new dns terraform

Author: iQQBot

.werft/build.ts

@@ -73,7 +73,8 @@ const installerSlices = {
     INSTALLER_RENDER: "installer render",
     INSTALLER_POST_PROCESSING: "installer post processing",
     APPLY_INSTALL_MANIFESTS: "installer apply",
-    DEPLOYMENT_WAITING: "monitor server deployment"
+    DEPLOYMENT_WAITING: "monitor server deployment",
+    DNS_ADD_RECORD: "add dns record"
 }
 
 const vmSlices = {
@@ -396,6 +397,7 @@ export async function deployToDevWithInstaller(deploymentConfig: DeploymentConfi
 
     // Now we want to execute further kubectl operations only in the created namespace
     setKubectlContextNamespace(namespace, metaEnv({ slice: installerSlices.SET_CONTEXT }));
+    werft.done(installerSlices.SET_CONTEXT)
 
     // trigger certificate issuing
     try {
@@ -578,6 +580,39 @@ export async function deployToDevWithInstaller(deploymentConfig: DeploymentConfi
     } catch (err) {
         werft.fail(installerSlices.DEPLOYMENT_WAITING, err);
     }
+    let wsProxyLBIP = null
+    werft.log(installerSlices.DNS_ADD_RECORD, "Getting ws-proxy loadbalancer IP");
+    for (let i = 0; i < 60; i++) {
+        try {
+            let lb = exec(`kubectl -n ${deploymentConfig.namespace} get service ws-proxy -o=jsonpath='{.status.loadBalancer.ingress[0].ip}'`, { silent: true })
+            if (lb.length > 4) {
+                wsProxyLBIP = lb
+                break
+            }
+            await sleep(1000)
+        } catch (err) {
+            await sleep(1000)
+        }
+    }
+    if (wsProxyLBIP == null) {
+        werft.fail(installerSlices.DNS_ADD_RECORD, new Error("Can't get ws-proxy loadbalancer IP"));
+    }
+    werft.log(installerSlices.DNS_ADD_RECORD, "Get ws-proxy loadbalancer IP: " + wsProxyLBIP);
+
+    var cmd = `set -x \
+    && cd /workspace/.werft/dns \
+    && rm -rf .terraform* \
+    && export GOOGLE_APPLICATION_CREDENTIALS="${GCLOUD_SERVICE_ACCOUNT_PATH}" \
+    && terraform init -backend-config='prefix=${deploymentConfig.namespace}' -migrate-state -upgrade \
+    && terraform apply -auto-approve \
+        -var 'dns_zone_domain=gitpod-dev.com' \
+        -var 'domain=${deploymentConfig.domain}' \
+        -var 'ingress_ip=${getCoreDevIngressIP()}' \
+        -var 'ws_proxy_ip=${wsProxyLBIP}'`;
+
+    werft.log(installerSlices.DNS_ADD_RECORD, "Terraform command for create dns record: " + cmd)
+    exec(cmd, { ...metaEnv(), slice: installerSlices.DNS_ADD_RECORD });
+    werft.done(installerSlices.DNS_ADD_RECORD);
 
     // TODO: Fix sweeper, it does not appear to be doing clean-up
     werft.log('sweeper', 'installing Sweeper');

.werft/dns/main.tf

@@ -0,0 +1,56 @@
+# https://www.terraform.io/docs/providers/google/guides/provider_reference.html
+provider "google" {
+  project = "gitpod-dev"
+  region  = "europe-west-3"
+  # Relies on GOOGLE_APPLICATION_CREDENTIALS pointing to the service account file
+}
+
+# Added for compatibility with old branches, can be deleted if compatibility is not needed
+provider "kubectl" {
+  load_config_file       = true
+}
+
+locals {
+  # As we did create the zone and IP manually beforehand: have the zone name statically determined
+  dns_zone_name  = replace(trimsuffix(var.dns_zone_domain, ".-"), ".", "-")
+  project        = "gitpod-dev"
+  region         = "europe-west-3"
+}
+
+#
+# DNS records
+#
+
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set
+resource "google_dns_record_set" "gitpod" {
+  count        = length(var.ingress_subdomains)
+  name         = "${var.ingress_subdomains[count.index]}${var.domain}."
+  type         = "A"
+  ttl          = 300
+  managed_zone = local.dns_zone_name
+  rrdatas      = [var.ingress_ip]
+  project      = local.project
+}
+resource "google_dns_record_set" "gitpod_ws" {
+  name         = "${var.ws_proxy_subdomain}${var.domain}."
+  type         = "A"
+  ttl          = 300
+  managed_zone = local.dns_zone_name
+  rrdatas      = [var.ws_proxy_ip]
+  project      = local.project
+}
+
+#
+# End
+#
+resource "null_resource" "done" {
+  depends_on = [
+    google_dns_record_set.gitpod,
+    google_dns_record_set.gitpod_ws,
+  ]
+}
+
+
+output "done" {
+  value = null_resource.done.id
+}

.werft/dns/variables.tf

@@ -0,0 +1,28 @@
+# e.g.: gitpod-dev.com
+variable "dns_zone_domain" {
+    type = string
+}
+
+# e.g.: my-branch.staging.gitpod-dev.com
+variable "domain" {
+    type = string
+}
+
+# e.g.: ["", "*.", "*.ws-dev."]
+variable "ingress_subdomains" {
+    type = list(string)
+    default = ["", "*."]
+}
+
+variable "ws_proxy_subdomain" {
+    type = string
+    default = "*.ws-dev."
+}
+
+variable "ingress_ip" {
+    type = string
+}
+
+variable "ws_proxy_ip" {
+    type = string
+}

.werft/dns/versions.tf

@@ -0,0 +1,18 @@
+terraform {
+  backend "gcs" {
+    bucket  = "gitpod-core-dev-terraform"
+  }
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+      version = "3.63.0"
+    }
+
+    # Added for compatibility with old branches, can be deleted if compatibility is not needed
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = "1.10.1"
+    }
+  }
+  required_version = ">= 0.13"
+}

.werft/post-process.sh

@@ -206,6 +206,8 @@ while [ "$i" -le "$DOCS" ]; do
       WS_HOST_SUFFIX_EXPR="s/\"workspaceHostSuffix\": \".$CURRENT_WS_HOST_NAME\"/\"workspaceHostSuffix\": \".$NEW_WS_HOST_NAME\"/"
       sed -i "$WS_HOST_SUFFIX_EXPR" /tmp/"$NAME"overrides.yaml
 
+      sed -i "s/x-wsproxy-host/Host/" /tmp/"$NAME"overrides.yaml
+
       CURRENT_WS_SUFFIX_REGEX=$DEV_BRANCH.$STAGING_HOST_NAME
       # In this, we only do a find replace on a given line if we find workspaceHostSuffixRegex on the line
       sed -i -e "/workspaceHostSuffixRegex/s/$CURRENT_WS_SUFFIX_REGEX/$DEV_BRANCH\\\\\\\\.staging\\\\\\\\.gitpod-dev\\\\\\\\.com/g" /tmp/"$NAME"overrides.yaml
@@ -216,7 +218,10 @@ while [ "$i" -le "$DOCS" ]; do
     if [[ "ws-proxy" == "$NAME" ]] && [[ "$KIND" == "Service" ]]; then
       WORK="overrides for $NAME $KIND"
       echo "$WORK"
-      yq w -i k8s.yaml -d "$i" "metadata.annotations[cloud.google.com/neg]" '{"exposed_ports": {"22":{}}}'
+      # notice that current we use array index
+      yq w -i k8s.yaml -d "$i" "spec.ports.(name==http-proxy).port" 80
+      yq w -i k8s.yaml -d "$i" "spec.ports.(name==https-proxy).port" 443
+      yq w -i k8s.yaml -d "$i" "metadata.annotations[cloud.google.com/neg]" '{"exposed_ports": {"22":{},"80":{},"443":{}}}'
       yq w -i k8s.yaml -d "$i" spec.type LoadBalancer
    fi
 

.werft/util/certs.ts

@@ -134,6 +134,7 @@ export async function installCertficate(werft, params: InstallCertificateParams,
     }
     if (!notReadyYet) {
         werft.log('certificate', `copied certificate from "${params.certNamespace}/${params.certName}" to "${params.destinationNamespace}/${params.certSecretName}"`);
+        werft.done('certificate')
     } else {
         werft.fail('certificate', `failed to copy certificate from "${params.certNamespace}/${params.certName}" to "${params.destinationNamespace}/${params.certSecretName}"`)
     }

installer/pkg/config/v1/validation.go

@@ -169,7 +169,7 @@ func (v version) ClusterValidation(rcfg interface{}) cluster.ValidationChecks {
 			}
 			if len(signers) == 0 {
 				errors = append(errors, cluster.ValidationError{
-					Message: fmt.Sprintf("Secret '%s' not contain any valild host key", secretName),
+					Message: fmt.Sprintf("Secret '%s' does not contain a valid host key", secretName),
 					Type:    cluster.ValidationStatusError,
 				})
 			}