diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..78f8803 --- /dev/null +++ b/.gitignore @@ -0,0 +1,7 @@ +# Terraform files +*.tfvars +*.tfstate +*.tfstate.* +.terraform/ +.terraform.lock.hcl + diff --git a/deployer-image/Dockerfile b/deployer-image/Dockerfile index f196a31..44ffc7a 100644 --- a/deployer-image/Dockerfile +++ b/deployer-image/Dockerfile @@ -11,7 +11,7 @@ RUN apk add --no-cache yq && \ yq -i ".properties.stackgenPat.default = \"$GH_TOKEN\"" schema.yaml # Stage 1: Preprocessing schema.yaml -FROM marketplace.gcr.io/google/debian10 AS build +FROM marketplace.gcr.io/google/debian11 AS build # Install tools for envsubst RUN apt-get update && apt-get install -y --no-install-recommends gettext && rm -rf /var/lib/apt/lists/* 
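Review bot: The last pattern, `.terraform.lock.hcl`, drops the provider dependency lock from version control, and that file is what pins the helm, kubernetes and random providers used by this deployer to exact versions and checksums; without it every `terraform init` inside the image resolves providers afresh, so a differently built or substituted provider is never detected, and the `kubernetes = {` syntax change in main.tf is not even guaranteed a compatible helm provider major. I would delete that line and commit the lock file generated with the Terraform the image ships (`TERRAFORM_VERSION=1.13.4` in the Dockerfile hunk), keeping only state, tfvars and `.terraform/` ignored.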
@@ -24,15 +24,32 @@ RUN envsubst < /workspace/schema.yaml > /workspace/schema.yaml.processed && \ # Stage 2: Deployer FROM gcr.io/cloud-marketplace-tools/k8s/deployer_envsubst:latest -ARG TERRAFORM_VERSION=1.5.3 +ARG TERRAFORM_VERSION=1.13.4 +ARG YQ_VERSION=4.44.6 -RUN apt-get update && apt-get install -y wget unzip git jq && \ +# Update base system and install security patches +RUN apt-get update && \ + apt-get upgrade -y && \ + apt-get install -y --no-install-recommends \ + ca-certificates \ + wget \ + unzip \ + git \ + jq && \ + # Install Terraform wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \ unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin/ && \ rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \ - wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && \ + # Install yq with specific version + wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 && \ chmod +x /usr/local/bin/yq && \ - apt-get remove -y wget unzip && apt-get autoremove -y && apt-get clean + # Upgrade pip to latest version to fix CVE-2024-35195 and CVE-2025-47273 + python3 -m pip install --upgrade pip setuptools wheel --no-cache-dir && \ + # Clean up + apt-get remove -y wget unzip && \ + apt-get autoremove -y && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* LABEL com.googleapis.cloudmarketplace.product.service.name=services/stackgen-enterprise-platform-k8s-v2.endpoints.stackgen-gcp-marketplace.cloud.goog @@ -51,4 +68,4 @@ RUN chmod +x /data/deploy.sh COPY terraform/ /data/terraform/ # Define entrypoint -ENTRYPOINT ["/data/deploy.sh"] +ENTRYPOINT ["/data/deploy.sh"] \ No newline at end of file diff --git a/deployer-image/Makefile b/deployer-image/Makefile index 83b67f4..2b7b2c4 100644 --- a/deployer-image/Makefile +++ b/deployer-image/Makefile 
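Review bot: Both `wget` downloads in the RUN — the terraform zip and the yq binary — are installed without an integrity check, so a substituted or truncated download goes straight into the deployer image; HashiCorp publishes `terraform_${TERRAFORM_VERSION}_SHA256SUMS` next to the zip and the yq release ships a checksums file, so a `sha256sum -c` step (or an expected-hash ARG compared before `unzip` / `chmod +x`) would close that gap. `python3 -m pip install --upgrade pip setuptools wheel` reintroduces the floating-latest pattern the yq change just removed; pin them (`pip install 'pip==<PINNED>' 'setuptools==<PINNED>' 'wheel==<PINNED>'`) so the build is reproducible and the fix claimed in the comment is checkable against a specific version. On that comment, CVE-2024-35195 is, as far as I recall, an advisory against the `requests` package rather than pip, so please verify both ids before they stand as the justification. `apt-get upgrade -y` is a sensible patching step, but together with the `FROM …deployer_envsubst:latest` base it means two builds of the same commit can differ; pinning the base images by digest would at least fix the starting point.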
@@ -6,8 +6,8 @@ MANIFEST_DIR := marketplace/manifests # Semantic minor version (TRACK) and full release version # TODO(sabith) read from tag -TRACK ?= 1.1 -RELEASE ?= ${TRACK}.0 +TRACK ?= 2.1 +RELEASE ?= ${TRACK}.1 # Docker registry and image names REGISTRY = gcr.io/stackgen-gcp-marketplace diff --git a/deployer-image/marketplace/manifests/application.yaml.template b/deployer-image/marketplace/manifests/application.yaml.template index 1f09b28..cdc4db9 100644 --- a/deployer-image/marketplace/manifests/application.yaml.template +++ b/deployer-image/marketplace/manifests/application.yaml.template @@ -11,7 +11,7 @@ metadata: spec: descriptor: type: terraform-runner - version: "2.0.0" + version: "2.1.1" notes: |- # This command retrieves the IP address of the proxy-ingress service in the 'stackgen' namespace. # It uses kubectl to get the load balancer ingress IP and then constructs the URL. diff --git a/deployer-image/marketplace/schema.yaml b/deployer-image/marketplace/schema.yaml index cf4ca94..35c44fd 100644 --- a/deployer-image/marketplace/schema.yaml +++ b/deployer-image/marketplace/schema.yaml @@ -3,7 +3,7 @@ x-google-marketplace: partnerId: "stackgen-gcp-marketplace" # Replace with your actual Partner ID solutionId: "stackgen-enterprise-platform-k8s-v2.endpoints.stackgen-gcp-marketplace.cloud.goog" # Replace with your actual Product ID applicationApiVersion: v1beta1 - publishedVersion: "2.0.0" + publishedVersion: "2.1.1" publishedVersionMetadata: releaseNote: "Initial release with Job support." images: diff --git a/deployer-image/terraform/Makefile b/deployer-image/terraform/Makefile deleted file mode 100644 index 557cdd1..0000000 --- a/deployer-image/terraform/Makefile +++ /dev/null 
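Review bot: `releaseNote: "Initial release with Job support."` sits directly under the bumped `publishedVersion: "2.1.1"` and is unchanged, so the marketplace listing for 2.1.1 will still present the first-release note; it should summarise this release (Terraform and chart upgrades, the non-root PostgreSQL pod, the new feature flags) or at least stop claiming to be the initial release. The application.yaml.template hunk only bumps `version` and leaves its `notes` block untouched too, so check that text for the same staleness.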
@@ -1,14 +0,0 @@ -deps: helm/package - mkdir -p docs - mkdir -p ./values/dex - cp ../../../installation/on-prem/docs/*.md ./docs/ - cp ../../../installation/on-prem/values/images.yaml ./values/images.yaml - cp -r ../../../installation/on-prem/modules/k8s_deps/values/* ./values - cp ../../../installation/on-prem/install.sh ./ - cp -r ../../../installation/aws/namespace/values/dex/* ./values/dex/ - -build: - helm dependency update ../../../installation/k8s/appcd-dist - -helm/package: build - helm package --destination . ../../../installation/k8s/appcd-dist \ No newline at end of file diff --git a/deployer-image/terraform/appcd-dist-0.10.1.tgz b/deployer-image/terraform/appcd-dist-0.10.1.tgz new file mode 100644 index 0000000..f9c8fac Binary files /dev/null and b/deployer-image/terraform/appcd-dist-0.10.1.tgz differ diff --git a/deployer-image/terraform/appcd-dist-0.5.1.tgz b/deployer-image/terraform/appcd-dist-0.5.1.tgz deleted file mode 100644 index ce48917..0000000 Binary files a/deployer-image/terraform/appcd-dist-0.5.1.tgz and /dev/null differ diff --git a/deployer-image/terraform/main.tf b/deployer-image/terraform/main.tf index a4f54a1..f88c0e2 100644 --- a/deployer-image/terraform/main.tf +++ b/deployer-image/terraform/main.tf @@ -5,7 +5,7 @@ locals { } provider "helm" { - kubernetes { + kubernetes = { host = "https://kubernetes.default.svc" token = file("/var/run/secrets/kubernetes.io/serviceaccount/token") cluster_ca_certificate = file("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt") @@ -13,7 +13,6 @@ provider "helm" { } } - provider "kubernetes" { host = "https://kubernetes.default.svc" token = file("/var/run/secrets/kubernetes.io/serviceaccount/token") @@ -22,8 +21,6 @@ provider "kubernetes" { insecure = false } - - module "stackgen" { source = "./modules/stackgen-installation" domain = var.domain 
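Review bot: `kubernetes = {` is the attribute form the hashicorp/helm provider adopted in its 3.x line; the old `kubernetes {` block form does not parse there and this form does not parse on 2.x, yet no `required_providers` constraint is visible anywhere in this diff. Please confirm the root module constrains `hashicorp/helm` to `~> 3.0` and that a committed lock file pins it, otherwise `terraform init` inside the deployer may select an incompatible major and the plan fails at runtime rather than at review. The `provider "helm"` block continues outside the hunk.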
@@ -31,4 +28,6 @@ module "stackgen" { suffix = var.suffix global_static_ip_name = var.global_static_ip_name pre_shared_cert_name = var.pre_shared_cert_name + nginx_config = var.nginx_config + enable_feature = var.enable_feature } diff --git a/deployer-image/terraform/modules/stackgen-installation/database.tf b/deployer-image/terraform/modules/stackgen-installation/database.tf index 3d6c482..389ca35 100644 --- a/deployer-image/terraform/modules/stackgen-installation/database.tf +++ b/deployer-image/terraform/modules/stackgen-installation/database.tf @@ -27,29 +27,34 @@ locals { persistence = { enabled = true size = "50Gi" - storageClass = "standard" + storageClass = "standard-rwo" } resources = { requests = { memory = "2Gi" - cpu = "1" + cpu = "500m" } limits = { memory = "4Gi" - cpu = "2" + cpu = "2000m" } } postgresql = { maxConnections = 500 - sharedBuffers = "512MB" + sharedBuffers = "1GB" } } volumePermissions = { + enabled = false + } + podSecurityContext = { enabled = true - containerSecurityContext = { - runAsUser = 0 - runAsGroup = 0 - } + fsGroup = 1001 + } + containerSecurityContext = { + enabled = true + runAsUser = 1001 + runAsNonRoot = true } tls = { enabled = false @@ -64,9 +69,9 @@ locals { resource "helm_release" "postgresql" { name = "postgres" - repository = "oci://registry-1.docker.io/" - chart = "bitnamicharts/postgresql" - version = "16.4.5" + repository = "https://charts.bitnami.com/bitnami" + chart = "postgresql" + version = "18.0.15" namespace = var.namespace values = [ diff --git a/deployer-image/terraform/modules/stackgen-installation/main.tf b/deployer-image/terraform/modules/stackgen-installation/main.tf index 2b178ed..a9f4cb3 100644 --- a/deployer-image/terraform/modules/stackgen-installation/main.tf +++ b/deployer-image/terraform/modules/stackgen-installation/main.tf 
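Review bot: The jump from chart `16.4.5` to `18.0.15` in the second database.tf hunk very likely also moves the PostgreSQL major the chart ships, and these values keep the data on a persistent volume (`persistence.enabled = true`), so an in-place `helm upgrade` of an existing 2.0.0 install can come up with an incompatible data directory; the release note should say whether this is fresh-install-only or document the dump/restore step, and the upgrade path should be rehearsed. The security-context rework is the right direction (no more `runAsUser = 0` init container, `fsGroup = 1001` plus `runAsNonRoot = true`), but `storageClass = "standard-rwo"` hard-codes a GKE-specific class here and again in the PVC hunk in main.tf; a `var.storage_class` with that default would keep the module usable elsewhere. As I recall Bitnami changed where its versioned images are published during 2025, so also verify the pinned chart still pulls an image tag that exists before relying on it in the marketplace build.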
@@ -1,6 +1,6 @@ locals { - temporal_helm_version = "0.33.0" + temporal_helm_version = "0.57.0" postgresql_administrator_password = random_password.db_password.result postgresql_fqdn = "postgres-postgresql.${helm_release.postgresql.namespace}.svc.cluster.local" postgresql_administrator_login = "stackgen" @@ -49,7 +49,7 @@ resource "helm_release" "dex" { chart = "dex" namespace = var.namespace create_namespace = false - version = "0.18.0" + version = "0.19.1" values = [ templatefile("./values/dex.yaml", { host_domain = var.domain, @@ -62,6 +62,14 @@ resource "helm_release" "dex" { ] } +resource "random_id" "appcd_client_id" { + byte_length = 16 +} + +resource "random_id" "appcd_client_secret" { + byte_length = 36 +} + resource "kubernetes_secret" "ghcr_pkg" { depends_on = [kubernetes_namespace.this] metadata { @@ -109,11 +117,14 @@ resource "kubernetes_secret" "appcd_secrets" { type = "Opaque" data = { - rds_port = "5432" - rds_password = local.postgresql_administrator_password - rds_endpoint = local.postgresql_fqdn - rds_read_endpoint = local.postgresql_fqdn - rds_username = local.postgresql_administrator_login + rds_port = "5432" + rds_password = local.postgresql_administrator_password + rds_endpoint = local.postgresql_fqdn + rds_host = local.postgresql_fqdn + rds_read_endpoint = local.postgresql_fqdn + rds_username = local.postgresql_administrator_login + appcd_client_id = random_id.appcd_client_id.hex + appcd_client_secret = random_id.appcd_client_secret.hex } } 
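Review bot: `random_id.appcd_client_secret` generates what is used as a client secret, but `random_id` does not mark its outputs sensitive, so `random_id.appcd_client_secret.hex` is printed in clear by `terraform show`, state inspection and any apply log the deployer captures, whereas the `kubernetes_secret.data` it feeds in the `@@ -109` hunk is masked. The file already uses `random_password` for `db_password`, and the same resource fits here: `resource "random_password" "appcd_client_secret" { length = 72 special = false }` with `appcd_client_secret = random_password.appcd_client_secret.result` in the secret, which keeps a 72-character value, marks it sensitive, and is still backed by a cryptographic RNG. `random_id` is fine for `appcd_client_id`, which is not a secret. Swapping the resource rotates the secret on existing installs, so it belongs in the same upgrade notes as the chart bump.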
@@ -169,7 +180,7 @@ resource "kubernetes_secret" "temporal_default_store" { } resource "helm_release" "temporal" { - depends_on = [kubernetes_secret.temporal_visibility_store, kubernetes_secret.temporal_default_store] + depends_on = [kubernetes_secret.temporal_visibility_store, kubernetes_secret.temporal_default_store, helm_release.postgresql] name = "temporal" chart = "https://github.com/temporalio/helm-charts/releases/download/temporal-${local.temporal_helm_version}/temporal-${local.temporal_helm_version}.tgz" namespace = var.namespace @@ -187,16 +198,14 @@ resource "helm_release" "temporal" { } resource "kubernetes_persistent_volume_claim" "this" { - count = length(var.storage.volume) > 0 ? 1 : 0 depends_on = [kubernetes_namespace.this] metadata { name = "storage-${var.namespace}" namespace = var.namespace } spec { - access_modes = ["ReadWriteMany"] - volume_name = var.storage.volume - storage_class_name = var.storage.class + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard-rwo" resources { requests = { storage = "100Gi" @@ -211,6 +220,7 @@ locals { appcd_secrets : concat([kubernetes_secret.appcd_secrets.metadata[0].name, kubernetes_secret.appcd_scm_secrets.metadata[0].name], var.additional_secrets) enable_ops : var.enable_ops domain : var.domain + enable_ingress : true auth_enabled : var.stackgen_authentication.type != "none" scm_github_auth_url : try(var.scm_configuration.github_config.auth_url, "") scm_github_token_url : try(var.scm_configuration.github_config.token_url, "") @@ -222,6 +232,8 @@ locals { appcd_admin_emails : var.admin_emails enable_storage : length(var.storage.volume) > 0 appcd_service_account : local.appcd_service_account + nginx : var.nginx_config + worm_enabled : false }) } diff --git a/deployer-image/terraform/modules/stackgen-installation/variables.tf b/deployer-image/terraform/modules/stackgen-installation/variables.tf index c057a18..a3b6a01 100644 --- a/deployer-image/terraform/modules/stackgen-installation/variables.tf 
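Review bot: Removing `count = length(var.storage.volume) > 0 ? 1 : 0` makes `kubernetes_persistent_volume_claim.this` unconditional, while the last hunk still computes `enable_storage : length(var.storage.volume) > 0` and adds a hard-coded `worm_enabled : false`, so `var.storage` no longer controls the claim but still drives the template flag — two switches where there used to be one. Either keep the `count` so the 100Gi `standard-rwo` claim stays opt-in, or drop `var.storage` from the module interface and derive `enable_storage` from the new source of truth; any `kubernetes_persistent_volume_claim.this[0]` reference elsewhere in the module (not visible here) also breaks once `count` is gone. The change from `ReadWriteMany` to `ReadWriteOnce` pins every consumer of the claim to one node and deserves a line in the release note.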
+++ b/deployer-image/terraform/modules/stackgen-installation/variables.tf @@ -41,16 +41,36 @@ variable "enable_ops" { variable "stackgen_version" { description = "The version of the appcd to deploy" type = string - default = "0.5.1" + default = "0.10.1" } variable "enable_feature" { description = "stackgen features to enable" type = object({ - llm = optional(bool, false) + exporter = optional(bool, true) + llm = optional(bool, false) + vault = optional(bool, true) + enable_group_sync = optional(bool, false) + artifacts_support = optional(bool, false) + need_user_vetting = optional(bool, false) + editableIac = optional(bool, false) + moduleEditor = optional(bool, false) + log_analysis = optional(bool, false) + integrations = optional(bool, false) + backstage_adapter = optional(bool, false) }) default = { - llm = false + exporter = true + vault = true + llm = false + enable_group_sync = false + artifacts_support = false + need_user_vetting = false + editableIac = true + moduleEditor = true + log_analysis = false + integrations = true + backstage_adapter = true } } @@ -121,3 +141,11 @@ variable "global_static_ip_name" { variable "pre_shared_cert_name" { type = string } +variable "nginx_config" { + type = object({ + client_max_body_size = string + }) + default = { + client_max_body_size = "10M" + } +} diff --git a/deployer-image/terraform/values/appcd-final.yaml b/deployer-image/terraform/values/appcd-final.yaml new file mode 100755 index 0000000..4497ae7 --- /dev/null +++ b/deployer-image/terraform/values/appcd-final.yaml 
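Review bot: The `enable_feature` defaults here and in the root `variables.tf` hunk disagree — `backstage_adapter = true` in this module default versus `false` in the root default (and `false` in the committed appcd-final.yaml) — and since main.tf now passes `enable_feature = var.enable_feature` through, the module default is never used yet still reads as the documented behaviour. Align the two, or drop the module-level `default` so the caller is the single source of truth. `llm` and `log_analysis` are accepted but no longer read by the appcd.yaml template (its `llm-gateway` block was removed), so they are dead knobs unless something outside this diff consumes them. `nginx_config` in the second hunk also lacks the description its root counterpart carries; `description = "NGINX configuration settings"` keeps them consistent.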
@@ -0,0 +1,174 @@ +domain: &domain test.stackgen.local +enable_ingress: &enable_ingress true +pullPolicy: &pullPolicy IfNotPresent +licenseKey: test.stackgen.local +nginx: + client_max_body_size: 10M +nginx-ingress-controller: + serviceMonitor: + enabled: false + prometheusRule: + enabled: false +support: + alerts: + enabled: false + +features: + editableIac: true + moduleEditor: true +global: + temporal: + hostport: "temporal-frontend:7233" + namespace: stackgen + +temporal: + hostport: "temporal-frontend:7233" + namespace: stackgen +exporter: + enabled: true + helm_workload_5a048be506c75a07b1aeec33d33e56e3: + image_pull_policy: *pullPolicy + helm_ingress_a0d9d3b950a15ef6aeb5d528f0ed1481: + rules: + - host: *domain + http: + paths: + - path: /exporter + pathType: Prefix +stackgen-vault: + enabled: true + helm_workload_54a040c89d8252de9a426f2ad1f92af6: + image_pull_policy: *pullPolicy + helm_ingress_338c921c23b152c68768988f70dcc932: + rules: + - host: *domain + http: + paths: + - path: /api/vault + pathType: Prefix +appcd: + domain: *domain + auth: + enabled: false + enable_group_sync: false + need_user_vetting: false + autoscaling: + maxReplicas: 30 + targetCPUUtilizationPercentage: 50 + ingress: + enabled: *enable_ingress + image: + pullPolicy: *pullPolicy + scm: + github: + auth_url: https://github.com/login/oauth/authorize + token_url: https://github.com/login/oauth/access_token + gitlab: + auth_url: https://gitlab.com/oauth/authorize + token_url: https://gitlab.com/oauth/token + azure: + auth_url: https://app.vssps.visualstudio.com/oauth2/authorize + token_url: https://app.vssps.visualstudio.com/oauth2/token + serviceMonitor: + enabled: false + alertmanager: + enabled: false + prometheusRule: + enabled: false + resources: + requests: + memory: "1000Mi" + cpu: "1000m" + storage: + worm: + enabled: false + secrets: + - appcd-secrets + - appcd-scm-secrets +appcd-ui: + domain: *domain + image: + pullPolicy: *pullPolicy + ingress: + enabled: *enable_ingress 
+iac-gen: + domain: *domain + image: + pullPolicy: *pullPolicy + probes: + liveness: + enabled: false + readiness: + enabled: false + temporal: + hostport: "temporal-frontend:7233" + namespace: stackgen + ingress: + enabled: *enable_ingress + storage: + worm: + enabled: false + secrets: + - appcd-secrets + - appcd-scm-secrets +tf-module-service: + image: + pullPolicy: *pullPolicy + +integrations: + enabled: true + helm_workload_1b5f1d019692549bb714785b7636f446: + image_pull_policy: *pullPolicy + helm_ingress_fed20208495e5e5c9c7adf36f31a3b8e: + rules: + - host: *domain + http: + paths: + - path: /integrations + pathType: Prefix + helm_ingress_fed20208495e5e5c9c7adf36f31a3b8e_swagger: + rules: + - host: *domain + http: + paths: + - path: /integrations/api/swagger + pathType: Prefix + helm_ingress_fed20208495e5e5c9c7adf36f31a3b8e_mcp: + rules: + - host: *domain + http: + paths: + - path: /api/mcp + pathType: Prefix + +backstage-adapter: + enabled: false + helm_workload_1b5f1d019692549bb714785b7636f446: + image_tag: main + image_pull_policy: *pullPolicy + env: + STACKGEN_BASE_API_URL: https://test.stackgen.local/integrations/api/ + STACKGEN_APPSTACKS_URL: https://test.stackgen.local/appstacks + helm_ingress_fed20208495e5e5c9c7adf36f31a3b8e: + rules: + - host: *domain + http: + paths: + - path: /backstage-adapter + pathType: Prefix + +infra-catalog-tracker: + enabled: false + helm_workload_29510bf8f3775740827eff66846105ef: + image_pull_policy: *pullPolicy +deployment-manager: + enabled: false + helm_workload_eedf62a44e21519893dea9656ef6fc10: + image_pull_policy: *pullPolicy + helm_ingress_58fbd417de1059fcbef3ce2fc0073ba6: + rules: + - host: *domain + http: + paths: + - path: /deployment-manager + pathType: Prefix diff --git a/deployer-image/terraform/values/appcd.yaml b/deployer-image/terraform/values/appcd.yaml index 4f35858..6ec8f26 100644 --- a/deployer-image/terraform/values/appcd.yaml +++ b/deployer-image/terraform/values/appcd.yaml 
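Review bot: A rendered copy of `appcd.yaml` with test values is being committed and shipped: `domain: &domain test.stackgen.local`, `licenseKey: test.stackgen.local` and every `${…}` placeholder resolved, with mode 100755, under `terraform/values/`, which the Dockerfile copies into the image via `COPY terraform/ /data/terraform/`, and nothing in the diff reads it. If it is a local `templatefile` check artifact it should be deleted or added to `.gitignore` rather than baked into the deployer; if it is an intended fixture, a short header comment naming what consumes it would stop the next reader from treating it as live configuration.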
@@ -1,6 +1,33 @@ domain: &domain ${domain} +enable_ingress: &enable_ingress ${enable_ingress} +pullPolicy: &pullPolicy IfNotPresent +licenseKey: ${domain} +nginx: + client_max_body_size: ${nginx.client_max_body_size} +nginx-ingress-controller: + serviceMonitor: + enabled: false + prometheusRule: + enabled: false +support: + alerts: + enabled: false + +features: + editableIac: ${enable_feature.editableIac} + moduleEditor: ${enable_feature.moduleEditor} +global: + temporal: + hostport: "temporal-frontend:7233" + namespace: ${temporal_namespace} + +temporal: + hostport: "temporal-frontend:7233" + namespace: ${temporal_namespace} exporter: - enabled: true + enabled: ${enable_feature.exporter} + helm_workload_5a048be506c75a07b1aeec33d33e56e3: + image_pull_policy: *pullPolicy helm_ingress_a0d9d3b950a15ef6aeb5d528f0ed1481: rules: - host: *domain @@ -8,23 +35,30 @@ exporter: paths: - path: /exporter pathType: Prefix -llm-gateway: - enabled: ${enable_feature.llm} - helm_ingress_234714ab33c6554ab8653a4063d20bae: +stackgen-vault: + enabled: ${enable_feature.vault} + helm_workload_54a040c89d8252de9a426f2ad1f92af6: + image_pull_policy: *pullPolicy + helm_ingress_338c921c23b152c68768988f70dcc932: rules: - host: *domain http: paths: - - path: /ai/public + - path: /api/vault pathType: Prefix appcd: domain: *domain - serviceAccount: - name: ${appcd_service_account} - podAnnotations: - gke-gcsfuse/volumes: "true" auth: enabled: ${auth_enabled} + enable_group_sync: ${enable_feature.enable_group_sync} + need_user_vetting: ${enable_feature.need_user_vetting} + autoscaling: + maxReplicas: 30 + targetCPUUtilizationPercentage: 50 + ingress: + enabled: *enable_ingress + image: + pullPolicy: *pullPolicy %{ if length(appcd_admin_emails) != 0 ~} rbac: admin_emails: 
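Review bot: The second hunk removes `serviceAccount.name: ${appcd_service_account}` and the `gke-gcsfuse/volumes` annotation from the `appcd` block, so the workload now runs under the chart's default service account, while main.tf still computes and passes `appcd_service_account : local.appcd_service_account` into this template. If that account carried a Workload Identity binding or the GCS FUSE mount, dropping it changes the pod's cloud permissions and needs a deliberate note rather than a silent removal; the now-unused template variable should go with it. In the first hunk `licenseKey: ${domain}` assigns the deployment hostname as the license key; if the chart treats `licenseKey` as a real license token this is a placeholder that should become a variable, and if the product keys on domain a one-line comment saying so would prevent the same question next time.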
@@ -42,33 +76,108 @@ appcd: azure: auth_url: ${scm_azure_auth_url} token_url: ${scm_azure_token_url} - autoscaling: - maxReplicas: 20 - targetCPUUtilizationPercentage: 90 + serviceMonitor: + enabled: false + alertmanager: + enabled: false + prometheusRule: + enabled: false resources: requests: - memory: "1Gi" - cpu: "1" - limits: - memory: "3Gi" - cpu: "2" - serviceMonitor: - enabled: ${enable_ops} + memory: "1000Mi" + cpu: "1000m" storage: worm: - enabled: ${enable_storage} - temporal: - hostport: "temporal-frontend:7233" - namespace: ${temporal_namespace} + enabled: ${worm_enabled} secrets: %{ for secret in appcd_secrets ~} - ${secret} %{ endfor ~} appcd-ui: domain: *domain + image: + pullPolicy: *pullPolicy + ingress: + enabled: *enable_ingress iac-gen: domain: *domain + image: + pullPolicy: *pullPolicy + probes: + liveness: + enabled: false + readiness: + enabled: false + temporal: + hostport: "temporal-frontend:7233" + namespace: ${temporal_namespace} + ingress: + enabled: *enable_ingress + storage: + worm: + enabled: ${enable_feature.artifacts_support} secrets: %{ for secret in appcd_secrets ~} - ${secret} %{ endfor ~} +tf-module-service: + image: + pullPolicy: *pullPolicy + +integrations: + enabled: ${enable_feature.integrations} + helm_workload_1b5f1d019692549bb714785b7636f446: + image_pull_policy: *pullPolicy + helm_ingress_fed20208495e5e5c9c7adf36f31a3b8e: + rules: + - host: *domain + http: + paths: + - path: /integrations + pathType: Prefix + helm_ingress_fed20208495e5e5c9c7adf36f31a3b8e_swagger: + rules: + - host: *domain + http: + paths: + - path: /integrations/api/swagger + pathType: Prefix + helm_ingress_fed20208495e5e5c9c7adf36f31a3b8e_mcp: + rules: + - host: *domain + http: + paths: + - path: /api/mcp + pathType: Prefix + +backstage-adapter: + enabled: ${enable_feature.backstage_adapter} + helm_workload_1b5f1d019692549bb714785b7636f446: + image_tag: main + image_pull_policy: *pullPolicy + env: + STACKGEN_BASE_API_URL: 
https://${domain}/integrations/api/ + STACKGEN_APPSTACKS_URL: https://${domain}/appstacks + helm_ingress_fed20208495e5e5c9c7adf36f31a3b8e: + rules: + - host: *domain + http: + paths: + - path: /backstage-adapter + pathType: Prefix + +infra-catalog-tracker: + enabled: false + helm_workload_29510bf8f3775740827eff66846105ef: + image_pull_policy: *pullPolicy +deployment-manager: + enabled: false + helm_workload_eedf62a44e21519893dea9656ef6fc10: + image_pull_policy: *pullPolicy + helm_ingress_58fbd417de1059fcbef3ce2fc0073ba6: + rules: + - host: *domain + http: + paths: + - path: /deployment-manager + pathType: Prefix diff --git a/deployer-image/terraform/values/temporal.yaml b/deployer-image/terraform/values/temporal.yaml index fd9ec4d..d619430 100644 --- a/deployer-image/terraform/values/temporal.yaml +++ b/deployer-image/terraform/values/temporal.yaml @@ -1,8 +1,3 @@ -nameOverride: "" -fullnameOverride: "" - -# Chart debug mode -# (eg. disable helm hook delete policy) debug: false # Custom Service account management @@ -10,12 +5,6 @@ serviceAccount: # Whether to create service account or not create: false - # Name of the service account, default: temporal.fullname - name: - - # extraAnnotations would let users add additional annotations - extraAnnotations: - server: enabled: true sidecarContainers: {} @@ -23,10 +12,6 @@ server: frontend.keepAliveMaxConnectionAge: - value: "5m" constraints: {} - image: - repository: temporalio/server - tag: 1.22.4 - pullPolicy: IfNotPresent # Global default settings (can be overridden per service) replicaCount: 2 
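Review bot: `serviceMonitor: enabled: false` replaces `enabled: ${enable_ops}`, so Prometheus scraping of appcd is now off even when the caller sets `enable_ops = true`, while temporal.yaml in this same commit still honours `${enable_ops}`; unless that is intentional, keep `enabled: ${enable_ops}` here and use it for the new `prometheusRule` as well. The `backstage-adapter` block pins `image_tag: main`, a moving branch tag, so two deployments of the same 2.1.1 release can run different code and there is no version to audit against; it should be a release tag or digest, ideally driven from `stackgen_version` like the other images. The `resources.limits` for `appcd` were also dropped, leaving only requests under `autoscaling.maxReplicas: 30`; if unbounded containers are deliberate, a one-line comment explaining why would help the next reviewer.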
@@ -42,35 +27,13 @@ server: serviceMonitor: enabled: ${enable_ops} interval: 30s - # Set additional lables to all the ServiceMonitor resources additionalLabels: release: kube-prometheus-stack - # Set Prometheus metric_relabel_configs via ServiceMonitor - # Use metricRelabelings to adjust metric and label names as needed - metricRelabelings: - # - action: replace - # sourceLabels: - # - exported_namespace - # targetLabel: temporal_namespace - # - action: replace - # regex: service_errors_(.+) - # replacement: ${1} - # sourceLabels: - # - __name__ - # targetLabel: temporal_error_kind - # - action: replace - # regex: service_errors_.+ - # replacement: temporal_service_errors - # sourceLabels: - # - __name__ - # targetLabel: __name__ + prometheus: timerType: histogram podAnnotations: reloader.stakater.com/auto: "true" - podLabels: {} - secretLabels: {} - secretAnnotations: {} resources: limits: cpu: 100m @@ -78,12 +41,6 @@ server: requests: cpu: 100m memory: 128Mi - nodeSelector: {} - tolerations: [] - affinity: {} - additionalVolumes: [] - additionalVolumeMounts: [] - additionalEnv: [] securityContext: fsGroup: 1000 runAsUser: 1000 @@ -101,7 +58,7 @@ server: driver: "sql" sql: database: "temporal" - driver: "postgres" + driver: "postgres12" maxConnLifetime: "1h" existingSecret: temporal-default-store host: ${postgres_host} @@ -115,7 +72,7 @@ server: visibility: driver: "sql" sql: - driver: "postgres" + driver: "postgres12" database: "temporalvisibility" existingSecret: temporal-visibility-store host: ${postgres_host} @@ -139,23 +96,11 @@ server: # timerType: histogram podAnnotations: reloader.stakater.com/auto: "true" - podLabels: {} resources: requests: - cpu: 100m - memory: 512Mi - nodeSelector: {} - tolerations: [] - affinity: {} - additionalEnv: [] - containerSecurityContext: {} - topologySpreadConstraints: {} - podDisruptionBudget: {} - resources: - limits: cpu: 100m memory: 128Mi - requests: + limits: cpu: 100m memory: 128Mi 
@@ -173,7 +118,6 @@ server: # timerType: histogram podAnnotations: reloader.stakater.com/auto: "true" - podLabels: {} resources: requests: cpu: 100m @@ -181,13 +125,6 @@ server: limits: cpu: 100m memory: 512Mi - nodeSelector: {} - tolerations: [] - affinity: {} - additionalEnv: [] - containerSecurityContext: {} - topologySpreadConstraints: {} - podDisruptionBudget: {} matching: service: @@ -202,7 +139,6 @@ server: # timerType: histogram podAnnotations: reloader.stakater.com/auto: "true" - podLabels: {} resources: limits: cpu: 100m @@ -210,13 +146,6 @@ server: requests: cpu: 100m memory: 512Mi - nodeSelector: {} - tolerations: [] - affinity: {} - additionalEnv: [] - containerSecurityContext: {} - topologySpreadConstraints: {} - podDisruptionBudget: {} worker: service: @@ -239,32 +168,15 @@ server: requests: cpu: 100m memory: 512Mi - nodeSelector: {} - tolerations: [] - affinity: {} - additionalEnv: [] - containerSecurityContext: {} - topologySpreadConstraints: {} - podDisruptionBudget: {} admintools: enabled: true - image: - repository: temporalio/admin-tools - tag: 1.22.4 - pullPolicy: IfNotPresent - service: type: ClusterIP port: 22 annotations: {} - podLabels: {} podAnnotations: reloader.stakater.com/auto: "true" - nodeSelector: {} - tolerations: [] - affinity: {} - additionalEnv: [] resources: limits: cpu: 100m @@ -272,9 +184,6 @@ admintools: requests: cpu: 100m memory: 128Mi - containerSecurityContext: {} - securityContext: {} - podDisruptionBudget: {} web: enabled: true @@ -298,11 +207,6 @@ web: cpu: 100m memory: 128Mi - image: - repository: temporalio/ui - tag: 2.27.3 - pullPolicy: IfNotPresent - service: # set type to NodePort if access to web needs access from outside the cluster # for more info see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types 
@@ -323,29 +227,6 @@ web: podAnnotations: reloader.stakater.com/auto: "true" - podLabels: {} - - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - - nodeSelector: {} - - tolerations: [] - - affinity: {} - - additionalVolumes: [] - additionalVolumeMounts: [] - - containerSecurityContext: {} - - securityContext: {} - schema: setup: enabled: true @@ -360,50 +241,14 @@ schema: requests: cpu: 100m memory: 128Mi - containerSecurityContext: {} - securityContext: {} elasticsearch: enabled: false - replicas: 3 - persistence: - enabled: false - imageTag: 7.17.3 - host: elasticsearch-master-headless - scheme: http - port: 9200 - version: "v7" - logLevel: "error" - username: "" - password: "" - visibilityIndex: "temporal_visibility_v1_dev" - prometheus: enabled: false - nodeExporter: - enabled: false grafana: enabled: false - replicas: 1 - testFramework: - enabled: false - rbac: - create: false - pspEnabled: false - namespaced: true - dashboardProviders: - dashboardproviders.yaml: - apiVersion: 1 - providers: - - name: "default" - orgId: 1 - folder: "" - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/default datasources: datasources.yaml: apiVersion: 1 @@ -442,22 +287,6 @@ grafana: cassandra: enabled: false - persistence: - enabled: false - image: - repo: cassandra - tag: 3.11.3 - pullPolicy: IfNotPresent - config: - cluster_size: 3 - ports: - cql: 9042 - num_tokens: 4 - max_heap_size: 512M - heap_new_size: 128M - seed_size: 0 - service: - type: ClusterIP mysql: enabled: false diff --git a/deployer-image/terraform/variables.tf b/deployer-image/terraform/variables.tf index 08dffb6..7083e40 100644 --- a/deployer-image/terraform/variables.tf +++ b/deployer-image/terraform/variables.tf 
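Review bot: With the pinned `image.tag: 1.22.4` lines removed from the server and admintools blocks (earlier hunks in this file), the Temporal server version now follows whatever chart `0.57.0` defaults to, which is a sizeable jump from 1.22 and carries database schema migrations; `schema.setup.enabled: true` is visible at the top of this hunk but no `schema.update` setting is, so confirm the update job is enabled or that the upgrade procedure runs the schema update before the new server starts, otherwise an upgraded install fails against the old schema. The server-level `securityContext` (`runAsUser: 1000`, `fsGroup: 1000`) is kept, and the dropped empty maps (`podLabels: {}`, `nodeSelector: {}`, …) are only chart defaults, so those removals are fine.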
@@ -27,3 +27,43 @@ variable "global_static_ip_name" {
 variable "pre_shared_cert_name" {
 type = string
 }
+
+variable "nginx_config" {
+ type = object({
+ client_max_body_size = string
+ })
+ default = {
+ client_max_body_size = "10M"
+ }
+ description = "NGINX configuration settings"
+}
+
+variable "enable_feature" {
+ description = "stackgen features to enable"
+ type = object({
+ exporter = optional(bool, true)
+ llm = optional(bool, false)
+ vault = optional(bool, true)
+ enable_group_sync = optional(bool, false)
+ artifacts_support = optional(bool, false)
+ need_user_vetting = optional(bool, false)
+ editableIac = optional(bool, false)
+ moduleEditor = optional(bool, false)
+ log_analysis = optional(bool, false)
+ integrations = optional(bool, false)
+ backstage_adapter = optional(bool, false)
+ })
+ default = {
+ exporter = true
+ vault = true
+ llm = false
+ enable_group_sync = false
+ artifacts_support = false
+ need_user_vetting = false
+ editableIac = true
+ moduleEditor = true
+ log_analysis = false
+ integrations = true
+ backstage_adapter = false
+ }
+}