Merge branch 'main' into chore/check-template-exists

Author: sitole

Makefile

@@ -69,6 +69,7 @@ build-and-upload:build-and-upload/orchestrator
 build-and-upload:build-and-upload/template-manager
 build-and-upload:build-and-upload/envd
 build-and-upload:build-and-upload/clickhouse-migrator
+build-and-upload:build-and-upload/nomad-nodepool-apm
 build-and-upload/clean-nfs-cache:
 	./scripts/confirm.sh $(TERRAFORM_ENVIRONMENT)
 	GCP_PROJECT_ID=$(GCP_PROJECT_ID) $(MAKE) -C packages/orchestrator build-and-upload/clean-nfs-cache
@@ -183,6 +184,13 @@ local-infra:
 	docker compose --file ./packages/local-dev/docker-compose.yaml up --abort-on-container-failure
 
 
+# Migration: Detach old template-manager-system job from Terraform state
+# TODO: Remove after template-manager migration is complete
+.PHONY: migrate-template-manager-detach
+migrate-template-manager-detach:
+	./scripts/confirm.sh $(TERRAFORM_ENVIRONMENT)
+	$(MAKE) -C iac/provider-gcp migrate-template-manager-detach
+
 # TODO 2025-12-29: [ENG-3410] - Remove after migration period (14 days)
 define env_var_or_default
 $(if $(value $(strip $(1))),$($(strip $(1))),$(2))

go.work

@@ -8,6 +8,7 @@ use (
 	./packages/docker-reverse-proxy
 	./packages/envd
 	./packages/local-dev
+	./packages/nomad-nodepool-apm
 	./packages/orchestrator
 	./packages/shared
 

iac/provider-gcp/Makefile

@@ -162,6 +162,14 @@ provider-login:
 	gcloud --quiet auth configure-docker "$(GCP_REGION)-docker.pkg.dev"
 	gcloud --quiet auth application-default login
 
+# Migration: Detach old template-manager-system job from Terraform state
+# This keeps the Nomad job running but removes it from Terraform management
+# TODO: Remove after template-manager migration is complete
+.PHONY: migrate-template-manager-detach
+migrate-template-manager-detach:
+	@ printf "Detaching old template-manager-system from Terraform state for env: `tput setaf 2``tput bold`$(ENV)`tput sgr0`\n"
+	$(tf_vars) $(TF) state rm module.nomad.nomad_job.template_manager || true
+
 # TODO 2025-12-29: [ENG-3410] - Remove after migration period (14 days)
 .PHONY: migrate-clusters-terraform
 migrate-clusters-terraform:

iac/provider-gcp/nomad/jobs/nomad-autoscaler.hcl

@@ -0,0 +1,93 @@
+job "nomad-autoscaler" {
+  type     = "service"
+  node_pool = "${node_pool}"
+
+  group "autoscaler" {
+    count = 1
+
+    network {
+      port "http" {}
+    }
+
+    task "autoscaler" {
+      driver = "raw_exec"
+
+      config {
+        command = "/bin/bash"
+        args    = ["-c", "chmod +x local/plugins/nomad-nodepool-apm && ./local/nomad-autoscaler agent -config local/config.hcl -plugin-dir local/plugins"]
+      }
+
+      artifact {
+        source      = "https://releases.hashicorp.com/nomad-autoscaler/${autoscaler_version}/nomad-autoscaler_${autoscaler_version}_linux_amd64.zip"
+        destination = "local"
+      }
+
+      # Custom nodepool APM plugin
+      artifact {
+        source      = "gcs::https://www.googleapis.com/storage/v1/${bucket_name}/nomad-nodepool-apm"
+        destination = "local/plugins/nomad-nodepool-apm"
+        mode        = "file"
+        options {
+          checksum = "md5:${nomad_nodepool_apm_checksum}"
+        }
+      }
+
+      template {
+        data        = <<-EOF
+          # Nomad Autoscaler configuration
+          
+          nomad {
+            address = "http://{{ env "NOMAD_IP_http" }}:4646"
+            token   = "${nomad_token}"
+          }
+
+          # Enable the HTTP health API
+          http {
+            bind_address = "0.0.0.0"
+            bind_port    = {{ env "NOMAD_PORT_http" }}
+          }
+
+          # Policy configuration
+          # Policies are defined in Nomad job scaling blocks, not files
+          policy {
+            default_cooldown = "2m"
+          }
+
+          # Plugin directory for external plugins
+          plugin_dir = "local/plugins"
+
+          # APM plugins configuration - custom plugin for node pool count
+          apm "nomad-nodepool-apm" {
+            driver = "nomad-nodepool-apm"
+            config = {
+              nomad_address = "http://{{ env "NOMAD_IP_http" }}:4646"
+              nomad_token   = "${nomad_token}"
+            }
+          }
+
+          # Use built-in nomad-target for job scaling (no config needed, uses nomad block above)
+        EOF
+        destination = "local/config.hcl"
+      }
+
+      resources {
+        cpu    = 256
+        memory = 256
+      }
+
+      service {
+        name     = "nomad-autoscaler"
+        port     = "http"
+        provider = "nomad"
+
+        check {
+          type     = "http"
+          path     = "/v1/health"
+          interval = "10s"
+          timeout  = "2s"
+        }
+      }
+    }
+  }
+}
+

iac/provider-gcp/nomad/jobs/template-manager.hcl

@@ -1,16 +1,49 @@
-job "template-manager-system" {
-  type = "system"
+job "template-manager" {
+  type = "service"
   node_pool  = "${node_pool}"
-  priority = 70
+  priority = 75
+
+  group "template-manager" {
+    # Count is fetched from current Nomad state to preserve autoscaler-managed value
+    count = ${current_count}
+
+    # Ensure one allocation per node (like a system job)
+    constraint {
+      operator = "distinct_hosts"
+      value    = "true"
+    }
 
-# https://developer.hashicorp.com/nomad/docs/job-specification/update
 %{ if update_stanza }
-  update {
-    max_parallel      = 1    # Update only 1 node at a time
-  }
-%{ endif }
+    # Scaling policy to match node count in the pool
+    # Uses the nomad-nodepool APM plugin
+    scaling {
+      enabled = true
+      min     = 2
+      max     = 10000  # Effectively unlimited
 
-  group "template-manager" {
+      policy {
+        evaluation_interval = "10s"
+        cooldown            = "2m"
+
+        check "match_node_count" {
+          source = "nomad-nodepool-apm"
+          query  = "${node_pool}"
+
+          strategy "pass-through" {}
+        }
+      }
+    }
+
+    # Rolling update configuration for service jobs
+    # https://developer.hashicorp.com/nomad/docs/job-specification/update
+    update {
+      max_parallel      = 1
+      min_healthy_time  = "10s"
+      healthy_deadline  = "2m"
+      progress_deadline = "80m"  # Must be > healthy_deadline and > kill_timeout
+      auto_revert       = false
+    }
+%{ endif }
 
     // Try to restart the task indefinitely
     // Tries to restart every 5 seconds

iac/provider-gcp/nomad/main.tf

@@ -463,10 +463,25 @@ data "external" "template_manager" {
   }
 }
 
+# Get current template-manager count from Nomad to preserve autoscaler-managed value
+# This prevents Terraform from resetting count on job updates
+# Default depends on whether scaling is enabled (min=2) or not (min=1)
+data "external" "template_manager_count" {
+  program = ["bash", "${path.module}/scripts/get-nomad-job-count.sh"]
+
+  query = {
+    nomad_addr  = "https://nomad.${var.domain_name}"
+    nomad_token = var.nomad_acl_token_secret
+    job_name    = "template-manager"
+    min_count   = var.template_manages_clusters_size_gt_1 ? "2" : "1"
+  }
+}
+
 resource "nomad_job" "template_manager" {
   jobspec = templatefile("${path.module}/jobs/template-manager.hcl", {
     update_stanza = var.template_manages_clusters_size_gt_1
     node_pool     = var.builder_node_pool
+    current_count = tonumber(data.external.template_manager_count.result.count)
 
     gcp_project      = var.gcp_project_id
     gcp_region       = var.gcp_region
@@ -493,6 +508,37 @@ resource "nomad_job" "template_manager" {
     shared_chunk_cache_path         = var.shared_chunk_cache_path
   })
 }
+
+data "google_storage_bucket_object" "nomad_nodepool_apm" {
+  count = var.template_manages_clusters_size_gt_1 ? 1 : 0
+
+  name   = "nomad-nodepool-apm"
+  bucket = var.fc_env_pipeline_bucket_name
+}
+
+data "external" "nomad_nodepool_apm_checksum" {
+  count = var.template_manages_clusters_size_gt_1 ? 1 : 0
+
+  program = ["bash", "${path.module}/scripts/checksum.sh"]
+
+  query = {
+    base64 = data.google_storage_bucket_object.nomad_nodepool_apm[0].md5hash
+  }
+}
+
+# Nomad Autoscaler - required for template-manager dynamic scaling
+resource "nomad_job" "nomad_autoscaler" {
+  count = var.template_manages_clusters_size_gt_1 ? 1 : 0
+
+  jobspec = templatefile("${path.module}/jobs/nomad-autoscaler.hcl", {
+    node_pool                   = var.api_node_pool
+    autoscaler_version          = var.nomad_autoscaler_version
+    bucket_name                 = var.fc_env_pipeline_bucket_name
+    nomad_token                 = var.nomad_acl_token_secret
+    nomad_nodepool_apm_checksum = data.external.nomad_nodepool_apm_checksum[0].result.hex
+  })
+}
+
 resource "nomad_job" "loki" {
   jobspec = templatefile("${path.module}/jobs/loki.hcl", {
     gcp_zone = var.gcp_zone

iac/provider-gcp/nomad/scripts/get-nomad-job-count.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# Get current job count from Nomad API to preserve autoscaler-managed values.
+# This prevents Terraform from resetting count on job updates.
+#
+# IMPORTANT: This script fails on Nomad API errors (network, auth, TLS) to prevent
+# accidental scale-downs. Only a 404 (job not found) falls back to min_count.
+#
+# Based on: https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external#processing-json-in-shell-scripts
+
+set -euo pipefail
+
+# Extract arguments from the input into shell variables.
+eval "$(jq -r '@sh "ADDR=\(.nomad_addr) TOKEN=\(.nomad_token) JOB=\(.job_name) MIN=\(.min_count)"')"
+
+# Fetch job info and capture HTTP status code
+RESPONSE=$(curl -s -w "\n---HTTP_STATUS:%{http_code}" -H "X-Nomad-Token: $TOKEN" \
+  "$ADDR/v1/job/$JOB" 2>&1)
+CURL_EXIT=$?
+
+# Extract HTTP code and body
+HTTP_CODE=$(echo "$RESPONSE" | grep '^---HTTP_STATUS:' | sed 's/---HTTP_STATUS://')
+BODY=$(echo "$RESPONSE" | grep -v '^---HTTP_STATUS:')
+
+# Handle curl-level failures (network, TLS, DNS, etc.)
+if [ $CURL_EXIT -ne 0 ]; then
+  echo "ERROR: Failed to connect to Nomad API at $ADDR (curl exit code: $CURL_EXIT)" >&2
+  echo "This may indicate a network issue, TLS error, or DNS failure." >&2
+  echo "Refusing to proceed to prevent accidental scale-down." >&2
+  exit 1
+fi
+
+# Handle HTTP error responses
+if [ -z "$HTTP_CODE" ]; then
+  echo "ERROR: Could not determine HTTP status code from Nomad API response" >&2
+  exit 1
+fi
+
+if [ "$HTTP_CODE" = "404" ]; then
+  # Job doesn't exist yet - use minimum count
+  COUNT="$MIN"
+elif [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then
+  # Success - parse the count from response
+  COUNT=$(echo "$BODY" | jq -r '.TaskGroups[0].Count // empty' 2>/dev/null)
+  if ! [[ "$COUNT" =~ ^[0-9]+$ ]]; then
+    echo "ERROR: Failed to parse job count from Nomad API response" >&2
+    echo "Response body: $BODY" >&2
+    exit 1
+  fi
+else
+  # Any other HTTP error (403, 500, 502, etc.) - fail to prevent bad state
+  echo "ERROR: Nomad API returned HTTP $HTTP_CODE for job/$JOB" >&2
+  echo "Response: $BODY" >&2
+  echo "Refusing to proceed to prevent accidental scale-down." >&2
+  exit 1
+fi
+
+# Ensure COUNT is at least MIN
+if [ "$COUNT" -lt "$MIN" ]; then
+  COUNT="$MIN"
+fi
+
+# Safely produce a JSON object containing the result value.
+jq -n --arg count "$COUNT" '{"count":$count}'
+

iac/provider-gcp/nomad/variables.tf

@@ -290,6 +290,12 @@ variable "template_manages_clusters_size_gt_1" {
   type = bool
 }
 
+variable "nomad_autoscaler_version" {
+  type        = string
+  description = "Version of the Nomad Autoscaler to deploy"
+  default     = "0.4.5"
+}
+
 # Redis
 variable "redis_port" {
   type = object({

packages/api/go.mod

@@ -45,7 +45,7 @@ require (
 	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
-	github.com/hashicorp/nomad/api v0.0.0-20231208134655-099ee06a607c
+	github.com/hashicorp/nomad/api v0.0.0-20240813123601-b34a6fe10b82
 	github.com/jackc/pgx/v5 v5.7.4
 	github.com/jellydator/ttlcache/v3 v3.4.0
 	github.com/launchdarkly/go-sdk-common/v3 v3.3.0
@@ -164,6 +164,7 @@ require (
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/mfridman/interpolate v0.0.2 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.2-0.20210821155943-2d9075ca8770 // indirect
 	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/go-archive v0.1.0 // indirect
@@ -195,6 +196,7 @@ require (
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/sethvargo/go-retry v0.3.0 // indirect
 	github.com/shirou/gopsutil/v4 v4.25.6 // indirect
+	github.com/shoenig/test v1.8.2 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/speakeasy-api/openapi-overlay v0.9.0 // indirect