diff --git a/install/infra/modules/gke/cluster.tf b/install/infra/modules/gke/cluster.tf
new file mode 100644
index 00000000000000..a0f89054c88501
--- /dev/null
+++ b/install/infra/modules/gke/cluster.tf
@@ -0,0 +1,151 @@
+resource "google_service_account" "cluster_sa" {
+ account_id = local.gke_sa
+ display_name = "Service Account managed by TF for GKE cluster"
+}
+
+resource "google_project_iam_member" "gke-sa-iam-storage" {
+ for_each = local.gke_iam_roles
+
+ project = var.project
+ role = each.key
+ member = "serviceAccount:${google_service_account.cluster_sa.email}"
+}
+
+resource "google_container_cluster" "gitpod-cluster" {
+ name = var.cluster_name
+ location = var.zone == null ? var.region : var.zone
+
+ min_master_version = var.cluster_version
+
+ remove_default_node_pool = true
+
+ network = google_compute_network.vpc.name
+ subnetwork = google_compute_subnetwork.subnet.name
+
+ initial_node_count = 1
+ release_channel {
+ channel = "UNSPECIFIED"
+ }
+
+ ip_allocation_policy {
+ cluster_secondary_range_name = "cluster-secondary-ip-range"
+ services_secondary_range_name = "services-secondary-ip-range"
+ }
+
+ network_policy {
+ enabled = true
+ provider = "CALICO"
+ }
+
+ addons_config {
+ http_load_balancing {
+ disabled = false
+ }
+
+ horizontal_pod_autoscaling {
+ disabled = false
+ }
+
+ dns_cache_config {
+ enabled = true
+ }
+ }
+}
+
+resource "google_container_node_pool" "services" {
+ name = "services-${var.cluster_name}"
+ location = google_container_cluster.gitpod-cluster.location
+ cluster = google_container_cluster.gitpod-cluster.name
+ version = var.cluster_version // kubernetes version
+ initial_node_count = 1
+ max_pods_per_node = 110
+
+ node_config {
+ service_account = google_service_account.cluster_sa.email
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform"
+ ]
+
+ labels = {
+ "gitpod.io/workload_meta" = true
+ "gitpod.io/workload_ide" = true
+ }
+
+ preemptible = false
+ image_type = "UBUNTU_CONTAINERD"
+ disk_type = "pd-ssd"
+ disk_size_gb = var.services_disk_size_gb
+ machine_type = var.services_machine_type
+ tags = ["gke-node", "${var.project}-gke"]
+ metadata = {
+ disable-legacy-endpoints = "true"
+ }
+ }
+
+ autoscaling {
+ min_node_count = 1
+ max_node_count = var.max_node_count_services
+ }
+
+ management {
+ auto_repair = true
+ auto_upgrade = false
+ }
+}
+
+resource "google_container_node_pool" "workspaces" {
+ name = "workspaces-${var.cluster_name}"
+ location = google_container_cluster.gitpod-cluster.location
+ cluster = google_container_cluster.gitpod-cluster.name
+ version = var.cluster_version // kubernetes version
+ initial_node_count = 1
+ max_pods_per_node = 110
+
+ node_config {
+ service_account = google_service_account.cluster_sa.email
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform"
+ ]
+
+ labels = {
+ "gitpod.io/workload_workspace_services" = true
+ "gitpod.io/workload_workspace_regular" = true
+ "gitpod.io/workload_workspace_headless" = true
+ }
+
+ preemptible = false
+ image_type = "UBUNTU_CONTAINERD"
+ disk_type = "pd-ssd"
+ disk_size_gb = var.workspaces_disk_size_gb
+ machine_type = var.workspaces_machine_type
+ tags = ["gke-node", "${var.project}-gke"]
+ metadata = {
+ disable-legacy-endpoints = "true"
+ }
+ }
+
+ autoscaling {
+ min_node_count = 1
+ max_node_count = var.max_node_count_workspaces
+ }
+
+ management {
+ auto_repair = true
+ auto_upgrade = false
+ }
+}
+
+module "gke_auth" {
+ depends_on = [google_container_node_pool.workspaces]
+
+ source = "terraform-google-modules/kubernetes-engine/google//modules/auth"
+
+ project_id = var.project
+ location = google_container_cluster.gitpod-cluster.location
+ cluster_name = var.cluster_name
+}
+
+resource "local_file" "kubeconfig" {
+ filename = var.kubeconfig
+ content = module.gke_auth.kubeconfig_raw
+}
diff --git a/install/infra/modules/gke/database.tf b/install/infra/modules/gke/database.tf
new file mode 100644
index 00000000000000..3065eed368f13a
--- /dev/null
+++ b/install/infra/modules/gke/database.tf
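Review bot: The node service account `cluster_sa` is bound project-wide to every role in `local.gke_iam_roles` (local.tf), which includes `roles/storage.admin` and `roles/container.admin`, and both node pools expose it through the `cloud-platform` scope with no `workload_identity_config` on the cluster, so any pod scheduled on the `workspaces` pool that can reach the node metadata server can obtain a token that administers every GKE cluster and every bucket in the project, including the Terraform state bucket. Trim the set to what node VMs need (`roles/logging.logWriter`, `roles/monitoring.metricWriter`, `roles/storage.objectViewer` for image pulls) and give workloads their own identities via Workload Identity; the blocks below enable it on the cluster and on the `services` pool (repeat `workload_metadata_config` in `workspaces`; on provider v3 the attribute names differ). Separately, `release_channel "UNSPECIFIED"` together with `auto_upgrade = false` means node images only change when `var.cluster_version` is bumped, so OS and kubelet patches are a manual step — worth a comment on the `management` block if that is intended.
```hcl
resource "google_container_cluster" "gitpod-cluster" {
  // … unchanged: name, location, network, addons_config …

  workload_identity_config {
    workload_pool = "${var.project}.svc.id.goog"
  }
}

resource "google_container_node_pool" "services" {
  // … unchanged: name, location, cluster, version …
  node_config {
    service_account = google_service_account.cluster_sa.email

    // pods get their own identity via Workload Identity instead of the node SA token
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
    // … unchanged: oauth_scopes, labels, disk, machine_type, tags, metadata …
  }
  // … unchanged: autoscaling, management …
}
```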
@@ -0,0 +1,61 @@
+resource "google_service_account" "db_sa" {
+ count = var.enable_external_database ? 1 : 0
+
+ account_id = local.db_sa
+ display_name = "Service Account managed by TF for object storage"
+}
+
+resource "google_project_iam_member" "db-sa-iam" {
+ count = var.enable_external_database ? 1 : 0
+
+ project = var.project
+ role = "roles/cloudsql.client"
+
+ member = "serviceAccount:${google_service_account.db_sa[count.index].email}"
+}
+
+resource "google_service_account_key" "db_sa_key" {
+ count = var.enable_external_database ? 1 : 0
+
+ service_account_id = google_service_account.db_sa[count.index].name
+}
+
+resource "random_string" "random" {
+ length = 4
+ upper = false
+ special = false
+}
+
+resource "google_sql_database_instance" "gitpod" {
+ count = var.enable_external_database ? 1 : 0
+ name = "sql-${var.cluster_name}-${random_string.random.result}" // we cannot reuse the same name for 1 week
+ database_version = "MYSQL_5_7"
+ region = var.region
+ settings {
+ tier = "db-n1-standard-2"
+ }
+ deletion_protection = false
+}
+
+resource "random_password" "password" {
+ count = var.enable_external_database ? 1 : 0
+
+ length = 16
+ special = true
+ override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+resource "google_sql_database" "database" {
+ count = var.enable_external_database ? 1 : 0
+ name = "gitpod"
+ instance = google_sql_database_instance.gitpod[count.index].name
+ charset = "utf8"
+ collation = "utf8_general_ci"
+}
+
+resource "google_sql_user" "users" {
+ count = var.enable_external_database ? 1 : 0
+ name = "gitpod"
+ instance = google_sql_database_instance.gitpod[count.index].name
+ password = random_password.password[count.index].result
+}
diff --git a/install/infra/modules/gke/dns.tf b/install/infra/modules/gke/dns.tf
new file mode 100644
index 00000000000000..7f2ad63e9433ca
--- /dev/null
+++ b/install/infra/modules/gke/dns.tf
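Review bot: `google_service_account_key.db_sa_key` (and likewise `dns_sa_key` in dns.tf and `obj_sa_key` in registry.tf) mints a long-lived JSON key whose private half is stored unencrypted in the Terraform state and then re-exported through output.tf, so whoever can read the state bucket holds every credential this module creates; if keys are unavoidable, add a `keepers` map so they can be rotated by bumping a value, and restrict the state bucket to the deploying identity. The `display_name` on `db_sa` says "for object storage", a copy-paste from registry.tf — `display_name = "Service Account managed by TF for Cloud SQL"`. `google_sql_database_instance.gitpod` sets no `settings.ip_configuration`, so network exposure is whatever the provider defaults to; since the Makefile tells users to reach it through the Cloud SQL Proxy, `ip_configuration { require_ssl = true }` is a cheap floor, and moving to private IP would additionally need the VPC peering that private services access requires. Finally, `deletion_protection = false` with no `backup_configuration` means a mistaken `destroy` removes the data irreversibly; if that is deliberate for a throwaway installer, say so in a comment on the line.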
@@ -0,0 +1,33 @@
+resource "google_service_account" "dns_sa" {
+ count = var.domain_name == null ? 0 : 1
+
+ account_id = local.dns_sa
+ display_name = "Service Account managed by TF for DNS"
+}
+
+resource "google_project_iam_member" "dns-sa-iam" {
+ count = var.domain_name == null ? 0 : 1
+
+ project = var.project
+ role = "roles/dns.admin"
+
+ member = "serviceAccount:${google_service_account.dns_sa[count.index].email}"
+}
+
+resource "google_service_account_key" "dns_sa_key" {
+ count = var.domain_name == null ? 0 : 1
+
+ service_account_id = google_service_account.dns_sa[count.index].name
+}
+
+resource "google_dns_managed_zone" "gitpod-dns-zone" {
+ count = var.domain_name == null ? 0 : 1
+
+ name = "zone-${var.cluster_name}"
+ dns_name = "${var.domain_name}."
+ description = "Terraform managed DNS zone for ${var.cluster_name}"
+ force_destroy = true
+ labels = {
+ app = "gitpod"
+ }
+}
diff --git a/install/infra/modules/gke/local.tf b/install/infra/modules/gke/local.tf
new file mode 100644
index 00000000000000..22d2861fd9ec85
--- /dev/null
+++ b/install/infra/modules/gke/local.tf
@@ -0,0 +1,19 @@
+locals {
+ gke_sa = "gke-sa-${var.cluster_name}"
+ gke_iam_roles = toset([
+ "roles/storage.admin",
+ "roles/logging.logWriter",
+ "roles/monitoring.metricWriter",
+ "roles/container.admin"
+ ])
+
+ obj_sa = "obj-sa-${var.cluster_name}"
+ obj_iam_roles = var.enable_external_registry ? toset([
+ "roles/storage.admin",
+ "roles/storage.objectAdmin",
+ ]) : []
+
+ db_sa = "db-sa-${var.cluster_name}"
+
+ dns_sa = "dns-sa-${var.cluster_name}"
+}
diff --git a/install/infra/modules/gke/main.tf b/install/infra/modules/gke/main.tf
index d51a62e05258d2..f07b127cb3628f 100644
--- a/install/infra/modules/gke/main.tf
+++ b/install/infra/modules/gke/main.tf
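Review bot: `dns-sa-iam` grants `roles/dns.admin` on the whole project to an account whose key leaves the module via the `dns_credentials` output and ends up in two in-cluster secrets (cert-manager's DNS-01 solver and external-dns), so a compromise of either namespace yields write access to every zone in the project, not just `gitpod-dns-zone`. If the provider version in use offers per-zone bindings (`google_dns_managed_zone_iam_member`), bind the role on `google_dns_managed_zone.gitpod-dns-zone[0]` instead; otherwise keep DNS in a project that holds nothing else. `force_destroy = true` also means `terraform destroy` removes every record in the zone, including ones added by external-dns or by hand; that is reasonable for an installer but deserves a line such as `// force_destroy: teardown deletes all records in the zone, including ones created outside Terraform`.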
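Review bot: `obj_iam_roles` binds both `roles/storage.admin` and `roles/storage.objectAdmin`, and the second is a strict subset of the first, so the extra binding adds audit noise without capability; drop `"roles/storage.objectAdmin",` or, better, replace the project-level `storage.admin` with a `google_storage_bucket_iam_member` on the bucket(s) this account actually writes. The false branch `: []` is an empty tuple while the true branch is a set of strings; Terraform unifies the types, but `: toset([])` states the `for_each` contract explicitly. A short comment on `gke_iam_roles` explaining why node VMs need `roles/container.admin` and `roles/storage.admin` would help, since those are the two entries any reviewer will question.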
@@ -2,231 +2,8 @@ terraform { required_version = ">= 1.0.3" } -terraform { - backend "gcs" { - bucket = "gitpod-gke" - prefix = "tf-state" - } -} - provider "google" { project = var.project - credentials = var.credentials region = var.region zone = var.zone } - -resource "google_compute_network" "vpc" { - name = "vpc-${var.cluster_name}" - auto_create_subnetworks = "false" -} - -resource "google_compute_subnetwork" "subnet" { - name = "subnet-${var.cluster_name}" - region = var.region - network = google_compute_network.vpc.name - ip_cidr_range = "10.255.0.0/16" - - secondary_ip_range { - range_name = "cluster-secondary-ip-range" - ip_cidr_range = "10.0.0.0/12" - } - - secondary_ip_range { - range_name = "services-secondary-ip-range" - ip_cidr_range = "10.64.0.0/12" - } -} - -resource "google_container_cluster" "gitpod-cluster" { - name = var.cluster_name - location = var.zone == null ? var.region : var.zone - - min_master_version = var.cluster_version - - remove_default_node_pool = true - - network = google_compute_network.vpc.name - subnetwork = google_compute_subnetwork.subnet.name - - initial_node_count = 1 - release_channel { - channel = "UNSPECIFIED" - } - - ip_allocation_policy { - cluster_secondary_range_name = "cluster-secondary-ip-range" - services_secondary_range_name = "services-secondary-ip-range" - } - - network_policy { - enabled = true - provider = "CALICO" - } - - addons_config { - http_load_balancing { - disabled = false - } - - horizontal_pod_autoscaling { - disabled = false - } - - dns_cache_config { - enabled = true - } - } -} - -resource "google_container_node_pool" "services" { - name = "services-${var.cluster_name}" - location = google_container_cluster.gitpod-cluster.location - cluster = google_container_cluster.gitpod-cluster.name - version = var.cluster_version // kubernetes version - initial_node_count = 1 - max_pods_per_node = 110 - - node_config { - oauth_scopes = [ - "https://www.googleapis.com/auth/cloud-platform" - ] - - labels = { - 
"gitpod.io/workload_meta" = true - "gitpod.io/workload_ide" = true - } - - preemptible = false - image_type = "UBUNTU_CONTAINERD" - disk_type = "pd-ssd" - disk_size_gb = var.services_disk_size_gb - machine_type = var.services_machine_type - tags = ["gke-node", "${var.project}-gke"] - metadata = { - disable-legacy-endpoints = "true" - } - } - - autoscaling { - min_node_count = 1 - max_node_count = var.max_node_count_services - } - - management { - auto_repair = true - auto_upgrade = false - } -} - -resource "google_container_node_pool" "workspaces" { - name = "workspaces-${var.cluster_name}" - location = google_container_cluster.gitpod-cluster.location - cluster = google_container_cluster.gitpod-cluster.name - version = var.cluster_version // kubernetes version - initial_node_count = 1 - max_pods_per_node = 110 - - node_config { - oauth_scopes = [ - "https://www.googleapis.com/auth/cloud-platform" - ] - - labels = { - "gitpod.io/workload_workspace_services" = true - "gitpod.io/workload_workspace_regular" = true - "gitpod.io/workload_workspace_headless" = true - } - - preemptible = false - image_type = "UBUNTU_CONTAINERD" - disk_type = "pd-ssd" - disk_size_gb = var.workspaces_disk_size_gb - machine_type = var.workspaces_machine_type - tags = ["gke-node", "${var.project}-gke"] - metadata = { - disable-legacy-endpoints = "true" - } - } - - autoscaling { - min_node_count = 1 - max_node_count = var.max_node_count_workspaces - } - - management { - auto_repair = true - auto_upgrade = false - } -} - -resource "random_string" "random" { - length = 4 - upper = false - special = false -} - -resource "google_sql_database_instance" "gitpod" { - count = var.enable_external_database ? 
1 : 0 - name = "sql-${var.cluster_name}-${random_string.random.result}" // we cannot reuse the same name for 1 week - database_version = "MYSQL_5_7" - region = var.region - settings { - tier = "db-n1-standard-2" - } - deletion_protection = false -} - -resource "random_password" "password" { - count = var.enable_external_database ? 1 : 0 - - length = 16 - special = true - override_special = "!#$%&*()-_=+[]{}<>:?" -} - -resource "google_sql_database" "database" { - count = var.enable_external_database ? 1 : 0 - name = "gitpod" - instance = google_sql_database_instance.gitpod[count.index].name - charset = "utf8" - collation = "utf8_general_ci" -} - -resource "google_sql_user" "users" { - count = var.enable_external_database ? 1 : 0 - name = "gitpod" - instance = google_sql_database_instance.gitpod[count.index].name - password = random_password.password[count.index].result -} - -resource "google_dns_managed_zone" "gitpod-dns-zone" { - count = var.domain_name == null ? 0 : 1 - - name = "zone-${var.cluster_name}" - dns_name = "${var.domain_name}." - description = "Terraform managed DNS zone for ${var.cluster_name}" - force_destroy = true - labels = { - app = "gitpod" - } -} - -data "google_container_registry_repository" "gitpod" { - count = var.enable_external_registry ? 1 : 0 -} - -module "gke_auth" { - depends_on = [google_container_node_pool.workspaces] - - source = "terraform-google-modules/kubernetes-engine/google//modules/auth" - - project_id = var.project - location = google_container_cluster.gitpod-cluster.location - cluster_name = var.cluster_name -} - -resource "local_file" "kubeconfig" { - filename = var.kubeconfig - content = module.gke_auth.kubeconfig_raw -} diff --git a/install/infra/modules/gke/network.tf b/install/infra/modules/gke/network.tf new file mode 100644 index 00000000000000..560bddf86276ce --- /dev/null +++ b/install/infra/modules/gke/network.tf 
@@ -0,0 +1,21 @@ +resource "google_compute_network" "vpc" { + name = "vpc-${var.cluster_name}" + auto_create_subnetworks = "false" +} + +resource "google_compute_subnetwork" "subnet" { + name = "subnet-${var.cluster_name}" + region = var.region + network = google_compute_network.vpc.name + ip_cidr_range = "10.255.0.0/16" + + secondary_ip_range { + range_name = "cluster-secondary-ip-range" + ip_cidr_range = "10.0.0.0/12" + } + + secondary_ip_range { + range_name = "services-secondary-ip-range" + ip_cidr_range = "10.64.0.0/12" + } +} diff --git a/install/infra/modules/gke/output.tf b/install/infra/modules/gke/output.tf index 1b47e86ac098d4..0bd8f6ec582a8e 100644 --- a/install/infra/modules/gke/output.tf +++ b/install/infra/modules/gke/output.tf @@ -28,7 +28,7 @@ output "database" { instance = "${var.project}:${var.region}:${google_sql_database_instance.gitpod[0].name}" username = "${google_sql_user.users[0].name}" password = random_password.password[0].result - service_account_key = "Upload the JSON file corresponding the service account credentials" + service_account_key = base64decode(google_service_account_key.db_sa_key[0].private_key) }, "No database created") } 
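Review bot: `google_compute_subnetwork.subnet` leaves `private_ip_google_access` unset (default false), and the cluster built on it in cluster.tf has neither `private_cluster_config` nor `master_authorized_networks_config`, so nodes keep external addresses by default and the control-plane endpoint accepts connections from any source address, guarded only by the cluster credentials in the generated kubeconfig. Setting `private_ip_google_access = true` here costs nothing and is a prerequisite for later making the node pools private. If the public layout is intentional for this installer, a comment on the subnet block (e.g. `// nodes and API endpoint are public by design; see cluster.tf`) would stop the next reviewer from raising it again; VPC flow logs (`log_config`) are also absent, which only matters if you rely on them for detection.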
@@ -38,15 +38,20 @@ output "registry" { url = data.google_container_registry_repository.gitpod[0].repository_url server = regex("[^/?#]*", data.google_container_registry_repository.gitpod[0].repository_url) username = "_json_key" - password = "Copy paste the content of the service account credentials JSON file" + password = base64decode(google_service_account_key.obj_sa_key[0].private_key) }, "No container registry created") } +output "dns_credentials" { + sensitive = true + value = var.domain_name == null ? "" : base64decode(google_service_account_key.dns_sa_key[0].private_key) +} + output "storage" { sensitive = true value = try({ - region = var.region - project = var.project - credentials = "Upload the JSON file corresponding the service account credentials" + region = var.region + project = var.project + service_account_key = base64decode(google_service_account_key.obj_sa_key[0].private_key) }, "No GCS bucket created for object storage") } diff --git a/install/infra/modules/gke/registry.tf b/install/infra/modules/gke/registry.tf new file mode 100644 index 00000000000000..d8239f987ef63a --- /dev/null +++ b/install/infra/modules/gke/registry.tf @@ -0,0 +1,24 @@ +resource "google_service_account" "object_storage_sa" { + count = var.enable_external_registry ? 1 : 0 + + account_id = local.obj_sa + display_name = "Service Account managed by TF for object storage" +} + +resource "google_project_iam_member" "obj-sa-iam-admin" { + for_each = local.obj_iam_roles + + project = var.project + role = each.key + member = "serviceAccount:${google_service_account.object_storage_sa[0].email}" +} + +resource "google_service_account_key" "obj_sa_key" { + count = var.enable_external_registry ? 1 : 0 + + service_account_id = google_service_account.object_storage_sa[count.index].name +} + +data "google_container_registry_repository" "gitpod" { + count = var.enable_external_registry ? 1 : 0 +} 
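Review bot: `output "dns_credentials"` returns `""` rather than `null` when `var.domain_name` is unset, but the consumer wired in tools.tf gates on `== null` (`count = var.gcp_credentials == null ? 0 : 1` in issuer/main.tf), so a domain-less install still creates a `clouddns-dns01-solver` secret whose `keys.json` is an empty string. Returning `value = var.domain_name == null ? null : base64decode(google_service_account_key.dns_sa_key[0].private_key)` keeps that count at zero; the `external_dns` secret in cloud-dns-external-dns/main.tf appears to have no gate at all (its resource header is outside the hunk), so it would need one as well before a null value reaches its `data` map. The `try(...)` wrappers on `registry` and `storage` degrade to a string on their own, so this is the only output with the mismatch; whether `registry` and `database` are declared `sensitive = true` is not visible here, and now that they carry raw private keys they must be.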
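Review bot: `obj-sa-iam-admin` binds `roles/storage.admin` at project level for an account whose only visible job is pushing to GCR and holding workspace object storage, so the key handed to the installer through the `registry` and `storage` outputs can also read and rewrite every other bucket in the project — including the GCS backend that holds this module's state and the other keys. Bind on the buckets it needs instead, e.g. a `google_storage_bucket_iam_member` with `role = "roles/storage.admin"` on the GCR bucket (`artifacts.${var.project}.appspot.com` once the registry exists) and on the object-storage bucket, leaving `local.obj_iam_roles` for roles that are genuinely project-wide. Since storage.tf is added empty, nothing here creates the object-storage bucket; a one-line comment on `object_storage_sa` saying that it serves both registry push and workspace storage would explain why its `count` follows `enable_external_registry` alone.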
diff --git a/install/infra/modules/gke/storage.tf b/install/infra/modules/gke/storage.tf new file mode 100644 index 00000000000000..e69de29bb2d1d6 diff --git a/install/infra/modules/gke/variables.tf b/install/infra/modules/gke/variables.tf index 680ecb3c7b9ccb..0ec984d2fa527c 100644 --- a/install/infra/modules/gke/variables.tf +++ b/install/infra/modules/gke/variables.tf @@ -68,11 +68,6 @@ variable "workspaces_disk_size_gb" { default = 512 } -variable "credentials" { - description = "Path to the JSON file storing Google service account credentials" - default = "" -} - variable "domain_name" { description = "Domain name register with Cloud DNS, leave empty if you want to manage it yourself" default = null diff --git a/install/infra/modules/tools/cert-manager/main.tf b/install/infra/modules/tools/cert-manager/main.tf index c19f364cb6ccea..d8467cbbd9b51c 100644 --- a/install/infra/modules/tools/cert-manager/main.tf +++ b/install/infra/modules/tools/cert-manager/main.tf @@ -39,29 +39,3 @@ resource "helm_release" "cert" { command = "echo 'Waiting for cert-manager validating webhook to get its CA injected, so we can start to apply custom resources ...' && sleep 60" } } - -# the following is only for GCP managed DNS setup - -data local_file "gcp_credentials" { - count = var.credentials == null ? 0 : 1 - filename = var.credentials -} - -provider "kubernetes" { - config_path = var.kubeconfig -} - -resource "kubernetes_secret" "dns_solver" { - count = var.credentials == null ? 0 : 1 - depends_on = [ - helm_release.cert, - data.local_file.gcp_credentials, - ] - metadata { - name = "clouddns-dns01-solver" - namespace = "cert-manager" - } - data = { - "keys.json" = "${data.local_file.gcp_credentials[0].content}" - } -} diff --git a/install/infra/modules/tools/cert-manager/variables.tf b/install/infra/modules/tools/cert-manager/variables.tf index 765a5f288e2979..5ea319dcea4b34 100644 --- a/install/infra/modules/tools/cert-manager/variables.tf 
+++ b/install/infra/modules/tools/cert-manager/variables.tf @@ -2,8 +2,3 @@ variable "kubeconfig" { description = "Path to the KUBECONFIG file to connect to the cluster" default = "./kubeconfig" } - -variable "credentials" { - description = "Path to the JSON file storing Google SA keyfile to grant access to managed DNS usage(do not provide if not using managed DNS)" - default = null -} diff --git a/install/infra/modules/tools/cloud-dns-external-dns/main.tf b/install/infra/modules/tools/cloud-dns-external-dns/main.tf index 75c2d79bf6f38c..bf991dfe3c619d 100644 --- a/install/infra/modules/tools/cloud-dns-external-dns/main.tf +++ b/install/infra/modules/tools/cloud-dns-external-dns/main.tf @@ -2,17 +2,6 @@ provider "kubernetes" { config_path = var.kubeconfig } -data local_file "gcp_credentials" { - filename = var.credentials -} - -provider "google" { - credentials = var.credentials - project = var.project - region = var.region - zone = var.zone -} - provider "helm" { kubernetes { config_path = var.kubeconfig @@ -35,7 +24,7 @@ resource "kubernetes_secret" "external_dns" { namespace = "external-dns" } data = { - "credentials.json" = data.local_file.gcp_credentials.content + "credentials.json" = var.credentials } } diff --git a/install/infra/modules/tools/cloud-dns-external-dns/variables.tf b/install/infra/modules/tools/cloud-dns-external-dns/variables.tf index ba90701864c37d..bc9e11a11dfbf2 100644 --- a/install/infra/modules/tools/cloud-dns-external-dns/variables.tf +++ b/install/infra/modules/tools/cloud-dns-external-dns/variables.tf 
@@ -3,23 +3,12 @@ variable "kubeconfig" { default = "./kubeconfig" } -variable "project" { - description = "Google cloud Region to perform operations in" - default = "dns-for-playgrounds" -} - -variable "region" { - description = "Google cloud Region to perform operations in" - default = "europe-west1" -} - -variable "zone" { - description = "Google cloud Zone to perform operations in" - default = "europe-west1-d" +variable "credentials" { + description = "Google service account credentials" } -variable "credentials" { - description = "Path to the JSON file storing Google service account credentials" +variable "project" { + description = "GCP project to associate with" } variable "txt_owner_id" { diff --git a/install/infra/modules/tools/issuer/main.tf b/install/infra/modules/tools/issuer/main.tf index 5f12d9eec0f6f7..a33798b9a1150f 100644 --- a/install/infra/modules/tools/issuer/main.tf +++ b/install/infra/modules/tools/issuer/main.tf @@ -2,7 +2,7 @@ provider "kubernetes" { config_path = var.kubeconfig } -resource "kubernetes_secret" "dns_solver" { +resource "kubernetes_secret" "aws_dns_solver" { count = var.secretAccessKey == null ? 0 : 1 metadata { name = "route53-credentials" @@ -13,6 +13,20 @@ resource "kubernetes_secret" "dns_solver" { } } +# the following is only for GCP managed DNS setup + +resource "kubernetes_secret" "gcp_dns_solver" { + count = var.gcp_credentials == null ? 0 : 1 + + metadata { + name = "clouddns-dns01-solver" + namespace = "cert-manager" + } + data = { + "keys.json" = var.gcp_credentials + } +} + resource "kubernetes_manifest" "clusterissuer_gitpod" { manifest = { diff --git a/install/infra/modules/tools/issuer/variables.tf b/install/infra/modules/tools/issuer/variables.tf index eaa5a4346c2fc5..686d1a7a6f67ec 100644 --- a/install/infra/modules/tools/issuer/variables.tf +++ b/install/infra/modules/tools/issuer/variables.tf 
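Review bot: `variable "credentials"` now receives the service-account key JSON itself (tools.tf passes `module.gke.dns_credentials`, and main.tf writes it straight into `credentials.json`), but it is not declared `sensitive = true`, so the key is echoed in `terraform plan`/`apply` output and CI logs whenever the secret changes; the same applies to `variable "gcp_credentials"` added in issuer/variables.tf. Add `sensitive = true` to both and make the description say what is expected, e.g. `description = "Contents (not a path) of the Google service account key JSON used by external-dns"`, because the previous variable of the same name took a file path and callers migrating from it will otherwise hand over a path string that ends up inside the secret.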
@@ -11,6 +11,10 @@ variable "secretAccessKey" { default = null } +variable "gcp_credentials" { + default = null +} + variable "issuer_name" { default = "route53" } diff --git a/install/infra/single-cluster/gcp/Makefile b/install/infra/single-cluster/gcp/Makefile index 97df445ff63c0c..41d0a7546c1698 100644 --- a/install/infra/single-cluster/gcp/Makefile +++ b/install/infra/single-cluster/gcp/Makefile 
@@ -51,33 +51,49 @@ output-url: output-nameservers: @echo "" - @echo "Nameservers for the domain(to be added as NS records in your domain provider):" + @echo "🟢 Nameservers for the domain(to be added as NS records in your domain provider):" @echo "=================" @terraform output -json nameservers | jq output-storage: @echo "" - @echo "Object storage:" + @echo "🟢 Object storage:" @echo "==============" - @terraform output -json storage | jq + @echo "Choose 'GCP' Storage provider" + @echo "" + @echo "Storage region = $$(terraform output -json storage | yq r - region)" + @echo "Project ID = $$(terraform output -json storage | yq r - project)" + @echo "Service account key = Upload the file 'gs-credentials.json' created in this directory" + @terraform output -json storage | yq r - service_account_key > gs-credentials.json + @echo "" output-registry: @echo "" - @echo "GCR registry:" + @echo "🟢 GCR registry:" @echo "==================" - @terraform output -json registry | jq + @echo "Container registry URL = $$(terraform output -json registry | yq r - url)" + @echo "Container registry server = $$(terraform output -json registry | yq r - server)" + @echo "Container registry username = $$(terraform output -json registry | yq r - username)" + @echo "Container registry password = Copy paste the following JSON key" + @echo "" + @terraform output -json registry | yq r - password output-database: @echo "" - @echo "Database:" + @echo "🟢 Database:" @echo "========" @echo "Tick the option 'Use Google Cloud SQL Proxy' if using this database" - @terraform output -json database | jq + @echo "" + @echo "CloudSQL connection name = $$(terraform output -json database | yq r - instance)" + @echo "Username = $$(terraform output -json database | yq r - username)" + @echo "Password = $$(terraform output -json database | yq r - password)" + @echo "GCP service account key = Upload the file 'mysql-credentials.json' created in this directory" + @terraform output -json database | yq r - 
service_account_key > mysql-credentials.json @echo "" output-issuer: @echo "" - @echo "ClusterIssuer name:" + @echo "🟢 ClusterIssuer name:" @echo "=================" @terraform output -json cluster_issuer | jq diff --git a/install/infra/single-cluster/gcp/README.md b/install/infra/single-cluster/gcp/README.md index 751e97d26f90bf..9917f7f5ffa845 100644 --- a/install/infra/single-cluster/gcp/README.md +++ b/install/infra/single-cluster/gcp/README.md @@ -37,11 +37,11 @@ Before starting the installation process, you need: * Store the JSON credentials corresponding to the service account locally in a file * Create and configure GCS bucket for terraform backend * Create a [GCS bucket](https://cloud.google.com/storage) to store the terraform backend state - * Replace the name of the bucket in [`main.tf`](./main.tf) - currently it is set as `gitpod-tf` - * Provide [credentials to access the bucket](https://www.terraform.io/language/settings/backends/gcs#credentials) for terraform by running: - ``` - export GOOGLE_BACKEND_CREDENTIALS=/path/to/the/account/key.json - ``` + * Replace the name of the bucket in [`main.tf`](./main.tf) - currently there is this placeholder there `` +* Set the environment variable `GOOGLE_APPLICATION_CREDENTIALS` to point to the downloaded JSON key of the service account to authenticate terraform: + ``` + export GOOGLE_APPLICATION_CREDENTIALS=/path/to/account/key.json + ``` ## Update the `terraform.tfvars` file with appropriate values 
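Review bot: `output-storage` and `output-database` now write the decoded service-account keys to `gs-credentials.json` and `mysql-credentials.json` in the working directory, and nothing in the change adds those names to a `.gitignore` or restricts their mode, so a `git add .` in `install/infra/single-cluster/gcp` commits live keys. Add both names (and the generated `kubeconfig`) to the directory's `.gitignore` and tighten the files on creation, e.g. `@terraform output -json storage | yq r - service_account_key > gs-credentials.json && chmod 600 gs-credentials.json`. The switch from `jq` to `yq r -` also ties these targets to yq's v3 command syntax (v4 dropped `r`), while `jq -r .service_account_key` would parse the same JSON with the tool `output-nameservers` and `output-issuer` already require.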
@@ -50,13 +50,14 @@ by terraform to create the cluster. While some of them are fairly straightforward like the name of the cluster(`cluster_name`), others need a bit more attention: -### Credentials and project configuration +### Project configuration To configure against a standing GCP account, we expect the the key corresponding to the service account stored as a JSON file. The path to the JSON file is -expected to be provided as a value to the `credentials` field. Alongside, one is +expected to be set as value to the environment variable `GOOGLE_APPLICATION_CREDENTIALS` as explained above. +Alongside, one is expected to provide the name of the project(`project` field) corresponding to -this service account and region in with the cluster to be created(`region` +this service account and region in with the cluster is to be created(`region` field). If you want your cluster to be zonal(only existing in one zone), you can provide a zone corresponding to the project(`zone` field), else the cluster will be regional. diff --git a/install/infra/single-cluster/gcp/cluster.tf b/install/infra/single-cluster/gcp/cluster.tf index 136cc795198dd5..92e6f352dfbd2b 100644 --- a/install/infra/single-cluster/gcp/cluster.tf +++ b/install/infra/single-cluster/gcp/cluster.tf @@ -1,7 +1,6 @@ module "gke" { source = "../../modules/gke" - credentials = var.credentials cluster_name = var.cluster_name kubeconfig = var.kubeconfig cluster_version = var.cluster_version diff --git a/install/infra/single-cluster/gcp/main.tf b/install/infra/single-cluster/gcp/main.tf index 4cfce62d2aacfb..483cd7a8295044 100644 --- a/install/infra/single-cluster/gcp/main.tf +++ b/install/infra/single-cluster/gcp/main.tf @@ -1,6 +1,6 @@ terraform { backend "gcs" { - bucket = "gitpod-tf" + bucket = "" prefix = "gcp/terraform.state" } diff --git a/install/infra/single-cluster/gcp/terraform.tfvars b/install/infra/single-cluster/gcp/terraform.tfvars index 76d013a58b3233..319865272cb33a 100644 
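Review bot: `bucket = ""` in the `gcs` backend makes `terraform init` fail until the user edits main.tf, and the README hunk points at the placeholder with an empty code span, so the instruction is easy to miss. A partial backend configuration keeps the file untouched and the bucket name out of the repo: omit `bucket` from the block and document `terraform init -backend-config="bucket=<your-state-bucket>"`, or keep the attribute with a comment such as `bucket = "" // set to your state bucket, or pass -backend-config=bucket=...`. Since that bucket will now hold the service-account private keys exported by the gke module, the README should also tell users to restrict it to the deploying identity and enable object versioning.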
--- a/install/infra/single-cluster/gcp/terraform.tfvars +++ b/install/infra/single-cluster/gcp/terraform.tfvars @@ -7,7 +7,6 @@ domain_name = "your_domain_name.com" region = "europe-west1" zone = "europe-west1-d" project = "my-gcp-project" -credentials = "/path/to/account/key.json" cluster_version = "1.22" diff --git a/install/infra/single-cluster/gcp/tools.tf b/install/infra/single-cluster/gcp/tools.tf index bcfa6b1cd8ccb2..1767352a2b8451 100644 --- a/install/infra/single-cluster/gcp/tools.tf +++ b/install/infra/single-cluster/gcp/tools.tf @@ -2,21 +2,19 @@ module "certmanager" { source = "../../modules/tools/cert-manager" kubeconfig = var.kubeconfig - credentials = var.credentials } module "externaldns" { source = "../../modules/tools/cloud-dns-external-dns" kubeconfig = var.kubeconfig - credentials = var.credentials + credentials = module.gke.dns_credentials project = var.project - region = var.region - zone = var.zone } module "cluster-issuer" { source = "../../modules/tools/issuer" kubeconfig = var.kubeconfig + gcp_credentials = module.gke.dns_credentials issuer_name = "cloudDNS" cert_manager_issuer = { project = var.project diff --git a/install/infra/single-cluster/gcp/variables.tf b/install/infra/single-cluster/gcp/variables.tf index fa0e0b981fb817..45e4a67c41c60b 100644 --- a/install/infra/single-cluster/gcp/variables.tf +++ b/install/infra/single-cluster/gcp/variables.tf @@ -1,7 +1,3 @@ -variable "credentials" { - description = "Path to JSON file authenticating to GCP service account" -} - variable "project" { description = "GCP project to create the resources in" } diff --git a/install/tests/main.tf b/install/tests/main.tf index 344327c4aae16a..9f8f7257c0efec 100644 --- a/install/tests/main.tf +++ b/install/tests/main.tf 
@@ -13,6 +13,11 @@ variable "project" { default = "sh-automated-tests" } variable "sa_creds" { default = null } variable "dns_sa_creds" { default = null } +data local_file "dns_credentials" { + filename = var.dns_sa_creds +} + + variable "eks_node_image_id" { default = null } @@ -34,7 +39,6 @@ module "gke" { cluster_name = "gp-${var.TEST_ID}" project = var.project - credentials = var.sa_creds kubeconfig = var.kubeconfig region = "europe-west1" zone = "europe-west1-d" @@ -60,6 +64,7 @@ module "k3s" { module "gcp-issuer" { source = "../infra/modules/tools/issuer" kubeconfig = var.kubeconfig + gcp_credentials = data.local_file.dns_credentials.content issuer_name = "cloudDNS" cert_manager_issuer = { project = "dns-for-playgrounds" @@ -107,14 +112,14 @@ module "certmanager" { source = "../infra/modules/tools/cert-manager" kubeconfig = var.kubeconfig - credentials = var.dns_sa_creds } module "clouddns-externaldns" { # source = "github.com/gitpod-io/gitpod//install/infra/terraform/tools/external-dns?ref=main" source = "../infra/modules/tools/cloud-dns-external-dns" kubeconfig = var.kubeconfig - credentials = var.dns_sa_creds + credentials = data.local_file.dns_credentials.content + project = "dns-for-playgrounds" } module "azure-externaldns" {
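Review bot: `data local_file "dns_credentials"` is evaluated unconditionally with `filename = var.dns_sa_creds`, whose default is `null`, so any test run that does not set `dns_sa_creds` now fails at plan time on the missing required argument, whereas the cert-manager code this replaces gated the same read with `count`. Restore the gate and let the two consumers tolerate its absence: `count = var.dns_sa_creds == null ? 0 : 1` on the data source, then `gcp_credentials = var.dns_sa_creds == null ? null : data.local_file.dns_credentials[0].content` in `module "gcp-issuer"` and the same expression for `credentials` in `module "clouddns-externaldns"`. Quoting the type (`data "local_file" "dns_credentials"`) is the form Terraform documents; `module "gcp-issuer"` continues past the hunk, and `variable "sa_creds"` is left declared but no longer referenced in the visible hunks.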