chore: Improve queue bootstrapping (#57)

* chore: Improve queue bootstrapping * Fix users creation * Fix setup for rpc user
demeter-run · Jul 26, 2024 · 6fa6e66 · 6fa6e66
1 parent 1c48ee4
commit 6fa6e66
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 30 deletions.
diff --git a/bootstrap/queue/chart.tf b/bootstrap/queue/chart.tf
@@ -8,9 +8,11 @@ resource "helm_release" "redpanda" {
   values = [templatefile(
     "${path.module}/values.yml.tftpl",
     {
-      users          = var.users,
-      admin_username = var.admin_username,
+      admin_username = var.admin_username
       admin_password = var.admin_password
+      rpc_username   = var.rpc_username
+      rpc_password   = var.rpc_password
+      daemon_users   = var.daemon_users
     }
   )]
 

diff --git a/bootstrap/queue/main.tf b/bootstrap/queue/main.tf
@@ -7,17 +7,28 @@ variable "instance_name" {
 }
 
 variable "admin_username" {
-  type = string
+  type    = string
+  default = "admin"
 }
 
 variable "admin_password" {
   type = string
 }
 
-variable "users" {
+variable "rpc_username" {
+  type    = string
+  default = "rpc"
+}
+
+variable "rpc_password" {
+  type = string
+}
+
+variable "daemon_users" {
   type = list(object({
-    name     = string
-    password = string
+    name          = string
+    password      = string
+    consumer_name = string
   }))
 }
 
@@ -52,3 +63,8 @@ variable "replicas" {
   type    = number
   default = 3
 }
+
+variable "replication" {
+  type    = number
+  default = null
+}
diff --git a/bootstrap/queue/setup.sh.tftpl b/bootstrap/queue/setup.sh.tftpl
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -e  # Exit immediately if any command fails
+
+# Define reusable rpk parameters
+RPK_PARAMS='-X sasl.mechanism=SCRAM-SHA-256 -X user=${admin_username} -X pass=${admin_password}'
+
+topic_exists() {
+    rpk $RPK_PARAMS topic list | grep -q "$1"
+}
+
+acl_exists() {
+    rpk $RPK_PARAMS acl user list | grep -q "$1"
+}
+
+# Create topic, if it doesn't exist
+if ! topic_exists "${events_topic}"; then
+    echo "Creating topic '${events_topic}'"
+    rpk $RPK_PARAMS topic create ${events_topic} \
+      -r "${replication}" \          # Replication factor
+      -c "cleanup.policy=compact" \  # Don't delete old stuff
+      -c "retention.ms=-1"           # Keep forever
+
+else
+    echo "Topic '${events_topic}' already exists"
+fi
+
+# Create RPC user.
+if ! acl_exists "User:${rpc_username}"; then
+    echo "Creating user: ${rpc_username}"
+    rpk $RPK_PARAMS acl user create ${rpc_username} -p '${rpc_password}' --mechanism SCRAM-SHA-256
+    rpk $RPK_PARAMS acl create \
+      --allow-principal User:${rpc_username} \
+      --operation all --topic ${events_topic}
+    rpk $RPK_PARAMS acl create \
+      --allow-principal User:${rpc_username} \
+      --operation all --group '${rpc_username}-*' --resource-pattern-type prefixed
+else
+    echo "User ${rpc_username} already exist"
+fi
+
+# Define ACLs for daemon users, only read with a particular username
+%{ for user in daemon_users }
+if ! acl_exists "User:${user.name}"; then
+    echo "Creating ACLs for ${user.name}"
+    rpk $RPK_PARAMS acl user create ${user.name} -p '${user.password}' --mechanism SCRAM-SHA-256
+    rpk $RPK_PARAMS acl create \
+      --allow-principal User:${user.name} \
+      --operation read --topic ${events_topic} \
+      --operation read --group ${user.consumer_name}
+else
+    echo "User ${user.name} already exist"
+fi
+%{ endfor }
+
+echo "Setup complete."
diff --git a/bootstrap/queue/create_topic_job.tf → bootstrap/queue/setup_job.tf b/bootstrap/queue/create_topic_job.tf → bootstrap/queue/setup_job.tf
@@ -1,19 +1,45 @@
 locals {
-  create_topic_job_name = "fabric-queue-create-topic"
+  setup_job_name       = "fabric-queue-setup"
+  setup_configmap_name = "fabric-queue-setup-config"
+  replication          = coalesce(var.replication, var.replicas)
+  events_topic         = "events"
 }
 
-resource "kubernetes_job_v1" "fabric_queue_create_topic" {
-  depends_on = [helm_release.redpanda]
+resource "kubernetes_config_map_v1" "fabric_queue_setup_config" {
+  metadata {
+    name      = local.setup_configmap_name
+    namespace = var.namespace
+  }
+
+  data = {
+    "setup.sh" = "${templatefile(
+      "${path.module}/setup.sh.tftpl",
+      {
+        admin_username = var.admin_username
+        admin_password = var.admin_password
+        rpc_username   = var.rpc_username
+        rpc_password   = var.rpc_password
+        replication    = local.replication
+        events_topic   = local.events_topic
+        daemon_users   = var.daemon_users
+      }
+    )}"
+  }
+}
+
+
+resource "kubernetes_job_v1" "fabric_queue_setup" {
+  depends_on = [helm_release.redpanda, kubernetes_config_map_v1.fabric_queue_setup_config]
 
   metadata {
-    name      = local.create_topic_job_name
+    name      = local.setup_job_name
     namespace = var.namespace
   }
   spec {
     template {
       metadata {
         labels = {
-          "demeter.run/instance" = local.create_topic_job_name
+          "demeter.run/instance" = local.setup_job_name
         }
       }
       spec {
@@ -22,18 +48,9 @@ resource "kubernetes_job_v1" "fabric_queue_create_topic" {
         }
 
         container {
-          name  = "main"
-          image = "docker.redpanda.com/redpandadata/redpanda:v23.3.18"
-          command = [
-            "rpk",
-            "-X", "sasl.mechanism=SCRAM-SHA-256",
-            "-X", "user=${var.admin_username}",
-            "-X", "pass=${var.admin_password}",
-            "topic", "create", "events",
-            "-r", "${var.replicas}",
-            "-c", "cleanup.policy=compact",
-            "-c", "retention.ms=-1",
-          ]
+          name              = "main"
+          image             = "docker.redpanda.com/redpandadata/redpanda:v23.3.18"
+          command           = ["/bin/sh", "/var/setup/setup.sh"]
           image_pull_policy = "Always"
 
           volume_mount {
@@ -51,13 +68,18 @@ resource "kubernetes_job_v1" "fabric_queue_create_topic" {
             mount_path = "/etc/redpanda"
           }
 
+          volume_mount {
+            name       = "setup"
+            mount_path = "/var/setup"
+          }
+
           resources {
             limits = {
-              cpu    = "500m"
+              cpu    = "200m"
               memory = "512Mi"
             }
             requests = {
-              cpu    = "500m"
+              cpu    = "200m"
               memory = "512Mi"
             }
           }
@@ -84,6 +106,13 @@ resource "kubernetes_job_v1" "fabric_queue_create_topic" {
           }
         }
 
+        volume {
+          name = "setup"
+          config_map {
+            name = local.setup_configmap_name
+          }
+        }
+
         toleration {
           effect   = "NoSchedule"
           key      = "demeter.run/compute-profile"

diff --git a/bootstrap/queue/values.yml.tftpl b/bootstrap/queue/values.yml.tftpl
@@ -22,11 +22,6 @@ auth:
       - name: ${admin_username}
         password: ${admin_password}
         mechanism: SCRAM-SHA-256
-      %{ for user in users }
-      - name: ${user.name}
-        password: ${user.password}
-        mechanism: SCRAM-SHA-256
-      %{ endfor }
 
 # -- TLS settings.
 # https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/