[preview] configure cert-issuer

vulkoingim · roboquat · commit cc61e54c2d3e · 2022-10-31T10:05:05.000+01:00
diff --git a/.werft/jobs/build/job-config.ts b/.werft/jobs/build/job-config.ts
@@ -1,6 +1,6 @@
-import { exec } from "../../util/shell";
-import { Werft } from "../../util/werft";
-import { previewNameFromBranchName } from "../../util/preview";
+import {exec} from "../../util/shell";
+import {Werft} from "../../util/werft";
+import {previewNameFromBranchName} from "../../util/preview";
 
 type WithIntegrationTests = "skip" | "all" | "workspace" | "ide" | "webapp";
 
@@ -36,6 +36,9 @@ export interface JobConfig {
     replicatedVersion: string;
     observability: Observability;
     withLargeVM: boolean;
+    certIssuer: string;
+    recreatePreview: boolean;
+    recreateVm: boolean;
 }
 
 export interface PreviewEnvironmentConfig {
@@ -74,7 +77,7 @@ export function jobConfig(werft: Werft, context: any): JobConfig {
         return raw.split(",").map((e) => e.trim());
     })();
 
-    const coverageOutput = exec("mktemp -d", { silent: true }).stdout.trim();
+    const coverageOutput = exec("mktemp -d", {silent: true}).stdout.trim();
 
     // Main build should only contain the annotations below:
     // ['with-contrib', 'publish-to-npm', 'publish-to-jb-marketplace', 'with-clean-slate-deployment']
@@ -97,10 +100,22 @@ export function jobConfig(werft: Werft, context: any): JobConfig {
     const withObservability = "with-observability" in buildConfig && !mainBuild;
     const withLargeVM = "with-large-vm" in buildConfig && !mainBuild;
     const withLocalPreview = "with-local-preview" in buildConfig || mainBuild
+    const recreatePreview = "recreate-preview" in buildConfig
+    const recreateVm = mainBuild || "recreate-vm" in buildConfig;
 
     const withIntegrationTests = parseWithIntegrationTests(werft, sliceId, buildConfig["with-integration-tests"]);
     const withPreview = decideWithPreview({werft, sliceID: sliceId, buildConfig, mainBuild, withIntegrationTests})
 
+    switch (buildConfig["cert-issuer"]) {
+        case "letsencrypt":
+            buildConfig["cert-issuer"] = "letsencrypt-issuer-gitpod-core-dev"
+            break
+        case "zerossl":
+        default:
+            buildConfig["cert-issuer"] = "zerossl-issuer-gitpod-core-dev"
+    }
+    const certIssuer = buildConfig["cert-issuer"];
+
     const repository: Repository = {
         owner: context.Repository.owner,
         repo: context.Repository.repo,
@@ -155,6 +170,9 @@ export function jobConfig(werft: Werft, context: any): JobConfig {
         withLocalPreview,
         workspaceFeatureFlags,
         withLargeVM,
+        certIssuer,
+        recreatePreview,
+        recreateVm,
     };
 
     werft.logOutput(sliceId, JSON.stringify(jobConfig, null, 2));
@@ -186,8 +204,8 @@ function parseVersion(context: any) {
     return version;
 }
 
-function decideWithPreview(options: {werft: Werft, sliceID: string, buildConfig: any, mainBuild: boolean, withIntegrationTests: WithIntegrationTests}) {
-    const {werft, sliceID, buildConfig, mainBuild, withIntegrationTests } = options
+function decideWithPreview(options: { werft: Werft, sliceID: string, buildConfig: any, mainBuild: boolean, withIntegrationTests: WithIntegrationTests }) {
+    const {werft, sliceID, buildConfig, mainBuild, withIntegrationTests} = options
     if (mainBuild) {
         werft.log(sliceID, "with-preview is disabled for main builds")
         return false
diff --git a/.werft/jobs/build/prepare.ts b/.werft/jobs/build/prepare.ts
@@ -89,7 +89,7 @@ function configureStaticClustersAccess() {
 
 async function decideHarvesterVMCreation(werft: Werft, config: JobConfig) {
     // always try to create - usually it will be no-op, but if tf changed for any reason we would reconcile
-    if (config.withPreview && (!vmExists({ name: config.previewEnvironment.destname }) || config.cleanSlateDeployment)) {
+    if (config.withPreview && (!vmExists({ name: config.previewEnvironment.destname }) || config.cleanSlateDeployment || config.recreatePreview || config.recreateVm)) {
         await createVM(werft, config);
     }
     werft.done(prepareSlices.BOOT_VM);
@@ -101,19 +101,16 @@ async function createVM(werft: Werft, config: JobConfig) {
     const cpu = config.withLargeVM ? 12 : 6;
     const memory = config.withLargeVM ? 24 : 12;
 
-    // -replace=... forces recreation of the resource
-    const planArgs = config.cleanSlateDeployment ? "-replace=harvester_virtualmachine.harvester" : ""
-
     const environment = {
         // We pass the GCP credentials explicitly, otherwise for some reason TF doesn't pick them up
         "GOOGLE_BACKEND_CREDENTIALS": GCLOUD_SERVICE_ACCOUNT_PATH,
         "GOOGLE_APPLICATION_CREDENTIALS": GCLOUD_SERVICE_ACCOUNT_PATH,
+        "TF_VAR_cert_issuer": config.certIssuer,
         "TF_VAR_kubeconfig_path": GLOBAL_KUBECONFIG_PATH,
         "TF_VAR_preview_name": config.previewEnvironment.destname,
         "TF_VAR_vm_cpu": `${cpu}`,
         "TF_VAR_vm_memory": `${memory}Gi`,
-        "TF_VAR_vm_storage_class": "longhorn-gitpod-k3s-202209251218-onereplica",
-        "TF_CLI_ARGS_plan": planArgs
+        "TF_VAR_vm_storage_class": "longhorn-gitpod-k3s-202209251218-onereplica"
     }
 
     const variables = Object
@@ -122,9 +119,16 @@ async function createVM(werft: Werft, config: JobConfig) {
         .map(([key, value]) => `${key}="${value}"`)
         .join(" ")
 
-    if (config.cleanSlateDeployment) {
+    if (config.recreatePreview){
+        werft.log(prepareSlices.BOOT_VM, "Recreating environment");
+        await execStream(`${variables} \
+                                   leeway run dev/preview:delete-preview`, {slice: prepareSlices.BOOT_VM});
+    }else if (config.cleanSlateDeployment || config.recreateVm) {
         werft.log(prepareSlices.BOOT_VM, "Cleaning previously created VM");
-        await execStream(`${variables} leeway run dev/preview:create-preview`, {slice: prepareSlices.BOOT_VM});
+        // -replace=... forces recreation of the resource
+        await execStream(`${variables} \
+                                   TF_CLI_ARGS_plan=-replace=harvester_virtualmachine.harvester \
+                                   leeway run dev/preview:create-preview`, {slice: prepareSlices.BOOT_VM});
     }
 
     werft.log(prepareSlices.BOOT_VM, "Creating  VM");
diff --git a/dev/preview/BUILD.yaml b/dev/preview/BUILD.yaml
@@ -11,6 +11,7 @@ scripts:
   - name: create-preview
     description: Provisions a new preview environment
     script: |
+      export TF_VAR_cert_issuer="${TF_VAR_cert_issuer:-zerossl-issuer-gitpod-core-dev}"
       export TF_VAR_dev_kube_path="${TF_VAR_dev_kube_path:-/home/gitpod/.kube/config}"
       export TF_VAR_dev_kube_context="${TF_VAR_dev_kube_context:-dev}"
       export TF_VAR_harvester_kube_path="${TF_VAR_harvester_kube_path:-/home/gitpod/.kube/config}"
diff --git a/dev/preview/infrastructure/harvester/cert.tf b/dev/preview/infrastructure/harvester/cert.tf
@@ -21,7 +21,7 @@ resource "kubernetes_manifest" "cert" {
       ]
       issuerRef = {
         kind = "ClusterIssuer"
-        name = "zerossl-issuer-gitpod-core-dev"
+        name = var.cert_issuer
       }
       renewBefore = "24h0m0s"
       secretName  = "harvester-${var.preview_name}"
diff --git a/dev/preview/infrastructure/harvester/variables.tf b/dev/preview/infrastructure/harvester/variables.tf
@@ -44,3 +44,9 @@ variable "harvester_ingress_ip" {
   default     = "159.69.172.117"
   description = "Ingress IP in Harvester cluster"
 }
+
+variable "cert_issuer" {
+  type        = string
+  default     = "zerossl-issuer-gitpod-core-dev"
+  description = "Certificate issuer"
+}

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ resource "kubernetes_manifest" "cert" {`
`21`	`21`	`]`
`22`	`22`	`issuerRef = {`
`23`	`23`	`kind = "ClusterIssuer"`
`24`		`- name = "zerossl-issuer-gitpod-core-dev"`
	`24`	`+ name = var.cert_issuer`
`25`	`25`	`}`
`26`	`26`	`renewBefore = "24h0m0s"`
`27`	`27`	`secretName = "harvester-${var.preview_name}"`