
CH-226 CH-229 security updates #822

Merged
filippomc merged 26 commits into develop from feature/CH-226
Nov 21, 2025

Conversation

@filippomc
Collaborator

@filippomc filippomc commented Oct 23, 2025

Closes CH-226
Closes CH-229
Also fixes the unrelated CH-207 (Closes CH-207)

Some of the changes included in this PR are low impact breaking changes:

  • changed sentry sid source (at works, sentry won't work)
  • regenerating the codefresh pipelines is recommended

Implemented solution

CH-226 Applications and the template based on Connexion (python/flask server openapi generator) now support Connexion 3+
CH-229 base images have all been updated; minimal Debian trixie is now used as a base
CH-207 base image names changed to better scope vulnerabilities in applications vs cloud harness

  • removed sentry sid handling in the common microservice in order to remove the unnecessary dependency on the microservice itself

How to test this PR

https://samples.test-ch.dev.metacell.us/ https://workflows.test-ch.dev.metacell.us/ https://common.test-ch.dev.metacell.us/ are deployed with the test pipeline. Might also be useful to test a new generated application.
...

Sanity checks:

  • The pull request is explicitly linked to the relevant issue(s)
  • The issue is well described: clearly states the problem and the general proposed solution(s)
  • In this PR it is explicitly stated how to test the current change
  • The labels in the issue set the scope and the type of issue (bug, feature, etc.)
  • The relevant components are indicated in the issue (if any)
  • All the automated test checks are passing
  • All the linked issues are included in one Sprint
  • All the linked issues are in the Review state
  • All the linked issues are assigned

Breaking changes (select one):

  • The present changes do not change the preexisting api in any way
  • This PR and the issue are tagged as a breaking-change and the migration procedure is well described above

Possible deployment updates issues (select one):

  • There is no reason why deployments based on CloudHarness may break after the current update
  • This PR and the issue are tagged as alert:deployment

Test coverage (select one):

  • Tests for the relevant cases are included in this pr
  • The changes included in this pr are out of the current test coverage scope

Documentation (select one):

  • The documentation has been updated to match the current changes
  • The changes included in this PR are out of the current documentation scope

Nice to have (if relevant):

  • Screenshots of the changes
  • Explanatory video/animated gif

@filippomc filippomc marked this pull request as draft October 23, 2025 13:52
@filippomc filippomc requested a review from Copilot October 23, 2025 13:52
Contributor

Copilot AI left a comment


Pull Request Overview

This PR upgrades Connexion from version 2.14.2 to version 3.x across the CloudHarness framework and its applications, addressing compatibility issues with the newer API framework version.

Key changes:

  • Migrates from Connexion 2.x to 3.x with corresponding Flask compatibility updates
  • Replaces Flask-CORS with custom CORS handling compatible with Connexion 3.x
  • Updates error handling to work with Connexion 3.x's new exception handling paradigm

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 7 comments.

Summary per file:

  • libraries/cloudharness-common/cloudharness/utils/server.py: Core server initialization logic updated for Connexion 3.x compatibility, including JSON encoder changes, CORS setup, and error handling refactoring
  • infrastructure/common-images/cloudharness-flask/requirements.txt: Updated dependency versions for Connexion 3.x, Flask 2.x+, and added uvicorn
  • infrastructure/cluster-configuration/storageclass.yaml: Fixed Kubernetes StorageClass field name from deprecated volumeProvisioner to provisioner
  • infrastructure/cluster-configuration/storageclass-dockerdesktop.yaml: Added new StorageClass configuration for Docker Desktop environments
  • deployment/codefresh-test.yaml: Reorganized CI/CD build steps and updated build order for application images
  • deployment-configuration/helm/templates/ingress.yaml: Added support for whitelisted URI mappings in secured applications and proxy buffering configuration
  • applications/*/requirements.txt: Updated Connexion and related dependencies to version 3.x across all applications
  • applications/samples/tasks/sum/Dockerfile: Changed base image from CLOUDHARNESS_BASE to SAMPLES
  • applications/samples/backend/samples/controllers/test_controller.py: Removed environment variable validation logic from ping endpoint
  • applications/common/server/common/main.py: Removed Flask-CORS initialization as CORS is now handled centrally
  • application-templates/flask-server/backend/requirements.txt: Updated template dependencies to Connexion 3.x


try:
import flask
request = flask.request if flask.has_request_context() else None
except:
Copilot AI Oct 23, 2025


Bare except: clause catches all exceptions including system-exiting exceptions. Use except Exception: to catch only standard exceptions.

Suggested change
except:
except Exception:

afonsobspinto

This comment was marked as off-topic.

@filippomc filippomc marked this pull request as ready for review November 19, 2025 15:58
@filippomc filippomc requested a review from alxbrd November 19, 2025 15:59
@filippomc filippomc changed the title CH-226 connexion apps upgrade CH-226 CH-229 security updates Nov 19, 2025
@filippomc filippomc added the alert:deployment Something may break in the scope of this issue/pr in existing deployments label Nov 19, 2025
@@ -1,4 +1,4 @@
FROM quay.io/keycloak/keycloak:26.3.5
FROM quay.io/keycloak/keycloak:26.4
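Review bot: the new tag 26.4 on the FROM line floats across Keycloak patch releases, so two builds of this Dockerfile can pull different binaries and nothing in the repository records which one a given environment runs, whereas the line it replaces (26.3.5) named an exact release. Pin the full version, or better the image digest, and let the dependency-update bot open each bump as its own reviewable change; that keeps the fast patch cadence discussed below while making every build reproducible and every vulnerability-scan result attributable to a known version.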
Contributor


This automatically updates to the latest minor version. It could lead to having different versions across envs for the same app.

Collaborator Author


There should be no harm in using the latest patch update for Keycloak; they respect semver quite well and release quite often.

python_dateutil >= 2.9.0
setuptools >= 21.0.0

gunicorn
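Review bot: gunicorn is added with no version specifier, and setuptools >= 21.0.0 keeps a floor that admits releases many years old, which works against the goal of taking security updates that this PR pursues. Raise the setuptools floor to a recent release and give gunicorn at least a lower bound on a version known to work with this image; an unbounded requirement also silently accepts a future major release with breaking changes.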
Contributor


Should we fix a specific version?

swagger-ui-bundle>=1.1.0
python_dateutil>=2.9.0
setuptools>=21.0.0
uvicorn
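Review bot: uvicorn is added unbounded; if the intent stated in this thread is to avoid maintaining pins by hand, the usual compromise is to keep this file as the loose input, generate a lock or constraints file from it during the build, and commit that output, so the resolved versions are recorded and scannable per build while updates still arrive by regeneration rather than manual pinning. As it stands, a build on one day and a rebuild on another can ship different uvicorn versions with no diff in the repository.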
Contributor


Should we fix a specific version?

Collaborator Author


I used to do pip freeze, but now I prefer not to fix specific versions on Cloud Harness because getting security updates requires a lot of work in pinning every single requirement and we end up with outdated libraries. The risk of this simple microservice breaking is pretty low, and we are now monitoring vulnerabilities that should catch bad guys coming in.

@@ -1,3 +1,3 @@
FROM node:20
FROM node:22-alpine
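Review bot: the switch from node:20 to node:22-alpine changes the C library under Node from glibc to musl, so any npm dependency with native addons compiled during the build may behave differently or fail to build; a CI run of the frontend build is worth having before relying on the lower scanner count. Both tags also float across patch releases, so pin a full 22.x.y-alpine version (or a digest) for reproducible builds, independently of the alpine versus trixie-slim question raised below.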
Contributor


For consistency should we use 22-trixie-slim?

Collaborator Author


This is just for building, and Alpine has fewer reported vulnerabilities than trixie (easily 0).

Pillow>=9.2.0
python-keycloak
django-prometheus
uvicorn No newline at end of file
Contributor


Fix versions.

Collaborator Author


Leaving that open for the common images so inheritors can pin versions as needed.


# # keycloak kafka listener plugin
COPY plugins/metacell-admin-event-listener-module-1.0.0.jar /opt/keycloak/providers/
COPY plugins/* /opt/keycloak/providers/
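Review bot: COPY plugins/* /opt/keycloak/providers/ ships every file present in plugins/ at build time into the directory Keycloak loads providers from, so a stray or outdated jar in the build context (or one dropped there by a compromised build tool) becomes code running inside the identity provider, and nothing in the Dockerfile shows what was copied. If the goal is to let inheriting applications add plugins without overriding the Dockerfile, narrow the pattern to plugins/*.jar, add a .dockerignore for that directory, and have the build log or verify the names and checksums of the jars it installs; the explicit line being removed, COPY plugins/metacell-admin-event-listener-module-1.0.0.jar, was the auditable form.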
Contributor


I would specifically list the plugins we want to install. Currently there is only one anyway.

Collaborator Author


I preferred this option so applications can add plugins without necessarily overriding the Dockerfile.
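A small lint for the three concerns raised in this review (unbounded requirements, floating base-image tags, and the wildcard COPY into the Keycloak providers directory), as an added example that is not part of this PR or the CloudHarness code base. The requirement and Dockerfile lines it runs on are constructed here from the lines quoted in the thread; the rules and their wording are assumptions, not project policy.

```python
import re
# Constructed sample inputs, modelled on the lines quoted in this PR review.
REQUIREMENTS = """\
swagger-ui-bundle>=1.1.0
python_dateutil>=2.9.0
setuptools>=21.0.0
uvicorn
gunicorn
Pillow>=9.2.0,<11   # upper bound added here for contrast: accepted
"""

DOCKERFILE = """\
FROM quay.io/keycloak/keycloak:26.4
FROM node:22-alpine
COPY plugins/* /opt/keycloak/providers/
"""

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
FULL_TAG_RE = re.compile(r"v?\d+\.\d+\.\d+([.+-][\w.]+)?")   # e.g. 26.3.5, 3.12.1-slim

def lint_requirements(text):
    """Return (name, finding) for every requirement whose resolution is not reproducible."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        m = REQ_RE.match(line)
        if not m:                                   # blank lines, -r includes, URLs: skipped
            continue
        name, spec = m.groups()
        if not spec:
            findings.append((name, "no specifier: resolves to whatever is newest at build time"))
        elif not any(op in spec for op in ("==", "~=", "<")):
            findings.append((name, "lower bound only: every future release is accepted"))
    return findings

def lint_dockerfile(text):
    """Flag FROM lines without a digest or full version, and wildcard COPY/ADD sources."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "FROM" and "@sha256:" not in parts[1]:
            last = parts[1].rsplit("/", 1)[-1]              # strip registry and namespace
            tag = last.split(":", 1)[1] if ":" in last else ""
            if not FULL_TAG_RE.fullmatch(tag):
                findings.append((parts[1], "floating tag: pin a full version or a digest"))
        elif parts[0] in ("COPY", "ADD") and len(parts) >= 3 and "*" in parts[1]:
            findings.append((parts[1], f"wildcard copy into {parts[2]}: every file in the build context ships"))
    return findings
```

Running both functions on the constructed inputs flags uvicorn and gunicorn as unspecified, the three lower-bound-only lines, both FROM tags, and the wildcard COPY, while a full version such as 26.3.5 or a digest passes.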

@filippomc filippomc merged commit 2509651 into develop Nov 21, 2025
6 of 7 checks passed
@filippomc filippomc deleted the feature/CH-226 branch November 21, 2025 15:48