From 12dd4f872500406b25490a619cbed16ca86c953d Mon Sep 17 00:00:00 2001 From: Marvin Beckers Date: Tue, 7 May 2024 15:57:39 +0200 Subject: [PATCH] Add state backend in OCI bucket Signed-off-by: Marvin Beckers --- iac/oci-prow-worker/.gitignore | 4 ++++ iac/oci-prow-worker/Makefile | 9 +++++++++ iac/oci-prow-worker/README.md | 10 +++++++++- iac/oci-prow-worker/cluster.tf | 26 +++++++++++++++++--------- iac/oci-prow-worker/terraform.tf | 13 +++++++++++++ iac/oci-prow-worker/variables.tf | 10 ++++++++++ 6 files changed, 62 insertions(+), 10 deletions(-) diff --git a/iac/oci-prow-worker/.gitignore b/iac/oci-prow-worker/.gitignore index 1ed4733..cc49b2f 100644 --- a/iac/oci-prow-worker/.gitignore +++ b/iac/oci-prow-worker/.gitignore @@ -1,2 +1,6 @@ +# Terraform folder .terraform +# Make sure to not allow checking in tfvars by mistake *.tfvars +# Environment variables are often stored in this file +.env diff --git a/iac/oci-prow-worker/Makefile b/iac/oci-prow-worker/Makefile index e5b865b..5b19532 100644 --- a/iac/oci-prow-worker/Makefile +++ b/iac/oci-prow-worker/Makefile @@ -1,4 +1,13 @@ OPENTOFU_CLI ?= tofu +init: + $(OPENTOFU_CLI) init + fmt: $(OPENTOFU_CLI) fmt + +plan: + $(OPENTOFU_CLI) plan + +apply: + $(OPENTOFU_CLI) apply diff --git a/iac/oci-prow-worker/README.md b/iac/oci-prow-worker/README.md index 419f631..fd6c2e9 100644 --- a/iac/oci-prow-worker/README.md +++ b/iac/oci-prow-worker/README.md 
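Review bot: `*.tfstate` and `*.tfstate.backup` are still not ignored, even though state — which carries whatever sensitive attributes the OKE resources expose — is exactly what this commit moves to a remote bucket; an `init -migrate-state` or a local `init` run before the backend is configured can leave a state file in the working tree where it is one `git add` away from being committed. Suggest adding `*.tfstate` and `*.tfstate.*` next to the `*.tfvars` rule. Note also that `*.tfvars` does not match `*.tfvars.json`, which is an equally valid place for secrets; consider `*.tfvars.json` as well.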
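Review bot: The new `init`, `plan` and `apply` targets (and the existing `fmt`) are not declared `.PHONY`, so a file named `plan` or `apply` in `iac/oci-prow-worker/` would make `make apply` silently do nothing; add `.PHONY: init fmt plan apply` above the targets. Since the README says this directory is normally run by Prow, `plan` and `apply` should also not block on prompts: `$(OPENTOFU_CLI) apply -input=false` fails fast on a missing variable instead of hanging a CI job. Whether `-auto-approve` or a `plan -out` / `apply <planfile>` pair belongs here depends on how Prow invokes the targets, which is not visible in this patch.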
@@ -1,3 +1,11 @@ # oci-prow-cluster -This directory deploys the `oci-prow-cluster` OKE cluster in OCI (Oracle Cloud) via [OpenTofu](https://opentofu.org) +This directory deploys the `oci-prow-cluster` OKE cluster in OCI (Oracle Cloud) via [OpenTofu](https://opentofu.org). A shared state is stored in a OCI storage bucket, please make sure to use that. Usually, this code shouldn't be executed directly but run by Prow. + +## Required Environment Variables + +The following environment variables are required before running any `make` targets: + +- `AWS_ACCESS_KEY_ID`: Needs to be the key ID for a [Customer Secret Key](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#Working2) to access OCI's S3-compatible storage buckets. +- `AWS_SECRET_ACCESS_KEY`: Needs to be the secret for a [Customer Secret Key](https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm#Working2) to access OCI's S3-compatible storage buckets. +- `AWS_ENDPOINT_URL_S3`: Needs to be `https://.compat.objectstorage.us-sanjose-1.oraclecloud.com`. Replace `` with the namespace displayed on the bucket (see OCI Console for this information). diff --git a/iac/oci-prow-worker/cluster.tf b/iac/oci-prow-worker/cluster.tf index 13160e5..f0abc97 100644 --- a/iac/oci-prow-worker/cluster.tf +++ b/iac/oci-prow-worker/cluster.tf @@ -1,6 +1,6 @@ resource "oci_containerengine_cluster" "prow" { name = "oci-prow-worker" - kubernetes_version = "v1.29.1" + kubernetes_version = var.kubernetes_version compartment_id = var.oci_compartment_ocid vcn_id = oci_core_vcn.prow.id 
@@ -11,22 +11,30 @@ resource "oci_containerengine_cluster" "prow" { } resource "oci_containerengine_node_pool" "prow_worker" { - cluster_id = oci_containerengine_cluster.prow.id - compartment_id = var.oci_compartment_ocid - kubernetes_version = "v1.29.1" + cluster_id = oci_containerengine_cluster.prow.id + compartment_id = var.oci_compartment_ocid + subnet_ids = oci_core_subnet.prow_worker_cluster[*].id + + kubernetes_version = var.kubernetes_version name = "prow-worker" - node_shape = "VM.Standard2.1" - subnet_ids = oci_core_subnet.prow_worker_cluster[*].id + ssh_public_key = var.node_pool_ssh_public_key - ssh_public_key = var.node_pool_ssh_public_key + # this matches t3.2xlarge sizings. + node_shape = "VM.Standard.A1.Flex" + node_shape_config { + memory_in_gbs = 32 + ocpus = 8 + } node_config_details { - size = 3 + size = var.node_pool_worker_size + # create placement_configs for each availability domain. + # There happens to be only a single one in us-sanjose-1. dynamic "placement_configs" { for_each = oci_core_subnet.prow_worker_cluster content { availability_domain = data.oci_identity_availability_domains.availability_domains.availability_domains[index(oci_core_subnet.prow_worker_cluster, placement_configs.value)].id - subnet_id = placement_configs.value.id + subnet_id = placement_configs.value.id } } } diff --git a/iac/oci-prow-worker/terraform.tf b/iac/oci-prow-worker/terraform.tf index 7de03d7..3f3bc24 100644 --- a/iac/oci-prow-worker/terraform.tf +++ b/iac/oci-prow-worker/terraform.tf @@ -5,4 +5,17 @@ terraform { version = "5.36.0" } } + + # make sure to set AWS_ENDPOINT_URL_S3 to 'https://.compat.objectstorage.us-sanjose-1.oraclecloud.com'. + backend "s3" { + bucket = "kcp-opentofu-state" + region = "us-sanjose-1" + key = "ci-prow-worker/tf.tfstate" + + skip_region_validation = true + skip_credentials_validation = true + skip_requesting_account_id = true + use_path_style = true + skip_metadata_api_check = true + } } 
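Review bot: The `# this matches t3.2xlarge sizings.` comment next to `node_shape = "VM.Standard.A1.Flex"` understates the change: A1.Flex is OCI's Ampere (Arm/aarch64) shape, so this is an architecture switch as well as a resize, and every Prow job image and node-level tool scheduled on the pool must be available for arm64. Suggest the comment make that explicit, e.g. `# Ampere A1 (arm64) shape sized like a t3.2xlarge (8 OCPU / 32 GB); workloads must be arm64-capable.` Whether a shape change on an existing pool is applied in place or recreates the pool depends on the provider, so the plan is worth reading before Prow applies it. The hunk opens with the closing brace of the `oci_containerengine_cluster.prow` resource, whose body is outside the hunk.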
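Review bot: The `backend "s3"` block has no state locking — the S3 backend locks only via `dynamodb_table`, which is not set and has no counterpart on OCI's S3-compatible endpoint — so two concurrent Prow runs against `kcp-opentofu-state/ci-prow-worker/tf.tfstate` can race and corrupt the state. Record that in the block, e.g. `# NOTE: no state locking on OCI's S3-compat endpoint; concurrent runs of this directory must be serialized by the caller (Prow).`, and make sure the Prow job is configured that way. The namespace placeholder in the `AWS_ENDPOINT_URL_S3` comment appears to have been lost (`https://.compat.objectstorage...`), presumably a `<namespace>` token eaten as markup; write it as `https://NAMESPACE.compat.objectstorage.us-sanjose-1.oraclecloud.com` so it survives rendering. Since the state holds whatever sensitive attributes the OKE resources expose, a one-line comment that the bucket is expected to be private with versioning enabled would help the next maintainer. The enclosing `terraform {` block starts before the hunk.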
diff --git a/iac/oci-prow-worker/variables.tf b/iac/oci-prow-worker/variables.tf index 9e58363..7da26a3 100644 --- a/iac/oci-prow-worker/variables.tf +++ b/iac/oci-prow-worker/variables.tf @@ -24,3 +24,13 @@ variable "oci_region" { variable "node_pool_ssh_public_key" { type = string } + +variable "node_pool_worker_size" { + type = number + default = 3 +} + +variable "kubernetes_version" { + type = string + default = "v1.29.1" +}
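Review bot: Neither new variable constrains its value: `node_pool_worker_size` accepts 0, negative or fractional numbers and `kubernetes_version` accepts any string, so a bad value from a tfvars file or `-var` flag only surfaces as an OCI API error at apply time (or, for a size of 0, as a quietly empty node pool). `validation` blocks plus `description` fields move that failure to plan time with a clear message, as below. The regex keeps the `v` prefix because the existing default uses it and both the cluster and node pool consume the same value.
```hcl
variable "node_pool_worker_size" {
  description = "Number of worker nodes in the prow-worker node pool."
  type        = number
  default     = 3

  validation {
    condition     = var.node_pool_worker_size >= 1 && floor(var.node_pool_worker_size) == var.node_pool_worker_size
    error_message = "node_pool_worker_size must be a positive whole number."
  }
}

variable "kubernetes_version" {
  description = "OKE Kubernetes version for the cluster and node pool, e.g. v1.29.1."
  type        = string
  default     = "v1.29.1"

  validation {
    condition     = can(regex("^v[0-9]+\\.[0-9]+\\.[0-9]+$", var.kubernetes_version))
    error_message = "kubernetes_version must look like vX.Y.Z."
  }
}
```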