[terraform] #874: terraform module for AWS #942
Conversation
…se it is not required in the dependency.
…ource and worker node group
|
|
...oy/infrastructure/dependencies/terraform-aws-kubernetes/AWSLoadBalancerControllerPolicy.json
Show resolved
Hide resolved
deploy/infrastructure/dependencies/terraform-aws-kubernetes/README.md
Outdated
Show resolved
Hide resolved
| @@ -119,7 +120,7 @@ of this .pem file here as /public-certs/YOUR-KEY-NAME.pem replacing YOUR-KEY-NAM | |||
| if using the provided us-demo.pem, use the path /public-certs/us-demo.pem. Note that your .pem file should built | |||
| in the docker image or mounted manually. | |||
| Example: | |||
| ```json | |||
| ``` | |||
There was a problem hiding this comment.
nit: I'd recommend (substituting backticks where appropriate)
Example 1 (dummy auth):
'''json
{
public_key_pem_path = "/test-certs/auth2.pem"
}
'''
Example 2:
'''json
{
public_key_pem_path = "/jwt-public-certs/us-demo.pem"
}
'''
There was a problem hiding this comment.
They have to be backticks though (not apostrophes); I didn't put backticks in my recommendation because then the preview wouldn't have rendered correctly :)
deploy/infrastructure/dependencies/terraform-commons-dss/default_latest.tf
Outdated
Show resolved
Hide resolved
deploy/infrastructure/modules/terraform-aws-dss/terraform.dev.example.tfvars
Show resolved
Hide resolved
| @@ -147,23 +150,3 @@ variable "kubernetes_namespace" { | |||
| } | |||
| } | |||
|
|
|||
| variable "app_hostname" { | |||
There was a problem hiding this comment.
This whole block with app_hostname and crdb_hostname_suffix needs to be re-added back, this breaks terraform plan command.
There was a problem hiding this comment.
Thank you @hrishiballal for the feedback, may I kindly ask you to try again with the latest version of this branch. I just pushed a fix. The issue was introduced with 695e252. The problem should be solved. Tested planning with terraform-aws-dss and terraform-google-dss
| @@ -0,0 +1,74 @@ | |||
| # terraform-aws-dss | |||
There was a problem hiding this comment.
I'm not sure if we already talked about this or not, but these READMEs seem a little hidden down in the tree of directories. This might be for another PR, but I think there should be a README in the top level deploy directory that:
- quickly explains the
infrastructuredirectory contains terraform code for setting up k8s in different clouds - points to:
deploy/infrastructure/modules/terraform-aws-dss/README.mddeploy/infrastructure/modules/terraform-google-dss/README.md
There was a problem hiding this comment.
Sounds like the right moment to add the README indeed.
| 1. Install [terraform](https://developer.hashicorp.com/terraform/downloads). | ||
| 2. Install tools from [Prerequisites](../../../../build/README.md) | ||
| 3. Install provider specific tools: | ||
| 1. [Amazon Web Services](./README.md#amazon-web-services) |
There was a problem hiding this comment.
Isn't that a broken link? Where is it supposed to go?
There was a problem hiding this comment.
It is actually correct. Markdown creates an anchor for each titles and it can be reference using the url's fragment. In this case, it points to the next section in the same document.
This prepares the ground for an aggregated README with all cloud providers.
| If providing the access token public key via JWKS, do not provide this parameter. | ||
| If providing a .pem file directly as the public key to validate incoming access tokens, specify the name | ||
| of this .pem file here as /public-certs/YOUR-KEY-NAME.pem replacing YOUR-KEY-NAME as appropriate. For instance, | ||
| if using the provided us-demo.pem, use the path /public-certs/us-demo.pem. Note that your .pem file should built |
There was a problem hiding this comment.
I think this should be:
| if using the provided us-demo.pem, use the path /public-certs/us-demo.pem. Note that your .pem file should built | |
| if using the provided us-demo.pem, use the path /public-certs/us-demo.pem. Note that your .pem file should be built |
| @@ -0,0 +1,27 @@ | |||
| # This file is an example, please adapt it to your configuration. | |||
| # See TFVARS.md for full set of variables and related descriptions. | |||
There was a problem hiding this comment.
I think this should be:
| # See TFVARS.md for full set of variables and related descriptions. | |
| # See TFVARS.md for the full set of variables and related descriptions. |
| 6. In the new directory (ie /deploy/infrastructure/personal/terraform-aws-dss-dev), initialize terraform: `terraform init`. | ||
| 7. Run `terraform plan` to check that the configuration is valid. It will display the resources which will be provisioned. | ||
| 8. Run `terraform apply` to deploy the cluster. (This operation may take up to 15 min.) | ||
| 9. If `aws_route53_zone_id` was not provided, configure the DNS resolution to the public ip addresses and for SSL certificate validation. |
There was a problem hiding this comment.
I would recommend slightly rewording this: if aws_route53_zone_id is provided, please make sure that the domain or sub-domain in the Route 53 zone is mapped to Route53 via NS entries, e.g. see instuctitions for a sub-domain
There was a problem hiding this comment.
Thanks, I modified the description to point directly to the Setup DNS documentation and added a reference to domain delegation instructions (see aba1ddb)
| 2. Run `./get-credentials.sh` to login to kubernetes. You can now access the cluster with `kubectl`. | ||
| 3. Generate the certificates using `./make-certs.sh`. Follow script instructions if you are not initializing the cluster. | ||
| 4. Deploy the certificates using `./apply-certs.sh`. | ||
| 5. Run `tk apply .` to deploy the services to kubernetes. (This may take up to 30 min) |
There was a problem hiding this comment.
I am getting a Kubernetes version error here. Maybe AWS expects a particular version:
The output of kubectl version --client is below:
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.1", GitCommit:"8f94681cd294aa8cfd3407b8191f6c70214973a4", GitTreeState:"clean", BuildDate:"2023-01-18T15:58:16Z", GoVersion:"go1.19.5", Compiler:"gc", Platform:"linux/amd64"} Kustomize Version: v4.5.7
When I install kubectl version as 1.24.10-00 in Ubuntu it works no problems.
|
I can confirm that DSS installation works and having run the prober tests, they pass / work as well. |
| ## Clean up | ||
|
|
||
| 1. Note that the following operations can't be reverted and all data will be lost. | ||
| 2. To delete all resources, run `tk destroy .` in the workspace folder. |
There was a problem hiding this comment.
There is no command called tk destroy . , did you mean tk delete . ?
There was a problem hiding this comment.
For some reason, tanka is generating an error when I do tk delete .
There was a problem hiding this comment.
The deletion process works its just that tanka gives a error.
There was a problem hiding this comment.
Thanks, fixed in the documentation
This PR introduces a terraform module (
terraform-aws-dss) to deploy the DSS to AWS using Elastic Kubernetes Service.Summary of changes:
dependencies/terraform-aws-kubernetes. See terraform-aws-kubernetes/README for design notes.terraform-commons-dss: introduction of two variables (gateway_cert_nameandworkload_subnet) to support the new cloud provider and generate the correct tanka configuration.Tankamanifests have been updated to support google and aws specific kubernetes resources. Note that the changes to the metadata variables should be backward compatible.:and/) Scripts inbuild/have been updated to replace it by_.google_kubernetes_storage_classvariable has been removed fromterraform-google-kubernetessince it is not required by the dependency.The PR is quiet big, so please let me know if it is not manageable and I will break it down.