Add state backend in OCI bucket

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>
kcp-dev · May 7, 2024 · 12dd4f8 · 12dd4f8
1 parent d90df40
commit 12dd4f8
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 10 deletions.
diff --git a/iac/oci-prow-worker/.gitignore b/iac/oci-prow-worker/.gitignore
@@ -1,2 +1,6 @@
+# Terraform folder
 .terraform
+# Make sure to not allow checking in tfvars by mistake
 *.tfvars
+# Environment variables are often stored in this file
+.env
diff --git a/iac/oci-prow-worker/Makefile b/iac/oci-prow-worker/Makefile
@@ -1,4 +1,13 @@
 OPENTOFU_CLI ?= tofu
 
+init:
+	$(OPENTOFU_CLI) init
+
 fmt:
 	$(OPENTOFU_CLI) fmt
+
+plan:
+	$(OPENTOFU_CLI) plan
+
+apply:
+	$(OPENTOFU_CLI) apply
diff --git a/iac/oci-prow-worker/README.md b/iac/oci-prow-worker/README.md
@@ -1,3 +1,11 @@
 # oci-prow-cluster
 
-This directory deploys the `oci-prow-cluster` OKE cluster in OCI (Oracle Cloud) via [OpenTofu](https://opentofu.org)
+This directory deploys the `oci-prow-cluster` OKE cluster in OCI (Oracle Cloud) via [OpenTofu](https://opentofu.org). A shared state is stored in a OCI storage bucket, please make sure to use that. Usually, this code shouldn't be executed directly but run by Prow.
+
+## Required Environment Variables
+
+The following environment variables are required before running any `make` targets:
+
+- `AWS_ACCESS_KEY_ID`: Needs to be the key ID for a [Customer Secret Key](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#Working2) to access OCI's S3-compatible storage buckets.
+- `AWS_SECRET_ACCESS_KEY`: Needs to be the secret for a [Customer Secret Key](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#Working2) to access OCI's S3-compatible storage buckets.
+- `AWS_ENDPOINT_URL_S3`: Needs to be `https://<object namespace>.compat.objectstorage.us-sanjose-1.oraclecloud.com`. Replace `<object namespace>` with the namespace displayed on the bucket (see OCI Console for this information).
diff --git a/iac/oci-prow-worker/cluster.tf b/iac/oci-prow-worker/cluster.tf
@@ -1,6 +1,6 @@
 resource "oci_containerengine_cluster" "prow" {
   name               = "oci-prow-worker"
-  kubernetes_version = "v1.29.1"
+  kubernetes_version = var.kubernetes_version
 
   compartment_id = var.oci_compartment_ocid
   vcn_id         = oci_core_vcn.prow.id
@@ -11,22 +11,30 @@ resource "oci_containerengine_cluster" "prow" {
 }
 
 resource "oci_containerengine_node_pool" "prow_worker" {
-  cluster_id         = oci_containerengine_cluster.prow.id
-  compartment_id     = var.oci_compartment_ocid
-  kubernetes_version = "v1.29.1"
+  cluster_id     = oci_containerengine_cluster.prow.id
+  compartment_id = var.oci_compartment_ocid
+  subnet_ids     = oci_core_subnet.prow_worker_cluster[*].id
+
+  kubernetes_version = var.kubernetes_version
   name               = "prow-worker"
-  node_shape         = "VM.Standard2.1"
-  subnet_ids         = oci_core_subnet.prow_worker_cluster[*].id
+  ssh_public_key     = var.node_pool_ssh_public_key
 
-  ssh_public_key      = var.node_pool_ssh_public_key
+  # this matches t3.2xlarge sizings.
+  node_shape = "VM.Standard.A1.Flex"
+  node_shape_config {
+    memory_in_gbs = 32
+    ocpus         = 8
+  }
 
   node_config_details {
-    size = 3
+    size = var.node_pool_worker_size
+    # create placement_configs for each availability domain.
+    # There happens to be only a single one in us-sanjose-1.
     dynamic "placement_configs" {
       for_each = oci_core_subnet.prow_worker_cluster
       content {
         availability_domain = data.oci_identity_availability_domains.availability_domains.availability_domains[index(oci_core_subnet.prow_worker_cluster, placement_configs.value)].id
-        subnet_id = placement_configs.value.id
+        subnet_id           = placement_configs.value.id
       }
     }
   }

diff --git a/iac/oci-prow-worker/terraform.tf b/iac/oci-prow-worker/terraform.tf
@@ -5,4 +5,17 @@ terraform {
       version = "5.36.0"
     }
   }
+
+  # make sure to set AWS_ENDPOINT_URL_S3 to 'https://<object namespace>.compat.objectstorage.us-sanjose-1.oraclecloud.com'.
+  backend "s3" {
+    bucket = "kcp-opentofu-state"
+    region = "us-sanjose-1"
+    key    = "ci-prow-worker/tf.tfstate"
+
+    skip_region_validation      = true
+    skip_credentials_validation = true
+    skip_requesting_account_id  = true
+    use_path_style              = true
+    skip_metadata_api_check     = true
+  }
 }
diff --git a/iac/oci-prow-worker/variables.tf b/iac/oci-prow-worker/variables.tf
@@ -24,3 +24,13 @@ variable "oci_region" {
 variable "node_pool_ssh_public_key" {
   type = string
 }
+
+variable "node_pool_worker_size" {
+  type    = number
+  default = 3
+}
+
+variable "kubernetes_version" {
+  type = string
+  default = "v1.29.1"
+}