7 changes: 7 additions & 0 deletions .gitignore
@@ -0,0 +1,7 @@
# Terraform files
*.tfvars
*.tfstate
*.tfstate.*
.terraform/
.terraform.lock.hcl
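Review bot: ignoring `.terraform.lock.hcl` (last line of the hunk) drops provider pinning. The lock file records the provider versions and hashes that `terraform init` selected, and HashiCorp recommends committing it so later inits verify the same provider builds; with it ignored, every deployer image build resolves providers afresh within whatever constraints main.tf allows, which is a supply-chain gap for an image that runs inside customer clusters. Commit the lock file and run `terraform init -lockfile=readonly` in deploy.sh. The `*.tfvars` and `*.tfstate*` entries are right, since state and var files here would carry STACKGEN_PAT in plaintext.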

55 changes: 49 additions & 6 deletions deployer-image/Dockerfile
@@ -11,7 +11,7 @@ RUN apk add --no-cache yq && \
yq -i ".properties.stackgenPat.default = \"$GH_TOKEN\"" schema.yaml

# Stage 1: Preprocessing schema.yaml
FROM marketplace.gcr.io/google/debian10 AS build
FROM marketplace.gcr.io/google/debian11 AS build

# Install tools for envsubst
RUN apt-get update && apt-get install -y --no-install-recommends gettext && rm -rf /var/lib/apt/lists/*
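Review bot: `marketplace.gcr.io/google/debian11` is a floating tag; pin it by digest (`debian11@sha256:...`) so the envsubst stage is reproducible and a tag repoint cannot change the build. Moving off debian10 is right, but the unchanged context line above this hunk also needs a look in this pass: `yq -i ".properties.stackgenPat.default = \"$GH_TOKEN\"" schema.yaml` writes a token into schema.yaml at build time, and that file is the one later copied to `/data/schema.yaml` in the final image, so if GH_TOKEN is a live credential during `docker build` it ships inside the published deployer image.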
@@ -24,18 +24,61 @@ RUN envsubst < /workspace/schema.yaml > /workspace/schema.yaml.processed && \
# Stage 2: Deployer
FROM gcr.io/cloud-marketplace-tools/k8s/deployer_envsubst:latest

ARG TERRAFORM_VERSION=1.5.3
ARG TERRAFORM_VERSION=1.13.4
ARG YQ_VERSION=4.44.6

RUN apt-get update && apt-get install -y wget unzip git jq && \
# Update base system and install security patches
RUN apt-get update && \
apt-get upgrade -y && \
apt-get install -y --no-install-recommends \
ca-certificates \
wget \
unzip \
git \
jq \
curl && \
# Install Terraform
wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin/ && \
rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 && \
# Install yq with specific version
wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 && \
chmod +x /usr/local/bin/yq && \
apt-get remove -y wget unzip && apt-get autoremove -y && apt-get clean
# Install latest kubectl versions to fix CVE-2025-8959, CVE-2025-61729, and CVE-2025-22868
# These vulnerabilities affect kubectl binaries built with vulnerable Go dependencies
# Installing latest kubectl versions that were built with fixed Go 1.22.6+ and updated dependencies
KUBECTL_VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt) && \
mkdir -p /opt/kubectl/1.30 /opt/kubectl/1.31 && \
curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" && \
echo "$(cat kubectl.sha256) kubectl" | sha256sum --check && \
chmod +x kubectl && \
cp kubectl /opt/kubectl/1.30/kubectl && \
cp kubectl /opt/kubectl/1.31/kubectl && \
cp kubectl /usr/local/bin/kubectl && \
rm kubectl kubectl.sha256 && \
Comment on lines +47 to +59
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

CVE-2025-8959 kubectl Go vulnerability

💡 Result:

Short answer
CVE-2025-8959 is a symlink/traversal vulnerability in HashiCorp’s go-getter library (affects go-getter <= 1.7.8) that can allow unauthorized reads outside a requested subdirectory. It was fixed in go-getter 1.7.9. This is a vulnerability in the library—not in kubectl itself—so only Kubernetes tooling or wrapper projects that embed or vendor go-getter (or depend on packages that do) are affected; plain upstream kubectl is not implicated unless your kubectl build or related tools include go-getter. [1][2][3]

What to do

  • If you maintain software that vendors or imports github.com/hashicorp/go-getter, upgrade to go-getter >= 1.7.9. [1][3]
  • If you use third-party Kubernetes tools (e.g., scanners, installers, CLIs like tools that fetch subdirectories), check their advisories and update those tools if they ship a vulnerable go-getter. [2][3]
  • Run dependency scans (SCA) against your builds/containers to find any vendored go-getter <=1.7.8 and remediate.

References

  1. HashiCorp advisory (HCSEC-2025-23) — go-getter fixed in 1.7.9. [HashiCorp advisory]. [1]
  2. NVD entry for CVE-2025-8959. [2]
  3. GitLab advisory / package advisories summarizing affected versions and fix. [3]

Would you like me to scan a specific binary/container image, repo, or list of tools for the vulnerable go-getter dependency?


🌐 Web query:

CVE-2025-61729 kubectl vulnerability

💡 Result:

Short summary — what it is

  • CVE-2025-61729 is a Go crypto/x509 issue where HostnameError.Error() can print an unbounded list of hosts using repeated string concatenation, causing excessive CPU/memory (DoS) when a maliciously-crafted certificate is presented. [1][2]

Impact for kubectl

  • Any Go-built binary that uses crypto/x509 Certificate.Verify / VerifyHostname is potentially affected — that includes kubectl builds that were compiled with vulnerable Go versions. An affected kubectl could be made to consume excessive resources (denial of service) by a crafted certificate. [1][2]

Affected versions / fix

  • Affects Go: before go1.24.11, and from go1.25.0 before go1.25.5. The fix was applied in the Go project (see patch/issue). [2][3]

What you should do

  • If you run kubectl (or other Go binaries) compiled with a vulnerable Go version, update to a kubectl build that was compiled with a fixed Go (i.e., use vendor/distribution kubectl releases rebuilt with Go ≥ go1.24.11 or ≥ go1.25.5). If you build kubectl yourself, upgrade your Go toolchain to a fixed release and rebuild. Monitor vendor/security advisories for your Kubernetes distribution for patched kubectl packages. [2][3]

References

  • NVD entry for CVE-2025-61729. [1]
  • Go vulnerability advisory (GO-2025-4155) — affected symbols and fixed versions. [2]
  • Go issue / patch tracking the fix. [3]

Sources:
[1] NVD — CVE-2025-61729.
[2] GO-2025-4155 (pkg.go.dev vulnerability report).
[3] golang issue / patch (Go project).


🌐 Web query:

CVE-2025-22868 kubectl Go dependency vulnerability

💡 Result:

Summary

  • CVE-2025-22868 is a vulnerability in golang.org/x/oauth2/jws (token parsing) that can cause excessive memory consumption (DoS). [1]
  • Affects versions of golang.org/x/oauth2/jws before v0.27.0; fixed in v0.27.0. [1]

Relevance to kubectl

  • The CVE is in a Go oauth2 library used by many Go projects and downstream components (e.g., gke-gcloud-auth-plugin, kubernetes-dashboard packages and other tools). If your kubectl or its exec-plugins (like gke-gcloud-auth-plugin) or other auth-related binaries were built linking a vulnerable oauth2 version, they may be affected. A Kubernetes repo issue and multiple downstream advisories discuss updating the client/deps. [2][3]

Recommended actions

  1. Identify binaries/plugins in your environment that use golang.org/x/oauth2 (kubectl plugins, gke-gcloud-auth-plugin, dashboards, cloud agents, etc.).
  2. Update affected components to use oauth2 v0.27.0 or later (or install vendor/OS vendor patches). For example, update gke-gcloud-auth-plugin / kubectl builds or install vendor security updates. [1][3]
  3. Rebuild/redeploy binaries that statically include the vulnerable module, or install vendor/OS patches where provided. Monitor vendor advisories for fixed packages. [1][3]

References
[1] Go vulnerability report (GO-2025-3488 / CVE-2025-22868) — pkg.go.dev.
[2] kubernetes/kubernetes issue discussing CVE-2025-22868.
[3] Snyk advisory examples (gke-gcloud-auth-plugin / kubernetes-dashboard-api) and vendor advisories.


kubectl installation copies single binary to version-specific directories, and CVE claims in comment need clarification.

The code downloads one "stable" version of kubectl but copies it to directories named 1.30 and 1.31. This is misleading—if any tooling expects version-specific kubectl binaries at these paths, it will silently get the wrong version.

The CVE claims in the comment are also overstated:

  • CVE-2025-8959 does not affect upstream kubectl directly (only tools that vendor the go-getter library).
  • CVE-2025-61729 and CVE-2025-22868 may affect kubectl only if it was compiled with specific vulnerable Go versions or oauth2 dependency versions—simply installing "latest" does not guarantee these are fixed unless you verify the build metadata.

Either remove the unverified CVE claims or update the comment to reflect the actual conditions under which they apply. For the version-specific directory issue, if separate 1.30 and 1.31 binaries are genuinely needed, install each version explicitly:

🔧 Suggested fix for version-specific kubectl
-    # Install latest kubectl versions to fix CVE-2025-8959, CVE-2025-61729, and CVE-2025-22868
-    # These vulnerabilities affect kubectl binaries built with vulnerable Go dependencies
-    # Installing latest kubectl versions that were built with fixed Go 1.22.6+ and updated dependencies
-    KUBECTL_VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt) && \
-    mkdir -p /opt/kubectl/1.30 /opt/kubectl/1.31 && \
-    curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
-    curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" && \
-    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && \
-    chmod +x kubectl && \
-    cp kubectl /opt/kubectl/1.30/kubectl && \
-    cp kubectl /opt/kubectl/1.31/kubectl && \
-    cp kubectl /usr/local/bin/kubectl && \
-    rm kubectl kubectl.sha256 && \
+    # Install version-specific kubectl binaries
+    mkdir -p /opt/kubectl/1.30 /opt/kubectl/1.31 && \
+    # Install kubectl 1.30 (latest patch)
+    KUBECTL_130=$(curl -L -s https://dl.k8s.io/release/stable-1.30.txt) && \
+    curl -LO "https://dl.k8s.io/release/${KUBECTL_130}/bin/linux/amd64/kubectl" && \
+    curl -LO "https://dl.k8s.io/release/${KUBECTL_130}/bin/linux/amd64/kubectl.sha256" && \
+    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && \
+    chmod +x kubectl && mv kubectl /opt/kubectl/1.30/kubectl && rm kubectl.sha256 && \
+    # Install kubectl 1.31 (latest patch)
+    KUBECTL_131=$(curl -L -s https://dl.k8s.io/release/stable-1.31.txt) && \
+    curl -LO "https://dl.k8s.io/release/${KUBECTL_131}/bin/linux/amd64/kubectl" && \
+    curl -LO "https://dl.k8s.io/release/${KUBECTL_131}/bin/linux/amd64/kubectl.sha256" && \
+    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check && \
+    chmod +x kubectl && mv kubectl /opt/kubectl/1.31/kubectl && rm kubectl.sha256 && \
+    # Symlink default kubectl to 1.31
+    ln -s /opt/kubectl/1.31/kubectl /usr/local/bin/kubectl && \
🤖 Prompt for AI Agents
In @deployer-image/Dockerfile around lines 47 - 59, The Dockerfile currently
fetches a single "stable" kubectl (KUBECTL_VERSION) but then copies that binary
into versioned paths (/opt/kubectl/1.30 and /opt/kubectl/1.31), which is
misleading; either download and verify each desired version explicitly (fetch
distinct URLs/checksums per version and place them into
/opt/kubectl/1.30/kubectl and /opt/kubectl/1.31/kubectl, keeping the existing
sha256 verification per file) or stop using versioned directories and name them
/opt/kubectl/stable to match KUBECTL_VERSION, and update the cp
/usr/local/bin/kubectl step accordingly; also update the top comment about CVEs
to remove blanket claims and instead state the exact conditions (e.g., “these
CVEs may affect binaries built with vulnerable Go/oauth2/go-getter versions;
ensure the downloaded kubectl build metadata or Go toolchain is fixed, or verify
by using explicit versioned releases”) so the comment accurately reflects when
those CVEs apply.

# Upgrade pip to latest version to fix CVE-2024-35195 and CVE-2025-47273
python3 -m pip install --upgrade pip setuptools wheel --no-cache-dir && \
Comment on lines +60 to +61

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

CVE-2024-35195 vulnerability

💡 Result:

Summary

  • CVE-2024-35195: a bug in the Python Requests library (fixed in requests 2.32.0) where if the first request made by a Session to a host sets verify=False, subsequent requests to that host in the same connection pool may also skip TLS certificate verification, exposing connections to MITM risk. [1][2][3]

Affected versions

  • Requests prior to 2.32.0. Fixed in requests 2.32.0. [1][2]

Impact

  • TLS verification can be unintentionally bypassed for the lifetime of a pooled connection, risking confidentiality and integrity (possible MITM). Severity rated medium (CVSS ~5.6–6.5 by different vendors). [1][3][4]

Mitigation and workarounds

  • Upgrade to requests>=2.32.0 (recommended). [1][2]
  • If you cannot upgrade immediately: avoid making the first request to a host with verify=False when using a Session; or call Session.close() (or otherwise close/reset connections) after any request that used verify=False to clear the connection pool. [2][4]

References
[1] NVD summary for CVE-2024-35195.
[2] AWS / Amazon Linux advisory entry for CVE-2024-35195.
[3] Ubuntu security notice for CVE-2024-35195 (notes and patches).
[4] Wiz vulnerability summary / mitigations for CVE-2024-35195.

Would you like exact upgrade commands or a quick script to detect vulnerable requests versions across your environment?


🌐 Web query:

CVE-2025-47273 vulnerability

💡 Result:

Summary — CVE-2025-47273

  • What it is: a path‑traversal vulnerability in setuptools' PackageIndex that can allow writing files to arbitrary filesystem locations (possibly leading to RCE depending on context). [1][2]
  • Affected versions: setuptools prior to 78.1.1. [1][2]
  • Fix: upgrade setuptools to version 78.1.1 or later. [2]
  • Severity/impact: rated high; arbitrary file write as the process user (attack surface depends on how setuptools is used in your environment). [1][3]
  • Mitigations if you cannot upgrade immediately: restrict execution privileges of processes that run packaging code, restrict network access to untrusted package indexes, and validate/sandbox build environments. [2][4]

References
[1] NVD entry for CVE-2025-47273.
[2] GitHub setuptools security advisory / patch (fix in v78.1.1).
[3] Ubuntu security notice for CVE-2025-47273.
[4] AWS/ALAS advisory for CVE-2025-47273.


Fix CVE attribution in the Dockerfile comment.

CVE-2024-35195 is a Python Requests library vulnerability (TLS verification bypass), not a pip vulnerability. Upgrading pip does not address this CVE. CVE-2025-47273 is a legitimate setuptools vulnerability (path-traversal), so upgrading setuptools is appropriate, but the Dockerfile comment incorrectly attributes both CVEs to the pip upgrade. Revise the comment to either:

  • Reference only CVE-2025-47273 for the setuptools upgrade, or
  • Add a separate pip/requests upgrade step if CVE-2024-35195 remediation is intended (upgrade requests>=2.32.0)
🤖 Prompt for AI Agents
In @deployer-image/Dockerfile around lines 60 - 61, The Dockerfile comment
incorrectly attributes CVE-2024-35195 to pip; update the comment above the
existing python3 -m pip install --upgrade pip setuptools wheel --no-cache-dir
line to state that upgrading setuptools addresses CVE-2025-47273 and does not
remediate CVE-2024-35195, and if you intend to remediate CVE-2024-35195 also,
add a separate pip install step to upgrade the requests package (e.g., install
requests>=2.32.0) after the existing upgrade; ensure the comment and/or added
step clearly distinguishes which package addresses which CVE.

# Clean up
apt-get remove -y wget unzip curl && \
apt-get autoremove -y && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*

LABEL com.googleapis.cloudmarketplace.product.service.name=services/stackgen-enterprise-platform-k8s-v2.endpoints.stackgen-gcp-marketplace.cloud.goog

# Set timeout for Application readiness check (default is 300 seconds)
# Increased to 600 seconds (10 minutes) to allow for longer deployment times
ENV WAIT_FOR_READY_TIMEOUT=600

# Set timeout for the entire tester process (deploying, running tester pods, waiting for completion)
# Increased to 900 seconds (15 minutes) to allow for longer deployment and testing times
ENV TESTER_TIMEOUT=900

# Enable debug logging by default to help diagnose issues
# Set to "false" to disable verbose output and Terraform debug logs
ENV DEBUG=true

# Copy processed schema.yaml
COPY --from=build /workspace/schema.yaml /data/schema.yaml
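Review bot: the Terraform zip is downloaded and unpacked with no checksum or signature check, while kubectl a few lines later does get a sha256 check; HashiCorp publishes `terraform_${TERRAFORM_VERSION}_SHA256SUMS` plus a detached `.sig` for that file, so verify the zip against them before `unzip`. The same applies to yq, which is now version-pinned but still unverified. For kubectl, `stable.txt` makes the image non-reproducible (two builds a week apart can contain different kubectl versions with identical Dockerfile), and a `.sha256` fetched from the same origin as the binary is an integrity check on the transfer, not on authenticity; pin the version and, if you want authenticity, check the cosign signature Kubernetes publishes alongside release binaries. Separately, `ENV DEBUG=true` is a risky image default: deploy.sh turns on `set -x` when DEBUG=true and then runs `terraform apply -var "STACKGEN_PAT=${STACKGEN_PAT}"`, so any run that does not override DEBUG echoes the PAT into job logs. Default to false and let the job template opt in. `apt-get upgrade -y` on top of `deployer_envsubst:latest` also means two builds of this Dockerfile are not the same image; pin the base by digest so the patch level is a deliberate change.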

@@ -51,4 +94,4 @@ RUN chmod +x /data/deploy.sh
COPY terraform/ /data/terraform/

# Define entrypoint
ENTRYPOINT ["/data/deploy.sh"]
ENTRYPOINT ["/data/deploy.sh"]
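Review bot: the only change in this hunk is the trailing newline on the ENTRYPOINT line. Worth noting for the `COPY terraform/ /data/terraform/` context line: this PR adds the vendored chart tarball `appcd-dist-0.10.1.tgz` under that directory, so the chart the deployer installs is whatever binary blob is checked in. Record its sha256 next to the tarball (or in the Makefile) and have CI compare it, otherwise a swapped tarball is indistinguishable from a legitimate bump in review.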
12 changes: 6 additions & 6 deletions deployer-image/Makefile
@@ -4,18 +4,16 @@ MPDEV := $(BIN_DIR)/mpdev
SCHEMA_FILE := marketplace/schema.yaml
MANIFEST_DIR := marketplace/manifests

# Semantic minor version (TRACK) and full release version
# TODO(sabith) read from tag
TRACK ?= 1.1
RELEASE ?= ${TRACK}.0
TRACK ?= 4.1
RELEASE ?= ${TRACK}.2

# Docker registry and image names
REGISTRY = gcr.io/stackgen-gcp-marketplace
APP_NAME = stackgen-deployer
DEPLOYER_IMAGE_RELEASE := $(REGISTRY)/$(APP_NAME)/deployer:$(RELEASE)
DEPLOYER_IMAGE_TRACK := $(REGISTRY)/$(APP_NAME)/deployer:$(TRACK)

.PHONY: all push setup doctor install verify validate clean help
.PHONY: all push setup doctor install install-crd verify validate clean help
⚠️ Potential issue | 🟠 Major

Declared phony targets install-crd and validate are missing implementations.

The .PHONY declaration includes install-crd and validate, but neither target is defined in this Makefile. Additionally, line 76 in help references the validate target. Either add the missing targets or remove them from the .PHONY declaration and help text.

🔧 Option 1: Remove undeclared targets from .PHONY
-.PHONY: all push setup doctor install install-crd verify validate clean help
+.PHONY: all push setup doctor install verify clean help

And update the help text accordingly:

 	@echo "  verify    - Verify an application using mpdev verify"
-	@echo "  validate  - Validate the deployer schema.yaml file"
 	@echo "  clean     - Clean up local Docker images"
🔧 Option 2: Add missing validate target
validate:
	@echo "Validating schema file: $(SCHEMA_FILE)"
	$(MPDEV) validate --schema=$(SCHEMA_FILE)
🧰 Tools
🪛 checkmake (0.2.2)

[warning] 16-16: Missing required phony target "test"

(minphony)

🤖 Prompt for AI Agents
In @deployer-image/Makefile at line 16, The .PHONY list includes install-crd and
validate but neither target is defined, and help references validate; add
implementations for the missing targets (define a validate target that echoes
the schema file and runs $(MPDEV) validate --schema=$(SCHEMA_FILE) and add an
install-crd target that performs the CRD installation steps your project
expects) or, if you prefer removing them, remove install-crd and validate from
the .PHONY line and delete or update the help text that references validate so
the Makefile and help output are consistent.


all: help
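Review bot: the `TODO(sabith) read from tag` is still open while TRACK/RELEASE are bumped by hand to 4.1/4.1.2, and the same "4.1.2" is hand-edited into `publishedVersion` in schema.yaml and the application descriptor `version` elsewhere in this PR. Three copies of one number will drift on the next release; derive RELEASE from `git describe --tags` (or a single VERSION file) and template the other two from it. Also note `DEPLOYER_IMAGE_TRACK` (`deployer:4.1`) is a mutable tag that is republished on every patch release, which is fine for track semantics but means consumers of the track tag cannot tell which patch they got without the digest.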

@@ -52,7 +50,9 @@ install:
$(MPDEV) install \
--deployer=$(DEPLOYER_IMAGE_RELEASE)

verify: build


verify:
@echo "Verifying application with deployer: $(DEPLOYER_IMAGE_RELEASE)"
$(MPDEV) verify --deployer=$(DEPLOYER_IMAGE_RELEASE)
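Review bot: changing `verify: build` to `verify:` removes the build dependency, so `make verify` now exercises whatever `$(DEPLOYER_IMAGE_RELEASE)` is already present or on the registry, not the working tree; a passing verify no longer says anything about the commit under review. Either restore the dependency or make the help text state that `push` must run first. The two added blank lines above the target are stray.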

@@ -11,7 +11,7 @@ metadata:
spec:
descriptor:
type: terraform-runner
version: "2.0.0"
version: "4.1.2"
notes: |-
# This command retrieves the IP address of the proxy-ingress service in the 'stackgen' namespace.
# It uses kubectl to get the load balancer ingress IP and then constructs the URL.
9 changes: 8 additions & 1 deletion deployer-image/marketplace/manifests/job.yaml.template
@@ -25,9 +25,16 @@ spec:
value: $pre_shared_cert_name
- name: GLOBAL_STATIC_IP_NAME
value: $global_static_ip_name
- name: WAIT_FOR_READY_TIMEOUT
value: "900"
- name: TESTER_TIMEOUT
value: "1200"
- name: DEBUG
value: "false"
volumeMounts:
- name: deployer-config
mountPath: /data/values
mountPath: /data/values.yaml
subPath: values.yaml
readOnly: true
volumes:
- name: deployer-config
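Review bot: `WAIT_FOR_READY_TIMEOUT: "900"` and `TESTER_TIMEOUT: "1200"` here override the `ENV` values (600/900) set in the Dockerfile in this same PR, so the Dockerfile comments now describe values that are never in effect for marketplace deployments; keep one source for these and let the other inherit. `DEBUG: "false"` is the right default at the job level, and it matters because the image default is `DEBUG=true`, which turns on `set -x` in deploy.sh and would otherwise trace the `terraform apply` line that carries STACKGEN_PAT into pod logs; consider flipping the image default to false too so a run outside this template is not verbose by accident. The `subPath: values.yaml` plus `readOnly: true` mount is fine for a one-shot Job (subPath mounts do not receive later ConfigMap/Secret updates, which does not matter here) and is what makes `VALUES_FILE="/data/values.yaml"` in deploy.sh resolve.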
2 changes: 1 addition & 1 deletion deployer-image/marketplace/schema.yaml
@@ -3,7 +3,7 @@ x-google-marketplace:
partnerId: "stackgen-gcp-marketplace" # Replace with your actual Partner ID
solutionId: "stackgen-enterprise-platform-k8s-v2.endpoints.stackgen-gcp-marketplace.cloud.goog" # Replace with your actual Product ID
applicationApiVersion: v1beta1
publishedVersion: "2.0.0"
publishedVersion: "4.1.2"
publishedVersionMetadata:
releaseNote: "Initial release with Job support."
images:
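Review bot: `releaseNote: "Initial release with Job support."` is left unchanged while `publishedVersion` jumps from 2.0.0 to 4.1.2; Marketplace shows that string to customers choosing a version, so it should describe this release. The `# Replace with your actual Partner ID` / `# Replace with your actual Product ID` comments on what look like the real partnerId and solutionId are also stale and should go.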
103 changes: 98 additions & 5 deletions deployer-image/scripts/deploy.sh
@@ -1,9 +1,32 @@
#!/bin/bash
set -e

# Enable debug mode if DEBUG environment variable is set
if [ "${DEBUG:-false}" = "true" ]; then
set -x
export TF_LOG=INFO
fi

# Debug: Print script start time
echo "[INFO] Starting deployment at $(date)"
echo "[DEBUG] Working directory: $(pwd)"
echo "[DEBUG] Environment variables:"
echo " DEBUG=${DEBUG:-false}"
echo " WAIT_FOR_READY_TIMEOUT=${WAIT_FOR_READY_TIMEOUT:-300}"
echo " TESTER_TIMEOUT=${TESTER_TIMEOUT:-300}"
echo "[DEBUG] All environment variables containing TIMEOUT:"
env | grep -i timeout || echo " (none found)"
echo "[DEBUG] Process info:"
echo " PID: $$"
echo " Command: $0 $*"

VALUES_FILE="/data/values.yaml"
if [ ! -f "$VALUES_FILE" ]; then
echo "[ERROR] Values file not found: $VALUES_FILE"
ls -la /data/ || true
exit 1
fi

# Extract values from values.yaml using yq if environment variables are not already set
SUFFIX=${SUFFIX:-$(yq '.suffix' $VALUES_FILE)}
DOMAIN=${DOMAIN:-$(yq '.domain' $VALUES_FILE)}
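Review bot: `set -x` under `DEBUG=true` echoes every expanded command, and the `terraform apply` further down in this file passes `-var "STACKGEN_PAT=${STACKGEN_PAT}"` on its command line, so enabling debug writes the PAT to the job's stdout and to whatever collects pod logs. Pass the secret through the environment instead (`export TF_VAR_STACKGEN_PAT="$STACKGEN_PAT"`, which Terraform reads as the `STACKGEN_PAT` variable) or via a `-var-file`, and wrap the apply in `set +x` / `set -x` if tracing must stay on. Two smaller points: `yq '.suffix' $VALUES_FILE` prints the literal string `null` when the key is absent, which then flows into Terraform as a real value, so test for `null` before using the result; and `$VALUES_FILE` should be quoted like the other uses in this block.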
@@ -21,11 +44,20 @@ echo " GLOBAL_STATIC_IP_NAME: $GLOBAL_STATIC_IP_NAME"

# Run Terraform
cd /data/terraform
echo "[DEBUG] Changed to Terraform directory: $(pwd)"
echo "[DEBUG] Terraform files present:"
ls -la || true

echo "[INFO] Initializing Terraform"
terraform init
terraform init -input=false

if [ $? -ne 0 ]; then
echo "[ERROR] Terraform initialization failed!"
exit 1
fi

echo "[INFO] Applying Terraform configuration"
echo "[DEBUG] Terraform version: $(terraform version | head -1)"
terraform apply \
-var "suffix=${SUFFIX}" \
-var "domain=${DOMAIN}" \
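Review bot: the `if [ $? -ne 0 ]` after `terraform init -input=false` is dead code under the `set -e` at the top of the script: a failing init terminates the script before the test runs, so "[ERROR] Terraform initialization failed!" never prints. Write it as `if ! terraform init -input=false; then ... fi` (or drop `set -e` and check exit codes explicitly throughout). Once `.terraform.lock.hcl` is committed rather than gitignored, add `-lockfile=readonly` here so the job refuses to run against providers that differ from what was reviewed.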
@@ -34,9 +66,70 @@ terraform apply \
-var "global_static_ip_name=${GLOBAL_STATIC_IP_NAME}" \
-auto-approve

if [ $? -eq 0 ]; then
echo "[INFO] Terraform apply complete!"
EXIT_CODE=$?
if [ $EXIT_CODE -eq 0 ]; then
echo "[INFO] Terraform apply complete at $(date)!"
echo "[INFO] Deployment completed successfully. Checking deployed resources..."

# Output pod statuses to stdout so they're captured in logs
# This helps diagnose why wait_for_ready.py might timeout
if command -v kubectl >/dev/null 2>&1; then
# Get namespace from service account if available
namespace=""
if [ -f /var/run/secrets/kubernetes.io/serviceaccount/namespace ]; then
namespace=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null || echo "")
fi

echo "[INFO] ========== POST-DEPLOYMENT STATUS CHECK =========="

# Check stackgen namespace pods
if kubectl get namespace stackgen >/dev/null 2>&1; then
echo "[INFO] --- Pods in stackgen namespace ---"
kubectl get pods -n stackgen -o wide 2>&1 | tee /dev/stderr || true

echo "[INFO] --- Pod status details ---"
for pod in $(kubectl get pods -n stackgen -o jsonpath='{.items[*].metadata.name}' 2>/dev/null || echo ""); do
if [ -n "$pod" ]; then
phase=$(kubectl get pod -n stackgen "$pod" -o jsonpath='{.status.phase}' 2>&1 || echo "Unknown")
ready=$(kubectl get pod -n stackgen "$pod" -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>&1 || echo "Unknown")
echo "[INFO] Pod: $pod | Phase: $phase | Ready: $ready"

# If pod is not ready, show why
if [ "$ready" != "True" ] && [ "$phase" != "Running" ]; then
echo "[WARNING] Pod $pod is not ready. Showing details:"
kubectl describe pod -n stackgen "$pod" 2>&1 | grep -A 10 "Status:\|Events:" | tee /dev/stderr || true
echo "[WARNING] Last 30 lines of logs from $pod:"
kubectl logs -n stackgen "$pod" --tail=30 2>&1 | tee /dev/stderr || true
fi
Comment on lines +91 to +103
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and read the relevant lines
if [ -f "deployer-image/scripts/deploy.sh" ]; then
  echo "File found. Reading lines 91-103:"
  sed -n '91,103p' deployer-image/scripts/deploy.sh
else
  echo "File not found at deployer-image/scripts/deploy.sh"
  # Try to find it
  find . -name "deploy.sh" -type f 2>/dev/null | head -20
fi

Repository: appcd-dev/deployer

Length of output: 1022


Change && to || on line 98 to diagnose Running-but-not-Ready pods.
With the current && operator, diagnostics are skipped when phase=Running but ready!=True (e.g., CrashLoopBackOff, failing readiness probe)—a common failure mode that needs debugging. Use || instead so diagnostics run whenever the pod is either not Ready OR not Running.

Proposed fix
-          if [ "$ready" != "True" ] && [ "$phase" != "Running" ]; then
+          if [ "$ready" != "True" ] || [ "$phase" != "Running" ]; then
             echo "[WARNING] Pod $pod is not ready. Showing details:"
             kubectl describe pod -n stackgen "$pod" 2>&1 | grep -A 10 "Status:\|Events:" | tee /dev/stderr || true
             echo "[WARNING] Last 30 lines of logs from $pod:"
             kubectl logs -n stackgen "$pod" --tail=30 2>&1 | tee /dev/stderr || true
           fi
🤖 Prompt for AI Agents
In @deployer-image/scripts/deploy.sh around lines 91 - 103, The pod readiness
check in deploy.sh incorrectly uses a logical AND between "$ready" and "$phase",
so diagnostics only run when the pod is neither Ready nor Running; change the
condition in the if that checks ready and phase to use OR (i.e., replace && with
||) so that when either ready != "True" OR phase != "Running" the script prints
describe/logs for the pod (references: variables pod, phase, ready and the if
block that echoes "[WARNING] Pod $pod is not ready. Showing details:").

fi
done

# Show events
echo "[INFO] --- Recent events in stackgen namespace ---"
kubectl get events -n stackgen --sort-by='.lastTimestamp' 2>&1 | tail -20 | tee /dev/stderr || true
else
echo "[WARNING] stackgen namespace does not exist - this may indicate a deployment issue"
fi

# Show current namespace resources if available
if [ -n "$namespace" ]; then
echo "[INFO] --- Jobs in current namespace ($namespace) ---"
kubectl get jobs -n "$namespace" -o wide 2>&1 | tee /dev/stderr || true
fi

echo "[INFO] ========== END POST-DEPLOYMENT STATUS CHECK =========="
else
echo "[WARNING] kubectl not available - skipping pod status check"
fi

echo "[INFO] Deployment script completed successfully at $(date)"
else
echo "[ERROR] Terraform apply failed!"
exit 1
echo "[ERROR] ========== TERRAFORM APPLY FAILED =========="
echo "[ERROR] Terraform apply failed with exit code $EXIT_CODE at $(date)!"
echo "[ERROR] Showing Terraform state for debugging:"
terraform show -no-color 2>&1 | tee /dev/stderr || true
echo "[ERROR] Showing Terraform plan output:"
terraform plan -detailed-exitcode -var "suffix=${SUFFIX}" -var "domain=${DOMAIN}" -var "STACKGEN_PAT=${STACKGEN_PAT}" -var "pre_shared_cert_name=${PRE_SHARED_CERT_NAME}" -var "global_static_ip_name=${GLOBAL_STATIC_IP_NAME}" 2>&1 | tee /dev/stderr || true
echo "[ERROR] ========== END ERROR OUTPUT =========="
exit $EXIT_CODE
fi
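Review bot: `EXIT_CODE=$?` after `terraform apply ... -auto-approve` is never reached on failure: with `set -e` the script exits as soon as apply returns non-zero, so the whole "TERRAFORM APPLY FAILED" branch (the `terraform show` and `terraform plan` diagnostics) is unreachable and the script still exits with apply's status as before. Use `if terraform apply ...; then` or `terraform apply ... || EXIT_CODE=$?` to capture the code. If that branch becomes reachable, two things in it need care: `terraform plan -var "STACKGEN_PAT=${STACKGEN_PAT}"` puts the PAT on a command line again (visible under `set -x` and in `ps`), and `terraform show -no-color` dumps state, including the module's STACKGEN_PAT input unless the variable is declared `sensitive = true`, straight into logs. The `kubectl describe`/`kubectl logs` diagnostics in the success path are useful; the `&&` vs `||` condition issue above stands.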
14 changes: 0 additions & 14 deletions deployer-image/terraform/Makefile

This file was deleted.

Binary file added deployer-image/terraform/appcd-dist-0.10.1.tgz

What is this file?


Answer: This is the zip of helm chart for appcd.

Binary file removed deployer-image/terraform/appcd-dist-0.5.1.tgz
7 changes: 3 additions & 4 deletions deployer-image/terraform/main.tf
@@ -5,15 +5,14 @@ locals {
}

provider "helm" {
kubernetes {
kubernetes = {
host = "https://kubernetes.default.svc"
token = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
cluster_ca_certificate = file("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
insecure = false
}
}


provider "kubernetes" {
host = "https://kubernetes.default.svc"
token = file("/var/run/secrets/kubernetes.io/serviceaccount/token")
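Review bot: `kubernetes = {` is the helm provider 3.x attribute syntax; provider 2.x only accepts the `kubernetes {}` block form and rejects this, so the change only works if `required_providers` constrains helm to `>= 3.0`. That constraint is not in this diff, and with `.terraform.lock.hcl` gitignored nothing else pins the provider, so add or confirm the version constraint. Reading the service-account token and CA with `file()` in provider config is fine (provider configuration is not written to state), and `insecure = false` with the in-cluster CA is the right setting.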
@@ -22,13 +21,13 @@ provider "kubernetes" {
insecure = false
}



module "stackgen" {
source = "./modules/stackgen-installation"
domain = var.domain
STACKGEN_PAT = var.STACKGEN_PAT
suffix = var.suffix
global_static_ip_name = var.global_static_ip_name
pre_shared_cert_name = var.pre_shared_cert_name
nginx_config = var.nginx_config
enable_feature = var.enable_feature
}
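Review bot: `STACKGEN_PAT = var.STACKGEN_PAT` hands the PAT to the module, and any resource attribute it feeds is written to terraform.tfstate in plaintext and shown by `terraform plan`/`terraform show`; declare the root variable and the module's input `sensitive = true` so plan output and `terraform show` redact it (the state file itself still holds it, which is why it must stay out of git and off shared volumes). `nginx_config` and `enable_feature` are new module inputs whose declarations are not in this diff; confirm they exist in the module's variables with types and defaults, or `terraform init`/`validate` will fail in the deployer job rather than in review.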
27 changes: 16 additions & 11 deletions deployer-image/terraform/modules/stackgen-installation/database.tf
@@ -27,29 +27,34 @@ locals {
persistence = {
enabled = true
size = "50Gi"
storageClass = "standard"
storageClass = "standard-rwo"
}
resources = {
requests = {
memory = "2Gi"
cpu = "1"
cpu = "500m"
}
limits = {
memory = "4Gi"
cpu = "2"
cpu = "2000m"
}
}
postgresql = {
maxConnections = 500
sharedBuffers = "512MB"
sharedBuffers = "1GB"
}
}
volumePermissions = {
enabled = false
}
podSecurityContext = {
enabled = true
containerSecurityContext = {
runAsUser = 0
runAsGroup = 0
}
fsGroup = 1001
}
containerSecurityContext = {
enabled = true
runAsUser = 1001
runAsNonRoot = true
}
tls = {
enabled = false
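Review bot: two upgrade-path problems in this hunk. `storageClass = "standard-rwo"` changes the StatefulSet's volumeClaimTemplate, which Kubernetes treats as immutable on an existing StatefulSet, so `helm_release` will fail on upgrade of an already-installed release unless the StatefulSet is removed first (`kubectl delete sts --cascade=orphan`) and existing PVCs keep their old class anyway. The move from `runAsUser = 0` to uid 1001 with `runAsNonRoot = true` and `fsGroup = 1001` is the right hardening, but a data directory created by the previous root-running release is owned by uid 0; fsGroup only adjusts group ownership, and PostgreSQL refuses to start on a data directory it does not own, so with `volumePermissions.enabled = false` an upgraded install will crash-loop. Plan a one-time `volumePermissions.enabled = true` (or a manual chown job) for the upgrade and turn it back off afterwards. `tls.enabled = false` in the context lines means client traffic to Postgres stays in the clear inside the cluster; worth a follow-up once the secret handling is sorted.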
@@ -64,9 +69,9 @@ locals {
resource "helm_release" "postgresql" {
name = "postgres"

repository = "oci://registry-1.docker.io/"
chart = "bitnamicharts/postgresql"
version = "16.4.5"
repository = "https://charts.bitnami.com/bitnami"
chart = "postgresql"
version = "18.0.15"

namespace = var.namespace
values = [
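Review bot: the jump from chart 16.4.5 to 18.0.15 crosses two chart major versions of bitnami/postgresql, and Bitnami's major bumps carry breaking changes in values and, at times, in the bundled PostgreSQL major; since this module persists the data directory on a PVC, check whether the PostgreSQL major changed between the two charts, because a newer major cannot open a data directory written by an older one without `pg_upgrade` or dump/restore, and the deployer has no step for that. On the source change, `https://charts.bitnami.com/bitnami` and `oci://registry-1.docker.io/bitnamicharts/postgresql` both resolve `version` to a tag rather than a digest; the OCI form at least lets you record the chart digest from `helm pull` and compare it in CI, so keeping OCI and pinning the digest in a comment is the stronger option.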