[AE-1241] publish new version of deployer

.gitignore

@@ -0,0 +1,7 @@
+# Terraform files
+*.tfvars
+*.tfstate
+*.tfstate.*
+.terraform/
+.terraform.lock.hcl
+

deployer-image/Dockerfile

@@ -11,7 +11,7 @@ RUN apk add --no-cache yq && \
     yq -i ".properties.stackgenPat.default = \"$GH_TOKEN\"" schema.yaml
 
 # Stage 1: Preprocessing schema.yaml
-FROM marketplace.gcr.io/google/debian10 AS build
+FROM marketplace.gcr.io/google/debian11 AS build
 
 # Install tools for envsubst
 RUN apt-get update && apt-get install -y --no-install-recommends gettext && rm -rf /var/lib/apt/lists/*
@@ -24,15 +24,32 @@ RUN envsubst < /workspace/schema.yaml > /workspace/schema.yaml.processed && \
 # Stage 2: Deployer
 FROM gcr.io/cloud-marketplace-tools/k8s/deployer_envsubst:latest
 
-ARG TERRAFORM_VERSION=1.5.3
+ARG TERRAFORM_VERSION=1.10.3
+ARG YQ_VERSION=4.44.6
 
-RUN apt-get update && apt-get install -y wget unzip git jq && \
+# Update base system and install security patches
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends \
+        ca-certificates \
+        wget \
+        unzip \
+        git \
+        jq && \
+    # Install Terraform
     wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
     unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin/ && \
     rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
-    wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && \
+    # Install yq with specific version
+    wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 && \
     chmod +x /usr/local/bin/yq && \
-    apt-get remove -y wget unzip && apt-get autoremove -y && apt-get clean
+    # Upgrade pip to latest version to fix CVE-2024-35195 and CVE-2025-47273
+    python3 -m pip install --upgrade pip setuptools wheel --no-cache-dir && \
+    # Clean up
+    apt-get remove -y wget unzip && \
+    apt-get autoremove -y && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
 LABEL com.googleapis.cloudmarketplace.product.service.name=services/stackgen-enterprise-platform-k8s-v2.endpoints.stackgen-gcp-marketplace.cloud.goog
 

deployer-image/Makefile

@@ -6,8 +6,8 @@ MANIFEST_DIR := marketplace/manifests
 
 # Semantic minor version (TRACK) and full release version
 # TODO(sabith) read from tag
-TRACK ?= 1.1
-RELEASE ?= ${TRACK}.0
+TRACK ?= 2.1
+RELEASE ?= ${TRACK}.1
 
 # Docker registry and image names
 REGISTRY = gcr.io/stackgen-gcp-marketplace

deployer-image/marketplace/manifests/application.yaml.template

@@ -11,7 +11,7 @@ metadata:
 spec:
   descriptor:
     type: terraform-runner
-    version: "2.0.0"
+    version: "2.1.1"
     notes: |-
       # This command retrieves the IP address of the proxy-ingress service in the 'stackgen' namespace.
       # It uses kubectl to get the load balancer ingress IP and then constructs the URL.

deployer-image/marketplace/schema.yaml

@@ -3,7 +3,7 @@ x-google-marketplace:
   partnerId: "stackgen-gcp-marketplace"  # Replace with your actual Partner ID
   solutionId: "stackgen-enterprise-platform-k8s-v2.endpoints.stackgen-gcp-marketplace.cloud.goog" # Replace with your actual Product ID
   applicationApiVersion: v1beta1
-  publishedVersion: "2.0.0"
+  publishedVersion: "2.1.1"
   publishedVersionMetadata:
     releaseNote: "Initial release with Job support."
   images:

deployer-image/terraform/main.tf

@@ -5,15 +5,14 @@ locals {
 }
 
 provider "helm" {
-  kubernetes {
+  kubernetes = {
     host                   = "https://kubernetes.default.svc"
     token                  = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
     cluster_ca_certificate = file("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
     insecure               = false
   }
 }
 
-
 provider "kubernetes" {
   host                   = "https://kubernetes.default.svc"
   token                  = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
@@ -22,13 +21,13 @@ provider "kubernetes" {
   insecure = false
 }
 
-
-
 module "stackgen" {
   source                = "./modules/stackgen-installation"
   domain                = var.domain
   STACKGEN_PAT          = var.STACKGEN_PAT
   suffix                = var.suffix
   global_static_ip_name = var.global_static_ip_name
   pre_shared_cert_name  = var.pre_shared_cert_name
+  nginx_config          = var.nginx_config
+  enable_feature        = var.enable_feature
 }

deployer-image/terraform/modules/stackgen-installation/database.tf

@@ -27,29 +27,34 @@ locals {
       persistence = {
         enabled      = true
         size         = "50Gi"
-        storageClass = "standard"
+        storageClass = "standard-rwo"
       }
       resources = {
         requests = {
           memory = "2Gi"
-          cpu    = "1"
+          cpu    = "500m"
         }
         limits = {
           memory = "4Gi"
-          cpu    = "2"
+          cpu    = "2000m"
         }
       }
       postgresql = {
         maxConnections = 500
-        sharedBuffers  = "512MB"
+        sharedBuffers  = "1GB"
       }
     }
     volumePermissions = {
+      enabled = false
+    }
+    podSecurityContext = {
       enabled = true
-      containerSecurityContext = {
-        runAsUser  = 0
-        runAsGroup = 0
-      }
+      fsGroup = 1001
+    }
+    containerSecurityContext = {
+      enabled = true
+      runAsUser = 1001
+      runAsNonRoot = true
     }
     tls = {
       enabled = false
@@ -64,9 +69,9 @@ locals {
 resource "helm_release" "postgresql" {
   name = "postgres"
 
-  repository = "oci://registry-1.docker.io/"
-  chart      = "bitnamicharts/postgresql"
-  version    = "16.4.5"
+  repository = "https://charts.bitnami.com/bitnami"
+  chart      = "postgresql"
+  version    = "18.0.15"
 
   namespace = var.namespace
   values = [

deployer-image/terraform/modules/stackgen-installation/main.tf

@@ -1,6 +1,6 @@
 
 locals {
-  temporal_helm_version             = "0.33.0"
+  temporal_helm_version             = "0.57.0"
   postgresql_administrator_password = random_password.db_password.result
   postgresql_fqdn                   = "postgres-postgresql.${helm_release.postgresql.namespace}.svc.cluster.local"
   postgresql_administrator_login    = "stackgen"
@@ -49,7 +49,7 @@ resource "helm_release" "dex" {
   chart            = "dex"
   namespace        = var.namespace
   create_namespace = false
-  version          = "0.18.0"
+  version          = "0.19.1"
   values = [
     templatefile("./values/dex.yaml", {
       host_domain               = var.domain,
@@ -62,6 +62,14 @@ resource "helm_release" "dex" {
   ]
 }
 
+resource "random_id" "appcd_client_id" {
+  byte_length = 16
+}
+
+resource "random_id" "appcd_client_secret" {
+  byte_length = 36
+}
+
 resource "kubernetes_secret" "ghcr_pkg" {
   depends_on = [kubernetes_namespace.this]
   metadata {
@@ -109,11 +117,14 @@ resource "kubernetes_secret" "appcd_secrets" {
   type = "Opaque"
 
   data = {
-    rds_port          = "5432"
-    rds_password      = local.postgresql_administrator_password
-    rds_endpoint      = local.postgresql_fqdn
-    rds_read_endpoint = local.postgresql_fqdn
-    rds_username      = local.postgresql_administrator_login
+    rds_port            = "5432"
+    rds_password        = local.postgresql_administrator_password
+    rds_endpoint        = local.postgresql_fqdn
+    rds_host            = local.postgresql_fqdn
+    rds_read_endpoint   = local.postgresql_fqdn
+    rds_username        = local.postgresql_administrator_login
+    appcd_client_id     = random_id.appcd_client_id.hex
+    appcd_client_secret = random_id.appcd_client_secret.hex
   }
 }
 
@@ -169,7 +180,7 @@ resource "kubernetes_secret" "temporal_default_store" {
 }
 
 resource "helm_release" "temporal" {
-  depends_on = [kubernetes_secret.temporal_visibility_store, kubernetes_secret.temporal_default_store]
+  depends_on = [kubernetes_secret.temporal_visibility_store, kubernetes_secret.temporal_default_store, helm_release.postgresql]
   name       = "temporal"
   chart      = "https://github.com/temporalio/helm-charts/releases/download/temporal-${local.temporal_helm_version}/temporal-${local.temporal_helm_version}.tgz"
   namespace  = var.namespace
@@ -187,16 +198,14 @@ resource "helm_release" "temporal" {
 }
 
 resource "kubernetes_persistent_volume_claim" "this" {
-  count      = length(var.storage.volume) > 0 ? 1 : 0
   depends_on = [kubernetes_namespace.this]
   metadata {
     name      = "storage-${var.namespace}"
     namespace = var.namespace
   }
   spec {
-    access_modes       = ["ReadWriteMany"]
-    volume_name        = var.storage.volume
-    storage_class_name = var.storage.class
+    access_modes       = ["ReadWriteOnce"]
+    storage_class_name = "standard-rwo"
     resources {
       requests = {
         storage = "100Gi"
@@ -211,6 +220,7 @@ locals {
     appcd_secrets : concat([kubernetes_secret.appcd_secrets.metadata[0].name, kubernetes_secret.appcd_scm_secrets.metadata[0].name], var.additional_secrets)
     enable_ops : var.enable_ops
     domain : var.domain
+    enable_ingress : true
     auth_enabled : var.stackgen_authentication.type != "none"
     scm_github_auth_url : try(var.scm_configuration.github_config.auth_url, "")
     scm_github_token_url : try(var.scm_configuration.github_config.token_url, "")
@@ -222,6 +232,8 @@ locals {
     appcd_admin_emails : var.admin_emails
     enable_storage : length(var.storage.volume) > 0
     appcd_service_account : local.appcd_service_account
+    nginx : var.nginx_config
+    worm_enabled : false
   })
 }
 

deployer-image/terraform/modules/stackgen-installation/variables.tf

@@ -41,16 +41,36 @@ variable "enable_ops" {
 variable "stackgen_version" {
   description = "The version of the appcd to deploy"
   type        = string
-  default     = "0.5.1"
+  default     = "0.10.1"
 }
 
 variable "enable_feature" {
   description = "stackgen features to enable"
   type = object({
-    llm = optional(bool, false)
+    exporter          = optional(bool, true)
+    llm               = optional(bool, false)
+    vault             = optional(bool, true)
+    enable_group_sync = optional(bool, false)
+    artifacts_support = optional(bool, false)
+    need_user_vetting = optional(bool, false)
+    editableIac       = optional(bool, false)
+    moduleEditor      = optional(bool, false)
+    log_analysis      = optional(bool, false)
+    integrations      = optional(bool, false)
+    backstage_adapter = optional(bool, false)
   })
   default = {
-    llm = false
+    exporter          = true
+    vault             = true
+    llm               = false
+    enable_group_sync = false
+    artifacts_support = false
+    need_user_vetting = false
+    editableIac       = true
+    moduleEditor      = true
+    log_analysis      = false
+    integrations      = true
+    backstage_adapter = true
   }
 }
 
@@ -121,3 +141,11 @@ variable "global_static_ip_name" {
 variable "pre_shared_cert_name" {
   type = string
 }
+variable "nginx_config" {
+  type = object({
+    client_max_body_size = string
+  })
+  default = {
+    client_max_body_size = "10M"
+  }
+}