new dns terraform

Author: iQQBot

.werft/build.ts

@@ -4,7 +4,7 @@ import * as path from 'path';
 import { exec, ExecOptions } from './util/shell';
 import { Werft } from './util/werft';
 import { waitForDeploymentToSucceed, wipeAndRecreateNamespace, setKubectlContextNamespace, deleteNonNamespaceObjects, findFreeHostPorts, createNamespace, helmInstallName } from './util/kubectl';
-import { newIssueCertficate, installCertficate, IssueCertificateParams, InstallCertificateParams } from './util/certs';
+import { issueCertficate, installCertficate, IssueCertificateParams, InstallCertificateParams } from './util/certs';
 import { reportBuildFailureInSlack } from './util/slack';
 import * as semver from 'semver';
 import * as util from 'util';
@@ -77,6 +77,7 @@ const installerSlices = {
     INSTALLER_POST_PROCESSING: "installer post processing",
     APPLY_INSTALL_MANIFESTS: "installer apply",
     DEPLOYMENT_WAITING: "monitor server deployment",
+    DNS_ADD_RECORD: "add dns record"
 }
 
 const vmSlices = {
@@ -303,6 +304,8 @@ export async function build(context, version) {
         withVM,
     };
 
+    exec(`kubectl --namespace keys get secret host-key -o yaml > /workspace/host-key.yaml`)
+
     if (withVM) {
         werft.phase(phases.VM, "Start VM");
 
@@ -431,6 +434,7 @@ export async function deployToDevWithInstaller(deploymentConfig: DeploymentConfi
         // in a VM, the secrets have alreay been copied
         // If using core-dev, we want to execute further kubectl operations only in the created namespace
         setKubectlContextNamespace(namespace, metaEnv({ slice: installerSlices.SET_CONTEXT }));
+        werft.done(installerSlices.SET_CONTEXT)
         try {
             werft.log(installerSlices.ISSUE_CERTIFICATES, "organizing a certificate for the preview environment...");
 
@@ -535,7 +539,7 @@ export async function deployToDevWithInstaller(deploymentConfig: DeploymentConfi
 
         werft.log("SSH gateway hostkey", "copy host-key from secret")
         try {
-            exec(`kubectl --namespace keys get secret host-key -o yaml \
+            exec(`cat /workspace/host-key.yaml \
             | yq w - metadata.namespace ${namespace} \
             | yq d - metadata.uid \
             | yq d - metadata.resourceVersion \
@@ -610,6 +614,8 @@ export async function deployToDevWithInstaller(deploymentConfig: DeploymentConfi
         werft.fail(installerSlices.DEPLOYMENT_WAITING, err);
     }
 
+    await addDNSRecord(deploymentConfig.namespace, deploymentConfig.domain, !withVM)
+
     // TODO: Fix sweeper, it does not appear to be doing clean-up
     werft.log('sweeper', 'installing Sweeper');
     const sweeperVersion = deploymentConfig.sweeperImage.split(":")[1];
@@ -695,7 +701,7 @@ export async function deployToDevWithHelm(deploymentConfig: DeploymentConfig, wo
         await issueMetaCerts(namespace, domain);
         await installMetaCertificates(namespace);
         werft.done('certificate');
-
+        await addDNSRecord(deploymentConfig.namespace, deploymentConfig.domain, false)
         werft.done('prep');
     } catch (err) {
         werft.fail('prep', err);
@@ -893,10 +899,50 @@ export async function deployToDevWithHelm(deploymentConfig: DeploymentConfig, wo
     }
 }
 
+async function addDNSRecord(namespace: string, domain: string, isLoadbalancer: boolean) {
+    let wsProxyLBIP = null
+    if (isLoadbalancer === true) {
+        werft.log(installerSlices.DNS_ADD_RECORD, "Getting ws-proxy loadbalancer IP");
+        for (let i = 0; i < 60; i++) {
+            try {
+                let lb = exec(`kubectl -n ${namespace} get service ws-proxy -o=jsonpath='{.status.loadBalancer.ingress[0].ip}'`, { silent: true })
+                if (lb.length > 4) {
+                    wsProxyLBIP = lb
+                    break
+                }
+                await sleep(1000)
+            } catch (err) {
+                await sleep(1000)
+            }
+        }
+        if (wsProxyLBIP == null) {
+            werft.fail(installerSlices.DNS_ADD_RECORD, new Error("Can't get ws-proxy loadbalancer IP"));
+        }
+        werft.log(installerSlices.DNS_ADD_RECORD, "Get ws-proxy loadbalancer IP: " + wsProxyLBIP);
+    } else {
+        wsProxyLBIP = getCoreDevIngressIP()
+    }
+
+    var cmd = `set -x \
+    && cd /workspace/.werft/dns \
+    && rm -rf .terraform* \
+    && export GOOGLE_APPLICATION_CREDENTIALS="${GCLOUD_SERVICE_ACCOUNT_PATH}" \
+    && terraform init -backend-config='prefix=${namespace}' -migrate-state -upgrade \
+    && terraform apply -auto-approve \
+        -var 'dns_zone_domain=gitpod-dev.com' \
+        -var 'domain=${domain}' \
+        -var 'ingress_ip=${getCoreDevIngressIP()}' \
+        -var 'ws_proxy_ip=${wsProxyLBIP}'`;
+
+    werft.log(installerSlices.DNS_ADD_RECORD, "Terraform command for create dns record: " + cmd)
+    exec(cmd, { ...metaEnv(), slice: installerSlices.DNS_ADD_RECORD });
+    werft.done(installerSlices.DNS_ADD_RECORD);
+}
+
 export async function issueMetaCerts(namespace: string, domain: string) {
     let additionalSubdomains: string[] = ["", "*.", "*.ws-dev."]
     var metaClusterCertParams = new IssueCertificateParams();
-    metaClusterCertParams.pathToTerraform = "/workspace/.werft/certs";
+    metaClusterCertParams.pathToTemplate = "/workspace/.werft/util/templates";
     metaClusterCertParams.gcpSaPath = GCLOUD_SERVICE_ACCOUNT_PATH;
     metaClusterCertParams.namespace = namespace;
     metaClusterCertParams.certNamespace = "certs";
@@ -905,7 +951,7 @@ export async function issueMetaCerts(namespace: string, domain: string) {
     metaClusterCertParams.ip = getCoreDevIngressIP();
     metaClusterCertParams.bucketPrefixTail = ""
     metaClusterCertParams.additionalSubdomains = additionalSubdomains
-    await newIssueCertficate(werft, metaClusterCertParams, metaEnv());
+    await issueCertficate(werft, metaClusterCertParams, metaEnv());
 }
 
 async function installMetaCertificates(namespace: string) {

.werft/certs/cert/main.tf

@@ -0,0 +1,56 @@
+# https://www.terraform.io/docs/providers/google/guides/provider_reference.html
+provider "google" {
+  project = "gitpod-dev"
+  region  = "europe-west-3"
+  # Relies on GOOGLE_APPLICATION_CREDENTIALS pointing to the service account file
+}
+
+# Added for compatibility with old branches, can be deleted if compatibility is not needed
+provider "kubectl" {
+  load_config_file       = true
+}
+
+locals {
+  # As we did create the zone and IP manually beforehand: have the zone name statically determined
+  dns_zone_name  = replace(trimsuffix(var.dns_zone_domain, ".-"), ".", "-")
+  project        = "gitpod-dev"
+  region         = "europe-west-3"
+}
+
+#
+# DNS records
+#
+
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set
+resource "google_dns_record_set" "gitpod" {
+  count        = length(var.ingress_subdomains)
+  name         = "${var.ingress_subdomains[count.index]}${var.domain}."
+  type         = "A"
+  ttl          = 300
+  managed_zone = local.dns_zone_name
+  rrdatas      = [var.ingress_ip]
+  project      = local.project
+}
+resource "google_dns_record_set" "gitpod_ws" {
+  name         = "${var.ws_proxy_subdomain}${var.domain}."
+  type         = "A"
+  ttl          = 300
+  managed_zone = local.dns_zone_name
+  rrdatas      = [var.ws_proxy_ip]
+  project      = local.project
+}
+
+#
+# End
+#
+resource "null_resource" "done" {
+  depends_on = [
+    google_dns_record_set.gitpod,
+    google_dns_record_set.gitpod_ws,
+  ]
+}
+
+
+output "done" {
+  value = null_resource.done.id
+}

.werft/certs/cert/outputs.tf

@@ -1,7 +1,3 @@
-variable "namespace" {
-    type = string
-}
-
 # e.g.: gitpod-dev.com
 variable "dns_zone_domain" {
     type = string
@@ -12,16 +8,21 @@ variable "domain" {
     type = string
 }
 
-# e.g.: ["", "*.", "*.ws."]
-variable "subdomains" {
+# e.g.: ["", "*.", "*.ws-dev."]
+variable "ingress_subdomains" {
     type = list(string)
+    default = ["", "*."]
+}
+
+variable "ws_proxy_subdomain" {
+    type = string
+    default = "*.ws-dev."
 }
 
-variable "public_ip" {
+variable "ingress_ip" {
     type = string
 }
 
-variable "cert_namespace" {
+variable "ws_proxy_ip" {
     type = string
-    default = "certs"
 }

.werft/certs/cert/variables.tf

@@ -7,6 +7,8 @@ terraform {
       source = "hashicorp/google"
       version = "3.63.0"
     }
+
+    # Added for compatibility with old branches, can be deleted if compatibility is not needed
     kubectl = {
       source  = "gavinbunney/kubectl"
       version = "1.10.1"

.werft/certs/cert/versions.tf

@@ -216,7 +216,17 @@ while [ "$i" -le "$DOCS" ]; do
     if [[ "ws-proxy" == "$NAME" ]] && [[ "$KIND" == "Service" ]]; then
       WORK="overrides for $NAME $KIND"
       echo "$WORK"
-      yq w -i k8s.yaml -d "$i" "metadata.annotations[cloud.google.com/neg]" '{"exposed_ports": {"22":{}}}'
+      # Provide harvester compatibility by adding ports instead of modifying the original ports
+      yq w -i k8s.yaml -d "$i" "spec.ports[+].name" http-lb
+      yq w -i k8s.yaml -d "$i" "spec.ports.(name==http-lb).port" 80
+      yq w -i k8s.yaml -d "$i" "spec.ports.(name==http-lb).protocol" TCP
+      yq w -i k8s.yaml -d "$i" "spec.ports.(name==http-lb).targetPort" 8080
+
+      yq w -i k8s.yaml -d "$i" "spec.ports[+].name" https-lb
+      yq w -i k8s.yaml -d "$i" "spec.ports.(name==https-lb).port" 443
+      yq w -i k8s.yaml -d "$i" "spec.ports.(name==https-lb).protocol" TCP
+      yq w -i k8s.yaml -d "$i" "spec.ports.(name==https-lb).targetPort" 9090
+      yq w -i k8s.yaml -d "$i" "metadata.annotations[cloud.google.com/neg]" '{"exposed_ports": {"22":{},"80":{},"443":{}}}'
       yq w -i k8s.yaml -d "$i" spec.type LoadBalancer
    fi