)   | :mag: Ongoing |
 | [CVE-2022-28948](./cve-2022-28948.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go-Yaml          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-28948)   | :mag: Ongoing |
 | [CVE-2022-41724](./cve-2022-41724.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41724)   | :mag: Ongoing |
-| [CVE-2022-41725](./cve-2022-41725.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)   | :mag: Ongoing |
+| [CVE-2022-41725](./cve-2022-41725.md)           | 9/15/24          | 9/19/24       | 4.4.18                   | Third-party component: Go Project       | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2022-41725)   | :mag: Ongoing |
 | [CVE-2023-24534](./cve-2023-24534.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24534)   | :mag: Ongoing |
 | [CVE-2023-24536](./cve-2023-24536.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24536)   | :mag: Ongoing |
 | [CVE-2023-24537](./cve-2023-24537.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-24537)   | :mag: Ongoing |
 | [CVE-2023-24538](./cve-2023-24538.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24538)   | :mag: Ongoing |
-| [CVE-2023-24539](./cve-2023-24539.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539)   | :mag: Ongoing |
+| [CVE-2023-24539](./cve-2023-24539.md)           | 9/15/24          | 9/19/24       | 4.4.18                   | Third-party component: Go Project       | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-24539)   | :mag: Ongoing |
 | [CVE-2023-24540](./cve-2023-24540.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-24540)   | :mag: Ongoing |
 | [CVE-2023-29400](./cve-2023-29400.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [7.3](https://nvd.nist.gov/vuln/detail/CVE-2023-29400)   | :mag: Ongoing |
 | [CVE-2023-29403](./cve-2023-29403.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [7.8](https://nvd.nist.gov/vuln/detail/CVE-2023-29403)   | :mag: Ongoing |
-| [CVE-2023-45287](./cve-2023-45287.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Go Project       | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287)   | :mag: Ongoing |
+| [CVE-2023-45287](./cve-2023-45287.md)           | 9/15/24          | 9/19/24       | 4.4.18                   | Third-party component: Go Project       | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-45287)   | :mag: Ongoing |
 | [CVE-2023-52356](./cve-2023-52356.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Libtiff          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52356)   | :mag: Ongoing |
 | [CVE-2024-0743](./cve-2024-0743.md)             | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Mozilla          | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-0743)    | :mag: Ongoing |
 | [CVE-2024-32002](./cve-2024-32002.md)           | 9/15/24          | 9/15/24       | 4.4.18                   | Third-party component: Github           | [9.0](https://nvd.nist.gov/vuln/detail/CVE-2024-32002)   | :mag: Ongoing |
+| [CVE-2023-49569](./cve-2023-49569.md)           | 9/15/24          | 9/19/24       | 4.4.14                   | Third-party component: Bitdefender      | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2023-49569)   | :mag: Ongoing |
 
 </TabItem>
 </Tabs>

docs/docs-content/troubleshooting/enterprise-install.md

@@ -121,7 +121,7 @@ automatically resolve this issue. If you have self-hosted instances of Palette i
 8. Issue the following command to verify that the script has updated the cluster ID.
 
    ```bash
-   kubectl describe configmap vsphere-cloud-config --namespace=kube-syste
+   kubectl describe configmap vsphere-cloud-config --namespace=kube-system
    ```
 
    If the update is successful, the cluster ID in the ConfigMap will have a unique ID assigned instead of