Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: limit max content length to prevent a possible dos attack #423

Merged
merged 4 commits into from
Apr 9, 2023
Merged

security: limit max content length to prevent a possible dos attack #423

merged 4 commits into from
Apr 9, 2023

Conversation

42atomys
Copy link
Owner

@42atomys 42atomys commented Apr 9, 2023

Relative Issues: Resolve #412

Describe the pull request
This pull request addresses a potential security vulnerability by limiting the maximum content length accepted by the application. This measure helps to prevent possible Denial of Service (DoS) attacks that could be executed by sending excessively large payloads to the server. By enforcing a reasonable content length limit, we can maintain the application's stability and security while minimizing the risk of disruption from malicious actors.

Checklist

  • I have linked the relative issue to this pull request
  • I have made the modifications or added tests related to my PR
  • I have added/updated the documentation for my RP
  • I put my PR in Ready for Review only when all the checklist is checked

Breaking changes ?
no

Additional context
A Directive Overloading occurs when a user can send a query with many consecutive directives and overload the parser of the app. Actually gqlgen don't allow us to add a fixed limit. I will work on gqlgen project to see if this can be implemented to respect the GraphQL 16 specifications about Directive Overloading.

@github-actions github-actions bot added the state/triage 🚦 Has not been triaged & therefore, not ready for work label Apr 9, 2023
@github-actions
Copy link

github-actions bot commented Apr 9, 2023
edited
Loading

Terraform data for sandbox stack

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Show Validation 
Success! The configuration is valid.

Terraform Plan 📖 success

Show Plan 
kubernetes_config_map.stud42_config: Refreshing state... [id=sandbox/stud42-config]
module.istio.kubectl_manifest.virtual_services["dev-s42-sandbox"]: Refreshing state... [id=/apis/networking.istio.io/v1alpha3/namespaces/sandbox/virtualservices/dev-s42-sandbox]
module.jwtks_service.kubernetes_service.app[0]: Refreshing state... [id=sandbox/jwtks-service]
module.jwtks_service.kubernetes_deployment.app[0]: Refreshing state... [id=sandbox/jwtks-service]
module.jwtks_service.kubernetes_horizontal_pod_autoscaler_v2.app[0]: Refreshing state... [id=sandbox/jwtks-service]
module.jwtks_service.kubernetes_manifest.certificate["grpc-internal"]: Refreshing state...

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

@github-actions
Copy link

github-actions bot commented Apr 9, 2023
edited
Loading

Terraform data for pre-cluster stack

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Show Validation 
Success! The configuration is valid.

Terraform Plan 📖 success

Show Plan 
helm_release.reflector: Refreshing state... [id=reflector]
helm_release.sealed_secret: Refreshing state... [id=sealed-secret]
helm_release.istio_base: Refreshing state... [id=istio-base]
helm_release.rabbitmq_operator: Refreshing state... [id=primary]
kubernetes_namespace.namespace["staging"]: Refreshing state... [id=staging]
kubernetes_namespace.namespace["monitoring"]: Refreshing state... [id=monitoring]
kubernetes_namespace.namespace["production"]: Refreshing state... [id=production]
kubernetes_namespace.namespace["istio-system"]: Refreshing state... [id=istio-system]
kubernetes_namespace.namespace["permission-manager"]: Refreshing state... [id=permission-manager]
kubernetes_namespace.namespace["cert-manager"]: Refreshing state... [id=cert-manager]
kubernetes_namespace.namespace["previews"]: Refreshing state... [id=previews]
kubernetes_namespace.namespace["sandbox"]: Refreshing state... [id=sandbox]
helm_release.gateway: Refreshing state... [id=istio-ingressgateway]
helm_release.istiod: Refreshing state... [id=istiod]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

@github-actions
Copy link

github-actions bot commented Apr 9, 2023
edited
Loading

Terraform data for apps stack

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Show Validation 
Success! The configuration is valid.

Terraform Plan 📖 success

Show Plan 
module.s42.random_password.meilisearch_token: Refreshing state... [id=none]
module.s42.random_password.next_auth_secret: Refreshing state... [id=none]
module.s42.kubernetes_config_map.stud42_config: Refreshing state... [id=production/stud42-config]
module.s42.random_password.postgres: Refreshing state... [id=none]
module.s42.module.meilisearch_clean_tasks.kubernetes_cron_job.app[0]: Refreshing state... [id=production/meilisearch-clean-tasks]
module.s42.module.meilisearch.kubernetes_persistent_volume_claim.app["data"]: Refreshing state... [id=production/meilisearch-data]
module.s42.module.meilisearch.kubernetes_service.app[0]: Refreshing state... [id=production/meilisearch]
module.s42.module.postgres.kubernetes_config_map.app["config"]: Refreshing state... [id=production/postgres-config]
module.s42.module.postgres.kubernetes_service.app[0]: Refreshing state... [id=production/postgres]
module.s42.module.postgres.kubernetes_persistent_volume_claim.app["data"]: Refreshing state... [id=production/postgres-data]
module.s42.module.istio.kubectl_manifest.virtual_services["app-s42"]: Refreshing state... [id=/apis/networking.istio.io/v1alpha3/namespaces/production/virtualservices/app-s42]
module.webhooked.module.webhooked.kubernetes_config_map.app["config"]: Refreshing state... [id=production/webhooked-config]
module.webhooked.module.webhooked.kubernetes_service.app[0]: Refreshing state... [id=production/webhooked]
module.s42.kubernetes_secret.next_auth_secret: Refreshing state... [id=production/next-auth-secret]
module.s42.module.crawler_locations.kubernetes_cron_job.app[0]: Refreshing state... [id=production/crawler-locations]
module.s42.module.webhooks_processor.kubernetes_deployment.app[0]: Refreshing state... [id=production/webhooks-processor]
module.s42.kubernetes_manifest.rabbitmq: Refreshing state...
module.s42.module.meilisearch.kubernetes_stateful_set.app[0]: Refreshing state... [id=production/meilisearch]
module.s42.module.jwtks_service.kubernetes_service.app[0]: Refreshing state... [id=production/jwtks-service]
module.s42.module.jwtks_service.kubernetes_deployment.app[0]: Refreshing state... [id=production/jwtks-service]
module.s42.module.api.kubernetes_deployment.app[0]: Refreshing state... [id=production/api]
module.s42.module.service-token.kubernetes_manifest.sealed_secret["sentry-dsns"]: Refreshing state...
module.s42.module.service-token.kubernetes_manifest.sealed_secret["github-token"]: Refreshing state...
module.webhooked.module.secrets.kubernetes_manifest.sealed_secret["s42-webhooked-secrets"]: Refreshing state...
module.s42.module.service-token.kubernetes_manifest.sealed_secret["discord-token"]: Refreshing state...
module.s42.module.api.kubernetes_service.app[0]: Refreshing state... [id=production/api]
module.s42.module.service-token.kubernetes_manifest.sealed_secret["oauth2-providers"]: Refreshing state...
module.s42.module.meilisearch.kubernetes_secret.app["token"]: Refreshing state... [id=production/meilisearch-token]
module.s42.module.interface.kubernetes_service.app[0]: Refreshing state... [id=production/interface]
module.s42.module.jwtks_service.kubernetes_manifest.certificate["grpc-internal"]: Refreshing state...
module.s42.module.service-token.kubernetes_manifest.sealed_secret["jwtks-service-certs-jwk"]: Refreshing state...
module.s42.module.service-token.kubernetes_manifest.sealed_secret["s42-service-token"]: Refreshing state...
module.s42.module.interface.kubernetes_deployment.app[0]: Refreshing state... [id=production/interface]
module.s42.module.crawler_campus.kubernetes_cron_job.app[0]: Refreshing state... [id=production/crawler-campus]
module.s42.module.postgres.kubernetes_secret.app["credentials"]: Refreshing state... [id=production/postgres-credentials]
module.s42.module.postgres.kubernetes_stateful_set.app[0]: Refreshing state... [id=production/postgres]
module.s42.module.webhooks_processor.kubernetes_horizontal_pod_autoscaler_v2.app[0]: Refreshing state... [id=production/webhooks-processor]
module.s42.module.jwtks_service.kubernetes_horizontal_pod_autoscaler_v2.app[0]: Refreshing state... [id=production/jwtks-service]
module.s42.module.api.kubernetes_horizontal_pod_autoscaler_v2.app[0]: Refreshing state... [id=production/api]
module.s42.kubernetes_pod_disruption_budget.rabbitmq: Refreshing state... [id=production/rabbitmq]
module.s42.module.interface.kubernetes_horizontal_pod_autoscaler_v2.app[0]: Refreshing state... [id=production/interface]
module.webhooked.module.webhooked.kubernetes_deployment.app[0]: Refreshing state... [id=production/webhooked]
module.webhooked.module.webhooked.kubernetes_horizontal_pod_autoscaler_v2.app[0]: Refreshing state... [id=production/webhooked]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.s42.module.api.kubernetes_deployment.app[0] will be updated in-place
  ~ resource "kubernetes_deployment" "app" {
        id               = "production/api"
        # (1 unchanged attribute hidden)

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "api"
            # (5 unchanged attributes hidden)
        }

      ~ spec {
            # (5 unchanged attributes hidden)

          ~ template {
              ~ metadata {
                  ~ labels      = {
                      ~ "version"                      = "v0.22.3" -> "latest"
                        # (4 unchanged elements hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

              ~ spec {
                    # (11 unchanged attributes hidden)

                  ~ container {
                      ~ image                      = "ghcr.io/42atomys/stud42:v0.22.3" -> "ghcr.io/42atomys/stud42:latest"
                        name                       = "api"
                        # (8 unchanged attributes hidden)

                        # (16 unchanged blocks hidden)
                    }

                    # (3 unchanged blocks hidden)
                }
            }

            # (2 unchanged blocks hidden)
        }
    }

  # module.s42.module.api.kubernetes_horizontal_pod_autoscaler_v2.app[0] will be updated in-place
  ~ resource "kubernetes_horizontal_pod_autoscaler_v2" "app" {
        id = "production/api"

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "api"
            # (5 unchanged attributes hidden)
        }

      ~ spec {
          ~ min_replicas                      = 1 -> 2
            # (2 unchanged attributes hidden)

            # (3 unchanged blocks hidden)
        }
    }

  # module.s42.module.api.kubernetes_service.app[0] will be updated in-place
  ~ resource "kubernetes_service" "app" {
        id                     = "production/api"
        # (2 unchanged attributes hidden)

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "api"
            # (5 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.s42.module.crawler_campus.kubernetes_cron_job.app[0] will be updated in-place
  ~ resource "kubernetes_cron_job" "app" {
        id = "production/crawler-campus"

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "crawler-campus"
            # (5 unchanged attributes hidden)
        }

      ~ spec {
            # (6 unchanged attributes hidden)

          ~ job_template {
              ~ metadata {
                  ~ labels      = {
                      ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
                      ~ "version"                      = "v0.22.3" -> "latest"
                        # (5 unchanged elements hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

              ~ spec {
                    # (7 unchanged attributes hidden)

                  ~ template {
                      ~ metadata {
                          ~ labels      = {
                              ~ "version"                      = "v0.22.3" -> "latest"
                                # (5 unchanged elements hidden)
                            }
                            # (2 unchanged attributes hidden)
                        }

                      ~ spec {
                            # (11 unchanged attributes hidden)

                          ~ container {
                              ~ image                      = "ghcr.io/42atomys/stud42:v0.22.3" -> "ghcr.io/42atomys/stud42:latest"
                                name                       = "crawler-campus"
                                # (8 unchanged attributes hidden)

                                # (12 unchanged blocks hidden)
                            }

                            # (3 unchanged blocks hidden)
                        }
                    }
                }
            }
        }
    }

  # module.s42.module.crawler_locations.kubernetes_cron_job.app[0] will be updated in-place
  ~ resource "kubernetes_cron_job" "app" {
        id = "production/crawler-locations"

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "crawler-locations"
            # (5 unchanged attributes hidden)
        }

      ~ spec {
            # (6 unchanged attributes hidden)

          ~ job_template {
              ~ metadata {
                  ~ labels      = {
                      ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
                      ~ "version"                      = "v0.22.3" -> "latest"
                        # (5 unchanged elements hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

              ~ spec {
                    # (7 unchanged attributes hidden)

                  ~ template {
                      ~ metadata {
                          ~ labels      = {
                              ~ "version"                      = "v0.22.3" -> "latest"
                                # (5 unchanged elements hidden)
                            }
                            # (2 unchanged attributes hidden)
                        }

                      ~ spec {
                            # (11 unchanged attributes hidden)

                          ~ container {
                              ~ args                       = [
                                    # (4 unchanged elements hidden)
                                    "locations",
                                  - "-c",
                                  - "53",
                                ]
                              ~ image                      = "ghcr.io/42atomys/stud42:v0.22.3" -> "ghcr.io/42atomys/stud42:latest"
                                name                       = "crawler-locations"
                                # (7 unchanged attributes hidden)

                                # (14 unchanged blocks hidden)
                            }

                            # (3 unchanged blocks hidden)
                        }
                    }
                }
            }
        }
    }

  # module.s42.module.interface.kubernetes_deployment.app[0] will be updated in-place
  ~ resource "kubernetes_deployment" "app" {
        id               = "production/interface"
        # (1 unchanged attribute hidden)

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "interface"
            # (5 unchanged attributes hidden)
        }

      ~ spec {
            # (5 unchanged attributes hidden)

          ~ template {
              ~ metadata {
                  ~ labels      = {
                      ~ "version"                      = "v0.22.3" -> "latest"
                        # (4 unchanged elements hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

              ~ spec {
                    # (11 unchanged attributes hidden)

                  ~ container {
                      ~ image                      = "ghcr.io/42atomys/stud42:v0.22.3" -> "ghcr.io/42atomys/stud42:latest"
                        name                       = "interface"
                        # (8 unchanged attributes hidden)

                        # (19 unchanged blocks hidden)
                    }

                    # (4 unchanged blocks hidden)
                }
            }

            # (2 unchanged blocks hidden)
        }
    }

  # module.s42.module.interface.kubernetes_horizontal_pod_autoscaler_v2.app[0] will be updated in-place
  ~ resource "kubernetes_horizontal_pod_autoscaler_v2" "app" {
        id = "production/interface"

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "interface"
            # (5 unchanged attributes hidden)
        }

      ~ spec {
          ~ min_replicas                      = 1 -> 2
            # (2 unchanged attributes hidden)

            # (3 unchanged blocks hidden)
        }
    }

  # module.s42.module.interface.kubernetes_service.app[0] will be updated in-place
  ~ resource "kubernetes_service" "app" {
        id                     = "production/interface"
        # (2 unchanged attributes hidden)

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "interface"
            # (5 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.s42.module.jwtks_service.kubernetes_deployment.app[0] will be updated in-place
  ~ resource "kubernetes_deployment" "app" {
        id               = "production/jwtks-service"
        # (1 unchanged attribute hidden)

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "jwtks-service"
            # (5 unchanged attributes hidden)
        }

      ~ spec {
          ~ replicas                  = "10" -> "1"
            # (4 unchanged attributes hidden)

          ~ template {
              ~ metadata {
                  ~ labels      = {
                      ~ "version"                      = "v0.22.3" -> "latest"
                        # (4 unchanged elements hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

              ~ spec {
                    # (11 unchanged attributes hidden)

                  ~ container {
                      ~ image                      = "ghcr.io/42atomys/stud42:v0.22.3" -> "ghcr.io/42atomys/stud42:latest"
                        name                       = "jwtks-service"
                        # (8 unchanged attributes hidden)

                      ~ env {
                          ~ name  = "DEBUG" -> "S42_SERVICE_TOKEN"
                          - value = "true" -> null

                          + value_from {

                              + secret_key_ref {
                                  + key  = "TOKEN"
                                  + name = "s42-service-token"
                                }
                            }
                        }
                      ~ env {
                          ~ name = "S42_SERVICE_TOKEN" -> "SENTRY_DSN"

                          ~ value_from {

                              ~ secret_key_ref {
                                  ~ key      = "TOKEN" -> "JWTKS_SERVICE_DSN"
                                  ~ name     = "s42-service-token" -> "sentry-dsns"
                                    # (1 unchanged attribute hidden)
                                }
                            }
                        }
                      ~ env {
                          ~ name  = "SENTRY_DSN" -> "GO_ENV"
                          + value = "production"

                          - value_from {

                              - secret_key_ref {
                                  - key      = "JWTKS_SERVICE_DSN" -> null
                                  - name     = "sentry-dsns" -> null
                                  - optional = false -> null
                                }
                            }
                        }
                      - env {
                          - name  = "GO_ENV" -> null
                          - value = "production" -> null
                        }

                      ~ resources {
                          ~ limits   = {
                              ~ "memory" = "100Mi" -> "40Mi"
                            }
                          ~ requests = {
                              ~ "cpu"    = "100m" -> "60m"
                                # (1 unchanged element hidden)
                            }
                        }

                        # (6 unchanged blocks hidden)
                    }

                    # (5 unchanged blocks hidden)
                }
            }

            # (2 unchanged blocks hidden)
        }
    }

  # module.s42.module.jwtks_service.kubernetes_horizontal_pod_autoscaler_v2.app[0] will be updated in-place
  ~ resource "kubernetes_horizontal_pod_autoscaler_v2" "app" {
        id = "production/jwtks-service"

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "jwtks-service"
            # (5 unchanged attributes hidden)
        }

      ~ spec {
          ~ min_replicas                      = 10 -> 2
            # (2 unchanged attributes hidden)

            # (3 unchanged blocks hidden)
        }
    }

  # module.s42.module.jwtks_service.kubernetes_manifest.certificate["grpc-internal"] will be updated in-place
  ~ resource "kubernetes_manifest" "certificate" {
      ~ manifest = {
          ~ metadata   = {
              ~ labels    = {
                  ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
                  ~ version                        = "v0.22.3" -> "latest"
                    # (5 unchanged elements hidden)
                }
                name      = "jwtks-service-grpc-internal"
                # (1 unchanged element hidden)
            }
            # (3 unchanged elements hidden)
        }
      ~ object   = {
          ~ metadata   = {
              ~ labels                     = {
                  - "app"                          = "jwtks-service"
                  - "app.kubernetes.io/created-by" = "github-actions"
                  - "app.kubernetes.io/managed-by" = "terraform"
                  - "app.kubernetes.io/part-of"    = "jwtks-service"
                  - "app.kubernetes.io/version"    = "v0.22.3"
                  - "kubernetes.io/name"           = "jwtks-service"
                  - "version"                      = "v0.22.3"
                } -> (known after apply)
                name                       = "jwtks-service-grpc-internal"
                # (14 unchanged elements hidden)
            }
            # (3 unchanged elements hidden)
        }
    }

  # module.s42.module.jwtks_service.kubernetes_service.app[0] will be updated in-place
  ~ resource "kubernetes_service" "app" {
        id                     = "production/jwtks-service"
        # (2 unchanged attributes hidden)

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "jwtks-service"
            # (5 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }

  # module.s42.module.webhooks_processor.kubernetes_deployment.app[0] will be updated in-place
  ~ resource "kubernetes_deployment" "app" {
        id               = "production/webhooks-processor"
        # (1 unchanged attribute hidden)

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "webhooks-processor"
            # (5 unchanged attributes hidden)
        }

      ~ spec {
            # (5 unchanged attributes hidden)

          ~ template {
              ~ metadata {
                  ~ labels      = {
                      ~ "version"                      = "v0.22.3" -> "latest"
                        # (5 unchanged elements hidden)
                    }
                    # (2 unchanged attributes hidden)
                }

              ~ spec {
                    # (11 unchanged attributes hidden)

                  ~ container {
                      ~ image                      = "ghcr.io/42atomys/stud42:v0.22.3" -> "ghcr.io/42atomys/stud42:latest"
                        name                       = "webhooks-processor"
                        # (8 unchanged attributes hidden)

                        # (20 unchanged blocks hidden)
                    }

                    # (3 unchanged blocks hidden)
                }
            }

            # (2 unchanged blocks hidden)
        }
    }

  # module.s42.module.webhooks_processor.kubernetes_horizontal_pod_autoscaler_v2.app[0] will be updated in-place
  ~ resource "kubernetes_horizontal_pod_autoscaler_v2" "app" {
        id = "production/webhooks-processor"

      ~ metadata {
          ~ labels           = {
              ~ "app.kubernetes.io/version"    = "v0.22.3" -> "latest"
              ~ "version"                      = "v0.22.3" -> "latest"
                # (5 unchanged elements hidden)
            }
            name             = "webhooks-processor"
            # (5 unchanged attributes hidden)
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 14 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: apps-tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "apps-tfplan"

@github-actions
Copy link

github-actions bot commented Apr 9, 2023
edited
Loading

Terraform data for cluster stack

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Show Validation 
Success! The configuration is valid.

Terraform Plan 📖 success

Show Plan 
module.grafana.kubernetes_persistent_volume_claim.app["data"]: Refreshing state... [id=monitoring/grafana-data]
module.cert_manager.helm_release.cert_manager: Refreshing state... [id=cert-manager]
module.istio.kubectl_manifest.gateways["app-s42-next"]: Refreshing state... [id=/apis/networking.istio.io/v1alpha3/namespaces/staging/gateways/app-s42-next]
module.istio.kubectl_manifest.gateways["app-s42"]: Refreshing state... [id=/apis/networking.istio.io/v1alpha3/namespaces/production/gateways/app-s42]
module.istio.kubectl_manifest.gateways["app-s42-dashboards"]: Refreshing state... [id=/apis/networking.istio.io/v1alpha3/namespaces/monitoring/gateways/app-s42-dashboards]
module.grafana.kubernetes_service.app[0]: Refreshing state... [id=monitoring/grafana]
module.istio.kubectl_manifest.gateways["dev-s42-previews"]: Refreshing state... [id=/apis/networking.istio.io/v1alpha3/namespaces/previews/gateways/dev-s42-previews]
module.prometheus.kubernetes_persistent_volume_claim.app["data"]: Refreshing state... [id=monitoring/prometheus-data]
module.prometheus.kubernetes_config_map.app["config"]: Refreshing state... [id=monitoring/prometheus-config]
module.istio.kubectl_manifest.gateways["dev-s42-sandbox"]: Refreshing state... [id=/apis/networking.istio.io/v1alpha3/namespaces/sandbox/gateways/dev-s42-sandbox]
module.prometheus.kubernetes_service.app[0]: Refreshing state... [id=monitoring/prometheus]
module.grafana.kubernetes_deployment.app[0]: Refreshing state... [id=monitoring/grafana]
kubernetes_role.loki: Refreshing state... [id=monitoring/loki]
module.tempo.kubernetes_config_map.app["config"]: Refreshing state... [id=monitoring/tempo-config]
module.tempo.kubernetes_service.app[0]: Refreshing state... [id=monitoring/tempo]
kubernetes_service_account.prometheus: Refreshing state... [id=monitoring/prometheus]
kubernetes_service_account.tempo: Refreshing state... [id=monitoring/tempo]
module.promtail.kubernetes_service.app[0]: Refreshing state... [id=monitoring/promtail]
module.cert_manager.null_resource.cert_manager_ovh_source: Refreshing state... [id=6901452211892208863]
kubernetes_service_account.promtail: Refreshing state... [id=monitoring/promtail]
kubernetes_cluster_role.prometheus: Refreshing state... [id=prometheus]
kubernetes_cluster_role.promtail: Refreshing state... [id=promtail]
module.monitoring_routing.kubectl_manifest.virtual_services["app-s42-dashboards"]: Refreshing state... [id=/apis/networking.istio.io/v1alpha3/namespaces/monitoring/virtualservices/app-s42-dashboards]
module.tempo.kubernetes_persistent_volume_claim.app["data"]: Refreshing state... [id=monitoring/tempo-data]
module.promtail.kubernetes_config_map.app["config"]: Refreshing state... [id=monitoring/promtail-config]
kubernetes_service_account.loki: Refreshing state... [id=monitoring/loki]
module.promtail.kubernetes_daemonset.app[0]: Refreshing state... [id=monitoring/promtail]
module.loki.kubernetes_service.app[0]: Refreshing state... [id=monitoring/loki]
module.loki.kubernetes_persistent_volume_claim.app["data"]: Refreshing state... [id=monitoring/loki-data]
module.loki.kubernetes_config_map.app["config"]: Refreshing state... [id=monitoring/loki-config]
module.prometheus.kubernetes_stateful_set.app[0]: Refreshing state... [id=monitoring/prometheus]
module.tempo.kubernetes_stateful_set.app[0]: Refreshing state... [id=monitoring/tempo]
kubernetes_cluster_role_binding.prometheus: Refreshing state... [id=prometheus]
kubernetes_cluster_role_binding.promtail: Refreshing state... [id=promtail]
kubernetes_role_binding.loki: Refreshing state... [id=monitoring/loki]
module.cert_manager.kubernetes_role.cert_manager_webhook_ovh_secret_reader: Refreshing state... [id=cert-manager/cert-manager-webhook-ovh:secret-reader]
module.cert_manager.kubectl_manifest.certificates["app-s42"]: Refreshing state... [id=/apis/cert-manager.io/v1/namespaces/istio-system/certificates/app-s42]
module.cert_manager.kubectl_manifest.certificates["app-s42-dashboards"]: Refreshing state... [id=/apis/cert-manager.io/v1/namespaces/istio-system/certificates/app-s42-dashboards]
module.cert_manager.kubectl_manifest.certificates["app-s42-next"]: Refreshing state... [id=/apis/cert-manager.io/v1/namespaces/istio-system/certificates/app-s42-next]
module.cert_manager.kubectl_manifest.certificates["dev-s42-previews"]: Refreshing state... [id=/apis/cert-manager.io/v1/namespaces/istio-system/certificates/dev-s42-previews]
module.cert_manager.kubectl_manifest.certificates["dev-s42-sandbox"]: Refreshing state... [id=/apis/cert-manager.io/v1/namespaces/istio-system/certificates/dev-s42-sandbox]
module.loki.kubernetes_stateful_set.app[0]: Refreshing state... [id=monitoring/loki]
module.cert_manager.kubernetes_role_binding.cert_manager_webhook_ovh_secret_reader: Refreshing state... [id=cert-manager/cert-manager-webhook-ovh:secret-reader]
module.cert_manager.helm_release.cert_manager_ovh: Refreshing state... [id=cert-manager-webhook-ovh]
module.secrets.kubernetes_manifest.sealed_secret["ovh-credentials"]: Refreshing state...
module.secrets.kubernetes_manifest.sealed_secret["ghcr-creds"]: Refreshing state...
module.cert_manager.kubectl_manifest.self_signed_issuers["selfsigned-issuer"]: Refreshing state... [id=/apis/cert-manager.io/v1/clusterissuers/selfsigned-issuer]
module.cert_manager.kubectl_manifest.issuers["ovh-staging-issuer"]: Refreshing state... [id=/apis/cert-manager.io/v1/clusterissuers/ovh-staging-issuer]
module.cert_manager.kubectl_manifest.issuers["ovh-issuer"]: Refreshing state... [id=/apis/cert-manager.io/v1/clusterissuers/ovh-issuer]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Warning: "default_secret_name" is no longer applicable for Kubernetes v1.24.0 and above

  with kubernetes_service_account.prometheus,
  on monitoring.tf line 73, in resource "kubernetes_service_account" "prometheus":
  73: resource "kubernetes_service_account" "prometheus" {

Starting from version 1.24.0 Kubernetes does not automatically generate a
token for service accounts, in this case, "default_secret_name" will be empty

(and 3 more similar warnings elsewhere)

@42atomys 42atomys self-assigned this Apr 9, 2023
@42atomys 42atomys merged commit a70bfc7 into main Apr 9, 2023
@42atomys 42atomys deleted the checkout-412-fix-uncontrolled-resource-consumption branch April 9, 2023 18:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@42atomys 42atomys

Labels
state/triage 🚦 Has not been triaged & therefore, not ready for work
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fix: uncontrolled resource consumption
1 participant
@42atomys