Add vast-cosi 2.6.5 community pack (VAST COSI S3 driver)#254
Add vast-cosi 2.6.5 community pack (VAST COSI S3 driver)#254blik616287 wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
✅ CVE scan completed successfully.
Scan Summary:
- Total images scanned: 3
- Clean images: 1
- Images with CVEs: 2
- Total CVEs found: 4780
🔴 Critical CVEs: 19
🟠 High CVEs: 675
🟡 Medium CVEs: 2336
🟢 Low CVEs: 1750
Images with CVEs:
- gcr.io/k8s-staging-sig-storage/objectstorage-controller:v20220915-v0.1.0-8-g0e0ba7c: 143 CVEs (Critical: 8, High: 43, Medium: 21, Low: 71)
Critical CVEs: CVE-2023-24538, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404, CVE-2023-29405, CVE-2024-24790, CVE-2025-68121, CVE-2026-27143 - vastdataorg/csi:v2.6.5: 4637 CVEs (Critical: 11, High: 632, Medium: 2315, Low: 1679)
Critical CVEs: CVE-2024-47685, CVE-2025-14087, CVE-2026-23112, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-7210
Image / CVE note (re: reported vulnerabilities)Two reasons vast-cosi shows more CVEs than vast-csi/vast-block:
The Go COSI sidecar itself is craned onto 0-CVE Additional validation evidenceConventions Bundled (so BucketClaim -> Bucket works out of the box, no separate COSI install): Live (Palette-deployed AWS IaaS cluster -> VAST VoC), end-to-end: |
There was a problem hiding this comment.
✅ CVE scan completed successfully.
Scan Summary:
- Total images scanned: 3
- Clean images: 1
- Images with CVEs: 2
- Total CVEs found: 4842
🔴 Critical CVEs: 19
🟠 High CVEs: 676
🟡 Medium CVEs: 2337
🟢 Low CVEs: 1810
Images with CVEs:
- gcr.io/k8s-staging-sig-storage/objectstorage-controller:v20220915-v0.1.0-8-g0e0ba7c: 143 CVEs (Critical: 8, High: 43, Medium: 21, Low: 71)
Critical CVEs: CVE-2023-24538, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404, CVE-2023-29405, CVE-2024-24790, CVE-2025-68121, CVE-2026-27143 - vastdataorg/csi:v2.6.5: 4699 CVEs (Critical: 11, High: 633, Medium: 2316, Low: 1739)
Critical CVEs: CVE-2024-47685, CVE-2025-14087, CVE-2026-23112, CVE-2026-31789, CVE-2026-33845, CVE-2026-42010, CVE-2026-7210
Purpose
New community pack: VAST Data COSI Driver (S3) (
vast-cosi, v2.6.5). Provisions S3 object-storage buckets on a VAST Data cluster via the Kubernetes Container Object Storage Interface (COSI) — aBucketClaimis satisfied by a VAST view with the S3 protocol on a tenant VIP pool. Helm-based with build-on-deploy (0-CVEwolfi-baseas the only pack-content image; the VAST driver + COSI sidecar craned at deploy). It also bundles the v1alpha1 COSI CRDs and the matching centralobjectstorage-controllersoBucketClaim→Bucketprovisioning works out of the box (the controller image is pinned to v0.1.0/v1alpha1 to match the driver's API).Conventions
pack.jsonschema-conformant (version2.6.5, novprefix).validate-values.sh packs/vast-cosi-2.6.5/values.yaml→ SUCCESS, 0 errors / 0 warnings.pack.content.images(wolfi-base,vastdataorg/csi:v2.6.5,objectstorage-controller:v20220915-v0.1.0-...).README.mdfollows the repo README template.Scenarios validated
BucketClaimagainst the BucketClass → the bundled controller produced aBucket→bucketReady=true, bucket provisioned on VAST (S3 endpoint on the tenant VIP).Notes
One of three VAST storage packs submitted as separate PRs:
vast-csi,vast-cosi(this),vast-block.