From 3f127bf922ae76b81a2abc636a476cced1613abe Mon Sep 17 00:00:00 2001 From: Pierre Bastianelli Date: Fri, 16 Feb 2024 16:23:43 -0800 Subject: [PATCH 1/2] chore: removing tf jobs and importing chart --- helm/cas-ciip-portal/Chart.lock | 11 ++- helm/cas-ciip-portal/Chart.yaml | 5 +- .../templates/bucket-provisioning-job.yaml | 45 --------- .../templates/jobs/terraform-apply.yaml | 76 -------------- .../templates/jobs/terraform-modules.yaml | 14 --- .../jobs/terraform-service-account.yaml | 35 ------- helm/cas-ciip-portal/terraform/main.tf | 99 ------------------- helm/cas-ciip-portal/terraform/variables.tf | 33 ------- helm/cas-ciip-portal/values.yaml | 4 + 9 files changed, 15 insertions(+), 307 deletions(-) delete mode 100644 helm/cas-ciip-portal/templates/bucket-provisioning-job.yaml delete mode 100644 helm/cas-ciip-portal/templates/jobs/terraform-apply.yaml delete mode 100644 helm/cas-ciip-portal/templates/jobs/terraform-modules.yaml delete mode 100644 helm/cas-ciip-portal/templates/jobs/terraform-service-account.yaml delete mode 100644 helm/cas-ciip-portal/terraform/main.tf delete mode 100644 helm/cas-ciip-portal/terraform/variables.tf diff --git a/helm/cas-ciip-portal/Chart.lock b/helm/cas-ciip-portal/Chart.lock index 2744255e5..419796f82 100644 --- a/helm/cas-ciip-portal/Chart.lock +++ b/helm/cas-ciip-portal/Chart.lock @@ -1,7 +1,10 @@ dependencies: - name: cas-postgres repository: https://bcgov.github.io/cas-postgres/ - version: 0.8.4 + version: 0.9.1 +- name: terraform-bucket-provision + repository: https://bcgov.github.io/cas-pipeline/ + version: 0.1.2 - name: mailhog repository: https://codecentric.github.io/helm-charts/ version: 3.3.0 
@@ -16,6 +19,6 @@ dependencies: version: 1.0.7 - name: nginx-sidecar repository: https://bcgov.github.io/cas-template-app - version: 0.1.12 -digest: sha256:bfc589e80ce40eea666fd0a0102aed37f94e00323557c355ea9778820a5ac873 -generated: "2023-05-12T15:40:26.643889932-07:00" + version: 0.1.13 +digest: sha256:a0a9397ec66fc31006c74a026d1e73731d5bb1a2c0c26c3f69d3f07e888909b7 +generated: "2024-02-16T16:21:38.845613-08:00" diff --git a/helm/cas-ciip-portal/Chart.yaml b/helm/cas-ciip-portal/Chart.yaml index 8af96afb9..31aa21093 100644 --- a/helm/cas-ciip-portal/Chart.yaml +++ b/helm/cas-ciip-portal/Chart.yaml @@ -6,8 +6,11 @@ version: 0.3.62 appVersion: 2.23.3 dependencies: - name: cas-postgres - version: "0.8.4" + version: "0.9.1" repository: https://bcgov.github.io/cas-postgres/ + - name: terraform-bucket-provision + version: "0.1.2" + repository: https://bcgov.github.io/cas-pipeline/ - name: mailhog version: "3.3.0" repository: "https://codecentric.github.io/helm-charts/" diff --git a/helm/cas-ciip-portal/templates/bucket-provisioning-job.yaml b/helm/cas-ciip-portal/templates/bucket-provisioning-job.yaml deleted file mode 100644 index 116553a76..000000000 --- a/helm/cas-ciip-portal/templates/bucket-provisioning-job.yaml +++ /dev/null 
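Review bot: The new `terraform-bucket-provision` dependency stands in for the removed `terraform-apply` job, which ran as a `pre-install, pre-upgrade` hook and created the `gcp-<namespace>-<app>-service-account-key` secrets presumably consumed by the application; nothing in this hunk shows whether the subchart's job runs at the same hook phase, so first-install ordering should be confirmed before merging. The exact pin `version: "0.1.2"` plus the Chart.lock digest are the only integrity control on this externally hosted chart, so keep the exact pin rather than a range when it is next bumped. The `repository` value follows the unquoted style of `cas-postgres` while `mailhog` quotes its value; either works, but one style per file reads better.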
@@ -1,45 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "cas-ciip-portal.fullname" . }}-backup-bucket-provisioner-{{ randAlphaNum 5 | lower }} -spec: - parallelism: 1 - completions: 1 - backoffLimit: 0 - template: - metadata: - name: {{ template "cas-ciip-portal.fullname" . }}-backup-bucket-provisioner - labels: {{ include "cas-ciip-portal.labels" . | nindent 8 }} - spec: - activeDeadlineSeconds: 1200 - containers: - - name: bucket-provisioner - resources: - limits: - cpu: 100m - memory: 256Mi - requests: - cpu: 100m - memory: 256Mi - image: {{ .Values.image.casShelf.repository }}:{{ .Values.image.casShelf.tag }} - imagePullPolicy: {{ .Values.image.casShelf.pullPolicy }} - env: - - name: TFC_TOKEN - valueFrom: - secretKeyRef: - key: token - name: terraform-cloud-workspace - - name: TFC_WORKSPACE_ID - valueFrom: - secretKeyRef: - key: workspace_id - name: terraform-cloud-workspace - command: - - /usr/bin/env - - bash - - -c - - | - set -xeuo pipefail; - /script.sh {{ .Release.Namespace | quote }} ciip-backups; - /script.sh {{ .Release.Namespace | quote }} ciip-documents; - restartPolicy: Never diff --git a/helm/cas-ciip-portal/templates/jobs/terraform-apply.yaml b/helm/cas-ciip-portal/templates/jobs/terraform-apply.yaml deleted file mode 100644 index 21365db86..000000000 --- a/helm/cas-ciip-portal/templates/jobs/terraform-apply.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: terraform-apply - labels: - component: backend - namespace: "{{ .Release.Namespace }}" - annotations: - "helm.sh/hook": pre-install, pre-upgrade -spec: - backoffLimit: 0 - activeDeadlineSeconds: 900 - template: - spec: - serviceAccountName: "terraform-kubernetes-service-account" - containers: - - name: terraform-apply - resources: "{{ toYaml .Values.devops.resources | nindent 12 }}" - image: "{{ .Values.devops.image.repository }}:{{ .Values.devops.sourceRepoImageTag | default .Values.devops.image.tag }}" - imagePullPolicy: "{{ .Values.devops.image.pullPolicy }}" - volumeMounts: - - mountPath: /etc/gcp - name: service-account-credentials-volume - readOnly: True - - mountPath: /etc/tf - name: terraform-backend-config-volume - readOnly: True - - name: tf-working-dir - mountPath: /working - readOnly: False - - name: terraform-modules - mountPath: /terraform - readOnly: False - env: - - name: TF_VAR_project_id - valueFrom: - secretKeyRef: - name: gcp-credentials-secret - key: gcp_project_id - - name: TF_VAR_openshift_namespace - value: {{ .Release.Namespace | quote }} - - name: TF_VAR_apps - value: '["ciip-backups", "ciip-documents", "ciip-2018"]' - - name: kubernetes_host - value: "https://api.silver.devops.gov.bc.ca:6443" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: "/etc/gcp/credentials.json" - command: - - /bin/sh - - -c - - | - set -euo pipefail; - cp -r /terraform/. 
/working; - cd working; - export TF_VAR_kubernetes_token=$( cat /var/run/secrets/kubernetes.io/serviceaccount/token ); - terraform init -backend-config=/etc/tf/gcs.tfbackend; - terraform apply -var="kubernetes_host=$kubernetes_host" -auto-approve; - restartPolicy: Never - volumes: - - name: service-account-credentials-volume - secret: - secretName: gcp-credentials-secret # pragma: allowlist secret - items: - - key: sa_json - path: credentials.json - - name: terraform-backend-config-volume - secret: - secretName: gcp-credentials-secret # pragma: allowlist secret - items: - - key: tf_backend - path: gcs.tfbackend - - name: tf-working-dir - emptyDir: {} - - name: terraform-modules - configMap: - name: terraform-modules diff --git a/helm/cas-ciip-portal/templates/jobs/terraform-modules.yaml b/helm/cas-ciip-portal/templates/jobs/terraform-modules.yaml deleted file mode 100644 index 90346a7ad..000000000 --- a/helm/cas-ciip-portal/templates/jobs/terraform-modules.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: terraform-modules - namespace: {{ .Release.Namespace }} - # Because terraform-apply.yaml is pre-install, pre-upgrade, this configmap needs to be in place before it - annotations: - "helm.sh/hook": pre-install, pre-upgrade - "helm.sh/hook-weight": "-10" -binaryData: -{{- range $path, $data := .Files.Glob "terraform/**.tf" }} -{{ $path | base | indent 2 }}: >- -{{- $data | toString | b64enc | nindent 4 }} -{{ end }} diff --git a/helm/cas-ciip-portal/templates/jobs/terraform-service-account.yaml b/helm/cas-ciip-portal/templates/jobs/terraform-service-account.yaml deleted file mode 100644 index 663ab9177..000000000 --- a/helm/cas-ciip-portal/templates/jobs/terraform-service-account.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: "terraform-secret-admin" - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-install, pre-upgrade -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "terraform-kubernetes-service-account" - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-install, pre-upgrade ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "terraform-kubernetes-service-account-secret-admin-binding" - namespace: {{ .Release.Namespace }} - annotations: - "helm.sh/hook": pre-install, pre-upgrade -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "terraform-secret-admin" -subjects: -- kind: ServiceAccount - name: "terraform-kubernetes-service-account" - namespace: {{ .Release.Namespace }} diff --git a/helm/cas-ciip-portal/terraform/main.tf b/helm/cas-ciip-portal/terraform/main.tf deleted file mode 100644 index 2629873e5..000000000 --- a/helm/cas-ciip-portal/terraform/main.tf +++ /dev/null 
@@ -1,99 +0,0 @@ -terraform { - required_version = ">=1.4.6" - - required_providers { - kubernetes = { - source = "hashicorp/kubernetes" - version = "~> 2.23" - } - google = { - source = "hashicorp/google" - version = "~> 5.2.0" - } - } - - backend "gcs" {} -} - -# Configure OCP infrastructure to setup the host and authentication token -provider "kubernetes" { - host = var.kubernetes_host - token = var.kubernetes_token -} - -# Configure GCP infrastructure to setup the credentials, default project and location (zone and/or region) for your resources -provider "google" { - project = var.project_id - region = local.region - credentials = "/Users/jolarouc/Repositories/cas-cif/.scratch/credentials.json" -} - -# Create GCS buckets -resource "google_storage_bucket" "bucket" { - for_each = { for v in var.apps : v => v } - name = "${var.openshift_namespace}-${each.value}" - location = local.region -} - -# Create GCP service accounts for each GCS bucket -resource "google_service_account" "account" { - for_each = { for v in var.apps : v => v } - account_id = "sa-${var.openshift_namespace}-${each.value}" - display_name = "${var.openshift_namespace}-${each.value} Service Account" - depends_on = [google_storage_bucket.bucket] -} - -# Assign Storage Admin role for the corresponding service accounts -resource "google_storage_bucket_iam_member" "admin" { - for_each = { for v in var.apps : v => v } - bucket = "${var.openshift_namespace}-${each.value}" - role = "roles/storage.admin" - member = "serviceAccount:${google_service_account.account[each.key].email}" - depends_on = [google_service_account.account] -} - -# Create viewer GCP service accounts for each GCS bucket -resource "google_service_account" "viewer_account" { - for_each = { for v in var.apps : v => v } - account_id = "ro-${var.openshift_namespace}-${each.value}" - display_name = "${var.openshift_namespace}-${each.value} Viewer Service Account" - depends_on = [google_storage_bucket.bucket] -} - -# Assign (manually created) 
Storage Viewer role for the corresponding service accounts -resource "google_storage_bucket_iam_member" "viewer" { - for_each = { for v in var.apps : v => v } - bucket = "${var.openshift_namespace}-${each.value}" - role = "projects/${var.project_id}/roles/${var.iam_storage_role_template_id}" - member = "serviceAccount:${google_service_account.viewer_account[each.key].email}" - depends_on = [google_service_account.viewer_account] -} - -# Create keys for the service accounts -resource "google_service_account_key" "key" { - for_each = { for v in var.apps : v => v } - service_account_id = google_service_account.account[each.key].name -} - -# Create keys for the viewer service accounts -resource "google_service_account_key" "viewer_key" { - for_each = { for v in var.apps : v => v } - service_account_id = google_service_account.viewer_account[each.key].name -} - -resource "kubernetes_secret" "secret_sa" { - for_each = { for v in var.apps : v => v } - metadata { - name = "gcp-${var.openshift_namespace}-${each.value}-service-account-key" - namespace = var.openshift_namespace - labels = { - created-by = "Terraform" - } - } - - data = { - "bucket_name" = "${var.openshift_namespace}-${each.value}" - "credentials.json" = base64decode(google_service_account_key.key[each.key].private_key) - "viewer_credentials.json" = base64decode(google_service_account_key.viewer_key[each.key].private_key) - } -} diff --git a/helm/cas-ciip-portal/terraform/variables.tf b/helm/cas-ciip-portal/terraform/variables.tf deleted file mode 100644 index d1919e69a..000000000 --- a/helm/cas-ciip-portal/terraform/variables.tf +++ /dev/null 
@@ -1,33 +0,0 @@ -# Since variables could be overridden via environment variables, use local values to define immutable values -locals { - # The GCP region to create things in. https://cloud.google.com/compute/docs/regions-zones" - region = "northamerica-northeast1" # Montreal -} - -variable "project_id" { - description = "The ID of the GCP project" -} - -variable "kubernetes_host" { - description = "The hostname of the OCP cluster" -} - -variable "kubernetes_token" { - description = "The authentication token of the OCP cluster" -} - -variable "apps" { - type = list(string) - description = "The list of app names for the OCP project in a namespace" -} - -variable "openshift_namespace" { - type = string - description = "The OCP project namespace" -} - -variable "iam_storage_role_template_id" { - type = string - description = "ID for a custom IAM role template we manually created in GCP for Storage Viewers" - default = "casStorageViewer" -} diff --git a/helm/cas-ciip-portal/values.yaml b/helm/cas-ciip-portal/values.yaml index 68e5bee21..87e237372 100644 --- a/helm/cas-ciip-portal/values.yaml +++ b/helm/cas-ciip-portal/values.yaml @@ -184,3 +184,7 @@ devops: cpu: 100m memory: 64Mi ephemeral-storage: 256Mi + +terraform-bucket-provision: + terraform: + namespace_apps: '["ciip-backups", "ciip-documents", "ciip-2018"]' From 1bb866195d0a6bcffd24c214c0de5cdf13f49ead Mon Sep 17 00:00:00 2001 From: Pierre Bastianelli Date: Fri, 16 Feb 2024 17:49:03 -0800 Subject: [PATCH 2/2] chore: rebuilding images
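Review bot: `namespace_apps` is a JSON array carried inside a single-quoted YAML string, the same shape the removed job passed through `TF_VAR_apps`; if the subchart instead expects a YAML list, this value reaches Terraform as one opaque string, so confirm the expected type against the subchart's values before relying on it. The removed job also pinned `kubernetes_host` to `https://api.silver.devops.gov.bc.ca:6443` and sourced credentials from `gcp-credentials-secret`; neither appears in this values block, so the subchart's defaults must supply them or provisioning will target whatever the subchart assumes. A one-line comment above the new key would help the next reader, e.g. `# Values for the terraform-bucket-provision subchart, which replaces the in-repo terraform-apply hook job`.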