many fixes (#187)

* removing empty deployment from db creation

we could move this back to deployable backend if we see the need
this causes an error while spinning up user-auth db because project
namespace is not created

* fix reference to undeclared variables

* allow notification secrets to partially exist

* fixup! allow notification secrets to partially exist

* fix user-auth domain name ended up with extra dot

* fix user-auth db-endpoint failure due to ext-svc

* fixup! fix user-auth db-endpoint failure due to ext-svc

* fixup! fixup! fix user-auth db-endpoint failure due to ext-svc

* elasticsearch seems to only allow https

Author: davidcheung

templates/kubernetes/terraform/environments/prod/main.tf

@@ -20,7 +20,9 @@ locals {
   region       = "<% index .Params `region` %>"
   account_id   = "<% index .Params `accountId` %>"
   domain_name  = "<% index .Params `productionHostRoot` %>"
+  environment  = "prod"
   file_uploads = <% if eq (index .Params `fileUploads`) "yes" %>true<% else %>false<% end %>
+  random_seed  = "<% index .Params `randomSeed` %>"
 }
 
 provider "aws" {
@@ -37,7 +39,7 @@ module "kubernetes" {
   project             = local.project
   region              = local.region
   allowed_account_ids = [local.account_id]
-  random_seed         = "<% index .Params `randomSeed` %>"
+  random_seed         = local.random_seed
   cf_signing_enabled  = local.file_uploads
 
   # Authenticate with the EKS cluster via the cluster id
@@ -79,9 +81,9 @@ module "kubernetes" {
     {
       name = local.project
       auth_namespace                = "user-auth"
-      frontend_service_domain       = "<% index .Params `productionFrontendSubdomain` %>.${local.domain_name}"
-      backend_service_domain        = "<% index .Params `productionBackendSubdomain` %>.${local.domain_name}"
-      whitelisted_return_urls       = ["https://<% index .Params `productionFrontendSubdomain` %>.${local.domain_name}"]
+      frontend_service_domain       = "<% index .Params `productionFrontendSubdomain` %>${local.domain_name}"
+      backend_service_domain        = "<% index .Params `productionBackendSubdomain` %>${local.domain_name}"
+      whitelisted_return_urls       = ["https://<% index .Params `productionFrontendSubdomain` %>${local.domain_name}"]
       jwks_secret_name              = "${local.project}-${local.environment}-oathkeeper-jwks-${local.random_seed}"
       # This domain or address must be verified by the mail provider (Sendgrid, SES, etc.)
       user_auth_mail_from_address   = "noreply@${local.domain_name}"
@@ -93,6 +95,8 @@ module "kubernetes" {
     ## If you need to add another user-auth instance you will have to create another set of these resources
   ]<% end %>
   notification_service_enabled          = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>true<% else %>false<% end %>
+  notification_service_sendgrid_enabled = <%if ne (index .Params `sendgridApiKey`) "" %>true<% else %>false<% end %>
+  notification_service_slack_enabled    = <%if ne (index .Params `notificationServiceSlackApiKey`) "" %>true<% else %>false<% end %>
   notification_service_highly_available = true
 
   cache_store =  "<% index .Params `cacheStore` %>"

templates/kubernetes/terraform/environments/stage/main.tf

@@ -20,7 +20,9 @@ locals {
   region       = "<% index .Params `region` %>"
   account_id   = "<% index .Params `accountId` %>"
   domain_name  = "<% index .Params `stagingHostRoot` %>"
+  environment  = "stage"
   file_uploads = <% if eq (index .Params `fileUploads`) "yes" %>true<% else %>false<% end %>
+  random_seed  = "<% index .Params `randomSeed` %>"
 }
 
 provider "aws" {
@@ -36,7 +38,7 @@ module "kubernetes" {
   project             = local.project
   region              = local.region
   allowed_account_ids = [local.account_id]
-  random_seed         = "<% index .Params `randomSeed` %>"
+  random_seed         = local.random_seed
   cf_signing_enabled  = local.file_uploads
 
   # Authenticate with the EKS cluster via the cluster id
@@ -78,9 +80,9 @@ module "kubernetes" {
     {
       name = local.project
       auth_namespace                = "user-auth"
-      frontend_service_domain       = "<% index .Params `stagingFrontendSubdomain` %>.${local.domain_name}"
-      backend_service_domain        = "<% index .Params `stagingBackendSubdomain` %>.${local.domain_name}"
-      whitelisted_return_urls       = ["https://<% index .Params `stagingFrontendSubdomain` %>.${local.domain_name}"]
+      frontend_service_domain       = "<% index .Params `stagingFrontendSubdomain` %>${local.domain_name}"
+      backend_service_domain        = "<% index .Params `stagingBackendSubdomain` %>${local.domain_name}"
+      whitelisted_return_urls       = ["https://<% index .Params `stagingFrontendSubdomain` %>${local.domain_name}"]
       jwks_secret_name              = "${local.project}-${local.environment}-oathkeeper-jwks-${local.random_seed}"
       # This domain or address must be verified by the mail provider (Sendgrid, SES, etc.)
       user_auth_mail_from_address   = "noreply@${local.domain_name}"
@@ -92,6 +94,8 @@ module "kubernetes" {
     ## If you need to add another user-auth instance you will have to create another set of these resources
   ]<% end %>
   notification_service_enabled          = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>true<% else %>false<% end %>
+  notification_service_sendgrid_enabled = <%if ne (index .Params `sendgridApiKey`) "" %>true<% else %>false<% end %>
+  notification_service_slack_enabled    = <%if ne (index .Params `notificationServiceSlackApiKey`) "" %>true<% else %>false<% end %>
   notification_service_highly_available = false
 
   cache_store = "<% index .Params `cacheStore` %>"

templates/kubernetes/terraform/modules/kubernetes/notification_service.tf

@@ -5,20 +5,20 @@ locals {
 }
 
 data "aws_secretsmanager_secret" "sendgrid_api_key" {
-  count = var.notification_service_enabled ? 1 : 0
+  count = var.notification_service_enabled && var.notification_service_sendgrid_enabled ? 1 : 0
   name  = local.sendgrid_api_key_secret_name
 }
 data "aws_secretsmanager_secret_version" "sendgrid_api_key" {
-  count     = var.notification_service_enabled ? 1 : 0
+  count = var.notification_service_enabled && var.notification_service_sendgrid_enabled ? 1 : 0
   secret_id = data.aws_secretsmanager_secret.sendgrid_api_key[0].id
 }
 
 data "aws_secretsmanager_secret" "slack_api_key" {
-  count = var.notification_service_enabled ? 1 : 0
+  count = var.notification_service_enabled && var.notification_service_slack_enabled ? 1 : 0
   name  = local.slack_api_key_secret_name
 }
 data "aws_secretsmanager_secret_version" "slack_api_key" {
-  count     = var.notification_service_enabled ? 1 : 0
+  count     = var.notification_service_enabled && var.notification_service_slack_enabled ? 1 : 0
   secret_id = data.aws_secretsmanager_secret.slack_api_key[0].id
 }
 
@@ -65,11 +65,11 @@ resource "helm_release" "notification_service" {
   # These will become secrets provided as env vars
   set_sensitive {
     name  = "application.sendgridApiKey"
-    value = data.aws_secretsmanager_secret_version.sendgrid_api_key[0].secret_string
+    value = var.notification_service_enabled && var.notification_service_sendgrid_enabled ? data.aws_secretsmanager_secret_version.sendgrid_api_key[0].secret_string : ""
   }
 
   set_sensitive {
     name  = "application.slackApiKey"
-    value = data.aws_secretsmanager_secret_version.slack_api_key[0].secret_string
+    value = var.notification_service_enabled && var.notification_service_slack_enabled ? data.aws_secretsmanager_secret_version.slack_api_key[0].secret_string : ""
   }
 }

templates/kubernetes/terraform/modules/kubernetes/variables.tf

@@ -107,6 +107,18 @@ variable "notification_service_enabled" {
   default     = false
 }
 
+variable "notification_service_slack_enabled" {
+  description = "If enabled, will inject slack_api_key env-vars from secret manager to notification service"
+  type        = bool
+  default     = false
+}
+
+variable "notification_service_sendgrid_enabled" {
+  description = "If enabled, will inject sendgrid_api_key env-vars from secret manager to notification service"
+  type        = bool
+  default     = false
+}
+
 variable "notification_service_highly_available" {
   description = "If enabled, will make sure a minimum of 2 pods are running and use a horizontal pod autoscaler to make scale the number of pods based on CPU. Recommended for Production."
   type        = bool

templates/scripts/create-db-user.sh

@@ -34,7 +34,8 @@ echo "Some environment variables (REGION, SEED, PROJECT_NAME, ENVIRONMENT, NAMES
 DOCKER_IMAGE_TAG=commitdev/zero-k8s-utilities:0.0.3
 
 # database info preparation
-DB_ENDPOINT=database.${PROJECT_NAME}
+# this script will run both before and after make-apply-k8s, therefore the database service is not always available
+DB_ENDPOINT=$(aws rds describe-db-instances --region=$REGION  --db-instance-identifier "${PROJECT_NAME}-${ENVIRONMENT}" --query "DBInstances[0].Endpoint.Address" | jq -r '.')
 DB_NAME_LIST=$(echo ${DATABASE_NAME} | tr -dc 'A-Za-z0-9 ') # used by job
 DB_NAME=$(echo ${DB_NAME_LIST} | cut -d" " -f1) # used by db-pod
 DB_TYPE=${DATABASE_TYPE}

templates/scripts/db-ops/job-create-db-mysql.yml.tpl

@@ -60,47 +60,3 @@ spec:
             secretName: db-create-users
       restartPolicy: Never
   backoffLimit: 1
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: db-pod
-  namespace: $PROJECT_NAME
-spec:
-# this is purposely left at 0 so it can be enabled for troubleshooting purposes
-  replicas: 0
-  selector:
-    matchLabels:
-      app: db-pod
-  template:
-    metadata:
-      labels:
-        app: db-pod
-    spec:
-      automountServiceAccountToken: false
-      containers:
-      - command:
-        - sh
-        args:
-        - "-c"
-        # long running task so the pod doesn't exit with 0
-        - tail -f /dev/null
-        image: $DOCKER_IMAGE_TAG
-        imagePullPolicy: Always
-        name: db-pod
-        env:
-        - name: DB_ENDPOINT
-          value: $DB_ENDPOINT
-        - name: DB_NAME
-          value: $DB_NAME
-        - name: DB_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: $SECRET_NAME
-              key: DATABASE_USERNAME
-        - name: DB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: $SECRET_NAME
-              key: DATABASE_PASSWORD

templates/scripts/db-ops/job-create-db-postgres.yml.tpl

@@ -62,47 +62,3 @@ spec:
             secretName: db-create-users
       restartPolicy: Never
   backoffLimit: 1
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: db-pod
-  namespace: $PROJECT_NAME
-spec:
-# this is purposely left at 0 so it can be enabled for troubleshooting purposes
-  replicas: 0
-  selector:
-    matchLabels:
-      app: db-pod
-  template:
-    metadata:
-      labels:
-        app: db-pod
-    spec:
-      automountServiceAccountToken: false
-      containers:
-      - command:
-        - sh
-        args:
-        - "-c"
-        # long running task so the pod doesn't exit with 0
-        - tail -f /dev/null
-        image: $DOCKER_IMAGE_TAG
-        imagePullPolicy: Always
-        name: db-pod
-        env:
-        - name: DB_ENDPOINT
-          value: $DB_ENDPOINT
-        - name: DB_NAME
-          value: $DB_NAME
-        - name: DB_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: $SECRET_NAME
-              key: DATABASE_USERNAME
-        - name: DB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: $SECRET_NAME
-              key: DATABASE_PASSWORD

templates/scripts/files/elasticsearch-setup.sh

@@ -6,19 +6,19 @@ set -e
 echo "Executing Elasticsearch queries to configure the ${ENVIRONMENT} environment"
 
 # Create the index pattern
-curl -X POST "http://${ES_ENDPOINT}/_plugin/kibana/api/saved_objects/index-pattern" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
+curl -X POST "https://${ES_ENDPOINT}/_plugin/kibana/api/saved_objects/index-pattern" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
     -d'{"attributes":{"title":"fluentd-*","timeFieldName":"@timestamp","fields":"[]"}}'
 
 if [ "${ENVIRONMENT}" = "stage" ]; then
     # Create the policy
-    curl -X PUT "http://${ES_ENDPOINT}/_opendistro/_ism/policies/hot_cold_delete_workflow?pretty" -H 'Content-Type: application/json' -d@/elasticsearch-index-policy-stage.json
+    curl -X PUT "https://${ES_ENDPOINT}/_opendistro/_ism/policies/hot_cold_delete_workflow?pretty" -H 'Content-Type: application/json' -d@/elasticsearch-index-policy-stage.json
     # Make indices use the policy
-    curl -X PUT "http://${ES_ENDPOINT}/_template/fluentd_template?pretty" -H 'Content-Type: application/json' \
+    curl -X PUT "https://${ES_ENDPOINT}/_template/fluentd_template?pretty" -H 'Content-Type: application/json' \
     -d'{ "index_patterns": ["fluentd-*"], "settings": { "number_of_shards": 2, "number_of_replicas": 1, "opendistro.index_state_management.policy_id": "hot_cold_delete_workflow" }}'
 else
     # Create the policy
-    curl -X PUT "http://${ES_ENDPOINT}/_opendistro/_ism/policies/hot_warm_cold_delete_workflow?pretty" -H 'Content-Type: application/json' -d@/elasticsearch-index-policy-prod.json
+    curl -X PUT "https://${ES_ENDPOINT}/_opendistro/_ism/policies/hot_warm_cold_delete_workflow?pretty" -H 'Content-Type: application/json' -d@/elasticsearch-index-policy-prod.json
     # Make indices use the policy
-    curl -X PUT "http://${ES_ENDPOINT}/_template/fluentd_template?pretty" -H 'Content-Type: application/json' \
+    curl -X PUT "https://${ES_ENDPOINT}/_template/fluentd_template?pretty" -H 'Content-Type: application/json' \
     -d'{ "index_patterns": ["fluentd-*"], "settings": { "number_of_shards": 2, "number_of_replicas": 2, "opendistro.index_state_management.policy_id": "hot_warm_cold_delete_workflow" }}'
 fi