Merge branch 'master' into getting-started-phase-2

.gitleaksignore

@@ -114,3 +114,4 @@ e4040084011d4d7935a589959b96ebc5cfba7a94:docs/docs-content/integrations/kubernet
 969ac609f82bacb36093c429adfc096c5a97e10f:docs/docs-content/tutorials/cluster-deployment/pde/deploy-app.md:generic-api-key:1195
 969ac609f82bacb36093c429adfc096c5a97e10f:docs/docs-content/tutorials/cluster-deployment/pde/deploy-app.md:generic-api-key:1232
 969ac609f82bacb36093c429adfc096c5a97e10f:docs/docs-content/tutorials/edge/deploy-cluster.md:generic-api-key:240
+8f515d46ce2bb80b7173bf9684ed8e87cb96fd83:docs/docs-content/tutorials/edge/deploy-cluster-virtualbox.md:generic-api-key:229

docs/docs-content/byoos/capi-image-builder/config-reference.md

@@ -13,8 +13,7 @@ Review these parameters to understand how to tailor the CAPI Image Builder to yo
 
 :::warning
 
-At this time, VMware vSphere is the only supported infrastructure provider for the CAPI Image Builder, and only
-non-airgap workflows are available.
+At this time, VMware vSphere is the only supported infrastructure provider for the CAPI Image Builder.
 
 :::
 

docs/docs-content/clusters/cluster-management/compliance-scan.md

@@ -163,30 +163,33 @@ page for that particular vulnerability.
 
 ## Scan Options
 
-The following options are available for running cluster scans:
+The following options are available cluster scans.
 
-## On Demand
+- **On Demand**: Start a scan immediately.
+- **Scheduled**: Schedule a scan to start at a specific time.
 
-A cluster scan of any type can be started by navigating to the **Scans** tab of a cluster in Palette. Scan progress
-displays as 'Initiated' and transitions to 'Completed' when the scan is complete.
+#### On Demand
 
-| **On Demand Scan**                                         |
-| ---------------------------------------------------------- |
-| Select the cluster to scan -> Scan(top panel) -> Run Scan. |
+On demand scans can be initiated by navigating to the **Scans** tab of a cluster's details page in Palette. The scan
+progress displays as **Initiated** and changes to **Completed** when the scan is complete.
 
-## Scheduled
+| **On Demand Scan**                                                                                  |
+| --------------------------------------------------------------------------------------------------- |
+| From the cluster details page. Select the Scan tab. Click on **Run Scan** on the desired scan type. |
 
-You can set a schedule for each scan type when you deploy the cluster, and you can change the schedule at a later time.
+#### Scheduled
 
-| **During Cluster Deployment**                                                       |
-| ----------------------------------------------------------------------------------- |
-| Add New Cluster -> Settings -> Schedule scans -> Enable and schedule desired scans. |
+You can set a fixed schedule for a scan when you deploy the cluster. You can also change the schedule at a later time.
 
-| **Running Cluster**                                                                                                      |
-| ------------------------------------------------------------------------------------------------------------------------ |
-| Select the cluster to scan -> Settings -> Cluster Settings -> Scan Policies -> Enable and schedule scans of your choice. |
+| **Cluster Deployment**                                                                                |
+| ----------------------------------------------------------------------------------------------------- |
+| From the cluster creation settings page. Click on **Schedule scans** tab and configured the schedule. |
 
-### Schedule Options Available
+| **Active Cluster**                                                                                                                                                                                     |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| From the cluster details page. Click on the **Settings drop-down Menu**. Select **Cluster Settings**, followed by clicking on the **Scan Policies** tab. Enable and schedule the scans of your choice. |
+
+#### Schedule Options Available
 
 This operation can be performed on all cluster types across all clouds. Schedule your compliance scan for month, day,
 hour, or minute. The following options are available:
@@ -195,3 +198,43 @@ hour, or minute. The following options are available:
 - Every two weeks at midnight.
 - Every month on the first day of the month at midnight.
 - Every two months on the first day of the month at midnight
+
+## Scan reports
+
+All scan reports are available in the Palette UI. You can download them in CSV or PDF formats.
+
+The Palette agent stores reports in the Kubernetes cluster as a Kubernetes resource. You can list all available reports
+in the cluster and gather each report's status. To retrieve the list of all available reports, use the admin kubeconfig
+file downloaded and kubectl. Refer to the [Kubectl](./palette-webctl.md) to learn how to download the kubeconfig file
+and configure kubectl.
+
+To list all available reports, use the following command.
+
+```
+kubectl get audits.cluster.spectrocloud.com --all-namespaces
+```
+
+The output of this command provides the list of all reports executed on this Kubernetes cluster with the status for each
+report.
+
+```shell hideClipboard
+NAMESPACE                          NAME                                         AGE     STATUS
+cluster-66d8a761ed405e70b86a8a17   kube-bench-66df28ab3c13fb7876674c98-xscvq    5h14m   Complete
+cluster-66d8a761ed405e70b86a8a17   kube-hunter-66df65dced406e0856d8536a-zetys   53m     Complete
+cluster-66d8a761ed405e70b86a8a17   syft-66df6d437cda16db7074cefe-czfxq          21m     Complete
+```
+
+To check the details for a particular report, including report content. Issue the following command and replace the
+`<cluster-uuid>` with the actual cluster UUID and `<name of the report>` with the name of the report from the list.
+
+```shell
+kubectl get audits.cluster.spectrocloud.com --namespace cluster-<cluster-uuid> <name of the report> --output yaml
+```
+
+Below is an example of the command to get the details of the kube-bench report.
+
+```shell
+kubectl get audits.cluster.spectrocloud.com --namespace cluster-66d8a761ed405e70b86a8a17 kube-bench-66df28ab3c13fb7876674c98-xscvq --output yaml
+```
+
+The scan report content is available in the output block `status.results.<scan name>.scanReport.Worker.reportData`.

docs/docs-content/clusters/cluster-management/platform-settings/pause-platform-upgrades.md

@@ -7,12 +7,81 @@ sidebar_position: 0
 tags: ["clusters", "cluster management"]
 ---
 
-Palette supports the **Pause Agent Upgrades** feature to exclude a cluster or a group of clusters from getting
-automatically upgraded when Palette is upgraded. The three ways to activate this feature are:
+Palette supports the **Pause Agent Upgrades** feature to exclude a cluster or a group of clusters from having their
+Palette agent automatically upgraded when Palette is upgraded.
 
-- Pause Upgrades for a Single Cluster
-- Pause Upgrades for all Clusters within Project Scope
-- Pause Upgrades for all Clusters within Tenant Scope
+:::info
+
+This feature only pauses upgrades for Palette agents, not updates to the clusters themselves.
+
+:::
+
+## Pause Agent Upgrade Scopes
+
+Agent upgrades can be paused and resumed in the following scopes:
+
+- Pause agent upgrades for a single cluster
+- Pause agent upgrades for all clusters within a project
+- Pause agent upgrades for all clusters within a tenant
+
+When determining if the agent upgrades for one cluster is paused or not, you only need to look at the setting for the
+cluster itself. Agent upgrade settings are always applied based on individual cluster settings. Project and tenant agent
+upgrade settings are not inherited - instead cluster level settings are set to match _each time_ project and tenant
+level settings are changed.
+
+Pausing or resuming agent upgrades at a higher-level scope will automatically pause or resume agent upgrades in the
+lower-level scopes. For example, if you pause agent upgrades at the tenant level, then agent upgrades will be paused for
+all projects within that tenant, and all clusters within those projects. Similarly, if you resume upgrades at the
+project level, then all clusters within that project will have their agent upgrades resumed.
+
+This is a one-time change that happens at the moment when you pause or resume upgrades in the project or tenant scope,
+and it does not mandate that the same setting be kept at the lower scopes. If you pause or resume agent upgrades in a
+lower-level scope, it will override the setting from the higher-level scope. For example, even if all agent upgrades are
+paused at the tenant level, you can override the tenant-level pause by resuming upgrades in a specific project or a
+specific cluster.
+
+:::warning
+
+Overrides of agent upgrade settings are not permanent. When the pause agent settings at the project or tenant scope
+change, the agent upgrade setting in the cluster or project scopes will always be set to match the higher-level scope
+setting regardless. If you want to override the project or tenant level agent upgrade setting, you must change the agent
+upgrade setting in the lower scope _after_ the change in the higher scope.
+
+:::
+
+The following table lists some example upgrade configurations and whether the Palette agent will be upgrades in those
+settings. Note that only the settings at the cluster level determines whether the Palette agent will be upgraded.
+
+| Tenant           | Project          | Cluster          | Outcome                                   |
+| ---------------- | ---------------- | ---------------- | ----------------------------------------- |
+| Upgrades paused  | Upgrades paused  | Upgrades enabled | Palette agent will upgrade automatically. |
+| Upgrades enabled | Upgrades enabled | Upgrade paused   | Palette agent upgrades are paused.        |
+
+## Agent Upgrades for PCG and Edge Hosts
+
+Aside from clusters, you can also pause the agent upgrades on Private Cloud Gateways (PCG) and Edge hosts that are
+registered with Palette but are not part of a cluster.
+
+Since PCGs are scoped to tenants, you can pause the agent upgrades on a PCG by pausing agent upgrades on the tenant to
+which the PCG is associated. You can also pause or resume upgrades for a PCG in the PCG details page through **Cluster
+Settings**. Similar to clusters, pausing and resuming upgrades at the tenant level will pause or resume agent upgrades
+for all PCGs in the tenant. Pausing and resuming upgrades for a PCG individually will override the tenant-level setting.
+
+Edge hosts that are part of a cluster have their agent upgrades managed by the settings of their cluster. Edge hosts
+that are not part of a cluster have their agent upgrades managed at the project and tenant level. Similar to clusters,
+pausing or resuming agent upgrades at the tenant level will automatically pause or resume agent upgrades for all
+projects within that tenant. However, you can override the tenant level setting by manually changing the upgrade setting
+at the project level.
+
+The following is a table showing the scopes at which you can pause agent upgrades for different objects. The same
+relationship between the scopes applies: Changing the setting in a higher scope will trigger a one-time change to the
+lower scopes, and changing the setting at the lower scope will override the setting in the higher scope.
+
+|                 | Individual Cluster/PCG | Project | Tenant |
+| --------------- | ---------------------- | ------- | ------ |
+| Cluster         | ✅                     | ✅      | ✅     |
+| PCG             | ✅                     | ❌      | ✅     |
+| Idle Edge hosts | ❌                     | ✅      | ✅     |
 
 ## Prerequisites
 
@@ -71,6 +140,24 @@ clusters within the project scope, or all within the tenant scope.
 
 </TabItem>
 
+<TabItem value="singlePcg" label="Single PCG" >
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant administrator.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Private Cloud Gateways** from the **Tenant Settings Menu**
+
+4. Click on the PCG you want to pause or resume upgrades for.
+
+5. From the PCG details page, click **Settings** > **Cluster Settings**.
+
+6. Toggle the **Pause Agent Upgrades** button to pause upgrades for the PCG.
+
+7. A pop-up box will ask you to confirm the action. Click **OK**.
+
+</TabItem>
+
 </Tabs>
 
 ## Validate
@@ -93,6 +180,9 @@ clusters within the project scope, or all within the tenant scope.
 
 <TabItem value="projectScope" label="All Clusters - Project Scope">
 
+Pausing upgrades in a project also pauses agent upgrades for all Edge hosts in the project that are not part of a
+cluster.
+
 1. Log in to [Palette](https://console.spectrocloud.com).
 
 2. Navigate to the left **Main Menu** and click on **Project Settings**.
@@ -105,6 +195,9 @@ clusters within the project scope, or all within the tenant scope.
 
 <TabItem value="tenantScope" label="All Clusters - Tenant Scope">
 
+Pausing upgrades in a Tenant also pauses agent upgrades for all Edge hosts in the tenant that are not part of a cluster,
+as well as PCGs in the tenant.
+
 1. Log in to [Palette](https://console.spectrocloud.com).
 
 2. Navigate to the left **Main Menu** and click on **Tenant Settings**.
@@ -115,4 +208,20 @@ clusters within the project scope, or all within the tenant scope.
 
 </TabItem>
 
+<TabItem value="singlePcg" label="Single PCG" >
+
+1. Log in to [Palette](https://console.spectrocloud.com) as a tenant administrator.
+
+2. Navigate to the left **Main Menu** and select **Tenant Settings**.
+
+3. Select **Private Cloud Gateways** from the **Tenant Settings Menu**
+
+4. Click on the PCG you want to pause or resume upgrades for.
+
+5. From the PCG details page, click **Settings** > **Cluster Settings**.
+
+6. The **Pause Agent Upgrades** toggle button is checked.
+
+</TabItem>
+
 </Tabs>

docs/docs-content/clusters/edge/edge-configuration/installer-reference.md

@@ -42,6 +42,11 @@ listed in alphabetical order.
 You can point the Edge Installer to a non-default registry to load content from another source. Use the
 `registryCredentials` parameter object to specify the registry configurations.
 
+If you are using an external registry and want to use content bundles when deploying your Edge cluster, you must also
+enable the local Harbor registry. For more information, refer to
+[Build Content Bundles](../edgeforge-workflow/palette-canvos/build-content-bundle.md) and
+[Enable Local Harbor Registry](../site-deployment/deploy-custom-registries/local-registry.md).
+
 | Parameter                                    | Description                                                                                                                                                                                                                                                                                                   | Default |
 | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
 | `stylus.registryCredentials.domain`          | The domain of the registry. You can use an IP address plus the port or a domain name.                                                                                                                                                                                                                         |         |

docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/build-content-bundle.md

@@ -41,6 +41,15 @@ Creating a content bundle provides several benefits that may address common use
 - Organizations that want better control over the software used by their Edge hosts can use content bundles to ensure
   that only approved software is consumed.
 
+## Limitation
+
+- You cannot use content bundles with an external registry if you do not enable the local Harbor registry on your Edge
+  host. If you specify a external registry without enabling the local Harbor registry, the images will be downloaded
+  from the external registry even if you provide a content bundle, and deployment will fail if the necessary images
+  cannot be located in the external registry. For more information, refer to
+  [Deploy Cluster with External Registry](../../site-deployment/deploy-custom-registries/deploy-external-registry.md)
+  and [Enable Local Harbor Registry](../../site-deployment/deploy-custom-registries/local-registry.md).
+
 ## Prerequisites
 
 - Linux Machine (Physical or VM) with an AMD64 architecture.

docs/docs-content/clusters/edge/site-deployment/deploy-custom-registries/deploy-external-registry.md

@@ -38,6 +38,13 @@ information, refer to [Enable Local Harbor Registry](./local-registry.md).
 - Palette Edge supports basic username/password authentication. Token authentication schemes used by services such as
   AWS ECR and Google Artifact Registry are not supported.
 
+- You cannot use content bundles with an external registry if you do not enable the local Harbor registry on your Edge
+  host. If you specify a external registry without enabling the local Harbor registry, the images will be downloaded
+  from the external registry even if you provide a content bundle, and deployment will fail if the necessary images
+  cannot be located in the external registry. For more information, refer to
+  [Build Content Bundles](../../edgeforge-workflow/palette-canvos/build-content-bundle.md) and
+  [Enable Local Harbor Registry](../../site-deployment/deploy-custom-registries/local-registry.md).
+
 ## Prerequisites
 
 - Specifying the external registry and providing credentials happens during the EdgeForge process. You should become

docs/docs-content/security-bulletins/reports/cve-2005-2541.md

@@ -14,7 +14,7 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-8/16/2024
+9/23/24
 
 ## NIST CVE Summary
 
@@ -31,7 +31,7 @@ Waiting on a fix from third party mongodb vendor.
 
 ## Status
 
-Ongoing
+Resolved
 
 ## Affected Products & Versions
 
@@ -41,3 +41,4 @@ Ongoing
 
 - 1.0 08/16/2024 Initial Publication
 - 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
+- 3.0 09/23/2024 Changed CVE status to Resolved

docs/docs-content/security-bulletins/reports/cve-2015-20107.md

@@ -14,7 +14,7 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-08/16/2024
+9/23/24
 
 ## NIST CVE Summary
 
@@ -33,7 +33,7 @@ Waiting on a fix from third party mongodb vendor
 
 ## Status
 
-Ongoing
+Resolved
 
 ## Affected Products & Versions
 
@@ -43,3 +43,4 @@ Ongoing
 
 - 1.0 08/16/2024 Initial Publication
 - 2.0 08/17/2024 Added palette VerteX 4.4.14 to Affected Products
+- 3.0 09/23/2024 Changed CVE status to Resolved

docs/docs-content/security-bulletins/reports/cve-2015-8855.md

@@ -14,7 +14,7 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-7/31/2024
+9/23/24
 
 ## NIST CVE Summary
 
@@ -32,7 +32,7 @@ application.
 
 ## Status
 
-Ongoing
+Resolved
 
 ## Affected Products & Versions
 
@@ -42,3 +42,4 @@ Ongoing
 
 - 1.0 07/31/2024 Initial Publication
 - 2.0 08/17/2024 Remediated in Palette VerteX 4.4.14
+- 3.0 09/23/2024 Changed CVE status to Resolved

docs/docs-content/security-bulletins/reports/cve-2016-1585.md

@@ -14,7 +14,7 @@ tags: ["security", "cve"]
 
 ## Last Update
 
-8/16/2024
+9/23/24
 
 ## NIST CVE Summary
 
@@ -30,7 +30,7 @@ Spectro Cloud Official Summary coming soon.
 
 ## Status
 
-Ongoing
+Resolved
 
 ## Affected Products & Versions
 
@@ -40,3 +40,4 @@ Ongoing
 
 - 1.0 08/16/2024 Initial Publication
 - 2.0 08/17/2024 Added Palette VerteX 4.4.14 to Affected Products
+- 3.0 09/23/2024 Changed CVE status to Resolved