added changes

Author: prashantrakh

.github/workflows/publish-deployer.yaml

@@ -4,6 +4,8 @@ on:
   push:
     tags:
       - "*"
+    branches:
+      - "AE-1241/fix-vulnerabilties-d"
 
 env:
   REGISTRY: gcr.io/stackgen-gcp-marketplace

.gitignore

@@ -0,0 +1,7 @@
+# Terraform files
+*.tfvars
+*.tfstate
+*.tfstate.*
+.terraform/
+.terraform.lock.hcl
+

deployer-image/Dockerfile

@@ -11,7 +11,7 @@ RUN apk add --no-cache yq && \
     yq -i ".properties.stackgenPat.default = \"$GH_TOKEN\"" schema.yaml
 
 # Stage 1: Preprocessing schema.yaml
-FROM marketplace.gcr.io/google/debian10 AS build
+FROM marketplace.gcr.io/google/debian11 AS build
 
 # Install tools for envsubst
 RUN apt-get update && apt-get install -y --no-install-recommends gettext && rm -rf /var/lib/apt/lists/*

deployer-image/Makefile

@@ -6,7 +6,7 @@ MANIFEST_DIR := marketplace/manifests
 
 # Semantic minor version (TRACK) and full release version
 # TODO(sabith) read from tag
-TRACK ?= 1.1
+TRACK ?= 1.5
 RELEASE ?= ${TRACK}.0
 
 # Docker registry and image names

deployer-image/terraform/Makefile

@@ -1,34 +1,58 @@
+terraform {
+  required_providers {
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.0"
+    }
+  }
+}
+
 locals {
   labels = merge(var.labels, {
     "maintainer" = "stackgen"
   })
 }
 
+# provider "helm" {
+#   kubernetes = {
+#     host                   = "https://kubernetes.default.svc"
+#     token                  = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
+#     cluster_ca_certificate = file("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
+#     insecure               = false
+#   }
+# }
+
+
+# provider "kubernetes" {
+#   host                   = "https://kubernetes.default.svc"
+#   token                  = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
+#   cluster_ca_certificate = file("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
+#   # If the cluster CA is signed by a recognized authority, you can set 'insecure = false'
+#   insecure = false
+# }
+
 provider "helm" {
-  kubernetes {
-    host                   = "https://kubernetes.default.svc"
-    token                  = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
-    cluster_ca_certificate = file("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
-    insecure               = false
+  kubernetes = {
+    config_path = "~/.kube/config"
   }
 }
 
-
 provider "kubernetes" {
-  host                   = "https://kubernetes.default.svc"
-  token                  = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
-  cluster_ca_certificate = file("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
-  # If the cluster CA is signed by a recognized authority, you can set 'insecure = false'
-  insecure = false
+  config_path = "~/.kube/config"
 }
 
 
-
 module "stackgen" {
   source                = "./modules/stackgen-installation"
   domain                = var.domain
   STACKGEN_PAT          = var.STACKGEN_PAT
   suffix                = var.suffix
   global_static_ip_name = var.global_static_ip_name
   pre_shared_cert_name  = var.pre_shared_cert_name
+  nginx_config          = var.nginx_config
+  enable_feature        = var.enable_feature
 }

deployer-image/terraform/appcd-dist-0.10.1.tgz

@@ -27,29 +27,34 @@ locals {
       persistence = {
         enabled      = true
         size         = "50Gi"
-        storageClass = "standard"
+        storageClass = "standard-rwo"
       }
       resources = {
         requests = {
           memory = "2Gi"
-          cpu    = "1"
+          cpu    = "500m"
         }
         limits = {
           memory = "4Gi"
-          cpu    = "2"
+          cpu    = "2000m"
         }
       }
       postgresql = {
         maxConnections = 500
-        sharedBuffers  = "512MB"
+        sharedBuffers  = "1GB"
       }
     }
     volumePermissions = {
+      enabled = false
+    }
+    podSecurityContext = {
       enabled = true
-      containerSecurityContext = {
-        runAsUser  = 0
-        runAsGroup = 0
-      }
+      fsGroup = 1001
+    }
+    containerSecurityContext = {
+      enabled = true
+      runAsUser = 1001
+      runAsNonRoot = true
     }
     tls = {
       enabled = false
@@ -64,9 +69,9 @@ locals {
 resource "helm_release" "postgresql" {
   name = "postgres"
 
-  repository = "oci://registry-1.docker.io/"
-  chart      = "bitnamicharts/postgresql"
-  version    = "16.4.5"
+  repository = "https://charts.bitnami.com/bitnami"
+  chart      = "postgresql"
+  version    = "18.0.15"
 
   namespace = var.namespace
   values = [

deployer-image/terraform/appcd-dist-0.5.1.tgz

@@ -1,6 +1,6 @@
 
 locals {
-  temporal_helm_version             = "0.33.0"
+  temporal_helm_version             = "0.57.0"
   postgresql_administrator_password = random_password.db_password.result
   postgresql_fqdn                   = "postgres-postgresql.${helm_release.postgresql.namespace}.svc.cluster.local"
   postgresql_administrator_login    = "stackgen"
@@ -49,7 +49,7 @@ resource "helm_release" "dex" {
   chart            = "dex"
   namespace        = var.namespace
   create_namespace = false
-  version          = "0.18.0"
+  version          = "0.19.1"
   values = [
     templatefile("./values/dex.yaml", {
       host_domain               = var.domain,
@@ -62,6 +62,14 @@ resource "helm_release" "dex" {
   ]
 }
 
+resource "random_id" "appcd_client_id" {
+  byte_length = 16
+}
+
+resource "random_id" "appcd_client_secret" {
+  byte_length = 36
+}
+
 resource "kubernetes_secret" "ghcr_pkg" {
   depends_on = [kubernetes_namespace.this]
   metadata {
@@ -109,11 +117,14 @@ resource "kubernetes_secret" "appcd_secrets" {
   type = "Opaque"
 
   data = {
-    rds_port          = "5432"
-    rds_password      = local.postgresql_administrator_password
-    rds_endpoint      = local.postgresql_fqdn
-    rds_read_endpoint = local.postgresql_fqdn
-    rds_username      = local.postgresql_administrator_login
+    rds_port            = "5432"
+    rds_password        = local.postgresql_administrator_password
+    rds_endpoint        = local.postgresql_fqdn
+    rds_host            = local.postgresql_fqdn
+    rds_read_endpoint   = local.postgresql_fqdn
+    rds_username        = local.postgresql_administrator_login
+    appcd_client_id     = random_id.appcd_client_id.hex
+    appcd_client_secret = random_id.appcd_client_secret.hex
   }
 }
 
@@ -187,16 +198,14 @@ resource "helm_release" "temporal" {
 }
 
 resource "kubernetes_persistent_volume_claim" "this" {
-  count      = length(var.storage.volume) > 0 ? 1 : 0
   depends_on = [kubernetes_namespace.this]
   metadata {
     name      = "storage-${var.namespace}"
     namespace = var.namespace
   }
   spec {
-    access_modes       = ["ReadWriteMany"]
-    volume_name        = var.storage.volume
-    storage_class_name = var.storage.class
+    access_modes       = ["ReadWriteOnce"]
+    storage_class_name = "standard-rwo"
     resources {
       requests = {
         storage = "100Gi"
@@ -211,6 +220,7 @@ locals {
     appcd_secrets : concat([kubernetes_secret.appcd_secrets.metadata[0].name, kubernetes_secret.appcd_scm_secrets.metadata[0].name], var.additional_secrets)
     enable_ops : var.enable_ops
     domain : var.domain
+    enable_ingress : true
     auth_enabled : var.stackgen_authentication.type != "none"
     scm_github_auth_url : try(var.scm_configuration.github_config.auth_url, "")
     scm_github_token_url : try(var.scm_configuration.github_config.token_url, "")
@@ -222,6 +232,8 @@ locals {
     appcd_admin_emails : var.admin_emails
     enable_storage : length(var.storage.volume) > 0
     appcd_service_account : local.appcd_service_account
+    nginx : var.nginx_config
+    worm_enabled : false
   })
 }