diff --git a/README.md b/README.md index e34682c1f..b6e45c4e4 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ To make a release provide a commit that: - removes the next parts from `version` fields across the repo. - updates the package-lock files. - updates the `node/monitor` .vsix file in `demo/dockerfiles/demo-theia-monitor-vscode`. -- updates the helm chart versions in `terraform/modules/helm` to the new version. +- updates the helm chart version in `terraform/modules/theia-cloud/variables.tf` to the new version. When this commit is merged it should not result in pushed artifacts. Create a `releases/` branch. This will be used in the future if any backports are necessary. Also it makes versions easier to find. diff --git a/node/landing-page/package.json b/node/landing-page/package.json index b17137eea..a7699fa14 100644 --- a/node/landing-page/package.json +++ b/node/landing-page/package.json @@ -12,7 +12,7 @@ }, "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "20.0.5", + "keycloak-js": "26.2.4", "react": "^18.2.0", "react-dom": "^18.2.0" }, diff --git a/node/landing-page/src/App.tsx b/node/landing-page/src/App.tsx index f71abc783..affd992fc 100644 --- a/node/landing-page/src/App.tsx +++ b/node/landing-page/src/App.tsx @@ -1,6 +1,13 @@ import './App.css'; -import { AppDefinition, getTheiaCloudConfig, LaunchRequest, PingRequest, TheiaCloud, TheiaCloudConfig } from '@eclipse-theiacloud/common'; +import { + AppDefinition, + getTheiaCloudConfig, + LaunchRequest, + PingRequest, + TheiaCloud, + TheiaCloudConfig +} from '@eclipse-theiacloud/common'; import Keycloak, { KeycloakConfig } from 'keycloak-js'; import { useEffect, useState } from 'react'; 
@@ -78,11 +85,11 @@ function App(): JSX.Element { } if (config.useKeycloak) { keycloakConfig = { - url: config.keycloakAuthUrl, + url: config.keycloakAuthUrl!, realm: config.keycloakRealm!, clientId: config.keycloakClientId! }; - const keycloak = Keycloak(keycloakConfig); + const keycloak = new Keycloak(keycloakConfig!); keycloak .init({ onLoad: 'check-sso', @@ -100,8 +107,8 @@ function App(): JSX.Element { } } }) - .catch(() => { - console.error('Authentication Failed'); + .catch((err: any) => { + console.error('Authentication Failed', err); }); } } @@ -112,7 +119,7 @@ function App(): JSX.Element { document.title = `${selectedAppName} - Try Now`; const authenticate = (): void => { - const keycloak = Keycloak(keycloakConfig); + const keycloak = new Keycloak(keycloakConfig!); keycloak .init({ onLoad: 'login-required', @@ -132,8 +139,8 @@ function App(): JSX.Element { } } }) - .catch(() => { - console.error('Authentication Failed'); + .catch((err: any) => { + console.error('Authentication Failed', err); setError('Authentication failed'); }); }; @@ -152,8 +159,21 @@ function App(): JSX.Element { : 'ws-' + TheiaCloudConfig.getServiceAuthToken(config) + '-' + selectedAppDefinition + '-' + email; TheiaCloud.launchAndRedirect( config.useEphemeralStorage - ? LaunchRequest.ephemeral(config.serviceUrl, TheiaCloudConfig.getServiceAuthToken(config), appDefinition, 5, email) - : LaunchRequest.createWorkspace(config.serviceUrl, TheiaCloudConfig.getServiceAuthToken(config), appDefinition, 5, email, workspace), + ? LaunchRequest.ephemeral( + config.serviceUrl, + TheiaCloudConfig.getServiceAuthToken(config), + appDefinition, + 5, + email + ) + : LaunchRequest.createWorkspace( + config.serviceUrl, + TheiaCloudConfig.getServiceAuthToken(config), + appDefinition, + 5, + email, + workspace + ), { timeout: 60000, retries: 5, accessToken: token } ) .catch((err: Error) => { diff --git a/node/package-lock.json b/node/package-lock.json index ef2f51762..f30fbe590 100644 
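Review bot: The new non-null assertions on `config.keycloakAuthUrl!`, `config.keycloakRealm!` and `config.keycloakClientId!` (and `keycloakConfig!` at both `new Keycloak(...)` sites) only silence the compiler; the only runtime condition visible is `config.useKeycloak`, so a deployment that enables Keycloak but omits one of the three values still reaches `new Keycloak` with an undefined field and fails somewhere inside keycloak-js instead of with a clear configuration error. A guard before building the config, `if (!config.keycloakAuthUrl || !config.keycloakRealm || !config.keycloakClientId) { console.error('useKeycloak is set but keycloakAuthUrl/keycloakRealm/keycloakClientId is missing'); return; }`, would make that failure explicit and lets the assertions go. The widened catch handlers should take `err: unknown` rather than `any`, since `console.error` accepts anything and nothing else in the handler needs the escape. keycloak-js moves from 20.0.5 to 26.2.4 across several major versions and the `init` options are cut off in these hunks, so it is worth confirming that adapter defaults that changed along the way (PKCE method, login-iframe handling) still match the realm's client settings. The enclosing `App` function starts before and ends after these hunks.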
--- a/node/package-lock.json +++ b/node/package-lock.json @@ -60,7 +60,7 @@ "license": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "20.0.5", + "keycloak-js": "26.2.4", "react": "^18.2.0", "react-dom": "^18.2.0" }, @@ -627,21 +627,6 @@ } } }, - "landing-page/node_modules/yaml": { - "version": "2.8.1", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.1.tgz", - "integrity": "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==", - "dev": true, - "license": "ISC", - "optional": true, - "peer": true, - "bin": { - "yaml": "bin.mjs" - }, - "engines": { - "node": ">= 14.6" - } - }, "node_modules/@adobe/css-tools": { "version": "4.4.4", "resolved": "https://registry.npmjs.org/@adobe/css-tools/-/css-tools-4.4.4.tgz", @@ -7102,26 +7087,6 @@ "bare-path": "^3.0.0" } }, - "node_modules/base64-js": { - "version": "1.5.1", - "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", - "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/feross" - }, - { - "type": "patreon", - "url": "https://www.patreon.com/feross" - }, - { - "type": "consulting", - "url": "https://feross.org/support" - } - ], - "license": "MIT" - }, "node_modules/baseline-browser-mapping": { "version": "2.8.20", "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.8.20.tgz", 
@@ -13503,12 +13468,6 @@ "url": "https://github.com/sponsors/panva" } }, - "node_modules/js-sha256": { - "version": "0.9.0", - "resolved": "https://registry.npmjs.org/js-sha256/-/js-sha256-0.9.0.tgz", - "integrity": "sha512-sga3MHh9sgQN2+pJ9VYZ+1LPwXOxuBJBA5nrR5/ofPfuiJBE2hnjsaN8se8JznOmGLN2p49Pe5U/ttafcs/apA==", - "license": "MIT" - }, "node_modules/js-tokens": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz", @@ -13775,14 +13734,13 @@ } }, "node_modules/keycloak-js": { - "version": "20.0.5", - "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-20.0.5.tgz", - "integrity": "sha512-7+M5Uni4oNlAmbjM/lDJzFHu2+PGqU6/bvmTBuQssE1fJ7ZyNeCRHgFoaVfFpIU3m6aAFwPUko4lVcn4kPXP5Q==", + "version": "26.2.4", + "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-26.2.4.tgz", + "integrity": "sha512-PnXpR3ubETGOt0B/Qt2lxmPbkZr5bc3vlQsOqDoTPPQsZRp7JjhTKxlJ187uWh8qJhvBab6Gsjb06a8ayOPfuw==", "license": "Apache-2.0", - "dependencies": { - "base64-js": "^1.5.1", - "js-sha256": "^0.9.0" - } + "workspaces": [ + "test" + ] }, "node_modules/keyv": { "version": "4.5.4", @@ -18870,20 +18828,6 @@ } } }, - "node_modules/tailwindcss/node_modules/yaml": { - "version": "2.8.1", - "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.1.tgz", - "integrity": "sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==", - "license": "ISC", - "optional": true, - "peer": true, - "bin": { - "yaml": "bin.mjs" - }, - "engines": { - "node": ">= 14.6" - } - }, "node_modules/tapable": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz", @@ -20802,7 +20746,7 @@ "license": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "^17.0.1", + "keycloak-js": "26.2.4", "react": "^18.2.0", "react-dom": "^18.2.0", "react-scripts": "5.0.1", 
@@ -20831,16 +20775,6 @@ "node": ">=12" } }, - "testing-page/node_modules/keycloak-js": { - "version": "17.0.1", - "resolved": "https://registry.npmjs.org/keycloak-js/-/keycloak-js-17.0.1.tgz", - "integrity": "sha512-mbLBSoogCBX5VYeKCdEz8BaRWVL9twzSqArRU3Mo3Z7vEO1mghGZJ5IzREfiMEi7kTUZtk5i9mu+Yc0koGkK6g==", - "license": "Apache-2.0", - "dependencies": { - "base64-js": "^1.5.1", - "js-sha256": "^0.9.0" - } - }, "testing-page/node_modules/react-refresh": { "version": "0.11.0", "resolved": "https://registry.npmjs.org/react-refresh/-/react-refresh-0.11.0.tgz", @@ -20922,21 +20856,6 @@ "optional": true } } - }, - "testing-page/node_modules/typescript": { - "version": "4.9.5", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.9.5.tgz", - "integrity": "sha512-1FXk9E2Hm+QzZQ7z+McJiHL4NW1F2EzMu9Nq9i3zAaGqibafqYwCVU6WyWAuyQRRzOlxou8xZSyXLEN8oKj24g==", - "license": "Apache-2.0", - "optional": true, - "peer": true, - "bin": { - "tsc": "bin/tsc", - "tsserver": "bin/tsserver" - }, - "engines": { - "node": ">=4.2.0" - } } } } diff --git a/node/testing-page/package.json b/node/testing-page/package.json index e2647f4ee..bbce3f8b2 100644 --- a/node/testing-page/package.json +++ b/node/testing-page/package.json @@ -5,7 +5,7 @@ "private": true, "dependencies": { "@eclipse-theiacloud/common": "1.3.0-next", - "keycloak-js": "^17.0.1", + "keycloak-js": "26.2.4", "react": "^18.2.0", "react-dom": "^18.2.0", "react-scripts": "5.0.1", diff --git a/terraform/ci-configurations/.terraform.lock.hcl b/terraform/ci-configurations/.terraform.lock.hcl index f77128e1d..0fe5e74d2 100644 --- a/terraform/ci-configurations/.terraform.lock.hcl +++ b/terraform/ci-configurations/.terraform.lock.hcl 
@@ -26,7 +26,7 @@ provider "registry.terraform.io/gavinbunney/kubectl" { provider "registry.terraform.io/hashicorp/helm" { version = "3.0.2" - constraints = ">= 3.0.2" + constraints = ">= 2.0.0, >= 3.0.2" hashes = [ "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", @@ -44,9 +44,30 @@ provider "registry.terraform.io/hashicorp/helm" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "3.6.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:FekY+4cjIw3QBdpk2dVQ20+t8AeDwCK/VaKOnjfeJvw=", + "zh:0996c7db5d7627bc6ab8c4d217f18fb122d60e99e454812b080ee5695cad1003", + "zh:25b7ee0ba9edc912a00365c776d062ae7c66d94050c6c13038447c8e8b95ddf2", + "zh:29c4ba54add6eee7f1d0034d331ba0f14f3046234b1f7520a537e6444e4521b7", + "zh:30a3aa3ef978f8142daf2ced3f9f1ecda8b0831cdc6911e7e930e95eab191b4f", + "zh:30bf0810acdfe96e799ed9b64cb70e96d6f7c033621e0373b9897513977c49c5", + "zh:4ecaaf3dfd20feaa2b92af521018501bc7d874b6a6642ef86ea4cc3c251d737a", + "zh:661760406e3d5372e6725d18ca80734996f21adabc02d82e36ed6d8db07cad7d", + "zh:70dd9556bd2633082efd9681421f89dd4abdde6fcd84834627fa4b8b8f9e7afe", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:973a72066866579ac6fa0e0c9e9eee8e77d238cf78f1b1f96ce6536052fa73ce", + "zh:b2ac9463a9499b478147186027fabee65c04b8f6d963a8df3d49241ce5784fe2", + "zh:c6acc05dc3456c0001b5fb99e1b57005f5a3d3d766f9bddfc21ffe8364fa7535", + "zh:f97f2d57ebcefe62f0644f58e8ba68593f8f05baf7856c99953396aedd14e415", + ] +} + provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.38.0" - constraints = ">= 2.38.0" + constraints = ">= 2.0.0, >= 2.38.0" hashes = [ "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", diff --git a/terraform/ci-configurations/e2e_tests.tf b/terraform/ci-configurations/e2e_tests.tf index e3ea050a5..932874061 100644 --- a/terraform/ci-configurations/e2e_tests.tf 
+++ b/terraform/ci-configurations/e2e_tests.tf @@ -58,37 +58,32 @@ resource "kubernetes_persistent_volume_v1" "minikube" { } } -module "helm" { - source = "../modules/helm" +module "cluster_prerequisites" { + source = "../modules/cluster-prerequisites" depends_on = [kubernetes_persistent_volume_v1.minikube] - install_ingress_controller = false - ingress_controller_type = var.ingress_controller_type - install_theia_cloud_base = false - install_theia_cloud_crds = false - install_theia_cloud = false - install_selfsigned_issuer = true - cert_manager_issuer_email = "jdoe@theia-cloud.io" - cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" - cert_manager_common_name = "${var.ingress_ip}.nip.io" - hostname = "${var.ingress_ip}.nip.io" - service_type = "ClusterIP" - postgresql_storageClass = "manual" - postgresql_volumePermissions = true - keycloak_admin_password = "admin" - postgresql_enabled = true - postgres_postgres_password = "admin" - postgres_password = "admin" - loadBalancerIP = "" - cloudProvider = "MINIKUBE" + hostname = "${var.ingress_ip}.nip.io" + keycloak_admin_password = "admin" + postgres_password = "admin" + install_cert_manager = true + install_selfsigned_issuer = true + install_ingress_controller = false + cert_manager_issuer_email = "jdoe@theia-cloud.io" + ingress_controller_type = var.ingress_controller_type + ingress_class_name = var.ingress_controller_type + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + ingress_cert_manager_common_name = "${var.ingress_ip}.nip.io" + postgres_storage_class = "manual" + postgres_volume_permissions = true + cloud_provider = "MINIKUBE" } provider "keycloak" { client_id = "admin-cli" username = "admin" password = "admin" - url = "https://${var.ingress_ip}.nip.io/keycloak" + url = module.cluster_prerequisites.keycloak_url tls_insecure_skip_verify = true # only for minikube self signed initial_login = false client_timeout = 60 
@@ -97,16 +92,15 @@ provider "keycloak" { module "keycloak" { source = "../modules/keycloak" - depends_on = [module.helm] + depends_on = [module.cluster_prerequisites] - hostname = "${var.ingress_ip}.nip.io" keycloak_test_user_foo_password = "foo" keycloak_test_user_bar_password = "bar" valid_redirect_uri = "*" } resource "helm_release" "theia-cloud-crds" { - depends_on = [module.keycloak] + depends_on = [module.cluster_prerequisites] name = "theia-cloud-crds" chart = "../../../theia-cloud-helm/charts/theia-cloud-crds" @@ -122,7 +116,7 @@ resource "helm_release" "theia-cloud-crds" { } resource "helm_release" "theia-cloud-base" { - depends_on = [module.keycloak] + depends_on = [module.cluster_prerequisites] name = "theia-cloud-base" chart = "../../../theia-cloud-helm/charts/theia-cloud-base" @@ -177,7 +171,7 @@ resource "helm_release" "theia-cloud" { name = "operator.eagerStart" value = var.eager_start } - ] + ] } resource "kubectl_manifest" "theia-cloud-monitor-theia-popup" { @@ -315,7 +309,6 @@ resource "kubectl_manifest" "theia-cloud-monitor-vscode-timeout" { notifyAfter: 15 EOF } - resource "kubectl_manifest" "theia-cloud-demo" { depends_on = [helm_release.theia-cloud] yaml_body = <<-EOF @@ -349,5 +342,3 @@ resource "kubectl_manifest" "theia-cloud-demo" { notifyAfter: 30 EOF } - - diff --git a/terraform/configurations/gke_getting_started/.terraform.lock.hcl b/terraform/configurations/gke_getting_started/.terraform.lock.hcl index 3c18a69ac..550f5467e 100644 --- a/terraform/configurations/gke_getting_started/.terraform.lock.hcl +++ b/terraform/configurations/gke_getting_started/.terraform.lock.hcl @@ -46,7 +46,7 @@ provider "registry.terraform.io/hashicorp/google" { provider "registry.terraform.io/hashicorp/helm" { version = "3.0.2" - constraints = ">= 3.0.2" + constraints = ">= 2.0.0, >= 3.0.2" hashes = [ "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", 
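Review bot: `helm_release.theia-cloud-crds` and `helm_release.theia-cloud-base` now depend only on `module.cluster_prerequisites` and no longer on `module.keycloak`, so unless `helm_release.theia-cloud` (whose `depends_on` is outside these hunks) still chains through `module.keycloak`, the Theia Cloud operator and service can come up before the realm, clients and test users exist and the e2e run would exercise an unconfigured Keycloak. If the realm must exist first, keep `depends_on = [module.keycloak]` on the release that actually needs it rather than on the CRD/base charts. The literal `"admin"` passwords are acceptable for a throwaway minikube cluster, but the same value is now written in `module "cluster_prerequisites"` and again in `provider "keycloak"`; a single `locals { keycloak_admin_password = "admin" }` referenced from both would keep them from drifting silently. `tls_insecure_skip_verify = true` stays scoped to this CI configuration, which is fine as long as it never gets copied into the getting-started configurations.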
@@ -64,6 +64,47 @@ provider "registry.terraform.io/hashicorp/helm" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "3.6.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:FekY+4cjIw3QBdpk2dVQ20+t8AeDwCK/VaKOnjfeJvw=", + "zh:0996c7db5d7627bc6ab8c4d217f18fb122d60e99e454812b080ee5695cad1003", + "zh:25b7ee0ba9edc912a00365c776d062ae7c66d94050c6c13038447c8e8b95ddf2", + "zh:29c4ba54add6eee7f1d0034d331ba0f14f3046234b1f7520a537e6444e4521b7", + "zh:30a3aa3ef978f8142daf2ced3f9f1ecda8b0831cdc6911e7e930e95eab191b4f", + "zh:30bf0810acdfe96e799ed9b64cb70e96d6f7c033621e0373b9897513977c49c5", + "zh:4ecaaf3dfd20feaa2b92af521018501bc7d874b6a6642ef86ea4cc3c251d737a", + "zh:661760406e3d5372e6725d18ca80734996f21adabc02d82e36ed6d8db07cad7d", + "zh:70dd9556bd2633082efd9681421f89dd4abdde6fcd84834627fa4b8b8f9e7afe", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:973a72066866579ac6fa0e0c9e9eee8e77d238cf78f1b1f96ce6536052fa73ce", + "zh:b2ac9463a9499b478147186027fabee65c04b8f6d963a8df3d49241ce5784fe2", + "zh:c6acc05dc3456c0001b5fb99e1b57005f5a3d3d766f9bddfc21ffe8364fa7535", + "zh:f97f2d57ebcefe62f0644f58e8ba68593f8f05baf7856c99953396aedd14e415", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "3.1.0" + constraints = ">= 2.0.0" + hashes = [ + "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=", + "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0", + "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20", + "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c", + "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65", + "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0", + "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a", + "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1", + "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98", + 
"zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1", + "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f", + ] +} + provider "registry.terraform.io/mrparkers/keycloak" { version = "4.4.0" constraints = ">= 4.4.0" diff --git a/terraform/configurations/gke_getting_started/gke_getting_started.tf b/terraform/configurations/gke_getting_started/gke_getting_started.tf index 7ae5b1a44..9c305b8eb 100644 --- a/terraform/configurations/gke_getting_started/gke_getting_started.tf +++ b/terraform/configurations/gke_getting_started/gke_getting_started.tf @@ -16,11 +16,6 @@ variable "keycloak_admin_password" { sensitive = true } -variable "postgres_postgres_password" { - description = "Keycloak Postgres DB Postgres (Admin) Password" - sensitive = true -} - variable "postgres_password" { description = "Keycloak Postgres DB Password" sensitive = true @@ -50,6 +45,12 @@ resource "google_compute_address" "host_ip" { name = "theia-cloud-ingress-ip" } +provider "kubernetes" { + host = module.cluster.cluster_host + token = module.cluster.cluster_token + cluster_ca_certificate = module.cluster.cluster_ca_certificate +} + provider "helm" { kubernetes = { host = module.cluster.cluster_host 
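Review bot: `variable "postgres_postgres_password"` (the PostgreSQL superuser password, previously marked `sensitive`) is removed here and the new `module "cluster_prerequisites"` call later in this file passes only `postgres_password`; if the module or the PostgreSQL chart falls back to a default or empty superuser password, this GKE deployment ends up with a fixed, well-known database credential. Confirm that `cluster-prerequisites` generates it (for example with `random_password`) or re-expose the variable and forward it as `postgres_postgres_password = var.postgres_postgres_password`. The added `provider "kubernetes"` authenticates with `module.cluster.cluster_token`, which for GKE is a short-lived access token; that matches the existing helm and kubectl providers, but a long apply can outlive the token and fail midway, so a note such as `# cluster_token is short-lived; re-run terraform if a long apply reports 401` would save the next person some debugging.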
@@ -65,27 +66,70 @@ provider "kubectl" { cluster_ca_certificate = module.cluster.cluster_ca_certificate } -module "helm" { - source = "../../modules/helm" +# Manually install cert-manager to have its CRDs available for the theia-cloud-base module, which installs the cluster issuer for let's encrypt. +resource "helm_release" "cert_manager" { + name = "cert-manager" + repository = "https://charts.jetstack.io" + chart = "cert-manager" + version = "v1.17.4" + namespace = "cert-manager" + create_namespace = true + + set = [ + { + name = "installCRDs" + value = "true" + } + ] +} + +# Install theia-cloud-base first because we re-use the "letsencrypt-prod" ClusterIssuer created by that module for the Keycloak ingress installed in the cluster prerequisites module. +module "theia-cloud-base" { + source = "../../modules/theia-cloud" + + depends_on = [helm_release.cert_manager] + + install_theia_cloud_crds = false + install_theia_cloud = false + hostname = "${google_compute_address.host_ip.address}.sslip.io" + cert_manager_issuer_email = var.cert_manager_issuer_email +} + +module "cluster_prerequisites" { + source = "../../modules/cluster-prerequisites" + + depends_on = [module.theia-cloud-base] + hostname = "${google_compute_address.host_ip.address}.sslip.io" + keycloak_admin_password = var.keycloak_admin_password + postgres_password = var.postgres_password + install_cert_manager = false + install_ingress_controller = true + install_selfsigned_issuer = false + cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_controller_type = var.ingress_controller_type + ingress_class_name = var.ingress_controller_type + ingress_cert_manager_cluster_issuer = "letsencrypt-prod" + load_balancer_ip = google_compute_address.host_ip.address +} + +module "theia-cloud" { + source = "../../modules/theia-cloud" + + depends_on = [module.cluster_prerequisites] - install_ingress_controller = true - ingress_controller_type = var.ingress_controller_type - cert_manager_issuer_email = 
var.cert_manager_issuer_email - cert_manager_cluster_issuer = "letsencrypt-prod" - cert_manager_common_name = "${google_compute_address.host_ip.address}.sslip.io" - hostname = "${google_compute_address.host_ip.address}.sslip.io" - keycloak_admin_password = var.keycloak_admin_password - postgresql_enabled = true - postgres_postgres_password = var.postgres_postgres_password - postgres_password = var.postgres_password - loadBalancerIP = google_compute_address.host_ip.address + install_theia_cloud_base = false + hostname = "${google_compute_address.host_ip.address}.sslip.io" + ingress_controller_type = var.ingress_controller_type + cert_manager_issuer_email = var.cert_manager_issuer_email + cloud_provider = "K8S" + keycloak_url = module.cluster_prerequisites.keycloak_url } provider "keycloak" { client_id = "admin-cli" username = "admin" password = var.keycloak_admin_password - url = "https://${google_compute_address.host_ip.address}.sslip.io/keycloak" + url = module.cluster_prerequisites.keycloak_url initial_login = false client_timeout = 60 } @@ -93,9 +137,8 @@ provider "keycloak" { module "keycloak" { source = "../../modules/keycloak" - depends_on = [module.helm] + depends_on = [module.cluster_prerequisites] - hostname = "${google_compute_address.host_ip.address}.sslip.io" keycloak_test_user_foo_password = "foo" keycloak_test_user_bar_password = "bar" valid_redirect_uri = "https://${google_compute_address.host_ip.address}.sslip.io/*" diff --git a/terraform/configurations/minikube_getting_started/.terraform.lock.hcl b/terraform/configurations/minikube_getting_started/.terraform.lock.hcl deleted file mode 100644 index 0d65fc5db..000000000 --- a/terraform/configurations/minikube_getting_started/.terraform.lock.hcl +++ /dev/null 
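Review bot: `helm_release.cert_manager` pins chart `v1.17.4` but enables CRDs through `installCRDs`, which cert-manager has deprecated since v1.15 in favour of `crds.enabled`/`crds.keep`; with the old flag the CRDs are owned by the release and, as I read the chart docs, removed on `helm uninstall`, which would also delete every `Certificate` and the `letsencrypt-prod` `ClusterIssuer` this file relies on. Prefer `{ name = "crds.enabled", value = "true" }` and `{ name = "crds.keep", value = "true" }` so the CRDs survive a release reinstall. The hostname `"${google_compute_address.host_ip.address}.sslip.io"` is now repeated in four places (both `theia-cloud` modules, `cluster_prerequisites`, and the redirect URI in `module "keycloak"`); a single `locals { hostname = ... }` would prevent one of them drifting, which for `valid_redirect_uri` is a security-relevant value. The comments on the two modules explain the ordering well; consider also stating that `ingress_cert_manager_cluster_issuer = "letsencrypt-prod"` must match the issuer name created by `theia-cloud-base`, since nothing in Terraform enforces it.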
@@ -1,128 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = ">= 1.19.0" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", - "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", - "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", - "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", - "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", - "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", - "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", - "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", - "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", - "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", - "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", - "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", - "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", - ] -} - -provider "registry.terraform.io/hashicorp/external" { - version = "2.3.5" - hashes = [ - "h1:smKSos4zs57pJjQrNuvGBpSWth2el9SgePPbPHo0aps=", - "zh:6e89509d056091266532fa64de8c06950010498adf9070bf6ff85bc485a82562", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:86868aec05b58dc0aa1904646a2c26b9367d69b890c9ad70c33c0d3aa7b1485a", - "zh:a2ce38fda83a62fa5fb5a70e6ca8453b168575feb3459fa39803f6f40bd42154", - "zh:a6c72798f4a9a36d1d1433c0372006cc9b904e8cfd60a2ae03ac5b7d2abd2398", - "zh:a8a3141d2fc71c86bf7f3c13b0b3be8a1b0f0144a47572a15af4dfafc051e28a", - 
"zh:aa20a1242eb97445ad26ebcfb9babf2cd675bdb81cac5f989268ebefa4ef278c", - "zh:b58a22445fb8804e933dcf835ab06c29a0f33148dce61316814783ee7f4e4332", - "zh:cb5626a661ee761e0576defb2a2d75230a3244799d380864f3089c66e99d0dcc", - "zh:d1acb00d20445f682c4e705c965e5220530209c95609194c2dc39324f3d4fcce", - "zh:d91a254ba77b69a29d8eae8ed0e9367cbf0ea6ac1a85b58e190f8cb096a40871", - "zh:f6592327673c9f85cdb6f20336faef240abae7621b834f189c4a62276ea5db41", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "3.0.2" - constraints = ">= 3.0.2" - hashes = [ - "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", - "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", - "zh:3b4c436a41e4fbae5f152852a9bd5c97db4460af384e26977477a40adf036690", - "zh:617a372f5bb2288f3faf5fd4c878a68bf08541cf418a3dbb8a19bc41ad4a0bf2", - "zh:84de431479548c96cb61c495278e320f361e80ab4f8835a5425ece24a9b6d310", - "zh:8b4cf5f81d10214e5e1857d96cff60a382a22b9caded7f5d7a92e5537fc166c1", - "zh:baeb26a00ffbcf3d507cdd940b2a2887eee723af5d3319a53eec69048d5e341e", - "zh:ca05a8814e9bf5fbffcd642df3a8d9fae9549776c7057ceae6d6f56471bae80f", - "zh:ca4bf3f94dedb5c5b1a73568f2dad7daf0ef3f85e688bc8bc2d0e915ec148366", - "zh:d331f2129fd3165c4bda875c84a65555b22eb007801522b9e017d065ac69b67e", - "zh:e583b2b478dde67da28e605ab4ef6521c2e390299b471d7d8ef05a0b608dcdad", - "zh:f238b86611647c108c073d265f8891a2738d3158c247468ae0ff5b1a3ac4122a", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.38.0" - constraints = ">= 2.38.0" - hashes = [ - "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", - "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", - "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", - "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", - "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", - 
"zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", - "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", - "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", - "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", - "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", - "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", - ] -} - -provider "registry.terraform.io/mrparkers/keycloak" { - version = "4.4.0" - constraints = ">= 4.4.0" - hashes = [ - "h1:FH9j76zRv05qxk7I/w0mycmBEuew/+XP+Qx+Ptz/onw=", - "zh:0116d63fb4a4436d67cc793038899e0de23c3a5c78f5bf3cf76ee006ad886979", - "zh:0fa399fcdeef21dd914ff7413b8489e47900cbe7bc65b50eeb0d75b71a2b561d", - "zh:30371fee6d0ae438908b1bf03278f6d0a0cb2992a97814028676a05a55d92f19", - "zh:39218a95fe6430ac2b44470cb991dbb98f57c5306017a80b81d3a319855094f4", - "zh:3b436c471cde4eb9120f609e3aecf12d383e8032aeb9cd12c7476faa7c8b4afb", - "zh:9a2a5cc77332e6cd9f6d101d3aff35520a2361fc02f4d436fe176dbd5351f24b", - "zh:9a89cc61c303100174cda3783b13fa4f6e2648eb436c1259d1c72264998534e8", - "zh:b588cd78d9939523de1fa8202c2757c497a20dcf2bf67cf4daf61836194bfe3a", - "zh:c04e6ac2367f55d9cd0893ebebbecb9da685312077e8a7fff299b8d8009955d5", - "zh:c23286693edf2024272219f6728bb7eded5ee087956fc527a63f10ea9ec9c9e4", - "zh:d7a29a2023f17b24236079789931d53662a2696b13d30140cb75dc0e693a1f94", - "zh:ddc0cad0a8ec9e5afc4f4502aed75089c3e9e0bc6da9d4b796728ef5580b94ef", - "zh:de8833a1a0a726401380e52302892de782dddb7efa51122c33104dde8e119561", - "zh:dee864f90327b149d126d603c5ed58cc196682153ebd1bfa73dd67398f6cbe38", - "zh:f63ef9950ebb06fa1daad784a3d0f342803f65404107186bdadb3198ce4d03b2", - "zh:f6d2414fec3fcaefc80cbe8e49647221dbbcfd2fe1b0f7619bd68d06c93c30f4", - "zh:fb659b5a21ba0ad9ec1c7484f167c51c752abea84dd27e726cc3567e7006e99e", 
- ] -} - -provider "registry.terraform.io/scott-the-programmer/minikube" { - version = "0.6.0" - constraints = "0.6.0" - hashes = [ - "h1:b2DJdavTUmUbOLsHrw+A9Q/yfn4ZAUjvcGL8vi9wWbk=", - "zh:07384be2c110a8727f8a42abb387c5bb715e984ce5394e947a628ac62d9a6288", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:2aa27ced99cf412f48b6f0893542133b2d35107d3863b883025ee5ed316728dd", - "zh:354893a90285a9f8fe59bb14ee91df6eefb9bf83efafedef48b6965d1a454213", - "zh:700d1b78f4bab6591e4e418c989bc4c2e73d3ab403929961a227f133f00fa070", - "zh:9f58563aa5847f2f65ac2f0a6a5e1b38beb9a1ae3bd58a580c3d8eeb411fa11a", - "zh:ac097e1f714aa14c255a62caf8e5022c95765e75a161ca562ccedf52db95dd79", - "zh:c0a75a6886c647a67ae37c9abcb98cd55728435da8142b0711e6f1c6323440a0", - "zh:c7d0bbc8c4aa6cd962214fe1cb24126830f1b836bf49af776a06b06410bdc767", - "zh:ce1a20714dc4a7ef3775e64bd1ab420b92ed59ff782a1fc1e5d9315df32c858e", - "zh:d35cc2226d41a30522331fde97e5dd22bf1fc9cb55773fcfe6e6cdba6687aea3", - ] -} diff --git a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/.terraform.lock.hcl b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/.terraform.lock.hcl index 5233c61be..48e91fd19 100644 --- a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/.terraform.lock.hcl +++ b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/.terraform.lock.hcl @@ -45,7 +45,7 @@ provider "registry.terraform.io/hashicorp/external" { provider "registry.terraform.io/hashicorp/helm" { version = "3.1.1" - constraints = ">= 3.0.2" + constraints = ">= 2.0.0, >= 3.0.2" hashes = [ "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", 
@@ -63,9 +63,29 @@ provider "registry.terraform.io/hashicorp/helm" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "3.5.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:8bUoPwS4hahOvzCBj6b04ObLVFXCEmEN8T/5eOHmWOM=", + "zh:047c5b4920751b13425efe0d011b3a23a3be97d02d9c0e3c60985521c9c456b7", + "zh:157866f700470207561f6d032d344916b82268ecd0cf8174fb11c0674c8d0736", + "zh:1973eb9383b0d83dd4fd5e662f0f16de837d072b64a6b7cd703410d730499476", + "zh:212f833a4e6d020840672f6f88273d62a564f44acb0c857b5961cdb3bbc14c90", + "zh:2c8034bc039fffaa1d4965ca02a8c6d57301e5fa9fff4773e684b46e3f78e76a", + "zh:5df353fc5b2dd31577def9cc1a4ebf0c9a9c2699d223c6b02087a3089c74a1c6", + "zh:672083810d4185076c81b16ad13d1224b9e6ea7f4850951d2ab8d30fa6e41f08", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b4200f18abdbe39904b03537e1a78f21ebafe60f1c861a44387d314fda69da6", + "zh:843feacacd86baed820f81a6c9f7bd32cf302db3d7a0f39e87976ebc7a7cc2ee", + "zh:a9ea5096ab91aab260b22e4251c05f08dad2ed77e43e5e4fadcdfd87f2c78926", + "zh:d02b288922811739059e90184c7f76d45d07d3a77cc48d0b15fd3db14e928623", + ] +} + provider "registry.terraform.io/hashicorp/kubernetes" { version = "3.0.1" - constraints = ">= 2.38.0" + constraints = ">= 2.0.0, >= 2.38.0" hashes = [ "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=", "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281", diff --git a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/main.tf b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/main.tf index e51a5fe9f..d207e9d51 100644 --- a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/main.tf +++ b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/main.tf 
@@ -97,25 +97,35 @@ locals { hostname = "${local.effective_host}.nip.io" } -module "helm" { - source = "../../../modules/helm" - - depends_on = [module.host, helm_release.haproxy-ingress-controller] - - install_ingress_controller = false - ingress_controller_type = local.ingress_controller_type - cert_manager_issuer_email = var.cert_manager_issuer_email - cert_manager_cluster_issuer = "theia-cloud-selfsigned-issuer" - cert_manager_common_name = local.hostname - hostname = local.hostname - keycloak_admin_password = var.keycloak_admin_password - postgresql_enabled = true - postgres_postgres_password = "admin" - postgres_password = "admin" - postgresql_storageClass = "manual" - postgresql_volumePermissions = true - service_type = "ClusterIP" - cloudProvider = "MINIKUBE" +module "cluster_prerequisites" { + source = "../../../modules/cluster-prerequisites" + + depends_on = [kubernetes_persistent_volume_v1.minikube, helm_release.haproxy-ingress-controller] + + hostname = local.hostname + keycloak_admin_password = var.keycloak_admin_password + postgres_password = "admin" + install_cert_manager = true + install_selfsigned_issuer = true + cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_controller_type = data.terraform_remote_state.cluster.outputs.ingress_controller_type + ingress_class_name = data.terraform_remote_state.cluster.outputs.ingress_controller_type + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + ingress_cert_manager_common_name = local.hostname + postgres_storage_class = "manual" + postgres_volume_permissions = true + cloud_provider = "MINIKUBE" +} + +module "theia-cloud" { + source = "../../../modules/theia-cloud" + + depends_on = [module.host, module.cluster_prerequisites, helm_release.haproxy-ingress-controller] + + ingress_controller_type = local.ingress_controller_type + cert_manager_issuer_email = var.cert_manager_issuer_email + hostname = local.hostname + cloud_provider = "MINIKUBE" } provider "keycloak" { 
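Review bot: `postgres_password = "admin"` is a literal while `keycloak_admin_password = var.keycloak_admin_password` in the same `module "cluster_prerequisites"` block is a variable, so the getting-started database credential is fixed and visible in source; either add a `sensitive` `variable "postgres_password"` or generate it with `random_password` and pass `random_password.postgres.result`. The two modules also take their ingress type from different places, `data.terraform_remote_state.cluster.outputs.ingress_controller_type` for `cluster_prerequisites` and `local.ingress_controller_type` for `theia-cloud`; if those ever disagree, the Keycloak ingress and the Theia ingress land on different ingress classes, so reference one of them in both places. The `depends_on` of `cluster_prerequisites` references `kubernetes_persistent_volume_v1.minikube`, which is defined outside this hunk, so I could not confirm it is the volume the PostgreSQL `postgres_storage_class = "manual"` claim binds to.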
@@ -131,9 +141,8 @@ provider "keycloak" {
 module "keycloak" {
 source = "../../../modules/keycloak"
 
- depends_on = [module.helm]
+ depends_on = [module.cluster_prerequisites]
 
- hostname = local.hostname
 keycloak_test_user_foo_password = "foo"
 keycloak_test_user_bar_password = "bar"
 valid_redirect_uri = "https://${local.hostname}/*"
diff --git a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/outputs.tf b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/outputs.tf
index ddc6ccd0a..d5128ba1d 100644
--- a/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/outputs.tf
+++ b/terraform/configurations/minikube_getting_started/1_theiacloud-and-dependencies/outputs.tf
@@ -5,5 +5,5 @@ output "try_now" {
 
 output "keycloak" {
 description = "Keycloak Admin URL."
- value = "https://${local.hostname}/keycloak/"
+ value = "${module.cluster_prerequisites.keycloak_url}/"
 }
diff --git a/terraform/modules/cluster-prerequisites/.terraform.lock.hcl b/terraform/modules/cluster-prerequisites/.terraform.lock.hcl
new file mode 100644
index 000000000..90bec6736
--- /dev/null
+++ b/terraform/modules/cluster-prerequisites/.terraform.lock.hcl
@@ -0,0 +1,85 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = ">= 1.19.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "3.1.1" + constraints = ">= 2.0.0" + hashes = [ + "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", + "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", + "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a", + "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29", + "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104", + "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990", + 
"zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34", + "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8", + "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1", + "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b", + "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903", + "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/http" { + version = "3.5.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:8bUoPwS4hahOvzCBj6b04ObLVFXCEmEN8T/5eOHmWOM=", + "zh:047c5b4920751b13425efe0d011b3a23a3be97d02d9c0e3c60985521c9c456b7", + "zh:157866f700470207561f6d032d344916b82268ecd0cf8174fb11c0674c8d0736", + "zh:1973eb9383b0d83dd4fd5e662f0f16de837d072b64a6b7cd703410d730499476", + "zh:212f833a4e6d020840672f6f88273d62a564f44acb0c857b5961cdb3bbc14c90", + "zh:2c8034bc039fffaa1d4965ca02a8c6d57301e5fa9fff4773e684b46e3f78e76a", + "zh:5df353fc5b2dd31577def9cc1a4ebf0c9a9c2699d223c6b02087a3089c74a1c6", + "zh:672083810d4185076c81b16ad13d1224b9e6ea7f4850951d2ab8d30fa6e41f08", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b4200f18abdbe39904b03537e1a78f21ebafe60f1c861a44387d314fda69da6", + "zh:843feacacd86baed820f81a6c9f7bd32cf302db3d7a0f39e87976ebc7a7cc2ee", + "zh:a9ea5096ab91aab260b22e4251c05f08dad2ed77e43e5e4fadcdfd87f2c78926", + "zh:d02b288922811739059e90184c7f76d45d07d3a77cc48d0b15fd3db14e928623", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "3.0.1" + constraints = ">= 2.0.0" + hashes = [ + "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=", + "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281", + "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba", + "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7", + 
"zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6", + "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4", + "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249", + "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090", + "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97", + "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8", + "zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119", + "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/modules/helm/LICENSE b/terraform/modules/cluster-prerequisites/LICENSE similarity index 100% rename from terraform/modules/helm/LICENSE rename to terraform/modules/cluster-prerequisites/LICENSE diff --git a/terraform/modules/cluster-prerequisites/README.md b/terraform/modules/cluster-prerequisites/README.md new file mode 100644 index 000000000..42ae18f2d --- /dev/null +++ b/terraform/modules/cluster-prerequisites/README.md 
@@ -0,0 +1,291 @@ +# Cluster Prerequisites Setup Module + +This Terraform module sets up various prerequisites of Theia Cloud in a running cluster. +The module offers various customization options via variables including skipping some of the prerequisites (e.g. Keycloak) if they are already installed another way. + +## Features + +- Installs Keycloak Operator without Operator Lifecycle Manager (OLM) +- Configurable Keycloak operator version (default: v26.4.5) +- Deploys Keycloak with configurable resources and replicas +- Optional integrated PostgreSQL database deployment +- Kubernetes Ingress support with TLS +- **Optional cert-manager installation** (can be disabled if already installed) +- Cert-manager integration for automatic certificate generation +- Optional self-signed ClusterIssuer for local development +- Support for Minikube and generic Kubernetes clusters +- Configurable HTTP relative path (e.g., `/keycloak/`) + +## Prerequisites + +The following components must be installed in your Kubernetes cluster before using this module: + +1. **nginx-ingress-controller** (if using ingress): For routing traffic to Keycloak +2. **Persistent Volume provisioner**: For PostgreSQL data persistence (if using integrated database) + +Note: cert-manager can be installed automatically by this module (default) or you can disable it if already present in your cluster. 
+ +## Usage + +### Minikube Example (with cert-manager installation) + +```hcl +module "cluster-prerequisites" { + source = "../../modules/cluster-prerequisites" + + hostname = "192.168.49.2.nip.io" + keycloak_admin_password = "admin" + postgres_password = "admin" + + # Cert-manager installation + install_cert_manager = true + install_selfsigned_issuer = true + + # Minikube-specific configuration + postgres_storage_class = "manual" + postgres_volume_permissions = true + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + cloud_provider = "MINIKUBE" +} +``` + +### GKE Example (with Let's Encrypt) + +```hcl +module "cluster-prerequisites" { + source = "../../modules/cluster-prerequisites" + + hostname = "keycloak.example.com" + keycloak_admin_password = var.keycloak_admin_password + postgres_password = var.postgres_password + + # Cert-manager installation + install_cert_manager = true + cert_manager_issuer_email = "admin@example.com" + + # GKE-specific configuration + postgres_storage_class = "standard-rwo" + ingress_cert_manager_cluster_issuer = "letsencrypt-prod" + + # Production resources + keycloak_replicas = 2 + keycloak_resource_requests_cpu = "1" + keycloak_resource_requests_memory = "2Gi" + keycloak_resource_limits_cpu = "2" + keycloak_resource_limits_memory = "4Gi" +} +``` + +### Using Existing cert-manager Installation + +```hcl +module "cluster-prerequisites" { + source = "../../modules/cluster-prerequisites" + + hostname = "keycloak.example.com" + keycloak_admin_password = var.keycloak_admin_password + postgres_password = var.postgres_password + + # Use existing cert-manager + install_cert_manager = false + ingress_cert_manager_cluster_issuer = "my-existing-issuer" + + postgres_storage_class = "standard" +} +``` + +### Using External PostgreSQL Database + +```hcl +module "cluster-prerequisites" { + source = "../../modules/cluster-prerequisites" + + hostname = "keycloak.example.com" + keycloak_admin_password = var.keycloak_admin_password + 
+ # Disable integrated PostgreSQL + postgres_enabled = false + + # Note: You'll need to manually configure external database + # connection in the Keycloak CR or use environment variables +} +``` + +## Input Variables + +### Required Variables + +| Name | Type | Description | +| ------------------------- | -------- | ------------------------------------------------------------------ | +| `hostname` | `string` | Hostname for Keycloak ingress | +| `keycloak_admin_password` | `string` | Keycloak admin password (sensitive) | +| `postgres_password` | `string` | PostgreSQL password (sensitive, required if postgres_enabled=true) | + +### Keycloak Configuration + +| Name | Type | Default | Description | +| ----------------------------------- | -------- | -------------- | ---------------------------------------------------------------------- | +| `keycloak_admin_username` | `string` | `"admin"` | Keycloak admin username | +| `keycloak_namespace` | `string` | `"keycloak"` | Kubernetes namespace for Keycloak | +| `keycloak_version` | `string` | `"26.4.5"` | Keycloak operator version (tag from keycloak-k8s-resources repository) | +| `keycloak_http_relative_path` | `string` | `"/keycloak/"` | HTTP relative path for Keycloak | +| `keycloak_replicas` | `number` | `1` | Number of Keycloak replicas | +| `keycloak_resource_requests_cpu` | `string` | `"500m"` | CPU resource requests | +| `keycloak_resource_requests_memory` | `string` | `"1Gi"` | Memory resource requests | +| `keycloak_resource_limits_cpu` | `string` | `"1"` | CPU resource limits | +| `keycloak_resource_limits_memory` | `string` | `"2Gi"` | Memory resource limits | + +### PostgreSQL Configuration + +| Name | Type | Default | Description | +| ----------------------------- | -------- | --------------- | -------------------------------------------------- | +| `postgres_enabled` | `bool` | `true` | Whether to deploy PostgreSQL database | +| `postgres_database` | `string` | `"keycloak"` | PostgreSQL database name | +| 
`postgres_username` | `string` | `"keycloak"` | PostgreSQL username | +| `postgres_storage_class` | `string` | `""` | Storage class for PostgreSQL PVC (empty = default) | +| `postgres_storage_size` | `string` | `"10Gi"` | Storage size for PostgreSQL PVC | +| `postgres_volume_permissions` | `bool` | `false` | Enable init container for volume permissions | +| `postgres_image` | `string` | `"postgres:17"` | PostgreSQL Docker image | + +### Ingress Configuration + +| Name | Type | Default | Description | +| ------------------------------------- | ------------- | --------- | -------------------------------------------- | +| `ingress_enabled` | `bool` | `true` | Whether to create Kubernetes Ingress | +| `ingress_class_name` | `string` | `"nginx"` | Ingress class name | +| `ingress_tls_enabled` | `bool` | `true` | Whether to enable TLS for ingress | +| `ingress_cert_manager_cluster_issuer` | `string` | `""` | Cert-manager cluster issuer for TLS | +| `ingress_cert_manager_common_name` | `string` | `""` | The common name for the certificate | +| `ingress_annotations` | `map(string)` | `{}` | Additional annotations for ingress | +| `ingress_tls_secret_name` | `string` | `""` | Name of TLS secret (auto-generated if empty) | + +### Cert-Manager Configuration + +| Name | Type | Default | Description | +| --------------------------- | -------- | ---------------- | -------------------------------------------------------------- | +| `install_cert_manager` | `bool` | `true` | Whether to install cert-manager | +| `cert_manager_version` | `string` | `"v1.17.4"` | Version of cert-manager to install | +| `cert_manager_namespace` | `string` | `"cert-manager"` | Namespace for cert-manager installation | +| `install_selfsigned_issuer` | `bool` | `false` | Whether to install self-signed ClusterIssuer for Keycloak | +| `cert_manager_issuer_email` | `string` | `""` | Email address for certificates (required for letsencrypt-prod) | + +### Other Configuration + +| Name | Type | Default | 
Description | +| ---------------- | -------- | ------- | ---------------------------------------- | +| `cloud_provider` | `string` | `"K8S"` | Cloud provider type (MINIKUBE, GKE, K8S) | + +## Outputs + +| Name | Description | +| ----------------------- | ---------------------------------------------------- | +| `namespace` | Keycloak namespace | +| `keycloak_url` | Full URL to access Keycloak (without trailing slash) | +| `admin_username` | Keycloak admin username | +| `postgres_service_name` | PostgreSQL service name (if deployed) | +| `keycloak_service_name` | Keycloak service name | +| `tls_secret_name` | TLS certificate secret name (if TLS enabled) | + +## Migration from Bitnami Helm Chart + +This module replaces the deprecated Bitnami Helm chart with the official Keycloak Operator. Key differences: + +### What Changed + +1. **Installation Method**: Uses Keycloak Operator instead of Helm chart +2. **Image Source**: Uses official Keycloak images instead of Bitnami images +3. **CRD-based**: Keycloak instance is defined as a Custom Resource +4. **Database**: PostgreSQL is deployed separately (not as a sub-chart) + +### Migration Steps + +1. **Backup Data**: Export realms and data from existing Keycloak instance +2. **Update Module Reference**: Change from `helm` module to `cluster-prerequisites` module +3. **Update Variables**: Some variable names have changed (see mapping below) +4. **Apply Changes**: Run `terraform apply` to deploy new Keycloak +5. 
**Restore Data**: Import realms and data into new instance + +### Variable Mapping + +| Old (Bitnami) | New (Operator) | +| ------------------------------ | ----------------------------- | +| `postgresql_storageClass` | `postgres_storage_class` | +| `postgresql_volumePermissions` | `postgres_volume_permissions` | +| `postgresql_enabled` | `postgres_enabled` | +| `auth.adminPassword` | `keycloak_admin_password` | +| `httpRelativePath` | `keycloak_http_relative_path` | + +## Troubleshooting + +### Keycloak Pod Not Starting + +Check the operator logs: + +```bash +kubectl logs -n keycloak -l app=keycloak-operator +``` + +Check Keycloak resource status: + +```bash +kubectl get keycloak -n keycloak keycloak -o yaml +``` + +### Database Connection Issues + +Verify PostgreSQL is running: + +```bash +kubectl get pods -n keycloak -l app=postgres +kubectl logs -n keycloak -l app=postgres +``` + +Check database credentials: + +```bash +kubectl get secret -n keycloak postgres-credentials -o yaml +``` + +### TLS Certificate Not Generated + +Check cert-manager: + +```bash +kubectl get certificate -n keycloak +kubectl describe certificate -n keycloak +``` + +Verify cluster issuer exists: + +```bash +kubectl get clusterissuer +``` + +### Ingress Not Working + +Check ingress status: + +```bash +kubectl get ingress -n keycloak +kubectl describe ingress -n keycloak keycloak +``` + +Verify ingress controller is running: + +```bash +kubectl get pods -n ingress-nginx +``` + +### Volume Permission Errors + +If PostgreSQL fails with permission errors, enable volume permissions: + +```hcl +postgres_volume_permissions = true +``` + +## Additional Resources + +- [Keycloak Operator Documentation](https://www.keycloak.org/operator/installation) +- [Keycloak on Kubernetes Guide](https://www.keycloak.org/operator/basic-deployment) +- [Keycloak K8s Resources Repository](https://github.com/keycloak/keycloak-k8s-resources) 
diff --git a/terraform/modules/cluster-prerequisites/main.tf b/terraform/modules/cluster-prerequisites/main.tf
new file mode 100644
index 000000000..22f75f284
--- /dev/null
+++ b/terraform/modules/cluster-prerequisites/main.tf
@@ -0,0 +1,562 @@ +resource "helm_release" "cert_manager" { + count = var.install_cert_manager ? 1 : 0 + name = "cert-manager" + repository = "https://charts.jetstack.io" + chart = "cert-manager" + version = var.cert_manager_version + namespace = var.cert_manager_namespace + create_namespace = true + + set = [ + { + name = "installCRDs" + value = "true" + } + ] +} + +resource "helm_release" "ingress_nginx" { + count = var.install_ingress_controller && var.ingress_controller_type == "nginx" ? 1 : 0 + name = "nginx-ingress-controller" + repository = "https://kubernetes.github.io/ingress-nginx" + chart = "ingress-nginx" + version = var.ingress_controller_version + namespace = var.ingress_controller_namespace + create_namespace = true + + set = [ + { + name = "fullnameOverride" + value = "ingress-nginx" + }, + { + name = "controller.service.loadBalancerIP" + value = var.load_balancer_ip + }, + { + name = "controller.allowSnippetAnnotations" + value = true + }, + # Below two are added for backward compatibility with 1.1.1 which used Prefix pathType at some places. After 1.2.0 we should check if we may remove them again + { + name = "controller.admissionWebhooks.enabled" + value = false + }, + { + name = "controller.config.enable-snippet" + value = "true" + } + ] +} + +resource "helm_release" "haproxy-ingress-controller" { + count = var.install_ingress_controller && var.ingress_controller_type == "haproxy" ? 1 : 0 + name = "haproxy-ingress" + repository = "https://haproxy-ingress.github.io/charts" + chart = "haproxy-ingress" + version = "0.15.1" + namespace = "ingress-haproxy" + create_namespace = true + + set = [ + { + name = "controller.ingressClassResource.enabled" + value = true + }, + { + name = "controller.service.loadBalancerIP" + value = var.load_balancer_ip + } + ] +} + +resource "kubectl_manifest" "keycloak_selfsigned_issuer" { + count = var.install_selfsigned_issuer ? 
1 : 0 + depends_on = [helm_release.cert_manager, helm_release.ingress_nginx] + + yaml_body = yamlencode({ + apiVersion = "cert-manager.io/v1" + kind = "ClusterIssuer" + metadata = { + name = "keycloak-selfsigned-issuer" + } + spec = { + selfSigned = {} + } + }) +} + +resource "kubernetes_namespace_v1" "keycloak" { + metadata { + name = var.keycloak_namespace + } + + depends_on = [helm_release.cert_manager] +} + +data "http" "keycloak_crd" { + url = "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_version}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml" +} + +resource "kubectl_manifest" "keycloak_crd" { + yaml_body = data.http.keycloak_crd.response_body + depends_on = [ + kubernetes_namespace_v1.keycloak + ] +} + +data "http" "keycloak_realm_import_crd" { + url = "https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_version}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml" +} + +resource "kubectl_manifest" "keycloak_realm_import_crd" { + yaml_body = data.http.keycloak_realm_import_crd.response_body + depends_on = [ + kubernetes_namespace_v1.keycloak + ] +} + +locals { + keycloak_ns = kubernetes_namespace_v1.keycloak.metadata[0].name + + # local_exec_quotes is a helper function to deal with different handling of + # quotes between linux and windows. On linux, it will output "'". On windows, + # it will output "". + local_exec_quotes = startswith(abspath(path.module), "/") ? 
"'" : "" + jsonpatch = jsonencode([{ + "op" = "add", + "path" = "/spec/template/spec/containers/0/args/-", + "value" = "--default-ssl-certificate=keycloak/${var.hostname}-tls" + }]) +} + +resource "terraform_data" "keycloak_operator" { + input = { + namespace = var.keycloak_namespace + version = var.keycloak_version + } + + provisioner "local-exec" { + command = <<-EOT + kubectl apply -n ${var.keycloak_namespace} -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${var.keycloak_version}/kubernetes/kubernetes.yml + kubectl patch clusterrolebinding keycloak-operator-clusterrole-binding --type='json' -p='[{"op": "replace", "path": "/subjects/0/namespace", "value":"${var.keycloak_namespace}"}]' + EOT + } + + provisioner "local-exec" { + when = destroy + command = <<-EOT + kubectl delete -n ${self.input.namespace} -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${self.input.version}/kubernetes/kubernetes.yml --ignore-not-found=true || true + EOT + } + + depends_on = [ + kubernetes_namespace_v1.keycloak, + kubectl_manifest.keycloak_crd, + kubectl_manifest.keycloak_realm_import_crd + ] +} + +resource "kubernetes_secret_v1" "postgres" { + count = var.postgres_enabled ? 1 : 0 + + metadata { + name = "postgres-credentials" + namespace = local.keycloak_ns + } + + data = { + username = var.postgres_username + password = var.postgres_password + database = var.postgres_database + } + + type = "Opaque" +} + +resource "kubernetes_persistent_volume_claim_v1" "postgres" { + count = var.postgres_enabled ? 1 : 0 + + metadata { + name = "postgres-pvc" + namespace = local.keycloak_ns + } + + spec { + access_modes = ["ReadWriteOnce"] + resources { + requests = { + storage = var.postgres_storage_size + } + } + storage_class_name = var.postgres_storage_class != "" ? 
var.postgres_storage_class : null + } + + # Don't wait for the PVC to be bound - with WaitForFirstConsumer storage classes + # (like GKE's standard-rwo), the PVC won't bind until a pod is scheduled to use it + wait_until_bound = false +} + +resource "kubernetes_deployment_v1" "postgres" { + count = var.postgres_enabled ? 1 : 0 + + metadata { + name = "postgres" + namespace = local.keycloak_ns + labels = { + app = "postgres" + } + } + + spec { + replicas = 1 + + selector { + match_labels = { + app = "postgres" + } + } + + template { + metadata { + labels = { + app = "postgres" + } + } + + spec { + dynamic "init_container" { + for_each = var.postgres_volume_permissions ? [1] : [] + content { + name = "volume-permissions" + image = "busybox:latest" + command = [ + "sh", + "-c", + "chown -R 999:999 /var/lib/postgresql/data" + ] + volume_mount { + name = "postgres-storage" + mount_path = "/var/lib/postgresql/data" + } + } + } + + container { + name = "postgres" + image = var.postgres_image + + env { + name = "POSTGRES_USER" + value_from { + secret_key_ref { + name = kubernetes_secret_v1.postgres[0].metadata[0].name + key = "username" + } + } + } + + env { + name = "POSTGRES_PASSWORD" + value_from { + secret_key_ref { + name = kubernetes_secret_v1.postgres[0].metadata[0].name + key = "password" + } + } + } + + env { + name = "POSTGRES_DB" + value_from { + secret_key_ref { + name = kubernetes_secret_v1.postgres[0].metadata[0].name + key = "database" + } + } + } + + # Use a subdirectory for PGDATA to avoid issues with lost+found directory + # on freshly formatted volumes (common on cloud providers like GKE) + env { + name = "PGDATA" + value = "/var/lib/postgresql/data/pgdata" + } + + port { + container_port = 5432 + name = "postgres" + } + + volume_mount { + name = "postgres-storage" + mount_path = "/var/lib/postgresql/data" + } + + resources { + requests = { + cpu = "250m" + memory = "512Mi" + } + limits = { + cpu = "500m" + memory = "1Gi" + } + } + } + + volume { + name 
= "postgres-storage" + persistent_volume_claim { + claim_name = kubernetes_persistent_volume_claim_v1.postgres[0].metadata[0].name + } + } + } + } + } + + depends_on = [ + kubernetes_persistent_volume_claim_v1.postgres + ] +} + +resource "kubernetes_service_v1" "postgres" { + count = var.postgres_enabled ? 1 : 0 + + metadata { + name = "postgres" + namespace = local.keycloak_ns + } + + spec { + selector = { + app = "postgres" + } + + port { + port = 5432 + target_port = 5432 + protocol = "TCP" + } + + type = "ClusterIP" + } +} + + +locals { + tls_secret_name = var.ingress_tls_secret_name != "" ? var.ingress_tls_secret_name : "${var.hostname}-tls" + + keycloak_protocol = var.ingress_tls_enabled ? "https://" : "http://" + + ingress_controller_annotations = var.ingress_controller_type == "nginx" ? { + "nginx.ingress.kubernetes.io/proxy-buffer-size" = "128k" + "nginx.ingress.kubernetes.io/proxy-busy-buffers-size" = "128k" + } : var.ingress_controller_type == "haproxy" ? { + "haproxy-ingress.github.io/proxy-body-size" = "128k" + "haproxy-ingress.github.io/timeout-http-request" = "30s" + } : {} + + ingress_tls_annotations = var.ingress_tls_enabled ? { + "cert-manager.io/cluster-issuer" = var.ingress_cert_manager_cluster_issuer + "cert-manager.io/common-name" = var.ingress_cert_manager_common_name != "" ? var.ingress_cert_manager_common_name : var.hostname + "acme.cert-manager.io/http01-edit-in-place" = "true" + "acme.cert-manager.io/http01-ingress-path-type" = "ImplementationSpecific" + } : {} + + keycloak_spec_base = { + instances = var.keycloak_replicas + http = { + httpEnabled = true + httpPort = 8080 + } + ingress = { + enabled = false + } + hostname = { + # hostname v2 including protocol and path + hostname = "${local.keycloak_protocol}${var.hostname}${var.keycloak_http_relative_path}" + strict = true + } + # Use "unsupported" pod template to set admin credentials via environment variables. 
+ # Despite the name "unsupported", this is officially supported by the Keycloak Operator, + # see https://www.keycloak.org/operator/advanced-configuration#_pod_template + # For the admin credentials see https://www.keycloak.org/server/configuration#_creating_the_initial_admin_user + unsupported = { + podTemplate = { + spec = { + containers = [ + { + name = "keycloak" + env = [ + { + name = "KC_BOOTSTRAP_ADMIN_USERNAME" + value = var.keycloak_admin_username + }, + { + name = "KC_BOOTSTRAP_ADMIN_PASSWORD" + value = var.keycloak_admin_password + } + ] + } + ] + } + } + } + + additionalOptions = [ + # Use X-Forwarded-* headers from the ingress controller (works for both nginx and haproxy). + { + name = "proxy-headers" + value = "xforwarded" + }, + { + name = "http-relative-path" + value = var.keycloak_http_relative_path + } + ] + resources = { + requests = { + cpu = var.keycloak_resource_requests_cpu + memory = var.keycloak_resource_requests_memory + } + limits = { + cpu = var.keycloak_resource_limits_cpu + memory = var.keycloak_resource_limits_memory + } + } + } + + keycloak_spec = merge( + local.keycloak_spec_base, + var.postgres_enabled ? { + db = { + vendor = "postgres" + host = kubernetes_service_v1.postgres[0].metadata[0].name + port = 5432 + database = var.postgres_database + usernameSecret = { + name = kubernetes_secret_v1.postgres[0].metadata[0].name + key = "username" + } + passwordSecret = { + name = kubernetes_secret_v1.postgres[0].metadata[0].name + key = "password" + } + } + } : { db = null } + ) +} + +resource "kubectl_manifest" "keycloak_instance" { + yaml_body = yamlencode({ + apiVersion = "k8s.keycloak.org/v2alpha1" + kind = "Keycloak" + metadata = { + name = "keycloak" + namespace = local.keycloak_ns + } + spec = local.keycloak_spec + }) + + depends_on = [ + terraform_data.keycloak_operator, + kubernetes_service_v1.postgres + ] +} + +resource "kubernetes_ingress_v1" "keycloak" { + count = var.ingress_enabled ? 
1 : 0 + + metadata { + name = "keycloak" + namespace = local.keycloak_ns + annotations = merge( + local.ingress_controller_annotations, + local.ingress_tls_annotations, + var.ingress_annotations + ) + } + + spec { + ingress_class_name = var.ingress_class_name + + dynamic "tls" { + for_each = var.ingress_tls_enabled ? [1] : [] + content { + hosts = [var.hostname] + secret_name = local.tls_secret_name + } + } + + rule { + host = var.hostname + + http { + path { + path = var.keycloak_http_relative_path + path_type = "ImplementationSpecific" + + backend { + service { + name = "keycloak-service" + port { + number = 8080 + } + } + } + } + } + } + } + + depends_on = [ + kubernetes_namespace_v1.keycloak, + helm_release.ingress_nginx, + helm_release.haproxy-ingress-controller + ] +} + +resource "terraform_data" "wait_for_keycloak_instance" { + provisioner "local-exec" { + command = <<-EOT + echo "Waiting for Keycloak resource to report ready..." + kubectl wait keycloak/keycloak -n ${local.keycloak_ns} --for=condition=Ready --timeout=3m + echo "Waiting for Keycloak pods to be ready..." + kubectl wait pods -n ${local.keycloak_ns} -l app=keycloak --for=condition=Ready --timeout=3m + echo "Waiting for Keycloak service endpoint..." + kubectl wait --for=jsonpath='{.subsets[0].addresses[0].ip}' endpoints/keycloak-service -n ${local.keycloak_ns} --timeout=2m + echo "Keycloak is ready!" + echo "Waiting additional 5 for Keycloak authentication to be fully initialized..." + sleep 5 + EOT + } + + depends_on = [ + kubectl_manifest.keycloak_instance + ] +} + +resource "terraform_data" "wait_for_certificate" { + count = var.ingress_enabled && var.ingress_tls_enabled ? 
1 : 0 + + provisioner "local-exec" { + command = "kubectl wait certificate -n ${local.keycloak_ns} ${local.tls_secret_name} --for=condition=Ready --timeout=3m" + } + + depends_on = [ + kubernetes_ingress_v1.keycloak + ] +} + +resource "terraform_data" "patch_ingress_controller" { + count = var.ingress_enabled && var.ingress_tls_enabled && var.ingress_controller_type == "nginx" ? 1 : 0 + + provisioner "local-exec" { + command = "kubectl patch deploy ingress-nginx-controller --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-nginx -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-nginx wait --for condition=available deploy/ingress-nginx-controller --timeout=90s" + } + + depends_on = [ + terraform_data.wait_for_certificate + ] +} diff --git a/terraform/modules/cluster-prerequisites/outputs.tf b/terraform/modules/cluster-prerequisites/outputs.tf new file mode 100644 index 000000000..01cdea35b --- /dev/null +++ b/terraform/modules/cluster-prerequisites/outputs.tf 
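Review bot: `local.jsonpatch` hard-codes the default certificate as `keycloak/${var.hostname}-tls`, so `terraform_data.patch_ingress_controller` points ingress-nginx at the wrong secret whenever `keycloak_namespace` or `ingress_tls_secret_name` is changed from its default; use `"value" = "--default-ssl-certificate=${var.keycloak_namespace}/${local.tls_secret_name}"`, and replace the hard-coded `-n ingress-nginx` in that command with `var.ingress_controller_namespace`, which `helm_release.ingress_nginx` already uses. The admin password is embedded as a plain `value` in the Keycloak CR's `unsupported.podTemplate` env (`KC_BOOTSTRAP_ADMIN_PASSWORD`), so it is readable by anyone who can `get keycloak` in the namespace and is persisted in the CR and state; put it in a `kubernetes_secret_v1` and reference it via `valueFrom.secretKeyRef`, or via the operator's `spec.bootstrapAdmin.user.secret` if the pinned operator version supports it. `data.http.keycloak_crd` and `data.http.keycloak_realm_import_crd` hand whatever the response body is to `kubectl_manifest`, so a 404 or error page would be applied as YAML; add `lifecycle { postcondition { condition = self.status_code == 200, error_message = "..." } }` to each, and note that `terraform_data.keycloak_operator` applies `kubernetes.yml` from the same tag straight from the network with no integrity check before patching a ClusterRoleBinding. `controller.allowSnippetAnnotations` and `controller.config.enable-snippet` are switched on for ingress-nginx — snippet annotations let any identity that can create an Ingress inject controller configuration, so the "after 1.2.0 we should check" comment should become a tracked follow-up rather than a note in the chart values.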
@@ -0,0 +1,38 @@
+output "namespace" {
+ description = "Keycloak namespace"
+ value = kubernetes_namespace_v1.keycloak.metadata[0].name
+ depends_on = [terraform_data.wait_for_keycloak_instance]
+}
+
+output "keycloak_url" {
+ description = "Full URL to access Keycloak (without trailing slash)"
+ // Trim trailing slash if present to ensure consistent format
+ //and avoid issues with downstream usage of keycloak provider.
+ value = trimsuffix(
+ var.ingress_enabled
+ ? "https://${var.hostname}${var.keycloak_http_relative_path}"
+ : "http://${var.hostname}:8080${var.keycloak_http_relative_path}",
+ "/"
+ )
+ depends_on = [terraform_data.wait_for_keycloak_instance]
+}
+
+output "admin_username" {
+ description = "Keycloak admin username"
+ value = var.keycloak_admin_username
+}
+
+output "postgres_service_name" {
+ description = "PostgreSQL service name"
+ value = var.postgres_enabled ? kubernetes_service_v1.postgres[0].metadata[0].name : null
+}
+
+output "keycloak_service_name" {
+ description = "Keycloak service name (created by operator)"
+ value = "keycloak-service"
+}
+
+output "tls_secret_name" {
+ description = "TLS certificate secret name"
+ value = var.ingress_tls_enabled ? local.tls_secret_name : null
+}
diff --git a/terraform/modules/cluster-prerequisites/variables.tf b/terraform/modules/cluster-prerequisites/variables.tf
new file mode 100644
index 000000000..b234b6bb4
--- /dev/null
+++ b/terraform/modules/cluster-prerequisites/variables.tf
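Review bot: `output "keycloak_url"` picks `https://` purely on `var.ingress_enabled`, while `main.tf` derives `local.keycloak_protocol` from `var.ingress_tls_enabled` and writes it into the Keycloak CR's `hostname` with `strict = true`, so with ingress on and TLS off the output names a URL Keycloak will not accept; build it from the same flag, e.g. `? "${var.ingress_tls_enabled ? "https" : "http"}://${var.hostname}${var.keycloak_http_relative_path}"`. The `http://${var.hostname}:8080` branch assumes the hostname resolves to the in-cluster `keycloak-service` from wherever the keycloak provider runs, which nothing in the module arranges; the description should state that so callers know the no-ingress URL is only a hint. `output "tls_secret_name"` returns a name whenever `ingress_tls_enabled` is true, even when `ingress_enabled` is false and `kubernetes_ingress_v1.keycloak` has `count = 0`, so no certificate is ever requested; gate it on both flags, as `terraform_data.wait_for_certificate` already does.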
@@ -0,0 +1,232 @@
+variable "hostname" {
+ description = "The hostname for the deployment"
+ type = string
+}
+
+variable "keycloak_admin_username" {
+ description = "Keycloak admin username"
+ type = string
+ default = "admin"
+}
+
+variable "keycloak_admin_password" {
+ description = "Keycloak admin password"
+ type = string
+ sensitive = true
+}
+
+variable "postgres_enabled" {
+ description = "Whether to deploy PostgreSQL database"
+ type = bool
+ default = true
+}
+
+variable "postgres_database" {
+ description = "PostgreSQL database name"
+ type = string
+ default = "keycloak"
+}
+
+variable "postgres_username" {
+ description = "PostgreSQL username"
+ type = string
+ default = "keycloak"
+}
+
+variable "postgres_password" {
+ description = "PostgreSQL password"
+ type = string
+ sensitive = true
+}
+
+variable "postgres_storage_class" {
+ description = "Storage class for PostgreSQL PVC"
+ type = string
+ default = ""
+}
+
+variable "postgres_storage_size" {
+ description = "Storage size for PostgreSQL PVC"
+ type = string
+ default = "10Gi"
+}
+
+variable "postgres_volume_permissions" {
+ description = "Enable init container that changes the owner and group of the persistent volume"
+ type = bool
+ default = false
+}
+
+variable "postgres_image" {
+ description = "PostgreSQL Docker image. 
See Keycloak database compatibility at https://www.keycloak.org/server/db#_supported_databases"
+ type = string
+ default = "postgres:17"
+}
+
+variable "keycloak_namespace" {
+ description = "Kubernetes namespace for Keycloak"
+ type = string
+ default = "keycloak"
+}
+
+variable "keycloak_version" {
+ description = "Keycloak operator version (tag from keycloak-k8s-resources repository)"
+ type = string
+ default = "26.4.5"
+}
+
+variable "keycloak_http_relative_path" {
+ description = "HTTP relative path for Keycloak"
+ type = string
+ default = "/keycloak/"
+}
+
+variable "keycloak_replicas" {
+ description = "Number of Keycloak replicas"
+ type = number
+ default = 1
+}
+
+variable "keycloak_resource_requests_cpu" {
+ description = "CPU resource requests for Keycloak"
+ type = string
+ default = "500m"
+}
+
+variable "keycloak_resource_requests_memory" {
+ description = "Memory resource requests for Keycloak"
+ type = string
+ default = "1Gi"
+}
+
+variable "keycloak_resource_limits_cpu" {
+ description = "CPU resource limits for Keycloak"
+ type = string
+ default = "1"
+}
+
+variable "keycloak_resource_limits_memory" {
+ description = "Memory resource limits for Keycloak"
+ type = string
+ default = "2Gi"
+}
+
+variable "ingress_controller_type" {
+ description = "Type of ingress controller to use (nginx or haproxy)"
+ type = string
+ default = "nginx"
+
+ validation {
+ condition = contains(["nginx", "haproxy"], var.ingress_controller_type)
+ error_message = "Valid values are 'nginx' or 'haproxy'." 
+ }
+}
+
+variable "ingress_enabled" {
+ description = "Whether to create Kubernetes Ingress"
+ type = bool
+ default = true
+}
+
+variable "ingress_class_name" {
+ description = "Ingress class name"
+ type = string
+ default = "nginx"
+}
+
+variable "ingress_tls_enabled" {
+ description = "Whether to enable TLS for ingress"
+ type = bool
+ default = true
+}
+
+variable "ingress_cert_manager_cluster_issuer" {
+ description = "Cert-manager cluster issuer for TLS certificate"
+ type = string
+
+ validation {
+ condition = length(regexall("^(letsencrypt-prod|theia-cloud-selfsigned-issuer|keycloak-selfsigned-issuer)$", var.ingress_cert_manager_cluster_issuer)) > 0
+ error_message = "ERROR: Valid values are \"letsencrypt-prod\", \"theia-cloud-selfsigned-issuer\", and \"keycloak-selfsigned-issuer\"!"
+ }
+}
+
+variable "ingress_cert_manager_common_name" {
+ description = "The common name for the certificate"
+ default = ""
+}
+
+variable "ingress_annotations" {
+ description = "Additional annotations for ingress"
+ type = map(string)
+ default = {}
+}
+
+variable "ingress_tls_secret_name" {
+ description = "Name of TLS secret (auto-generated if not specified)"
+ type = string
+ default = ""
+}
+
+variable "cloud_provider" {
+ description = "Cloud provider type"
+ type = string
+ default = "K8S"
+ validation {
+ condition = contains(["MINIKUBE", "K8S"], var.cloud_provider)
+ error_message = "Valid values are: MINIKUBE, K8S"
+ }
+}
+
+variable "install_cert_manager" {
+ description = "Whether to install cert-manager"
+ type = bool
+ default = true
+}
+
+variable "cert_manager_version" {
+ description = "Version of cert-manager to install"
+ type = string
+ default = "v1.17.4"
+}
+
+variable "cert_manager_namespace" {
+ description = "Namespace for cert-manager installation"
+ type = string
+ default = "cert-manager"
+}
+
+variable "install_selfsigned_issuer" {
+ description = "Whether to install an additional self-signed ClusterIssuer for Keycloak"
+ type = bool
+ default 
= false
+}
+
+variable "cert_manager_issuer_email" {
+ description = "Email address used to create certificates (required for letsencrypt-prod issuer)"
+ type = string
+ default = ""
+}
+
+variable "install_ingress_controller" {
+ description = "Whether to install the ingress controller"
+ type = bool
+ default = false
+}
+
+variable "ingress_controller_version" {
+ description = "Version of ingress controller to install"
+ type = string
+ default = "4.13.0"
+}
+
+variable "ingress_controller_namespace" {
+ description = "Namespace for ingress controller installation"
+ type = string
+ default = "ingress-nginx"
+}
+
+variable "load_balancer_ip" {
+ description = "External IP for the ingress controller service"
+ type = string
+ default = ""
+}
diff --git a/terraform/modules/cluster-prerequisites/versions.tf b/terraform/modules/cluster-prerequisites/versions.tf
new file mode 100644
index 000000000..c9dad80bf
--- /dev/null
+++ b/terraform/modules/cluster-prerequisites/versions.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.0.0"
+ }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = ">= 1.19.0"
+ }
+ http = {
+ source = "hashicorp/http"
+ version = ">= 3.0.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.0.0"
+ }
+ }
+ required_version = ">= 1.12.2"
+}
diff --git a/terraform/modules/helm/.terraform.lock.hcl b/terraform/modules/helm/.terraform.lock.hcl
deleted file mode 100644
index 395bee93c..000000000
--- a/terraform/modules/helm/.terraform.lock.hcl
+++ /dev/null
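Review bot: `cert_manager_issuer_email` is described as required for the `letsencrypt-prod` issuer, but nothing enforces it, so `ingress_cert_manager_cluster_issuer = "letsencrypt-prod"` with the default empty email is only rejected, if at all, at apply time by cert-manager. Since `versions.tf` in this commit requires Terraform >= 1.12.2, a `validation` block may reference another variable, so the check can live on the email variable itself as shown below. `ingress_cert_manager_common_name` is also the only variable in the file without a `type`; `type = string` keeps it consistent with its neighbours. Finally, `ingress_class_name` still defaults to `"nginx"` when `ingress_controller_type = "haproxy"` is selected; presumably callers must set both, which the description of `ingress_class_name` could state.
```hcl
variable "cert_manager_issuer_email" {
  description = "Email address used to create certificates (required for letsencrypt-prod issuer)"
  type        = string
  default     = ""

  validation {
    condition     = var.ingress_cert_manager_cluster_issuer != "letsencrypt-prod" || length(var.cert_manager_issuer_email) > 0
    error_message = "cert_manager_issuer_email must be set when ingress_cert_manager_cluster_issuer is \"letsencrypt-prod\"."
  }
}

variable "ingress_cert_manager_common_name" {
  description = "The common name for the certificate"
  type        = string
  default     = ""
}
# … unchanged: all other variable blocks …
```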
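Review bot: The `helm` provider constraint `version = ">= 2.0.0"` admits the 2.x series, while the `terraform/modules/helm` module removed in this same commit pinned `3.0.2` under `>= 3.0.2` and used the v3 `set = [ { name = … } ]` list form; if this module's `helm_release` resources (not visible in this hunk) use the same form, a 2.x resolution would fail to plan. Raising the floor to `version = ">= 3.0.2"` matches what was actually tested. Separately, every constraint here is open-ended and no `.terraform.lock.hcl` for `cluster-prerequisites` appears in the portion of the diff visible here, so each fresh `terraform init` would take the newest provider release; committing the lock file keeps the provider set reproducible across machines.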
@@ -1,45 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = ">= 1.19.0" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", - "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", - "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", - "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", - "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", - "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", - "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", - "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", - "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", - "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", - "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", - "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", - "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "3.0.2" - constraints = ">= 3.0.2" - hashes = [ - "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", - "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", - "zh:3b4c436a41e4fbae5f152852a9bd5c97db4460af384e26977477a40adf036690", - "zh:617a372f5bb2288f3faf5fd4c878a68bf08541cf418a3dbb8a19bc41ad4a0bf2", - "zh:84de431479548c96cb61c495278e320f361e80ab4f8835a5425ece24a9b6d310", - "zh:8b4cf5f81d10214e5e1857d96cff60a382a22b9caded7f5d7a92e5537fc166c1", - 
"zh:baeb26a00ffbcf3d507cdd940b2a2887eee723af5d3319a53eec69048d5e341e", - "zh:ca05a8814e9bf5fbffcd642df3a8d9fae9549776c7057ceae6d6f56471bae80f", - "zh:ca4bf3f94dedb5c5b1a73568f2dad7daf0ef3f85e688bc8bc2d0e915ec148366", - "zh:d331f2129fd3165c4bda875c84a65555b22eb007801522b9e017d065ac69b67e", - "zh:e583b2b478dde67da28e605ab4ef6521c2e390299b471d7d8ef05a0b608dcdad", - "zh:f238b86611647c108c073d265f8891a2738d3158c247468ae0ff5b1a3ac4122a", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/terraform/modules/helm/README.md b/terraform/modules/helm/README.md deleted file mode 100644 index 670efc881..000000000 --- a/terraform/modules/helm/README.md +++ /dev/null @@ -1,9 +0,0 @@ -# Helm Installation - -This module may be used to install Theia Cloud and all dependencies in a cluster via Helm. - -We expect users to be familiar with Helm and that `kubectl` points to the cluster which Theia Cloud is going to be installed in. - -The module will install the Cert Manager, the Nginx Ingress Controller (optional when installed already), the Theia Cloud Base Chart (cluster wide resources), and Keycloak.\ -After Keycloak was installed we will patch the Nginx Ingress Controller to use the certificate generated during the Keycloak installation as the default certificate.\ -Finally we will install Theia Cloud. diff --git a/terraform/modules/helm/clusterissuer-selfsigned.yaml b/terraform/modules/helm/clusterissuer-selfsigned.yaml deleted file mode 100644 index b3a81958f..000000000 --- a/terraform/modules/helm/clusterissuer-selfsigned.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: keycloak-selfsigned-issuer -spec: - selfSigned: {} diff --git a/terraform/modules/helm/keycloak.yaml b/terraform/modules/helm/keycloak.yaml deleted file mode 100644 index c20cfc846..000000000 --- a/terraform/modules/helm/keycloak.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -fullnameOverride: "keycloak" -httpRelativePath: "/keycloak/" - -auth: - adminUser: admin - -image: - # Configure using repository bitnamilegacy because bitnami has removed the bitnami repository in favor of a paid service - repository: bitnamilegacy/keycloak - -postgresql: - # Configure using repository bitnamilegacy because bitnami has removed the bitnami repository in favor of a paid service - image: - repository: bitnamilegacy/postgresql - volumePermissions: - image: - repository: bitnamilegacy/os-shell - metrics: - image: - repository: bitnamilegacy/bitnami-exporter - -ingress: - enabled: true - ingressClassName: "${ingress-class}" - path: "/keycloak/" - pathType: "ImplementationSpecific" - annotations: - acme.cert-manager.io/http01-edit-in-place: "true" - acme.cert-manager.io/http01-ingress-path-type: "ImplementationSpecific" -%{ if ingress-class == "nginx" ~} - nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" - nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "128k" -%{ endif ~} -%{ if ingress-class == "haproxy" ~} - haproxy-ingress.github.io/proxy-body-size: "128k" - haproxy-ingress.github.io/timeout-http-request: "30s" -%{ endif ~} - cert-manager.io/cluster-issuer: ${cluster-issuer} - cert-manager.io/common-name: ${common-name} - tls: true diff --git a/terraform/modules/helm/main.tf b/terraform/modules/helm/main.tf deleted file mode 100644 index 1efeb3349..000000000 --- a/terraform/modules/helm/main.tf +++ /dev/null 
@@ -1,314 +0,0 @@ -variable "install_ingress_controller" { - description = "Whether to install the nginx ingress controller" -} - -variable "ingress_controller_type" { - description = "Type of ingress controller to use (nginx or haproxy)" - type = string - default = "nginx" - - validation { - condition = contains(["nginx", "haproxy"], var.ingress_controller_type) - error_message = "Valid values are 'nginx' or 'haproxy'." - } -} - -variable "install_theia_cloud_base" { - description = "Whether to install theia cloud base" - default = true -} - -variable "install_theia_cloud_crds" { - description = "Whether to install theia cloud crds" - default = true -} - -variable "install_theia_cloud" { - description = "Whether to install theia cloud" - default = true -} - -variable "install_selfsigned_issuer" { - description = "Whether to install an additional self signed issuer" - default = false -} - -variable "cert_manager_issuer_email" { - description = "EMail address used to create certificates." -} - -variable "cert_manager_cluster_issuer" { - type = string - - validation { - condition = length(regexall("^(letsencrypt-prod|theia-cloud-selfsigned-issuer|keycloak-selfsigned-issuer)$", var.cert_manager_cluster_issuer)) > 0 - error_message = "ERROR: Valid values are \"letsencrypt-prod\", \"theia-cloud-selfsigned-issuer\", and \"keycloak-selfsigned-issuer\"!" 
- } -} - -variable "cert_manager_common_name" { - description = "The common name for the certificate" - default = "" -} - -variable "hostname" { - description = "The hostname for all installed services" -} - -variable "service_type" { - description = "Kubernetes service type" - default = "LoadBalancer" - -} - -variable "postgresql_storageClass" { - description = "StorageClass for Persistent Volume(s)" - default = "" -} - -variable "postgresql_volumePermissions" { - description = "Enable init container that changes the owner and group of the persistent volume" - default = false -} - -variable "keycloak_admin_password" { - description = "Keycloak Admin Password" - sensitive = true -} - -variable "postgresql_enabled" { - description = "Whether to enable postgreswl" - default = true -} - -variable "postgres_postgres_password" { - description = "Keycloak Postgres DB Postgres (Admin) Password" - sensitive = true -} - -variable "postgres_password" { - description = "Keycloak Postgres DB Password" - sensitive = true -} - -variable "loadBalancerIP" { - description = "External IP for the nginx ingress controller" - default = "" -} - -variable "cloudProvider" { - description = "The cloud provider to use" - default = "K8S" -} - -resource "helm_release" "cert-manager" { - name = "cert-manager" - repository = "https://charts.jetstack.io" - chart = "cert-manager" - version = "v1.17.4" - namespace = "cert-manager" - create_namespace = true - - set = [ - { - name = "installCRDs" - value = "true" - } - ] -} - -resource "helm_release" "nginx-ingress-controller" { - count = var.install_ingress_controller && var.ingress_controller_type == "nginx" ? 
1 : 0 - name = "nginx-ingress-controller" - repository = "https://kubernetes.github.io/ingress-nginx" - chart = "ingress-nginx" - version = "4.13.0" - namespace = "ingress-nginx" - create_namespace = true - - set = [ - { - name = "fullnameOverride" - value = "ingress-nginx" - }, - { - name = "controller.service.loadBalancerIP" - value = var.loadBalancerIP - }, - { - name = "controller.allowSnippetAnnotations" - value = true - }, - # Below two are added for backward compatibility with 1.1.1 which used Prefix pythType at some places. After 1.2.0 we should check if we may remove them again - { - name = "controller.admissionWebhooks.enabled" - value = false - }, - { - name = "controller.config.enable-snippet" - value = "true" - } - ] -} - -resource "helm_release" "haproxy-ingress-controller" { - count = var.install_ingress_controller && var.ingress_controller_type == "haproxy" ? 1 : 0 - name = "haproxy-ingress" - repository = "https://haproxy-ingress.github.io/charts" - chart = "haproxy-ingress" - version = "0.15.1" - namespace = "ingress-haproxy" - create_namespace = true - - set = [ - { - name = "controller.ingressClassResource.enabled" - value = true - }, - { - name = "controller.service.loadBalancerIP" - value = var.loadBalancerIP - } - ] -} - -resource "helm_release" "theia-cloud-base" { - count = var.install_theia_cloud_base ? 1 : 0 - depends_on = [helm_release.cert-manager, helm_release.nginx-ingress-controller, helm_release.haproxy-ingress-controller] # we need to install cert issuers - name = "theia-cloud-base" - repository = "https://eclipse-theia.github.io/theia-cloud-helm" - chart = "theia-cloud-base" - version = "1.2.0" - namespace = "theia-cloud" - create_namespace = true - - set = [ - { - name = "issuer.email" - value = var.cert_manager_issuer_email - } - ] -} - -resource "helm_release" "theia-cloud-crds" { - count = var.install_theia_cloud_crds ? 
1 : 0 - depends_on = [helm_release.theia-cloud-base] - name = "theia-cloud-crds" - repository = "https://eclipse-theia.github.io/theia-cloud-helm" - chart = "theia-cloud-crds" - version = "1.2.0" - namespace = "theia-cloud" - create_namespace = true -} - -resource "kubectl_manifest" "selfsigned_issuer" { - count = var.install_selfsigned_issuer ? 1 : 0 - depends_on = [helm_release.cert-manager, helm_release.nginx-ingress-controller, helm_release.haproxy-ingress-controller] # we need to install cert issuers - yaml_body = file("${path.module}/clusterissuer-selfsigned.yaml") -} - -locals { - # local_exec_quotes is a helper function to deal with different handling of - # quotes between linux and windows. On linux, it will output "'". On windows, - # it will output "". - local_exec_quotes = startswith(abspath(path.module), "/") ? "'" : "" - jsonpatch = jsonencode([{ - "op" = "add", - "path" = "/spec/template/spec/containers/0/args/-", - "value" = "--default-ssl-certificate=keycloak/${var.hostname}-tls" - }]) -} - -resource "helm_release" "keycloak" { - depends_on = [helm_release.theia-cloud-base, kubectl_manifest.selfsigned_issuer, helm_release.nginx-ingress-controller, helm_release.haproxy-ingress-controller] # we need an existing issuer - name = "keycloak" - repository = "https://charts.bitnami.com/bitnami" - chart = "keycloak" - version = "15.1.8" - namespace = "keycloak" - create_namespace = true - - values = [ - "${templatefile("${path.module}/keycloak.yaml", { cluster-issuer = var.cert_manager_cluster_issuer, common-name = var.cert_manager_common_name, ingress-class = var.ingress_controller_type == "haproxy" ? 
"haproxy" : "nginx" })}" - ] - - set = [ - { - name = "postgresql.enabled" - value = var.postgresql_enabled - }, - { - name = "ingress.hostname" - value = var.hostname - }, - { - name = "global.storageClass" - value = var.postgresql_storageClass - }, - { - name = "service.type" - value = var.service_type - }, - { - name = "postgresql.volumePermissions.enabled" - value = var.postgresql_volumePermissions - } - ] - set_sensitive = [ - { - name = "auth.adminPassword" - value = var.keycloak_admin_password - }, - { - name = "postgresql.auth.postgresPassword" - value = var.postgres_postgres_password - }, - { - name = "postgresql.auth.password" - value = var.postgres_password - } - ] - - # We expect that kubectl context was configured by a previous module. - # After keycloak was set up with tls enabled, we use the created tls secret as the default ssl-secret of the ingress-controller. - # Below command connects to the cluster in the local environment and patches the ingress-controller accordingly. - # Theia Cloud is then installed with path based hosts reusing the same certificate. - # Sleep 5 seconds at the end as there might be a brief delay between the ingress controller reporting available and it actually being ready to serve traffic - provisioner "local-exec" { - command = var.ingress_controller_type == "nginx" ? 
"kubectl patch deploy ingress-nginx-controller --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-nginx -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-nginx wait --for condition=available deploy/ingress-nginx-controller --timeout=90s && kubectl wait certificate -n keycloak ${var.hostname}-tls --for condition=Ready --timeout=90s && sleep 5" : "kubectl patch deploy haproxy-ingress --type=${local.local_exec_quotes}json${local.local_exec_quotes} -n ingress-haproxy -p ${local.local_exec_quotes}${local.jsonpatch}${local.local_exec_quotes} && kubectl -n ingress-haproxy wait --for condition=available deploy/haproxy-ingress --timeout=90s && kubectl wait certificate -n keycloak ${var.hostname}-tls --for condition=Ready --timeout=90s && sleep 5" - } -} - -resource "helm_release" "theia-cloud" { - count = var.install_theia_cloud ? 1 : 0 - depends_on = [helm_release.keycloak, helm_release.theia-cloud-crds] # wait for keycloak to make the default cert available - name = "theia-cloud" - repository = "https://eclipse-theia.github.io/theia-cloud-helm" - chart = "theia-cloud" - version = "1.2.0" - namespace = "theia-cloud" - create_namespace = true - - values = [ - "${file("${path.module}/theia-cloud.yaml")}" - ] - - set = [ - { - name = "hosts.configuration.baseHost" - value = var.hostname - }, - { - name = "keycloak.authUrl" - value = "https://${var.hostname}/keycloak/" - }, - { - name = "operator.cloudProvider" - value = var.cloudProvider - }, - { - name = "ingress.controller" - value = var.ingress_controller_type - } - ] -} diff --git a/terraform/modules/keycloak/main.tf b/terraform/modules/keycloak/main.tf index e3f4bf2bd..a35725233 100644 --- a/terraform/modules/keycloak/main.tf +++ b/terraform/modules/keycloak/main.tf 
@@ -1,7 +1,3 @@ -variable "hostname" { - description = "Hostname for the keycloak instance" -} - variable "keycloak_test_user_foo_password" { description = "Keycloak Foo Test User Password" sensitive = true @@ -73,6 +69,8 @@ resource "keycloak_user" "test-user-foo" { enabled = true email = "foo@theia-cloud.io" email_verified = true + first_name = "Foo" + last_name = "User" initial_password { value = var.keycloak_test_user_foo_password temporary = false @@ -85,6 +83,8 @@ resource "keycloak_user" "test-user-bar" { enabled = true email = "bar@theia-cloud.io" email_verified = true + first_name = "Bar" + last_name = "User" initial_password { value = var.keycloak_test_user_bar_password temporary = false diff --git a/terraform/modules/theia-cloud/.terraform.lock.hcl b/terraform/modules/theia-cloud/.terraform.lock.hcl new file mode 100644 index 000000000..6c3aabe8d --- /dev/null +++ b/terraform/modules/theia-cloud/.terraform.lock.hcl 
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/helm" { + version = "3.0.2" + constraints = ">= 3.0.2" + hashes = [ + "h1:+tHGl509bhyUrvvj9GQTBsdK+ImHJnRuo6ppDZPavqY=", + "zh:2778de76c7dfb2e85c75fe6de3c11172a25551ed499bfb9e9f940a5be81167b0", + "zh:3b4c436a41e4fbae5f152852a9bd5c97db4460af384e26977477a40adf036690", + "zh:617a372f5bb2288f3faf5fd4c878a68bf08541cf418a3dbb8a19bc41ad4a0bf2", + "zh:84de431479548c96cb61c495278e320f361e80ab4f8835a5425ece24a9b6d310", + "zh:8b4cf5f81d10214e5e1857d96cff60a382a22b9caded7f5d7a92e5537fc166c1", + "zh:baeb26a00ffbcf3d507cdd940b2a2887eee723af5d3319a53eec69048d5e341e", + "zh:ca05a8814e9bf5fbffcd642df3a8d9fae9549776c7057ceae6d6f56471bae80f", + "zh:ca4bf3f94dedb5c5b1a73568f2dad7daf0ef3f85e688bc8bc2d0e915ec148366", + "zh:d331f2129fd3165c4bda875c84a65555b22eb007801522b9e017d065ac69b67e", + "zh:e583b2b478dde67da28e605ab4ef6521c2e390299b471d7d8ef05a0b608dcdad", + "zh:f238b86611647c108c073d265f8891a2738d3158c247468ae0ff5b1a3ac4122a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/modules/theia-cloud/LICENSE b/terraform/modules/theia-cloud/LICENSE new file mode 100644 index 000000000..e48e09634 --- /dev/null +++ b/terraform/modules/theia-cloud/LICENSE 
@@ -0,0 +1,277 @@ +Eclipse Public License - v 2.0 + + THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE + PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION + OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. + +1. DEFINITIONS + +"Contribution" means: + + a) in the case of the initial Contributor, the initial content + Distributed under this Agreement, and + + b) in the case of each subsequent Contributor: + i) changes to the Program, and + ii) additions to the Program; + where such changes and/or additions to the Program originate from + and are Distributed by that particular Contributor. A Contribution + "originates" from a Contributor if it was added to the Program by + such Contributor itself or anyone acting on such Contributor's behalf. + Contributions do not include changes or additions to the Program that + are not Modified Works. + +"Contributor" means any person or entity that Distributes the Program. + +"Licensed Patents" mean patent claims licensable by a Contributor which +are necessarily infringed by the use or sale of its Contribution alone +or when combined with the Program. + +"Program" means the Contributions Distributed in accordance with this +Agreement. + +"Recipient" means anyone who receives the Program under this Agreement +or any Secondary License (as applicable), including Contributors. + +"Derivative Works" shall mean any work, whether in Source Code or other +form, that is based on (or derived from) the Program and for which the +editorial revisions, annotations, elaborations, or other modifications +represent, as a whole, an original work of authorship. + +"Modified Works" shall mean any work in Source Code or other form that +results from an addition to, deletion from, or modification of the +contents of the Program, including, for purposes of clarity any new file +in Source Code form that contains any contents of the Program. 
Modified +Works shall not include works that contain only declarations, +interfaces, types, classes, structures, or files of the Program solely +in each case in order to link to, bind by name, or subclass the Program +or Modified Works thereof. + +"Distribute" means the acts of a) distributing or b) making available +in any manner that enables the transfer of a copy. + +"Source Code" means the form of a Program preferred for making +modifications, including but not limited to software source code, +documentation source, and configuration files. + +"Secondary License" means either the GNU General Public License, +Version 2.0, or any later versions of that license, including any +exceptions or additional permissions as identified by the initial +Contributor. + +2. GRANT OF RIGHTS + + a) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free copyright + license to reproduce, prepare Derivative Works of, publicly display, + publicly perform, Distribute and sublicense the Contribution of such + Contributor, if any, and such Derivative Works. + + b) Subject to the terms of this Agreement, each Contributor hereby + grants Recipient a non-exclusive, worldwide, royalty-free patent + license under Licensed Patents to make, use, sell, offer to sell, + import and otherwise transfer the Contribution of such Contributor, + if any, in Source Code or other form. This patent license shall + apply to the combination of the Contribution and the Program if, at + the time the Contribution is added by the Contributor, such addition + of the Contribution causes such combination to be covered by the + Licensed Patents. The patent license shall not apply to any other + combinations which include the Contribution. No hardware per se is + licensed hereunder. 
+ + c) Recipient understands that although each Contributor grants the + licenses to its Contributions set forth herein, no assurances are + provided by any Contributor that the Program does not infringe the + patent or other intellectual property rights of any other entity. + Each Contributor disclaims any liability to Recipient for claims + brought by any other entity based on infringement of intellectual + property rights or otherwise. As a condition to exercising the + rights and licenses granted hereunder, each Recipient hereby + assumes sole responsibility to secure any other intellectual + property rights needed, if any. For example, if a third party + patent license is required to allow Recipient to Distribute the + Program, it is Recipient's responsibility to acquire that license + before distributing the Program. + + d) Each Contributor represents that to its knowledge it has + sufficient copyright rights in its Contribution, if any, to grant + the copyright license set forth in this Agreement. + + e) Notwithstanding the terms of any Secondary License, no + Contributor makes additional grants to any Recipient (other than + those set forth in this Agreement) as a result of such Recipient's + receipt of the Program under the terms of a Secondary License + (if permitted under the terms of Section 3). + +3. 
REQUIREMENTS + +3.1 If a Contributor Distributes the Program in any form, then: + + a) the Program must also be made available as Source Code, in + accordance with section 3.2, and the Contributor must accompany + the Program with a statement that the Source Code for the Program + is available under this Agreement, and informs Recipients how to + obtain it in a reasonable manner on or through a medium customarily + used for software exchange; and + + b) the Contributor may Distribute the Program under a license + different than this Agreement, provided that such license: + i) effectively disclaims on behalf of all other Contributors all + warranties and conditions, express and implied, including + warranties or conditions of title and non-infringement, and + implied warranties or conditions of merchantability and fitness + for a particular purpose; + + ii) effectively excludes on behalf of all other Contributors all + liability for damages, including direct, indirect, special, + incidental and consequential damages, such as lost profits; + + iii) does not attempt to limit or alter the recipients' rights + in the Source Code under section 3.2; and + + iv) requires any subsequent distribution of the Program by any + party to be under a license that satisfies the requirements + of this section 3. + +3.2 When the Program is Distributed as Source Code: + + a) it must be made available under this Agreement, or if the + Program (i) is combined with other material in a separate file or + files made available under a Secondary License, and (ii) the initial + Contributor attached to the Source Code the notice described in + Exhibit A of this Agreement, then the Program may be made available + under the terms of such Secondary Licenses, and + + b) a copy of this Agreement must be included with each copy of + the Program. 
+ +3.3 Contributors may not remove or alter any copyright, patent, +trademark, attribution notices, disclaimers of warranty, or limitations +of liability ("notices") contained within the Program from any copy of +the Program which they Distribute, provided that Contributors may add +their own appropriate notices. + +4. COMMERCIAL DISTRIBUTION + +Commercial distributors of software may accept certain responsibilities +with respect to end users, business partners and the like. While this +license is intended to facilitate the commercial use of the Program, +the Contributor who includes the Program in a commercial product +offering should do so in a manner which does not create potential +liability for other Contributors. Therefore, if a Contributor includes +the Program in a commercial product offering, such Contributor +("Commercial Contributor") hereby agrees to defend and indemnify every +other Contributor ("Indemnified Contributor") against any losses, +damages and costs (collectively "Losses") arising from claims, lawsuits +and other legal actions brought by a third party against the Indemnified +Contributor to the extent caused by the acts or omissions of such +Commercial Contributor in connection with its distribution of the Program +in a commercial product offering. The obligations in this section do not +apply to any claims or Losses relating to any actual or alleged +intellectual property infringement. In order to qualify, an Indemnified +Contributor must: a) promptly notify the Commercial Contributor in +writing of such claim, and b) allow the Commercial Contributor to control, +and cooperate with the Commercial Contributor in, the defense and any +related settlement negotiations. The Indemnified Contributor may +participate in any such claim at its own expense. + +For example, a Contributor might include the Program in a commercial +product offering, Product X. That Contributor is then a Commercial +Contributor. 
If that Commercial Contributor then makes performance +claims, or offers warranties related to Product X, those performance +claims and warranties are such Commercial Contributor's responsibility +alone. Under this section, the Commercial Contributor would have to +defend claims against the other Contributors related to those performance +claims and warranties, and if a court requires any other Contributor to +pay any damages as a result, the Commercial Contributor must pay +those damages. + +5. NO WARRANTY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT +PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS" +BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR +IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF +TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR +PURPOSE. Each Recipient is solely responsible for determining the +appropriateness of using and distributing the Program and assumes all +risks associated with its exercise of rights under this Agreement, +including but not limited to the risks and costs of program errors, +compliance with applicable laws, damage to or loss of data, programs +or equipment, and unavailability or interruption of operations. + +6. DISCLAIMER OF LIABILITY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT +PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS +SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST +PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE +EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + +7. 
GENERAL + +If any provision of this Agreement is invalid or unenforceable under +applicable law, it shall not affect the validity or enforceability of +the remainder of the terms of this Agreement, and without further +action by the parties hereto, such provision shall be reformed to the +minimum extent necessary to make such provision valid and enforceable. + +If Recipient institutes patent litigation against any entity +(including a cross-claim or counterclaim in a lawsuit) alleging that the +Program itself (excluding combinations of the Program with other software +or hardware) infringes such Recipient's patent(s), then such Recipient's +rights granted under Section 2(b) shall terminate as of the date such +litigation is filed. + +All Recipient's rights under this Agreement shall terminate if it +fails to comply with any of the material terms or conditions of this +Agreement and does not cure such failure in a reasonable period of +time after becoming aware of such noncompliance. If all Recipient's +rights under this Agreement terminate, Recipient agrees to cease use +and distribution of the Program as soon as reasonably practicable. +However, Recipient's obligations under this Agreement and any licenses +granted by Recipient relating to the Program shall continue and survive. + +Everyone is permitted to copy and distribute copies of this Agreement, +but in order to avoid inconsistency the Agreement is copyrighted and +may only be modified in the following manner. The Agreement Steward +reserves the right to publish new versions (including revisions) of +this Agreement from time to time. No one other than the Agreement +Steward has the right to modify this Agreement. The Eclipse Foundation +is the initial Agreement Steward. The Eclipse Foundation may assign the +responsibility to serve as the Agreement Steward to a suitable separate +entity. Each new version of the Agreement will be given a distinguishing +version number. 
The Program (including Contributions) may always be +Distributed subject to the version of the Agreement under which it was +received. In addition, after a new version of the Agreement is published, +Contributor may elect to Distribute the Program (including its +Contributions) under the new version. + +Except as expressly stated in Sections 2(a) and 2(b) above, Recipient +receives no rights or licenses to the intellectual property of any +Contributor under this Agreement, whether expressly, by implication, +estoppel or otherwise. All rights in the Program not expressly granted +under this Agreement are reserved. Nothing in this Agreement is intended +to be enforceable by any entity that is not a Contributor or Recipient. +No third-party beneficiary rights are created under this Agreement. + +Exhibit A - Form of Secondary Licenses Notice + +"This Source Code may also be made available under the following +Secondary Licenses when the conditions for such availability set forth +in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), +version(s), and exceptions or additional permissions here}." + + Simply including a copy of this Agreement, including this Exhibit A + is not sufficient to license the Source Code under Secondary Licenses. + + If it is not possible or desirable to put the notice in a particular + file, then You may include the notice in a location (such as a LICENSE + file in a relevant directory) where a recipient would be likely to + look for such a notice. + + You may add additional accurate notices of copyright ownership. diff --git a/terraform/modules/theia-cloud/README.md b/terraform/modules/theia-cloud/README.md new file mode 100644 index 000000000..00590e43e --- /dev/null +++ b/terraform/modules/theia-cloud/README.md 
@@ -0,0 +1,46 @@ +# Theia Cloud Installation Module + +This module installs Theia Cloud components in a Kubernetes cluster via Helm. + +## Prerequisites + +Before using this module, ensure the following are already installed in your cluster: + +- **Cert Manager** (v1.17.4 or compatible) - Required for certificate management +- **Nginx Ingress Controller** (v4.13.0 or compatible) - Required for ingress routing +- **Keycloak** (v26.4.5 or compatible) - Required for authentication + +## What This Module Installs + +This module will install: + +1. **theia-cloud-base** - Cluster-wide resources including cert issuers +2. **theia-cloud-crds** - Custom resource definitions for Theia Cloud +3. **theia-cloud** - The Theia Cloud operators, service, and landing page + +## Usage + +We expect users to be familiar with Helm and that `kubectl` points to the cluster where Theia Cloud will be installed. + +### Basic Example + +```terraform +module "theia_cloud" { + source = "./modules/theia-cloud" + + hostname = "theia.example.com" + cert_manager_issuer_email = "admin@example.com" + cloudProvider = "K8S" +} +``` + +## Variables + +- `theia_cloud_version` (optional, default: `"1.2.0"`) - The helm chart version to use for all installed charts +- `install_theia_cloud_base` (optional, default: `true`) - Whether to install theia-cloud-base chart +- `install_theia_cloud_crds` (optional, default: `true`) - Whether to install theia-cloud-crds chart +- `install_theia_cloud` (optional, default: `true`) - Whether to install theia-cloud chart +- `hostname` (required) - The hostname for Theia Cloud services +- `keycloak_url` (optional) - The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/. 
+- `cert_manager_issuer_email` (required) - Email address used for certificate management +- `cloud_provider` (optional, default: `"K8S"`) - The cloud provider (e.g., "K8S", "MINIKUBE") diff --git a/terraform/modules/theia-cloud/main.tf b/terraform/modules/theia-cloud/main.tf new file mode 100644 index 000000000..64da7ecc7 --- /dev/null +++ b/terraform/modules/theia-cloud/main.tf 
@@ -0,0 +1,71 @@
+locals {
+ theia_cloud_helm_repository = "https://eclipse-theia.github.io/theia-cloud-helm"
+ theia_cloud_namespace = "theia-cloud"
+
+ # base_keycloak: use provided URL or build from hostname
+ base_keycloak = var.keycloak_url != "" ? var.keycloak_url : "https://${var.hostname}/keycloak"
+ # normalized_keycloak_url: ensure a single trailing slash as required by the Theia Cloud Helm chart.
+ normalized_keycloak_url = endswith(local.base_keycloak, "/") ? local.base_keycloak : "${local.base_keycloak}/"
+}
+
+resource "helm_release" "theia-cloud-base" {
+ count = var.install_theia_cloud_base ? 1 : 0
+ name = "theia-cloud-base"
+ repository = local.theia_cloud_helm_repository
+ chart = "theia-cloud-base"
+ version = var.theia_cloud_version
+ namespace = local.theia_cloud_namespace
+ create_namespace = true
+
+ set = [
+ {
+ name = "issuer.email"
+ value = var.cert_manager_issuer_email
+ }
+ ]
+}
+
+resource "helm_release" "theia-cloud-crds" {
+ count = var.install_theia_cloud_crds ? 1 : 0
+ depends_on = [helm_release.theia-cloud-base]
+ name = "theia-cloud-crds"
+ repository = local.theia_cloud_helm_repository
+ chart = "theia-cloud-crds"
+ version = var.theia_cloud_version
+ namespace = local.theia_cloud_namespace
+ create_namespace = true
+}
+
+resource "helm_release" "theia-cloud" {
+ count = var.install_theia_cloud ? 1 : 0
+ depends_on = [helm_release.theia-cloud-crds]
+ name = "theia-cloud"
+ repository = local.theia_cloud_helm_repository
+ chart = "theia-cloud"
+ version = var.theia_cloud_version
+ namespace = local.theia_cloud_namespace
+ create_namespace = true
+
+ values = [
+ "${file("${path.module}/theia-cloud.yaml")}"
+ ]
+
+ set = [
+ {
+ name = "hosts.configuration.baseHost"
+ value = var.hostname
+ },
+ {
+ name = "keycloak.authUrl"
+ value = local.normalized_keycloak_url
+ },
+ {
+ name = "operator.cloudProvider"
+ value = var.cloud_provider
+ },
+ {
+ name = "ingress.controller"
+ value = var.ingress_controller_type
+ }
+ ]
+}
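Review bot: `values = ["${file("${path.module}/theia-cloud.yaml")}"]` in the `theia-cloud` release wraps the `file()` call in an interpolation-only string, which recent Terraform versions flag as deprecated; the plain form is `values = [file("${path.module}/theia-cloud.yaml")]`. The `keycloak.authUrl` value is derived in `locals` from `var.keycloak_url` or `var.hostname` without checking either, so an empty `hostname` produces `https:///keycloak/` and a caller-supplied `http://` URL is passed to the chart unchanged, which would send the landing page's authentication traffic over plaintext; a non-empty/`https://` validation on those inputs (in variables.tf) would reject this at plan time instead of at first login. A short comment on `depends_on = [helm_release.theia-cloud-crds]` such as `# empty when install_theia_cloud_crds = false; ordering only applies when both charts are installed here` would make the count/depends_on interaction explicit for readers.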
diff --git a/terraform/modules/helm/theia-cloud.yaml b/terraform/modules/theia-cloud/theia-cloud.yaml
similarity index 100%
rename from terraform/modules/helm/theia-cloud.yaml
rename to terraform/modules/theia-cloud/theia-cloud.yaml
diff --git a/terraform/modules/theia-cloud/variables.tf b/terraform/modules/theia-cloud/variables.tf
new file mode 100644
index 000000000..b4c6727f8
--- /dev/null
+++ b/terraform/modules/theia-cloud/variables.tf
@@ -0,0 +1,56 @@
+variable "theia_cloud_version" {
+ description = "The version of theia cloud to install. Used for all installed charts."
+ type = string
+ default = "1.2.0"
+}
+
+variable "install_theia_cloud_base" {
+ description = "Whether to install theia cloud base"
+ default = true
+}
+
+variable "install_theia_cloud_crds" {
+ description = "Whether to install theia cloud crds"
+ default = true
+}
+
+variable "install_theia_cloud" {
+ description = "Whether to install theia cloud"
+ default = true
+}
+
+variable "hostname" {
+ description = "The hostname for the deployment"
+}
+
+variable "ingress_controller_type" {
+ description = "Type of ingress controller to use (nginx or haproxy)"
+ type = string
+ default = "nginx"
+
+ validation {
+ condition = contains(["nginx", "haproxy"], var.ingress_controller_type)
+ error_message = "Valid values are 'nginx' or 'haproxy'."
+ }
+}
+
+variable "keycloak_url" {
+ description = "The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/."
+ default = ""
+}
+
+variable "cloud_provider" {
+ description = "Cloud provider type"
+ type = string
+ default = "K8S"
+ validation {
+ condition = contains(["MINIKUBE", "K8S"], var.cloud_provider)
+ error_message = "Valid values are: MINIKUBE, K8S"
+ }
+}
+
+variable "cert_manager_issuer_email" {
+ description = "Email address used to create certificates."
+ type = string
+ default = ""
+}
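Review bot: `cert_manager_issuer_email` is declared with `default = ""` although the module README added in this commit lists it as required and main.tf passes it straight to the chart's `issuer.email`, so an omitted value silently configures the cert-manager issuer with an empty address rather than failing at plan time; dropping the default makes the documented contract enforceable. In the same file `hostname` and `keycloak_url` carry no `type` and no `validation`, and `keycloak_url` accepts any scheme even though the URL is where the landing page sends users to authenticate, so a `https://`-or-empty check is worth adding next to the existing `cloud_provider` validation. The `install_*` flags would also benefit from `type = bool` so a string like `"false"` is rejected. Separately, the README's usage example in this commit passes `cloudProvider = "K8S"`, which this file declares as `cloud_provider`; Terraform will reject the example as an unsupported argument.

```terraform
variable "hostname" {
  description = "The hostname for the deployment"
  type        = string

  validation {
    condition     = length(trimspace(var.hostname)) > 0
    error_message = "hostname must not be empty."
  }
}

# … unchanged: ingress_controller_type …

variable "keycloak_url" {
  description = "The base URL of the Keycloak instance used for authentication. If not provided, it will be constructed from the 'hostname' variable assuming keycloak is hosted at relative path /keycloak/."
  type        = string
  default     = ""

  validation {
    condition     = var.keycloak_url == "" || startswith(var.keycloak_url, "https://")
    error_message = "keycloak_url must be empty or an https:// URL; authentication traffic is sent to this URL."
  }
}

# … unchanged: cloud_provider …

variable "cert_manager_issuer_email" {
  description = "Email address used to create certificates."
  type        = string
  # no default on purpose: the module README documents this input as required
}
```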
diff --git a/terraform/modules/helm/versions.tf b/terraform/modules/theia-cloud/versions.tf similarity index 63% rename from terraform/modules/helm/versions.tf rename to terraform/modules/theia-cloud/versions.tf index 66c3a9854..2cc802279 100644 --- a/terraform/modules/helm/versions.tf +++ b/terraform/modules/theia-cloud/versions.tf @@ -4,10 +4,6 @@ terraform { source = "hashicorp/helm" version = ">= 3.0.2" } - kubectl = { - source = "gavinbunney/kubectl" - version = ">= 1.19.0" - } } required_version = ">= 1.12.2" diff --git a/terraform/terraform.md b/terraform/terraform.md index e862deac6..a7bc81fa1 100644 --- a/terraform/terraform.md +++ b/terraform/terraform.md @@ -16,7 +16,7 @@ If you are unfamiliar with Terraform, you may want to have a look at their tutor The `modules` directory contains our reusable terraform modules for creating clusters, installing dependencies via helm, and configuring keycloak. The modules will be used by the actual terraform configurations available in the `configurations` directory. -If you can't use Terraform, the `./modules/helm/main.tf` contains the information which helm charts are installed from which helm repository and you may extract the passed values. For an initial Keycloak realm configuration, you may check the values in `./modules/keycloak/main.tf`. +If you can't use Terraform, `./modules/cluster-prerequisites/main.tf` and `./modules/theia-cloud/main.tf` contain the information which helm charts are installed from which helm repository and you may extract the passed values. For an initial Keycloak realm configuration, you may check the values in `./modules/keycloak/main.tf`. ## Theia Cloud Getting Started diff --git a/terraform/test-configurations/1_dependencies/.terraform.lock.hcl b/terraform/test-configurations/1_dependencies/.terraform.lock.hcl index 5233c61be..48e91fd19 100644 --- a/terraform/test-configurations/1_dependencies/.terraform.lock.hcl +++ b/terraform/test-configurations/1_dependencies/.terraform.lock.hcl 
@@ -45,7 +45,7 @@ provider "registry.terraform.io/hashicorp/external" { provider "registry.terraform.io/hashicorp/helm" { version = "3.1.1" - constraints = ">= 3.0.2" + constraints = ">= 2.0.0, >= 3.0.2" hashes = [ "h1:5b2ojWKT0noujHiweCds37ZreRFRQLNaErdJLusJN88=", "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", @@ -63,9 +63,29 @@ provider "registry.terraform.io/hashicorp/helm" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "3.5.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:8bUoPwS4hahOvzCBj6b04ObLVFXCEmEN8T/5eOHmWOM=", + "zh:047c5b4920751b13425efe0d011b3a23a3be97d02d9c0e3c60985521c9c456b7", + "zh:157866f700470207561f6d032d344916b82268ecd0cf8174fb11c0674c8d0736", + "zh:1973eb9383b0d83dd4fd5e662f0f16de837d072b64a6b7cd703410d730499476", + "zh:212f833a4e6d020840672f6f88273d62a564f44acb0c857b5961cdb3bbc14c90", + "zh:2c8034bc039fffaa1d4965ca02a8c6d57301e5fa9fff4773e684b46e3f78e76a", + "zh:5df353fc5b2dd31577def9cc1a4ebf0c9a9c2699d223c6b02087a3089c74a1c6", + "zh:672083810d4185076c81b16ad13d1224b9e6ea7f4850951d2ab8d30fa6e41f08", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b4200f18abdbe39904b03537e1a78f21ebafe60f1c861a44387d314fda69da6", + "zh:843feacacd86baed820f81a6c9f7bd32cf302db3d7a0f39e87976ebc7a7cc2ee", + "zh:a9ea5096ab91aab260b22e4251c05f08dad2ed77e43e5e4fadcdfd87f2c78926", + "zh:d02b288922811739059e90184c7f76d45d07d3a77cc48d0b15fd3db14e928623", + ] +} + provider "registry.terraform.io/hashicorp/kubernetes" { version = "3.0.1" - constraints = ">= 2.38.0" + constraints = ">= 2.0.0, >= 2.38.0" hashes = [ "h1:vyHdH0p6bf9xp1NPePObAJkXTJb/I09FQQmmevTzZe0=", "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281", diff --git a/terraform/test-configurations/1_dependencies/dependencies.tf b/terraform/test-configurations/1_dependencies/dependencies.tf index ac1af66af..89bf9b039 100644 --- a/terraform/test-configurations/1_dependencies/dependencies.tf 
+++ b/terraform/test-configurations/1_dependencies/dependencies.tf 
@@ -97,36 +97,31 @@ locals { hostname = "${local.effective_host}.nip.io" } -module "helm" { - source = "../../modules/helm" - - depends_on = [module.host, helm_release.haproxy-ingress-controller] - - install_ingress_controller = false - ingress_controller_type = data.terraform_remote_state.minikube.outputs.ingress_controller_type - cert_manager_issuer_email = var.cert_manager_issuer_email - cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" - cert_manager_common_name = local.hostname - hostname = local.hostname - keycloak_admin_password = var.keycloak_admin_password - postgresql_enabled = true - postgres_postgres_password = "admin" - postgres_password = "admin" - postgresql_storageClass = "manual" - postgresql_volumePermissions = true - service_type = "ClusterIP" - cloudProvider = "MINIKUBE" - install_selfsigned_issuer = true - install_theia_cloud_base = false - install_theia_cloud_crds = false - install_theia_cloud = false +module "cluster_prerequisites" { + source = "../../modules/cluster-prerequisites" + + depends_on = [kubernetes_persistent_volume_v1.minikube, helm_release.haproxy-ingress-controller] + + hostname = local.hostname + keycloak_admin_password = var.keycloak_admin_password + postgres_password = "admin" + install_cert_manager = true + install_selfsigned_issuer = true + cert_manager_issuer_email = var.cert_manager_issuer_email + ingress_controller_type = data.terraform_remote_state.minikube.outputs.ingress_controller_type + ingress_class_name = data.terraform_remote_state.minikube.outputs.ingress_controller_type + ingress_cert_manager_cluster_issuer = "keycloak-selfsigned-issuer" + ingress_cert_manager_common_name = local.hostname + postgres_storage_class = "manual" + postgres_volume_permissions = true + cloud_provider = "MINIKUBE" } provider "keycloak" { client_id = "admin-cli" username = "admin" password = var.keycloak_admin_password - url = "https://${local.hostname}/keycloak" + url = module.cluster_prerequisites.keycloak_url 
tls_insecure_skip_verify = true # only for minikube self signed initial_login = false client_timeout = 60 @@ -135,9 +130,8 @@ provider "keycloak" { module "keycloak" { source = "../../modules/keycloak" - depends_on = [module.helm] + depends_on = [module.cluster_prerequisites] - hostname = local.hostname keycloak_test_user_foo_password = "foo" keycloak_test_user_bar_password = "bar" valid_redirect_uri = "*" diff --git a/terraform/test-configurations/1_dependencies/outputs.tf b/terraform/test-configurations/1_dependencies/outputs.tf index f1c2e9c8a..7bfb55cf4 100644 --- a/terraform/test-configurations/1_dependencies/outputs.tf +++ b/terraform/test-configurations/1_dependencies/outputs.tf @@ -28,7 +28,7 @@ output "hostname" { output "keycloak" { description = "Keycloak" - value = "${local.hostname}/keycloak" + value = module.cluster_prerequisites.keycloak_url } output "ingress_controller_type" { diff --git a/terraform/test-configurations/3-01_try-now/theia_cloud.tf b/terraform/test-configurations/3-01_try-now/theia_cloud.tf index e1a20cb0d..78f22f286 100644 --- a/terraform/test-configurations/3-01_try-now/theia_cloud.tf +++ b/terraform/test-configurations/3-01_try-now/theia_cloud.tf @@ -70,7 +70,7 @@ resource "helm_release" "theia-cloud" { name = "ingress.controller" value = data.terraform_remote_state.minikube.outputs.ingress_controller_type } - ] + ] } resource "kubectl_manifest" "cdt-cloud-demo" { diff --git a/terraform/test-configurations/3-03_try-now_paths/theia_cloud.tf b/terraform/test-configurations/3-03_try-now_paths/theia_cloud.tf index 942b659a3..be0e7a1c8 100644 --- a/terraform/test-configurations/3-03_try-now_paths/theia_cloud.tf +++ b/terraform/test-configurations/3-03_try-now_paths/theia_cloud.tf @@ -79,7 +79,7 @@ resource "helm_release" "theia-cloud" { name = "ingress.controller" value = data.terraform_remote_state.minikube.outputs.ingress_controller_type } - ] + ] } resource "kubectl_manifest" "cdt-cloud-demo" { 
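Review bot: The new `module "cluster_prerequisites"` call carries the hard-coded credential `postgres_password = "admin"` over from the removed `module "helm"` block, while `keycloak_admin_password` on the neighbouring line is taken from `var.keycloak_admin_password`; even in a minikube test configuration it is worth sourcing it the same way, e.g. `postgres_password = var.postgres_password`, so the secret is not committed and the two inputs are handled consistently. `ingress_class_name` is set to the same remote-state output as `ingress_controller_type`, which presumably relies on the class name matching the controller type; a one-line comment stating that assumption, such as `# ingress class is named after the controller type in the minikube configuration`, would help the next reader. The `provider "keycloak"` block whose `url` line changes here continues past the end of the hunk.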
diff --git a/terraform/test-configurations/3-04_try-now_paths_eager-start/theia_cloud.tf b/terraform/test-configurations/3-04_try-now_paths_eager-start/theia_cloud.tf index 79339d056..d9400fcb5 100644 --- a/terraform/test-configurations/3-04_try-now_paths_eager-start/theia_cloud.tf +++ b/terraform/test-configurations/3-04_try-now_paths_eager-start/theia_cloud.tf @@ -88,7 +88,7 @@ resource "helm_release" "theia-cloud" { name = "ingress.controller" value = data.terraform_remote_state.minikube.outputs.ingress_controller_type } - ] + ] } resource "kubectl_manifest" "cdt-cloud-demo" {