Conversation

Contributor

@prashantrakh prashantrakh commented Oct 16, 2025

Summary by CodeRabbit

  • New Features

    • Feature flags for many optional components (exporter, vault, integrations, backstage adapter, etc.) and nginx/ingress support with configurable settings.
    • Expanded deployment values: new integrations, exporter, vault, backstage-adapter, TF module service, and ingress/routes across multiple paths.
    • Added runtime secrets and client credentials generation for services.
  • Chores

    • Release track/version bump and image/tooling updates.
    • Simplified default values and leaner service configurations; updated database/chart/provider defaults.
  • Chores

    • Added Terraform-related ignore patterns.


coderabbitai bot commented Oct 16, 2025

Walkthrough

Adds Terraform variables for nginx and feature flags, updates the deployer Docker base and tooling, bumps Helm chart versions, changes the PostgreSQL Helm release/config and PVC settings, introduces new secrets and nginx ingress wiring, removes some Makefile targets, and adds expanded Helm values files for deployment.

Changes

Cohort / File(s) / Summary

Repository ignores
/.gitignore
Adds Terraform-related ignore patterns: *.tfvars, *.tfstate, *.tfstate.*, .terraform/, .terraform.lock.hcl.

Deployer image Dockerfile
deployer-image/Dockerfile
Switches base to Debian 11, updates Terraform to a newer version, adds YQ_VERSION, expands tooling installs (yq, jq, git, python pip upgrades), and improves cleanup steps.

Image versioning
deployer-image/Makefile
Changes TRACK default 1.1 → 2.1 and RELEASE composition ${TRACK}.0 → ${TRACK}.1.

Marketplace metadata
deployer-image/marketplace/manifests/application.yaml.template, deployer-image/marketplace/schema.yaml
Updates terraform-runner descriptor versions and publishedVersion from 2.0.0 → 2.1.1.

Removed build targets
deployer-image/terraform/Makefile
Removes deps, build, and helm/package targets and associated file copy/packaging steps.

Root Terraform wiring
deployer-image/terraform/main.tf, deployer-image/terraform/variables.tf
Adds nginx_config and enable_feature variables at root, wires them into the stackgen module, and refactors Helm provider syntax.

Module variables
deployer-image/terraform/modules/stackgen-installation/variables.tf
Bumps stackgen_version to 0.10.1, expands enable_feature into a multi-field object, and adds nginx_config variable with client_max_body_size.

Module logic & resources
deployer-image/terraform/modules/stackgen-installation/main.tf
Adds random_id resources for app credentials, extends secrets with appcd_client_id/appcd_client_secret, adds rds_host, changes PVC access modes/storage class, adds enable_ingress and nginx_config into rendered AppCD YAML, and makes Temporal depend on PostgreSQL.

Database Helm release
deployer-image/terraform/modules/stackgen-installation/database.tf
Switches PostgreSQL chart repo to https://charts.bitnami.com/bitnami, chart name to postgresql, updates version to 18.0.15, adjusts storage/CPU settings, disables volumePermissions, and moves container security to non-root with fsGroup.

Helm values — appcd
deployer-image/terraform/values/appcd.yaml, deployer-image/terraform/values/appcd-final.yaml
Adds many feature flags and ingress settings, replaces llm-gateway with stackgen-vault, introduces exporter/integrations/backstage/deployment-manager sections, centralizes pullPolicy and resource settings, and exposes nginx/ingress configuration.

Helm values — temporal
deployer-image/terraform/values/temporal.yaml
Reduces optional/advanced customization blocks across Temporal values, simplifying defaults and changing SQL driver from postgres → postgres12.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer/CI
  participant TF as Terraform root
  participant Module as stackgen module
  participant Helm as Helm provider
  participant K8s as Kubernetes

  note over Dev,TF: Apply with new variables
  Dev->>TF: terraform apply (nginx_config, enable_feature)
  TF->>Module: pass nginx_config & enable_feature
  Module->>Helm: render values (appcd YAML includes nginx, enable_ingress, secrets)
  Helm->>K8s: install/upgrade charts (postgresql, temporal, dex, appcd, etc.)
  Helm->>K8s: create Secrets (appcd_client_id/secret) and PVCs, configure Ingress rules
  note right of K8s: Ingress and service routes provisioned per rendered values

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰
I stitched new flags and charts today,
Debian and Terraform hopped my way.
Secrets spun and NGINX tuned just right,
Ingress paths gleam by morning light.
A tiny rabbit cheers infra flight! 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The pull request title "[AE-1241] publish new version of deployer" directly relates to the main objectives of this changeset. The PR contains significant version updates across multiple components including Terraform (1.5.3 → 1.13.4), Temporal, dex, and PostgreSQL charts, along with version track changes (1.1 → 2.1) and new feature configurations. The title accurately conveys that this is a version publication/release of the deployer, is concise and clear without noise, and provides sufficient context for a teammate reviewing the repository history to understand the primary purpose of the change.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
deployer-image/terraform/modules/stackgen-installation/main.tf (2)

223-237: Hardcoding enable_ingress = true ignores module input.

Use var.enable_ingress so callers can disable ingress.

-    enable_ingress : true
+    enable_ingress : var.enable_ingress
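Review bot: `var.enable_ingress` does not appear among the module inputs this PR adds (the walkthrough lists `stackgen_version`, the expanded `enable_feature` object and `nginx_config` for the module's variables.tf), so the `+` line would fail validation as an undeclared variable. The fix needs a `variable "enable_ingress"` block with a boolean default in the module, wired through from the root module the same way `nginx_config` is.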

158-166: SCM secret created with possibly empty data.

If scm_configuration does not match github/gitlab/azuredev, local.final_scm_secrets is {}, and creating a Secret with empty data can fail. Gate resource on presence of keys.

-resource "kubernetes_secret" "appcd_scm_secrets" {
+resource "kubernetes_secret" "appcd_scm_secrets" {
+  count = length(keys(local.final_scm_secrets)) > 0 ? 1 : 0
   depends_on = [kubernetes_namespace.this]
   metadata {
-    name      = "appcd-scm-secrets"
-    namespace = var.namespace
+    name      = "appcd-scm-secrets"
+    namespace = var.namespace
   }
-  data = local.final_scm_secrets
+  data = local.final_scm_secrets
 }
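Review bot: the `-`/`+` pairs for `name`, `namespace` and `data` are byte-identical, so the only real change in this hunk is the `count` line; drop the no-op pairs so the diff shows that. Once `count` is set, every reference to `kubernetes_secret.appcd_scm_secrets` elsewhere in the module becomes a list and must be indexed (`kubernetes_secret.appcd_scm_secrets[0]`, guarded by the same `length(keys(local.final_scm_secrets)) > 0` condition) or the plan fails; the in-block `depends_on = [kubernetes_namespace.this]` is unaffected.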

Also adjust references to this secret to handle count (e.g., only include when present).

deployer-image/terraform/values/temporal.yaml (1)

218-227: Fix invalid Ingress host and annotation usage

  • Host must not include a path. Use hosts: ["${domain}"] and define /internal/workload under a paths: block.
  • Remove nginx.org/mergeable-ingress-type: minion/location-snippets unless you pair them with a master Ingress for the NGINX Inc controller.
  • For community ingress-nginx, replace with nginx.ingress.kubernetes.io/rewrite-target and path-based routing.
🧹 Nitpick comments (6)
deployer-image/terraform/values/temporal.yaml (1)

28-31: Hard-coded ServiceMonitor label risks non-discovery.

Label release: kube-prometheus-stack may not match your Prometheus stack release. Make this configurable or derive from var to avoid silent non-scrape.

-      additionalLabels:
-        release: kube-prometheus-stack
+      additionalLabels:
+        release: ${prometheus_release_label}
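Review bot: the `additionalLabels:` line is removed and re-added unchanged; only the `release:` line needs to be in the hunk. `${prometheus_release_label}` is a new placeholder in a values file that Terraform renders (it already consumes `${enable_ops}` and `${domain}`), so the render call must supply that key or templating errors on the missing variable; add a `prometheus_release_label` module variable defaulting to `kube-prometheus-stack` so existing deployments keep the label they have today.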
deployer-image/terraform/values/appcd-final.yaml (1)

1-4: Avoid committing environment-specific rendered values.

This looks like a rendered artifact (final values for test.stackgen.local). Consider generating it in CI or .gitignoring it to prevent drift and accidental reuse in other environments.

Also applies to: 24-27, 49-62, 88-94, 95-117, 118-143, 144-159, 160-168, 165-174

deployer-image/terraform/values/appcd.yaml (2)

103-111: Probes disabled for iac-gen — reduces resilience.

Disabling liveness/readiness can mask crashes and slow startups. Recommend enabling with conservative thresholds.

   probes:
-    liveness:
-      enabled: false
-    readiness:
-      enabled: false
+    liveness:
+      enabled: true
+      initialDelaySeconds: 30
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 6
+    readiness:
+      enabled: true
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 6
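Review bot: the `liveness:` and `readiness:` key lines are unchanged and need not appear as `-`/`+` pairs. The thresholds only take effect if the chart's probe template maps `initialDelaySeconds`, `periodSeconds`, `timeoutSeconds` and `failureThreshold` into the container spec; confirm that against the chart's values before relying on them, because Helm ignores values keys the templates never read, and the probes would then run with chart defaults while this file suggests otherwise.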

24-27: Duplicated Temporal config blocks.

You set both global.temporal and top-level temporal. If only one is consumed by charts, drop the duplicate to avoid drift.

Also applies to: 111-113

deployer-image/terraform/modules/stackgen-installation/main.tf (2)

73-95: Hardcoded GHCR dockerconfig values.

"username": "github_username" and "email": "support" are placeholders. Consider passing via variables and masking in state. Also prefer stringData for clarity.

-  data = {
+  string_data = {
     ".dockerconfigjson" = jsonencode({
       "auths" = {
         "https://ghcr.io" = {
-          "username" = "github_username"
+          "username" = var.ghcr_username
           "password" = var.STACKGEN_PAT
-          "email"    = "support"
+          "email"    = var.ghcr_email
           "auth"     = base64encode("${var.ghcr_username}:${var.STACKGEN_PAT}")
         }
       }
     })
   }
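Review bot: switching to `string_data` is correct for `kubernetes_secret`, but it does not mask anything in state: the rendered `.dockerconfigjson`, including `var.STACKGEN_PAT`, is written to the Terraform state file in plaintext whether `data` or `string_data` is used. Marking `STACKGEN_PAT` and the new `ghcr_username`/`ghcr_email` variables `sensitive = true` redacts plan output only, so the state backend must be access-controlled and encrypted for the "masking in state" goal to hold. Note also that the unchanged `"auth"` line already references `var.ghcr_username`, so either that variable already exists in the module or the current code does not validate; if the latter, this hunk must add the `variable` blocks.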

2-9: Pinning temporal_helm_version in locals reduces flexibility.

Expose as a variable with default to ease upgrades/rollbacks.

variable "temporal_helm_version" {
  type    = string
  default = "0.57.0"
}

Use var.temporal_helm_version in locals.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7dce41e and 6806f97.

📒 Files selected for processing (14)
  • .gitignore (1 hunks)
  • deployer-image/Dockerfile (2 hunks)
  • deployer-image/Makefile (1 hunks)
  • deployer-image/marketplace/manifests/application.yaml.template (1 hunks)
  • deployer-image/marketplace/schema.yaml (1 hunks)
  • deployer-image/terraform/Makefile (0 hunks)
  • deployer-image/terraform/main.tf (2 hunks)
  • deployer-image/terraform/modules/stackgen-installation/database.tf (2 hunks)
  • deployer-image/terraform/modules/stackgen-installation/main.tf (8 hunks)
  • deployer-image/terraform/modules/stackgen-installation/variables.tf (2 hunks)
  • deployer-image/terraform/values/appcd-final.yaml (1 hunks)
  • deployer-image/terraform/values/appcd.yaml (2 hunks)
  • deployer-image/terraform/values/temporal.yaml (4 hunks)
  • deployer-image/terraform/variables.tf (1 hunks)
💤 Files with no reviewable changes (1)
  • deployer-image/terraform/Makefile
🔇 Additional comments (8)
.gitignore (1)

1-6: Solid Terraform ignore additions.
Covers the usual tfvars, state, cache, and lock artifacts so they stay out of git. Nicely done.

deployer-image/terraform/values/temporal.yaml (2)

90-97: Double-check metrics scraping across all services.

server.metrics.serviceMonitor is wired to ${enable_ops}, but per-service blocks have empty serviceMonitor objects. Confirm the chart enables monitors for frontend/history/matching/worker when enable_ops is true, or explicitly enable them to ensure coverage.

Also applies to: 112-119, 133-140, 155-161


61-61: No issue found. The driver: "postgres12" value is correct for Temporal Helm chart 0.57.0. Both the Temporal Helm charts README and self-hosted documentation confirm "postgres12" as the correct SQL driver value for PostgreSQL persistence configuration.

deployer-image/terraform/values/appcd.yaml (2)

116-119: WORM storage tied to artifacts_support flag — verify semantics.

iac-gen.storage.worm.enabled uses ${enable_feature.artifacts_support}. Confirm this is intentional (artifact support enabling WORM) vs. an independent toggle.


5-11: nginx config passthrough: ensure template keys align.

Values read ${nginx.client_max_body_size}. Confirm var.nginx_config has client_max_body_size and the chart actually consumes nginx.* keys; otherwise this block is a no-op.

deployer-image/terraform/modules/stackgen-installation/main.tf (3)

65-72: Client ID/secret generation looks good.

random_id for appcd_client_id/secret and wiring into appcd-secrets is sound.

Also applies to: 119-128


42-53: Dex chart bump to 0.19.1

Version bump looks fine; values mapping unchanged.


182-198: Temporal depends_on includes Postgres — good ordering.

Ensures DB exists before chart install.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
deployer-image/Dockerfile (3)

47-47: Pin pip dependencies for reproducible builds.

Upgrading pip/setuptools/wheel to "latest" without version constraints makes builds non-reproducible and harder to audit. Consider specifying versions or at least a known-good baseline compatible with your environment:

- python3 -m pip install --upgrade pip setuptools wheel --no-cache-dir && \
+ python3 -m pip install --upgrade pip==24.3.1 setuptools==75.1.0 wheel==0.42.0 --no-cache-dir && \
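Review bot: exact pins only help if each version is at or above the fixed version named in the advisory for CVE-2024-35195 and CVE-2025-47273, and the comment itself defers that check; the pins should not be merged until those floors are confirmed, and the confirmed versions recorded in a comment beside the `RUN` line so the next bump knows why they exist. An `==` pin also freezes pip/setuptools/wheel until someone edits the Dockerfile, so a dependency-update check (Renovate, Dependabot or a scheduled rebuild with a vulnerability scan) should accompany the pin rather than leave it as a one-off.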

Verify these versions address CVE-2024-35195 and CVE-2025-47273 before pinning.


9-11: Address yq version mismatch between stages.

Stage 1 (test_schema_creator) uses Alpine's default yq version, while Stage 2 explicitly pins YQ_VERSION=4.44.6. This inconsistency could lead to schema processing differences. Either pin yq in Stage 1 or document why different versions are acceptable:

- RUN apk add --no-cache yq && \
+ RUN apk add --no-cache yq==${YQ_VERSION} && \
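Review bot: `yq==${YQ_VERSION}` is not valid apk syntax; apk pins with a single `=` and the full Alpine package version including the `-rN` release suffix (for example `yq=4.44.6-r0`, where the suffix must match what the Alpine repository actually ships). `ARG YQ_VERSION` must also be declared inside stage 1, since build args declared in a later stage are not visible in earlier ones. If the Alpine repository does not carry the pinned version, the cleaner fix is to download the same pinned release binary in both stages with the same checksum verification.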

Or, if Alpine's yq version differs, ensure your schema processing logic is version-agnostic.


14-14: Verify base image stability and deprecation path.

Line 14 updates to Debian 11 (good for security patches), and line 25 retains the :latest tag for deployer_envsubst. While Debian 11 receives long-term support, the :latest tag in Stage 2 creates a reproducibility gap. Consider pinning to a specific image digest or version tag if available from Google Cloud Marketplace.

Also applies to: 25-25

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 6806f97 and f8d70d8.

📒 Files selected for processing (1)
  • deployer-image/Dockerfile (2 hunks)
🔇 Additional comments (1)
deployer-image/Dockerfile (1)

30-52: Good security and cleanup practices.

The expanded install block with system upgrades, security-focused package selection, and cleanup (removing wget/unzip and apt lists) effectively reduces the image attack surface and aligns with container security best practices. The explicit pip upgrade also addresses known CVEs.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
deployer-image/Dockerfile (1)

30-52: Add checksum verification for Terraform and yq downloads.

Terraform and yq binaries are downloaded without integrity verification (checksums or GPG signatures) at lines 40–44. This reintroduces the MITM attack vector flagged in a previous review and leaves the build vulnerable to supply-chain compromise. Add verification to match HashiCorp and yq security best practices:

  # Install Terraform
  wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
+ wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS && \
+ sha256sum -c terraform_${TERRAFORM_VERSION}_SHA256SUMS | grep linux_amd64 && \
  unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin/ && \
  rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
  # Install yq with specific version
  wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 && \
+ wget -O /usr/local/bin/yq.sha256 https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64.sha256 && \
+ sha256sum -c /usr/local/bin/yq.sha256 && \
  chmod +x /usr/local/bin/yq && \
  rm /usr/local/bin/yq.sha256 && \
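Review bot: `sha256sum -c terraform_${TERRAFORM_VERSION}_SHA256SUMS | grep linux_amd64` does not fail the build on a bad checksum: the `&&` chain tests grep's exit status, not sha256sum's, and grep succeeds whenever any line mentioning linux_amd64 is printed, including a `FAILED` line. Filter first, then check, e.g. `grep linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS | sha256sum -c -` (or `sha256sum -c --ignore-missing` over the whole file, which otherwise reports the other platforms' archives as missing). The yq check has a similar problem: the binary is saved as `/usr/local/bin/yq`, while a checksum file for the release asset names `yq_linux_amd64`, so `sha256sum -c` would report the file as missing; confirm that the `.sha256` asset exists for the pinned release, then compare explicitly, e.g. `echo "$(cut -d' ' -f1 /usr/local/bin/yq.sha256)  /usr/local/bin/yq" | sha256sum -c -`. For Terraform, also fetch `terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig` and verify it with HashiCorp's release key, so the sums file itself is authenticated rather than merely downloaded over TLS.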

Positive notes: The addition of apt-get upgrade (line 32) to apply security patches and the pip upgrade (line 47) to fix CVE-2024-35195 and CVE-2025-47273 are good security improvements. The comprehensive cleanup block (lines 49–52) properly removes build tools and APT cache.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between f8d70d8 and 82033e5.

📒 Files selected for processing (1)
  • deployer-image/Dockerfile (3 hunks)
🔇 Additional comments (1)
deployer-image/Dockerfile (1)

14-14: Base image security update.

Upgrading from debian10 to debian11 improves security posture and provides access to more recent packages and patches.

@prashantrakh prashantrakh marked this pull request as draft November 10, 2025 10:22