From 6fa6e661fd87acae7acaef724a14d91c62366ae3 Mon Sep 17 00:00:00 2001 From: Felipe Gonzalez Date: Fri, 26 Jul 2024 19:10:32 -0300 Subject: [PATCH] chore: Improve queue bootstrapping (#57) * chore: Improve queue bootstrapping * Fix users creation * Fix setup for rpc user --- bootstrap/queue/chart.tf | 6 +- bootstrap/queue/main.tf | 24 +++++-- bootstrap/queue/setup.sh.tftpl | 56 ++++++++++++++++ .../{create_topic_job.tf => setup_job.tf} | 67 +++++++++++++------ bootstrap/queue/values.yml.tftpl | 5 -- 5 files changed, 128 insertions(+), 30 deletions(-) create mode 100644 bootstrap/queue/setup.sh.tftpl rename bootstrap/queue/{create_topic_job.tf => setup_job.tf} (52%) diff --git a/bootstrap/queue/chart.tf b/bootstrap/queue/chart.tf index 15b6004..257a07e 100644 --- a/bootstrap/queue/chart.tf +++ b/bootstrap/queue/chart.tf @@ -8,9 +8,11 @@ resource "helm_release" "redpanda" { values = [templatefile( "${path.module}/values.yml.tftpl", { - users = var.users, - admin_username = var.admin_username, + admin_username = var.admin_username admin_password = var.admin_password + rpc_username = var.rpc_username + rpc_password = var.rpc_password + daemon_users = var.daemon_users } )] diff --git a/bootstrap/queue/main.tf b/bootstrap/queue/main.tf index eb8f78a..f14a80c 100644 --- a/bootstrap/queue/main.tf +++ b/bootstrap/queue/main.tf @@ -7,17 +7,28 @@ variable "instance_name" { } variable "admin_username" { - type = string + type = string + default = "admin" } variable "admin_password" { type = string } -variable "users" { +variable "rpc_username" { + type = string + default = "rpc" +} + +variable "rpc_password" { + type = string +} + +variable "daemon_users" { type = list(object({ - name = string - password = string + name = string + password = string + consumer_name = string })) } @@ -52,3 +63,8 @@ variable "replicas" { type = number default = 3 } + +variable "replication" { + type = number + default = null +} 
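Review bot: The `admin_password` and `rpc_password` variables, and `daemon_users` whose objects carry a `password` field, are declared in the `@@ -7,17 +7,28 @@` hunk of main.tf as plain `type = string` / `list(object(...))` with no `sensitive = true`, so their values are printed in `terraform plan` and `apply` output and in any module output that references them. Add `sensitive = true` beneath the `type` line of each of the three variables. Marking a variable sensitive does not remove it from the state file; protecting state is a separate concern. The same values are fed to `templatefile()` in the chart.tf hunk on this line, so the rendered Helm values inherit whatever sensitivity the inputs carry.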
diff --git a/bootstrap/queue/setup.sh.tftpl b/bootstrap/queue/setup.sh.tftpl
new file mode 100644
index 0000000..570041d
--- /dev/null
+++ b/bootstrap/queue/setup.sh.tftpl
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -e # Exit immediately if any command fails
+
+# Define reusable rpk parameters
+RPK_PARAMS='-X sasl.mechanism=SCRAM-SHA-256 -X user=${admin_username} -X pass=${admin_password}'
+
+topic_exists() {
+ rpk $RPK_PARAMS topic list | grep -q "$1"
+}
+
+acl_exists() {
+ rpk $RPK_PARAMS acl user list | grep -q "$1"
+}
+
+# Create topic, if it doesn't exist
+if ! topic_exists "${events_topic}"; then
+ echo "Creating topic '${events_topic}'"
+ rpk $RPK_PARAMS topic create ${events_topic} \
+ -r "${replication}" \ # Replication factor
+ -c "cleanup.policy=compact" \ # Don't delete old stuff
+ -c "retention.ms=-1" # Keep forever
+
+else
+ echo "Topic '${events_topic}' already exists"
+fi
+
+# Create RPC user.
+if ! acl_exists "User:${rpc_username}"; then
+ echo "Creating user: ${rpc_username}"
+ rpk $RPK_PARAMS acl user create ${rpc_username} -p '${rpc_password}' --mechanism SCRAM-SHA-256
+ rpk $RPK_PARAMS acl create \
+ --allow-principal User:${rpc_username} \
+ --operation all --topic ${events_topic}
+ rpk $RPK_PARAMS acl create \
+ --allow-principal User:${rpc_username} \
+ --operation all --group '${rpc_username}-*' --resource-pattern-type prefixed
+else
+ echo "User ${rpc_username} already exist"
+fi
+
+# Define ACLs for daemon users, only read with a particular username
+%{ for user in daemon_users }
+if ! acl_exists "User:${user.name}"; then
+ echo "Creating ACLs for ${user.name}"
+ rpk $RPK_PARAMS acl user create ${user.name} -p '${user.password}' --mechanism SCRAM-SHA-256
+ rpk $RPK_PARAMS acl create \
+ --allow-principal User:${user.name} \
+ --operation read --topic ${events_topic} \
+ --operation read --group ${user.consumer_name}
+else
+ echo "User ${user.name} already exist"
+fi
+%{ endfor }
+
+echo "Setup complete."
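Review bot: The trailing comments after the line continuations in the `rpk topic create` call (`-r "${replication}" \ # Replication factor` and the `-c "cleanup.policy=compact" \ # ...` line) break the command: a backslash followed by a space escapes the space rather than the newline, the rest of the line is a comment, and the next `-c ...` line is then run as a command of its own, which fails under `set -e`. Move the comments onto their own lines above the call so the continuations end in a bare backslash, i.e. `-r "${replication}" \`, `-c "cleanup.policy=compact" \`, `-c "retention.ms=-1"`. The existence checks use an unanchored `grep -q "$1"`, so `topic_exists "events"` also matches any topic whose name merely contains "events" and `acl_exists "User:rpc"` matches `User:rpc2`; and if `rpk acl user list` prints bare usernames rather than `User:`-prefixed principals the check never matches and the repeated `acl user create` fails the job on rerun, so verify the output format and anchor the match to the full name. The passwords are interpolated inside single quotes (`-p '${rpc_password}'`, `-p '${user.password}'`), so a password containing `'` breaks the script, and both `-p` and the `-X pass=` in `RPK_PARAMS` place credentials on the command line where they are visible in process listings inside the container.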
diff --git a/bootstrap/queue/create_topic_job.tf b/bootstrap/queue/setup_job.tf similarity index 52% rename from bootstrap/queue/create_topic_job.tf rename to bootstrap/queue/setup_job.tf index 28a4b2e..d927c9a 100644 --- a/bootstrap/queue/create_topic_job.tf +++ b/bootstrap/queue/setup_job.tf @@ -1,19 +1,45 @@ locals { - create_topic_job_name = "fabric-queue-create-topic" + setup_job_name = "fabric-queue-setup" + setup_configmap_name = "fabric-queue-setup-config" + replication = coalesce(var.replication, var.replicas) + events_topic = "events" } -resource "kubernetes_job_v1" "fabric_queue_create_topic" { - depends_on = [helm_release.redpanda] +resource "kubernetes_config_map_v1" "fabric_queue_setup_config" { + metadata { + name = local.setup_configmap_name + namespace = var.namespace + } + + data = { + "setup.sh" = "${templatefile( + "${path.module}/setup.sh.tftpl", + { + admin_username = var.admin_username + admin_password = var.admin_password + rpc_username = var.rpc_username + rpc_password = var.rpc_password + replication = local.replication + events_topic = local.events_topic + daemon_users = var.daemon_users + } + )}" + } +} + + +resource "kubernetes_job_v1" "fabric_queue_setup" { + depends_on = [helm_release.redpanda, kubernetes_config_map_v1.fabric_queue_setup_config] metadata { - name = local.create_topic_job_name + name = local.setup_job_name namespace = var.namespace } spec { template { metadata { labels = { - "demeter.run/instance" = local.create_topic_job_name + "demeter.run/instance" = local.setup_job_name } } spec { 
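Review bot: The rendered `setup.sh`, which embeds the admin password, the rpc password and every daemon user's password in clear text, is stored in a `kubernetes_config_map_v1` (`fabric_queue_setup_config`); ConfigMaps are not handled as secrets by Kubernetes RBAC or by most cluster tooling, so anyone with read access to ConfigMaps in `var.namespace` obtains all broker credentials. Store the rendered script in a `kubernetes_secret_v1` and mount it through a `secret` volume in the job instead, or keep the script credential-free and inject the passwords from an existing Secret as environment variables. The `"setup.sh" = "${templatefile(...)}"` entry wraps the call in a redundant interpolation; `"setup.sh" = templatefile(...)` is the idiomatic form, and recent Terraform versions warn about the wrapper. The `kubernetes_job_v1` resource opened at the end of this hunk continues into the next hunk.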
@@ -22,18 +48,9 @@ resource "kubernetes_job_v1" "fabric_queue_create_topic" { } container { - name = "main" - image = "docker.redpanda.com/redpandadata/redpanda:v23.3.18" - command = [ - "rpk", - "-X", "sasl.mechanism=SCRAM-SHA-256", - "-X", "user=${var.admin_username}", - "-X", "pass=${var.admin_password}", - "topic", "create", "events", - "-r", "${var.replicas}", - "-c", "cleanup.policy=compact", - "-c", "retention.ms=-1", - ] + name = "main" + image = "docker.redpanda.com/redpandadata/redpanda:v23.3.18" + command = ["/bin/sh", "/var/setup/setup.sh"] image_pull_policy = "Always" volume_mount { @@ -51,13 +68,18 @@ resource "kubernetes_job_v1" "fabric_queue_create_topic" { mount_path = "/etc/redpanda" } + volume_mount { + name = "setup" + mount_path = "/var/setup" + } + resources { limits = { - cpu = "500m" + cpu = "200m" memory = "512Mi" } requests = { - cpu = "500m" + cpu = "200m" memory = "512Mi" } } @@ -84,6 +106,13 @@ resource "kubernetes_job_v1" "fabric_queue_create_topic" { } } + volume { + name = "setup" + config_map { + name = local.setup_configmap_name + } + } + toleration { effect = "NoSchedule" key = "demeter.run/compute-profile" diff --git a/bootstrap/queue/values.yml.tftpl b/bootstrap/queue/values.yml.tftpl index f8af6e3..592878c 100644 --- a/bootstrap/queue/values.yml.tftpl +++ b/bootstrap/queue/values.yml.tftpl @@ -22,11 +22,6 @@ auth: - name: ${admin_username} password: ${admin_password} mechanism: SCRAM-SHA-256 - %{ for user in users } - - name: ${user.name} - password: ${user.password} - mechanism: SCRAM-SHA-256 - %{ endfor } # -- TLS settings. # https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/
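Review bot: The container in the `@@ -22,18 +48,9 @@` hunk now runs the mounted script with `command = ["/bin/sh", "/var/setup/setup.sh"]`, while the script itself (setup.sh.tftpl in this patch) declares `#!/bin/bash`; the shebang is ignored when the file is handed to an interpreter, so the script runs under whatever `/bin/sh` the redpanda image provides. The script body looks POSIX-compatible, so this is presumably harmless today, but the two should agree so a later bash-ism does not fail at job runtime: either change the shebang to `#!/bin/sh` or invoke it as `command = ["/bin/bash", "/var/setup/setup.sh"]`. Since the rendered script carries credentials, if the ConfigMap that backs it is ever replaced by a Secret, the `volume` block added in the `@@ -84,6 +106,13 @@` hunk must switch from `config_map` to `secret { secret_name = ... }`. The enclosing `kubernetes_job_v1` resource starts and ends outside this hunk.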