Fix terraform deploy (#241)
goshander authored Nov 13, 2024
1 parent 23544f3 commit 42dc67e
Showing 16 changed files with 76 additions and 137 deletions.
2 changes: 0 additions & 2 deletions .github/workflows/deploy.yml
Expand Up @@ -31,8 +31,6 @@ jobs:
- uses: arduino/setup-task@v2
- uses: nightstory/setup-yc@v1
- run: |
../scripts/tofu-opensource.sh --tofurc --cleanup --init --target data.shell_script.kubeconfig --apply --approve
ls -la ./kubeconfig.conf && sleep 10
../scripts/tofu-opensource.sh --tofurc --cleanup --init --apply --approve
working-directory: ./deploy/terraform
env:
4 changes: 4 additions & 0 deletions .github/workflows/e2e_tests.yml
Expand Up @@ -55,6 +55,10 @@ jobs:
CONTROL_API_VERSION: ${{ env.CONTROL_API_VERSION }}
DATA_API_VERSION: ${{ env.DATA_API_VERSION }}
UI_VERSION: ${{ env.UI_VERSION }}
E2E_RETRY_TIMES: 2
E2E_TEST_TIMEOUT: 90000
E2E_ACTION_TIMEOUT: 10000
E2E_EXPECT_TIMEOUT: 10000

- name: Copy tests report from docker run
if: always()
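Review bot: The four new E2E_* values (E2E_RETRY_TIMES through E2E_EXPECT_TIMEOUT) carry no unit; 90000 and 10000 read as milliseconds, but nothing in the workflow says so and the runner that consumes them is not visible here. A one-line comment above the group such as `# timeouts in milliseconds — confirm against the e2e runner` would save the next maintainer a lookup. The enclosing job's `env` block starts above this hunk.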
14 changes: 7 additions & 7 deletions deploy/scripts/tofu-opensource.sh
Expand Up @@ -151,10 +151,10 @@ if [ ! "${YC_PROFILE_EXISTS}" == "true" ]; then
fi
fi

SERVICE_ACCOUNT_ID=$(yc --profile=${PROFILE_NAME} lockbox payload get --name "${LOCKBOX_NAME}" --key service-account-id)
SERVICE_ACCOUNT_ID=$(yc --profile=${PROFILE_NAME} --folder-id=${FOLDER_ID} lockbox payload get --name "${LOCKBOX_NAME}" --key service-account-id)

export AWS_ACCESS_KEY_ID=$(yc --profile=${PROFILE_NAME} lockbox payload get --name "${LOCKBOX_NAME}" --key access-key)
export AWS_SECRET_ACCESS_KEY=$(yc --profile=${PROFILE_NAME} lockbox payload get --name "${LOCKBOX_NAME}" --key secret-key)
export AWS_ACCESS_KEY_ID=$(yc --profile=${PROFILE_NAME} --folder-id=${FOLDER_ID} lockbox payload get --name "${LOCKBOX_NAME}" --key access-key)
export AWS_SECRET_ACCESS_KEY=$(yc --profile=${PROFILE_NAME} --folder-id=${FOLDER_ID} lockbox payload get --name "${LOCKBOX_NAME}" --key secret-key)
export AWS_ENDPOINT_URL_S3="${STORAGE_ENDPOINT}"
export YC_STORAGE_ACCESS_KEY="${AWS_ACCESS_KEY_ID}"
export YC_STORAGE_SECRET_KEY="${AWS_SECRET_ACCESS_KEY}"
Expand All @@ -164,9 +164,9 @@ if [ -z "${AWS_SECRET_ACCESS_KEY}" ]; then
exit 1
fi

export BACKEND_STATE_BUCKET=$(yc --profile=${PROFILE_NAME} lockbox payload get --name "${LOCKBOX_NAME}" --key backend-state-bucket)
export BACKEND_STATE_KEY=$(yc --profile=${PROFILE_NAME} lockbox payload get --name "${LOCKBOX_NAME}" --key backend-state-key)
export BACKEND_STATE_REGION=$(yc --profile=${PROFILE_NAME} lockbox payload get --name "${LOCKBOX_NAME}" --key backend-state-region)
export BACKEND_STATE_BUCKET=$(yc --profile=${PROFILE_NAME} --folder-id=${FOLDER_ID} lockbox payload get --name "${LOCKBOX_NAME}" --key backend-state-bucket)
export BACKEND_STATE_KEY=$(yc --profile=${PROFILE_NAME} --folder-id=${FOLDER_ID} lockbox payload get --name "${LOCKBOX_NAME}" --key backend-state-key)
export BACKEND_STATE_REGION=$(yc --profile=${PROFILE_NAME} --folder-id=${FOLDER_ID} lockbox payload get --name "${LOCKBOX_NAME}" --key backend-state-region)

export TF_VAR_PROFILE="${PROFILE_NAME}"

Expand All @@ -183,7 +183,7 @@ export TF_VAR_BACKEND_STATE_REGION="${BACKEND_STATE_REGION}"

export TF_VAR_DOMAIN="${DOMAIN}"

export TF_VAR_YC_TOKEN=$(yc --profile=${PROFILE_NAME} iam create-token --impersonate-service-account-id "${SERVICE_ACCOUNT_ID}")
export TF_VAR_YC_TOKEN=$(yc --profile=${PROFILE_NAME} --folder-id=${FOLDER_ID} iam create-token --impersonate-service-account-id "${SERVICE_ACCOUNT_ID}")

if [ -z "${TF_VAR_YC_TOKEN}" ]; then
echo "❌ error obtain iam token for sa '${SERVICE_ACCOUNT_ID}', check profile settings, exit..."
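Review bot: The new `--folder-id=${FOLDER_ID}` on every yc call is unquoted and nothing in these hunks checks that FOLDER_ID is set, although the script already guards AWS_SECRET_ACCESS_KEY and TF_VAR_YC_TOKEN a few lines below; an empty value becomes a bare `--folder-id=` and the lockbox lookups fail with a less useful error, and a value with whitespace would be word-split. Quote it as `--folder-id="${FOLDER_ID}"` and add a guard before the first lookup: `if [ -z "${FOLDER_ID}" ]; then echo "❌ FOLDER_ID is not set, exit..."; exit 1; fi`. The same applies to the hunks at the BACKEND_STATE_* lookups and the `iam create-token` call further down. Where FOLDER_ID is assigned is outside these hunks, so such a guard may already exist earlier in the script.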
5 changes: 0 additions & 5 deletions deploy/terraform/k8s-alb-ingress.tf
Expand Up @@ -30,11 +30,6 @@ resource "helm_release" "alb_ingress" {
private_key = yandex_iam_service_account_key.this["alb"].private_key
})
})]


depends_on = [
data.shell_script.kubeconfig,
]
}

locals {
10 changes: 1 addition & 9 deletions deploy/terraform/k8s-app-control-api.tf
Expand Up @@ -59,7 +59,7 @@ resource "kubernetes_deployment" "control-api" {
}
spec {
container {
image = "ghcr.io/datalens-tech/datalens-control-api:${local.data_api_version}"
image = "ghcr.io/datalens-tech/datalens-control-api:${local.control_api_version}"
name = "app-control-api"
port {
container_port = 8080
Expand Down Expand Up @@ -163,10 +163,6 @@ resource "kubernetes_deployment" "control-api" {
}
}
}

depends_on = [
data.shell_script.kubeconfig,
]
}

resource "kubernetes_service" "control-api_service" {
Expand All @@ -185,8 +181,4 @@ resource "kubernetes_service" "control-api_service" {
}
type = "ClusterIP"
}

depends_on = [
data.shell_script.kubeconfig,
]
}
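Review bot: Each deployment still inlines its own `ghcr.io/datalens-tech/...:${local.<x>_version}` string, which is what let the control-api image pick up `local.data_api_version` in the first place; a single `locals` map of image references next to where the versions are defined would make that kind of mix-up visible in one place, e.g. `control_api_image = "ghcr.io/datalens-tech/datalens-control-api:${local.control_api_version}"`. Tags are mutable, so if the registry publishes digests, pinning `image` with an `@sha256:` digest in addition to the version tag would make the deployment reproducible; whether digests are available for these images is not visible here.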
8 changes: 0 additions & 8 deletions deploy/terraform/k8s-app-data-api.tf
Expand Up @@ -195,10 +195,6 @@ resource "kubernetes_deployment" "data-api" {
}
}
}

depends_on = [
data.shell_script.kubeconfig,
]
}

resource "kubernetes_service" "data-api_service" {
Expand All @@ -217,8 +213,4 @@ resource "kubernetes_service" "data-api_service" {
}
type = "ClusterIP"
}

depends_on = [
data.shell_script.kubeconfig,
]
}
8 changes: 0 additions & 8 deletions deploy/terraform/k8s-app-ui.tf
Expand Up @@ -164,10 +164,6 @@ resource "kubernetes_deployment" "ui" {
}
}
}

depends_on = [
data.shell_script.kubeconfig,
]
}

resource "kubernetes_service" "ui_service" {
Expand All @@ -187,8 +183,4 @@ resource "kubernetes_service" "ui_service" {
}
type = "NodePort"
}

depends_on = [
data.shell_script.kubeconfig,
]
}
8 changes: 0 additions & 8 deletions deploy/terraform/k8s-app-us.tf
Expand Up @@ -157,10 +157,6 @@ resource "kubernetes_deployment" "us" {
}
}
}

depends_on = [
data.shell_script.kubeconfig,
]
}

resource "kubernetes_service" "us_service" {
Expand All @@ -179,8 +175,4 @@ resource "kubernetes_service" "us_service" {
}
type = "ClusterIP"
}

depends_on = [
data.shell_script.kubeconfig,
]
}
16 changes: 0 additions & 16 deletions deploy/terraform/k8s-app-zitadel.tf
Expand Up @@ -231,10 +231,6 @@ resource "kubernetes_deployment" "zitadel" {
}
}
}

depends_on = [
data.shell_script.kubeconfig,
]
}

resource "kubernetes_job" "zitadel_init_job" {
Expand Down Expand Up @@ -283,10 +279,6 @@ resource "kubernetes_job" "zitadel_init_job" {
backoff_limit = 5
active_deadline_seconds = 600
}

depends_on = [
data.shell_script.kubeconfig,
]
}

resource "kubernetes_job" "zitadel_setup_job" {
Expand Down Expand Up @@ -335,10 +327,6 @@ resource "kubernetes_job" "zitadel_setup_job" {
backoff_limit = 5
active_deadline_seconds = 600
}

depends_on = [
data.shell_script.kubeconfig,
]
}

resource "kubernetes_service" "zitadel_service" {
Expand All @@ -360,8 +348,4 @@ resource "kubernetes_service" "zitadel_service" {
}
type = "NodePort"
}

depends_on = [
data.shell_script.kubeconfig,
]
}
4 changes: 0 additions & 4 deletions deploy/terraform/k8s-logs.tf
Expand Up @@ -38,9 +38,5 @@ resource "helm_release" "logging" {
# fix helm chart error with missed escaping json
}), ",", "\\,"), "\\n", "\\\\n"), "{", "\\{"), "}", "\\}")
}

depends_on = [
data.shell_script.kubeconfig,
]
}

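--- a/deploy/terraform/k8s-monitoring.tf
+++ b/deploy/terraform/k8s-monitoring.tf
@@ -0,0 +1,19 @@
+resource "helm_release" "monitoring" {
+for_each = toset(local.k8s_monitoring ? ["main"] : [])
+
+name = "monitoring"
+
+repository = "https://prometheus-community.github.io/helm-charts"
+chart = "kube-prometheus-stack"
+version = "62.7.0"
+
+timeout = 240
+namespace = "monitoring"
+create_namespace = true
+cleanup_on_fail = true
+
+set {
+name = "installCRDs"
+value = true
+}
+}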
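Review bot: `helm_release.monitoring` installs kube-prometheus-stack with only `installCRDs` overridden, so Grafana comes up with the chart's built-in default admin password unless values not shown here change it; with `k8s_allow_from_public_net = true` visible in the locals.tf hunk, that is worth closing before the release ships. Set `grafana.adminPassword` from a secret via a `set_sensitive` block rather than `set` so the value stays out of plan output, or set `grafana.enabled` to `false` if Grafana is not needed. A short header comment naming what the release is for, e.g. `# kube-prometheus-stack; enabled by local.k8s_monitoring`, would also help since the file has none.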
8 changes: 0 additions & 8 deletions deploy/terraform/k8s-secrets.tf
Expand Up @@ -9,10 +9,6 @@ resource "helm_release" "secrets" {

version = "0.9.20"
repository = "oci://${local.cr_endpoint}/yc-marketplace/yandex-cloud/external-secrets/chart"

depends_on = [
data.shell_script.kubeconfig,
]
}

resource "kubernetes_secret" "secrets" {
Expand All @@ -36,7 +32,6 @@ resource "kubernetes_secret" "secrets" {

depends_on = [
helm_release.secrets,
data.shell_script.kubeconfig,
]
}

Expand Down Expand Up @@ -65,7 +60,6 @@ resource "kubernetes_manifest" "secrets" {
depends_on = [
helm_release.secrets,
kubernetes_secret.secrets,
data.shell_script.kubeconfig,
]
}

Expand Down Expand Up @@ -179,7 +173,6 @@ resource "kubernetes_manifest" "lockbox" {
depends_on = [
helm_release.secrets,
kubernetes_secret.secrets,
data.shell_script.kubeconfig,
]
}

Expand Down Expand Up @@ -224,7 +217,6 @@ resource "kubernetes_manifest" "lockbox-zitadel" {
depends_on = [
helm_release.secrets,
kubernetes_secret.secrets,
data.shell_script.kubeconfig,
]
}

85 changes: 32 additions & 53 deletions deploy/terraform/kubeconfig.tf
@@ -1,7 +1,3 @@
provider "shell" {
interpreter = ["/usr/bin/env", "bash", "-c"]
}

locals {
cluster_endpoint = local.k8s_cluster_endpoint
cluster_trusted_ca = base64encode(local.k8s_cluster_ca_certificate)
Expand All @@ -13,59 +9,42 @@ locals {
}

locals {
kubeconfig = {
apiVersion = "v1",
kind = "Config"
clusters = [
{
name = "yc-managed-k8s-${yandex_kubernetes_cluster.this.id}",
cluster = {
certificate-authority-data = local.cluster_trusted_ca
server = local.cluster_endpoint
}
kubeconfig = yamlencode({
apiVersion = "v1"
clusters = [{
name = "${local.service}-managed-k8s"
cluster = {
"server" = local.cluster_endpoint
"certificate-authority-data" = local.cluster_trusted_ca
}
],
contexts = [
{
name = "yc-managed-k8s-backends",
context = {
cluster = "yc-managed-k8s-${yandex_kubernetes_cluster.this.id}",
user = "yc-managed-k8s-${yandex_kubernetes_cluster.this.id}",
}]
users = [{
name = "yc-managed-k8s-user"
user = {
exec = {
apiVersion = "client.authentication.k8s.io/v1beta1",
command = local.cli_command,
args = local.cli_command_args,
provideClusterInfo = false
env = null
}
}
],
current-context = "yc-managed-k8s-backends",
preferences = {},
users = [
{
name = "yc-managed-k8s-${yandex_kubernetes_cluster.this.id}",
user = {
exec = {
apiVersion = "client.authentication.k8s.io/v1beta1",
command = local.cli_command,
args = local.cli_command_args,
provideClusterInfo = false
}
}
}]
contexts = [{
name = "yc-managed-k8s-ctx",
context = {
cluster = "${local.service}-managed-k8s",
user = "yc-managed-k8s-user",
}
]
}
}],
apiVersion = "v1",
kind = "Config",
preferences = {},
})
}

data "shell_script" "kubeconfig" {
depends_on = [
yandex_vpc_security_group.this
]

lifecycle_commands {
read = <<-CMD
set -euo pipefail
echo "$KUBECONFIG_DATA" > "$KUBECONFIG_FILE"
echo "{\"path\": \"${local.kubeconfig_path}\"}"
CMD
}
environment = {
KUBECONFIG_DATA = yamlencode(local.kubeconfig)
KUBECONFIG_FILE = local.kubeconfig_path
}
resource "local_file" "kubeconfig" {
content = local.kubeconfig
filename = local.kubeconfig_path
file_permission = "0600"
}
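Review bot: Replacing `data.shell_script.kubeconfig` with `resource "local_file" "kubeconfig"` drops the only explicit ordering between the kubernetes/helm resources and the file they read: every `depends_on = [data.shell_script.kubeconfig]` is deleted in the k8s-*.tf sections of this commit (alb-ingress, control-api, data-api, ui, us, zitadel, logs, secrets, and the new monitoring release has none), and nothing in this hunk replaces it. Unless the provider blocks (not shown) reference `local_file.kubeconfig.filename` rather than `local.kubeconfig_path`, a fresh apply can configure the provider before the file exists — which is what the removed targeted pre-apply in `.github/workflows/deploy.yml` used to guarantee. Separately, `local_file` keeps `content` in plain text in plan output; the kubeconfig here carries the `exec` command and `local.cli_command_args`, and if those args embed a credential, `local_sensitive_file` (same provider, same arguments) marks the content sensitive so it is redacted from plans, though state still holds it as before. The `file_permission = "0600"` on the new resource is the right call and worth keeping.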
5 changes: 4 additions & 1 deletion deploy/terraform/locals.tf
Expand Up @@ -39,8 +39,11 @@ locals {
# auto create github runner
is_create_github_runner = true

k8s_monitoring = true

# use local k8s ipv4 by security reason
k8s_allow_from_public_net = true
k8s_use_external_ipv4 = true
k8s_connect_by_internal_ipv4 = true
k8s_connect_by_internal_ipv4 = false
}
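Review bot: The comment `# use local k8s ipv4 by security reason` no longer describes the block under it once `k8s_connect_by_internal_ipv4` becomes `false` (the old/new side of the two printed lines is inferred from print order, so confirm): the values now read as allow public access, use the external IPv4, and connect over it. Either update the comment to state why the public endpoint is used, e.g. `# connect over the public endpoint (internal ipv4 not reachable from the CI runner) — confirm`, or keep the restriction and say where it is enforced. How `k8s_allow_from_public_net` narrows the allowed source ranges is defined elsewhere and not visible here, so whether the API server is open to any source cannot be told from this hunk. The new `k8s_monitoring = true` also lacks the per-flag comment its neighbours have; `# install kube-prometheus-stack (k8s-monitoring.tf)` would match the style.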


0 comments on commit 42dc67e
