chore(deps): aggregated renovate updates and addressed CVEs (#136)

chore(deps): update all non-major dependencies

chore(deps): update container-images

chore: removed npmrc to prevent renovate from using it for dependency lookups

chore(deps): updated to fix CVE-2023-37920

chore(deps): update to address CVE-2023-36665

chore: ignore disputed CVE-2023-39017

chore: drop resource requests/limits from helm chart tests

chore(deps): updated kube-powertools to v2

chore(helm): switched to OCI-based image installation where available

docs: dropped note about auto-generated postgres secret - the bitnami chart uses lookup now

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/ct/ct.yaml

@@ -9,10 +9,7 @@ validate-yaml: true
 check-version-increment: false
 chart-dirs:
   - charts
-helm-extra-args: --timeout 300s
 upgrade: true
 skip-missing-values: true
 release-label: release
-chart-repos:
-  - bitnami=https://charts.bitnami.com/bitnami
 release-notes-file: CHANGELOG.md

.github/ct/install.yaml

@@ -1,10 +1,7 @@
 chart-dirs:
   - charts
 chart-repos:
-  - bitnami=https://charts.bitnami.com/bitnami
-  - chgl=https://chgl.github.io/charts
   - codecentric=https://codecentric.github.io/helm-charts
   - hapifhir=https://hapifhir.github.io/hapi-fhir-jpaserver-starter
-  - miracum=https://miracum.github.io/charts
 debug: true
 remote: origin

.github/workflows/helm-lint.yaml

@@ -13,7 +13,7 @@ permissions: read-all
 jobs:
   lint:
     runs-on: ubuntu-22.04
-    container: ghcr.io/chgl/kube-powertools:v1.23.7@sha256:9fbd9806165d2d62a555ada53d458cd9e1b6595787b69b688f235b1fdaaba141
+    container: ghcr.io/chgl/kube-powertools:v2.1.28@sha256:74c2ec2b1ac6d33891aaca488d5732a61668039fb0ccf2b9c883ed3df9ec463a
     steps:
       - name: Add workspace as safe directory
         run: |
@@ -24,6 +24,10 @@ jobs:
         with:
           fetch-depth: 0
 
+      # via <https://github.com/helm/chart-testing/issues/577>
+      - run: |
+          git branch "master" "origin/master"
+
       - name: Check if documentation is up-to-date
         run: |
           generate-docs.sh

.github/workflows/release.yaml

@@ -101,7 +101,7 @@ jobs:
   publish-kyverno-policies:
     name: publish kyverno policies
     runs-on: ubuntu-22.04
-    container: ghcr.io/chgl/kube-powertools:v1.23.7@sha256:6d575cad3af3d4febf1789ba6c88b1fd80ba4b75ec792dbffba54868acb045e0
+    container: ghcr.io/chgl/kube-powertools:v2.1.28@sha256:74c2ec2b1ac6d33891aaca488d5732a61668039fb0ccf2b9c883ed3df9ec463a
     continue-on-error: true
     steps:
       - name: Checkout

.github/workflows/reset-chart-changelog-annotations.yaml

@@ -13,7 +13,7 @@ jobs:
   reset-commit-and-push:
     name: reset changelog annotations, commit, and push
     runs-on: ubuntu-22.04
-    container: ghcr.io/chgl/kube-powertools:v1.23.7@sha256:9fbd9806165d2d62a555ada53d458cd9e1b6595787b69b688f235b1fdaaba141
+    container: ghcr.io/chgl/kube-powertools:v2.1.28@sha256:74c2ec2b1ac6d33891aaca488d5732a61668039fb0ccf2b9c883ed3df9ec463a
     permissions:
       contents: write
     steps:

.github/workflows/yamllint.yaml

@@ -18,7 +18,7 @@ jobs:
   yamllint:
     runs-on: ubuntu-22.04
     # contains yamllint
-    container: ghcr.io/chgl/kube-powertools:v1.23.7@sha256:9fbd9806165d2d62a555ada53d458cd9e1b6595787b69b688f235b1fdaaba141
+    container: ghcr.io/chgl/kube-powertools:v2.1.28@sha256:74c2ec2b1ac6d33891aaca488d5732a61668039fb0ccf2b9c883ed3df9ec463a
     steps:
       - name: Checkout
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

.polaris.yaml

@@ -0,0 +1,44 @@
+checks:
+  # reliability
+  deploymentMissingReplicas: ignore
+  priorityClassNotSet: ignore
+  tagNotSpecified: danger
+  pullPolicyNotAlways: ignore
+  readinessProbeMissing: danger
+  livenessProbeMissing: danger
+  metadataAndInstanceMismatched: ignore
+  pdbDisruptionsIsZero: warning
+  missingPodDisruptionBudget: ignore
+  topologySpreadConstraint: ignore
+
+  # efficiency
+  cpuRequestsMissing: ignore
+  cpuLimitsMissing: ignore
+  memoryRequestsMissing: ignore
+  memoryLimitsMissing: ignore
+
+  # security
+  automountServiceAccountToken: ignore
+  hostIPCSet: danger
+  hostPIDSet: danger
+  linuxHardening: danger
+  missingNetworkPolicy: ignore
+  notReadOnlyRootFilesystem: warning
+  privilegeEscalationAllowed: danger
+  runAsRootAllowed: danger
+  runAsPrivileged: danger
+  dangerousCapabilities: danger
+  insecureCapabilities: warning
+  hostNetworkSet: danger
+  hostPortSet: warning
+  tlsSettingsMissing: warning
+  sensitiveContainerEnvVar: ignore
+  sensitiveConfigmapContent: danger
+  clusterrolePodExecAttach: danger
+  rolePodExecAttach: danger
+  clusterrolebindingPodExecAttach: danger
+  rolebindingClusterRolePodExecAttach: danger
+  rolebindingRolePodExecAttach: danger
+  clusterrolebindingClusterAdmin: danger
+  rolebindingClusterAdminClusterRole: danger
+  rolebindingClusterAdminRole: danger

.trivyignore

@@ -10,3 +10,7 @@ CVE-2023-34104
 # Image user should not be 'root'
 # this is only used by the cypress image
 AVD-DS-0002
+
+# this is disputed by multiple parties because it is not plausible that untrusted
+# user input would reach the code location where injection must occur.
+CVE-2023-39017

Taskfile.yaml

@@ -14,12 +14,8 @@ tasks:
 
   helm-add-repos:
     cmds:
-      - helm repo add argo https://argoproj.github.io/argo-helm
-      - helm repo add bitnami https://charts.bitnami.com/bitnami
       - helm repo add codecentric https://codecentric.github.io/helm-charts
-      - helm repo add chgl https://chgl.github.io/charts
       - helm repo add hapifhir https://hapifhir.github.io/hapi-fhir-jpaserver-starter
-      - helm repo add miracum https://miracum.github.io/charts
 
   helm-update-dependencies:
     cmds:
@@ -32,11 +28,11 @@ tasks:
       - kind create cluster
       - kubectl create namespace recruit
       - |
-        helm upgrade --install argo-workflows argo/argo-workflows \
+        helm upgrade --install argo-workflows oci://ghcr.io/argoproj/argo-helm/argo-workflows \
           --create-namespace \
           -n argo-workflows \
           -f tests/chaos/argo-workflows-values.yaml \
-          --version 0.22.14
+          --version 0.33.2
 
   e2e-k8s:
     cmds:

charts/recruit/Chart.lock

@@ -1,18 +1,18 @@
 dependencies:
 - name: hapi-fhir-jpaserver
   repository: https://hapifhir.github.io/hapi-fhir-jpaserver-starter
-  version: 0.12.0
+  version: 0.13.0
 - name: mailhog
   repository: https://codecentric.github.io/helm-charts
   version: 5.2.3
 - name: ohdsi
   repository: oci://ghcr.io/chgl/charts
-  version: 0.21.6
+  version: 0.21.7
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 12.5.6
 - name: fhir-pseudonymizer
   repository: oci://ghcr.io/miracum/charts
-  version: 0.4.3
-digest: sha256:340ac69550eb491f3c517f0807be000c9bd3a5709b603f14695926a00a849544
-generated: "2023-06-26T12:54:56.791682743+02:00"
+  version: 0.5.3
+digest: sha256:8f44772ab433b66d1135c8b60ea921bf5018711dbc0052938a36b636aa783595
+generated: "2023-09-07T19:15:55.796403352Z"

charts/recruit/Chart.yaml

@@ -22,22 +22,22 @@ dependencies:
     alias: fhirserver
     name: hapi-fhir-jpaserver
     repository: https://hapifhir.github.io/hapi-fhir-jpaserver-starter
-    version: 0.12.0
+    version: 0.13.0
   - condition: mailhog.enabled
     name: mailhog
     repository: https://codecentric.github.io/helm-charts
     version: 5.2.3
   - condition: ohdsi.enabled
     name: ohdsi
     repository: oci://ghcr.io/chgl/charts
-    version: 0.21.6
+    version: 0.21.7
   - name: postgresql
     version: 12.5.6
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
   - condition: fhir-pseudonymizer.enabled
     name: fhir-pseudonymizer
-    version: 0.4.3
+    version: 0.5.3
     repository: oci://ghcr.io/miracum/charts
 # x-release-please-start-version
 version: 10.1.3

charts/recruit/README.md

@@ -19,9 +19,6 @@ See [UPGRADING.md](./docs/UPGRADING.md) for information on breaking changes intr
 helm install recruit oci://ghcr.io/miracum/recruit/charts/recruit -n recruit
 ```
 
-> ⚠ By default, the included [PostgreSQL Helm chart](https://github.com/bitnami/charts/tree/main/bitnami/postgresql#upgrading)
-> auto-generates a random password for the database which may cause problems when upgrading the chart (see [here for details](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrading)).
-
 ## Values
 
 | Key                                               | Type   | Default                                                                                                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
@@ -165,6 +162,7 @@ helm install recruit oci://ghcr.io/miracum/recruit/charts/recruit -n recruit
 | query.webAPI.auth.username                        | string | `""`                                                                                                                                 | the username to login as. Note that this user needs permissions to query and generate cohorts                                                                                                                                                                                                                                                                                                                                                                      |
 | query.webAPI.dataSource                           | string | `"CDS-CDMV5"`                                                                                                                        | name of the OMOP datasource used to generate the cohorts from.                                                                                                                                                                                                                                                                                                                                                                                                     |
 | query.webAPI.url                                  | string | `"http://example:8080/WebAPI"`                                                                                                       | URL of the ATLAS WebAPI endpoint. Usually ends in /WebAPI.                                                                                                                                                                                                                                                                                                                                                                                                         |
+| tests.resources                                   | object | `{}`                                                                                                                                 | configure the test pods resource requests and limits                                                                                                                                                                                                                                                                                                                                                                                                               |
 | waitForPostgresInitContainer                      | object | `{}`                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
 
 ## Configure Notifcation Rules

charts/recruit/README.md.gotmpl

@@ -19,9 +19,6 @@ See [UPGRADING.md](./docs/UPGRADING.md) for information on breaking changes intr
 helm install recruit oci://ghcr.io/miracum/recruit/charts/recruit -n recruit
 ```
 
-> ⚠ By default, the included [PostgreSQL Helm chart](https://github.com/bitnami/charts/tree/main/bitnami/postgresql#upgrading)
-> auto-generates a random password for the database which may cause problems when upgrading the chart (see [here for details](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrading)).
-
 {{ template "chart.valuesSection" . }}
 
 ## Configure Notifcation Rules

charts/recruit/templates/tests/check-all-health-probes.yaml

@@ -21,13 +21,10 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.tests.resources }}
       resources:
-        limits:
-          cpu: 50m
-          memory: 64Mi
-        requests:
-          cpu: 50m
-          memory: 64Mi
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       livenessProbe:
         exec:
           command: ["true"]
@@ -45,13 +42,10 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.tests.resources }}
       resources:
-        limits:
-          cpu: 50m
-          memory: 64Mi
-        requests:
-          cpu: 50m
-          memory: 64Mi
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       livenessProbe:
         exec:
           command: ["true"]
@@ -69,13 +63,10 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.tests.resources }}
       resources:
-        limits:
-          cpu: 50m
-          memory: 64Mi
-        requests:
-          cpu: 50m
-          memory: 64Mi
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       livenessProbe:
         exec:
           command: ["true"]

charts/recruit/values.yaml

@@ -669,9 +669,19 @@ curl: # +doc-gen:ignore
   image:
     registry: docker.io
     repository: curlimages/curl
-    tag: 8.1.2@sha256:fcf8b68aa7af25898d21b47096ceb05678665ae182052283bd0d7128149db55f
+    tag: 8.2.1@sha256:bb0843a1307b1aa73f65f24379d11dde881c16db62ba50810de0c64d48e740ed
 
 broadseaAtlasdb:
   # -- whether to deploy the OHDSI Broadsea Atlasdb (<https://github.com/OHDSI/Broadsea-Atlasdb>)
   # currently only used by internal integration tests. See [./values-integrationtest.yaml](values-integrationtest.yaml)
   enabled: false
+
+tests:
+  # -- configure the test pods resource requests and limits
+  resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi

docker-compose/docker-compose.probe.yaml

@@ -1,6 +1,6 @@
 services:
   health-probes:
-    image: docker.io/curlimages/curl:8.1.1@sha256:5af13420d29b7aa7007419347519984ce44778aaf89c475c25edc9b48ca125b2
+    image: docker.io/curlimages/curl:8.2.1@sha256:bb0843a1307b1aa73f65f24379d11dde881c16db62ba50810de0c64d48e740ed
     ipc: private
     security_opt:
       - "no-new-privileges:true"

docker-compose/docker-compose.staging.yaml

@@ -1,6 +1,6 @@
 services:
   traefik:
-    image: docker.io/library/traefik:v2.10.1@sha256:7347d4d189642064337fe4eb615d14de2d44f287cb7e1189752fb7399a5ad843
+    image: docker.io/library/traefik:2.10.4@sha256:429f3398a3cd1aa7436aa4f59d809040d3903506a9d83bee61688bb1429c7693
     restart: unless-stopped
     ipc: none
     security_opt:
@@ -151,7 +151,7 @@ services:
       POSTGRES_DB: fhir
 
   maildev:
-    image: docker.io/maildev/maildev:2.0.5@sha256:082ec5ee92266c6e17493998ff1bf1c3eb70604b159fbeeaa435ee777f5cc953
+    image: docker.io/maildev/maildev:2.1.0@sha256:f7429227b8f471b3fe761767d86a8794a2fc7488bccdcda46ea6d5ba5c2c7bf5
     restart: unless-stopped
     ipc: none
     security_opt:

docs/deployment/kubernetes.md

@@ -30,16 +30,6 @@ helm install -n recruit \
   recruit oci://ghcr.io/miracum/recruit/charts/recruit
 ```
 
-!!! warning "Auto generated default passwords for the included databases"
-
-    The included HAPI FHIR server, OHDSI, and - if high-availability is enabled - recruIT chart itself depend on the
-    [Bitnami PostgreSQL chart](https://github.com/bitnami/charts/tree/master/bitnami/postgresql). By default, this chart
-    generates a random password for the `postgres` user unless either `auth.postgresPassword` or `auth.existingSecret`
-    are set. Upgrading the release (or simply re-running `helm upgrade --install`) will generate a new password which
-    will result in credential errors and the PostgreSQL pod will fail to start. You should therefore overwrite these
-    parameters or set them after the initial install. The `--render-subchart-notes` flag above will also print this
-    note.
-
 As a quick check to make sure everything is running correctly, you can use the following to check the readiness of all services:
 
 ```sh

src/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/gradle:8.1.1-jdk17@sha256:e7a4bc8f4ee27feae2eac4de61ca64406b7137e6f6b107052accd24bf0806043 AS build
+FROM docker.io/library/gradle:8.3.0-jdk17@sha256:5f4ab273b15961c5f22969136ea884ca0343f1d8b2df5c4c6fe0ca8939b401b1 AS build
 WORKDIR /home/gradle/src
 ENV GRADLE_USER_HOME="/gradle"
 
@@ -24,7 +24,7 @@ ENV TZ="UTC"
 RUN gradle ":${MODULE_NAME}:test" && \
     gradle jacocoTestReport
 
-FROM gcr.io/distroless/java17-debian11:nonroot@sha256:61463fa9d1bb9994de4e50e71f3e487d0e61f1676e26306388a743ff96311777
+FROM gcr.io/distroless/java17-debian11:nonroot@sha256:41af86bc38476afb89e640959585e4fc81104bd9c56303c24b749cc3644b79a8
 WORKDIR /app
 
 COPY --from=build /home/gradle/src/opentelemetry-javaagent.jar ./opentelemetry-javaagent.jar

src/buildSrc/build.gradle

@@ -15,10 +15,10 @@ repositories {
 }
 
 dependencies {
-    implementation 'org.springframework.boot:spring-boot-gradle-plugin:3.1.1'
-    implementation 'io.spring.gradle:dependency-management-plugin:1.1.0'
+    implementation 'org.springframework.boot:spring-boot-gradle-plugin:3.1.3'
+    implementation 'io.spring.gradle:dependency-management-plugin:1.1.3'
     implementation 'com.google.cloud.tools:jib-gradle-plugin:3.3.2'
-    implementation 'com.diffplug.spotless:spotless-plugin-gradle:6.19.0'
+    implementation 'com.diffplug.spotless:spotless-plugin-gradle:6.21.0'
     implementation 'io.freefair.gradle:lombok-plugin:6.6.3'
-    implementation 'de.undercouch:gradle-download-task:5.4.0'
+    implementation 'de.undercouch:gradle-download-task:5.5.0'
 }