gitpod-io
diff --git a/‎.werft/eks-installer-tests.yaml
Lines changed: 85 additions & 0 deletions b/‎.werft/eks-installer-tests.yaml
Lines changed: 85 additions & 0 deletions
diff --git a/‎.werft/installer-tests.ts
Lines changed: 36 additions & 11 deletions b/‎.werft/installer-tests.ts
Lines changed: 36 additions & 11 deletions
diff --git a/‎install/infra/terraform/aks/output.tf
Lines changed: 26 additions & 8 deletions b/‎install/infra/terraform/aks/output.tf
Lines changed: 26 additions & 8 deletions
diff --git a/‎install/infra/terraform/eks/database.tf
Lines changed: 40 additions & 0 deletions b/‎install/infra/terraform/eks/database.tf
Lines changed: 40 additions & 0 deletions
diff --git a/‎install/infra/terraform/eks/dns.tf
Lines changed: 114 additions & 0 deletions b/‎install/infra/terraform/eks/dns.tf
Lines changed: 114 additions & 0 deletions
@@ -0,0 +1,85 @@
+# debug using `werft run github -f -s .werft/installer-tests.ts -j .werft/eks-installer-tests.yaml -a debug=true`
+pod:
+  serviceAccount: werft
+  affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: dev/workload
+          operator: In
+          values:
+          - "builds"
+  securityContext:
+    runAsUser: 0
+  volumes:
+  - name: sh-playground-sa-perm
+    secret:
+      secretName: sh-playground-sa-perm
+  - name: sh-playground-dns-perm
+    secret:
+      secretName: sh-playground-dns-perm
+  - name: sh-aks-perm
+    secret:
+      secretName: aks-credentials
+  containers:
+  - name: nightly-test
+    image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:cw-werft-cred.0
+    workingDir: /workspace
+    imagePullPolicy: Always
+    volumeMounts:
+    - name: sh-playground-sa-perm
+      mountPath: /mnt/secrets/sh-playground-sa-perm
+    - name: sh-playground-dns-perm # this sa is used for the DNS management
+      mountPath: /mnt/secrets/sh-playground-dns-perm
+    env:
+    - name: AWS_ACCESS_KEY_ID
+      valueFrom:
+        secretKeyRef:
+          name: aws-credentials
+          key: aws-access-key
+    - name: AWS_SECRET_ACCESS_KEY
+      valueFrom:
+        secretKeyRef:
+          name: aws-credentials
+          key: aws-secret-key
+    - name: AWS_REGION
+      valueFrom:
+        secretKeyRef:
+          name: aws-credentials
+          key: aws-region
+    - name: WERFT_HOST
+      value: "werft.werft.svc.cluster.local:7777"
+    - name: GOOGLE_APPLICATION_CREDENTIALS
+      value: "/mnt/secrets/sh-playground-sa-perm/sh-sa.json"
+    - name: WERFT_K8S_NAMESPACE
+      value: "werft"
+    - name: WERFT_K8S_LABEL
+      value: "component=werft"
+    - name: TF_VAR_sa_creds
+      value: "/mnt/secrets/sh-playground-sa-perm/sh-sa.json"
+    - name: TF_VAR_dns_sa_creds
+      value: "/mnt/secrets/sh-playground-dns-perm/sh-dns-sa.json"
+    - name: NODENAME
+      valueFrom:
+        fieldRef:
+          fieldPath: spec.nodeName
+    command:
+      - bash
+      - -c
+      - |
+        sleep 1
+        set -Eeuo pipefail
+
+        sudo chown -R gitpod:gitpod /workspace
+        sudo apt update && apt install gettext-base
+
+        export TF_VAR_TEST_ID="$(echo $RANDOM | md5sum | head -c 5; echo)"
+
+        (cd .werft && yarn install && mv node_modules ..) | werft log slice prep
+        printf '{{ toJson . }}' > context.json
+
+        npx ts-node .werft/installer-tests.ts "STANDARD_EKS_TEST"
+# The bit below makes this a cron job
+# plugins:
+#   cron: "15 3 * * *"
@@ -92,8 +92,8 @@ const TEST_CONFIGURATIONS: { [name: string]: TestConfig } = {
         PHASES: [
             "STANDARD_AKS_CLUSTER",
             "CERT_MANAGER",
-            "AZURE_ISSUER",
-            "AZURE_EXTERNALDNS",
+            "CLUSTER_ISSUER",
+            "EXTERNALDNS",
             "ADD_NS_RECORD",
             "GENERATE_KOTS_CONFIG",
             "INSTALL_GITPOD",
@@ -103,6 +103,23 @@ const TEST_CONFIGURATIONS: { [name: string]: TestConfig } = {
             "DESTROY",
         ],
     },
+    STANDARD_EKS_TEST: {
+        CLOUD: "aws",
+        DESCRIPTION: "Create an EKS cluster",
+        PHASES: [
+            "STANDARD_EKS_CLUSTER",
+            "CERT_MANAGER",
+            "EXTERNALDNS",
+            "CLUSTER_ISSUER",
+            "ADD_NS_RECORD",
+            "GENERATE_KOTS_CONFIG",
+            "RESULTS",
+            "INSTALL_GITPOD",
+            "CHECK_INSTALLATION",
+            // "RUN_INTEGRATION_TESTS",
+            "DESTROY",
+        ],
+    },
 };
 
 const config: TestConfig = TEST_CONFIGURATIONS[testConfig];
@@ -128,6 +145,11 @@ const INFRA_PHASES: { [name: string]: InfraConfig } = {
         makeTarget: "aks-standard-cluster",
         description: "Creating an aks cluster(azure)",
     },
+    STANDARD_EKS_CLUSTER: {
+        phase: "create-std-eks-cluster",
+        makeTarget: "eks-standard-cluster",
+        description: "Creating a EKS cluster with 1 nodepool each for workspace and server",
+    },
     CERT_MANAGER: {
         phase: "setup-cert-manager",
         makeTarget: "cert-manager",
@@ -146,18 +168,18 @@ const INFRA_PHASES: { [name: string]: InfraConfig } = {
         )} db=${randomize("db", cloud)}`,
         description: `Generate KOTS Config file`,
     },
-    AZURE_ISSUER: {
-        phase: "setup-azure-cluster-issuer",
+    CLUSTER_ISSUER: {
+        phase: `setup-azure-cluster-issuer cloud=${cloud}`,
         makeTarget: "azure-issuer",
         description: "Deploys ClusterIssuer for azure",
     },
-    AZURE_EXTERNALDNS: {
-        phase: "azure-external-dns",
-        makeTarget: "azure-external-dns",
-        description: "Deploys external-dns with azure provider",
+    EXTERNALDNS: {
+        phase: "external-dns",
+        makeTarget: `external-dns cloud=${cloud}`,
+        description: `Deploys external-dns with ${cloud} provider`,
     },
     ADD_NS_RECORD: {
-        phase: "add-ns-record",
+        phase: `add-ns-record cloud=${cloud}`,
         makeTarget: "add-ns-record",
         description: "Adds NS record for subdomain under gitpod-self-hosted.com",
     },
@@ -189,7 +211,7 @@ const INFRA_PHASES: { [name: string]: InfraConfig } = {
     },
     DESTROY: {
         phase: "destroy",
-        makeTarget: "cleanup",
+        makeTarget: `cleanup cloud=${cloud}`,
         description: "Destroy the created infrastucture",
     },
     RESULTS: {
@@ -254,7 +276,10 @@ function cleanup() {
     const phase = "destroy-infrastructure";
     werft.phase(phase, "Destroying all the created resources");
 
-    const response = exec(`make -C ${makefilePath} cleanup`, { slice: "run-terrafrom-destroy", dontCheckRc: true });
+    const response = exec(`make -C ${makefilePath} cleanup cloud=${cloud}`, {
+        slice: "run-terrafrom-destroy",
+        dontCheckRc: true,
+    });
 
     // if the destroy command fail, we check if any resources are pending to be removed
     // if nothing is yet to be cleaned, we return with success
 
@@ -36,14 +36,32 @@ output "external_dns_secrets" {
 }
 
 output "external_dns_settings" {
-  value = {
-    provider                            = "azure"
-    "azure.resourceGroup"               = azurerm_resource_group.gitpod.name
-    "azure.subscriptionId"              = data.azurerm_client_config.current.subscription_id
-    "azure.tenantId"                    = data.azurerm_client_config.current.tenant_id
-    "azure.useManagedIdentityExtension" = true
-    "azure.userAssignedIdentityID"      = azurerm_kubernetes_cluster.k8s.kubelet_identity.0.client_id
-  }
+  value = [
+    {
+      "name": "provider",
+      "value": "azure"
+    },
+    {
+      "name": "azure.resourceGroup",
+      "value": azurerm_resource_group.gitpod.name,
+    },
+    {
+      "name": "azure.subscriptionId",
+      "value": data.azurerm_client_config.current.subscription_id,
+    },
+    {
+      "name": "azure.tenantId",
+      "value": data.azurerm_client_config.current.tenant_id,
+    },
+    {
+      "name": "azure.useManagedIdentityExtension",
+      "value": true
+    },
+    {
+      "name": "azure.userAssignedIdentityID",
+      "value": azurerm_kubernetes_cluster.k8s.kubelet_identity.0.client_id
+    },
+  ]
 }
 
 output "k8s_connection" {
 
@@ -0,0 +1,40 @@
+resource "aws_db_subnet_group" "gitpod_subnets" {
+  name       = "db-sg-${var.cluster_name}"
+  subnet_ids = [module.vpc.public_subnets[2], module.vpc.public_subnets[3]]
+}
+
+resource "aws_security_group" "rdssg" {
+  name = "dh-sg-${var.cluster_name}"
+  vpc_id = module.vpc.vpc_id
+
+  ingress {
+    from_port = 0
+    to_port = 3306
+    protocol = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_db_instance" "gitpod" {
+  allocated_storage    = 10
+  max_allocated_storage = 100
+  engine               = "mysql"
+  engine_version       = "5.7"
+  instance_class       = "db.t3.micro"
+  vpc_security_group_ids = [ aws_security_group.rdssg.id ]
+  identifier           = "db-${var.cluster_name}"
+  name                 = "gitpod"
+  username             = "gitpod"
+  password             = "gitpod-qwat"
+  parameter_group_name = "default.mysql5.7"
+  db_subnet_group_name = aws_db_subnet_group.gitpod_subnets.name
+  skip_final_snapshot  = true
+  publicly_accessible  = true
+}
@@ -0,0 +1,114 @@
+resource "aws_route53_zone" "gitpod" {
+  force_destroy = true
+  name = var.domain_name
+
+  tags = {
+    Environment = "test"
+  }
+}
+
+# This creates an SSL certificate
+resource "aws_acm_certificate" "gitpod" {
+  domain_name       = var.domain_name
+  subject_alternative_names = ["*.ws.${var.domain_name}", "ws.${var.domain_name}", "*.${var.domain_name}"]
+  validation_method = "DNS"
+}
+
+# This is a DNS record for the ACM certificate validation to prove we own the domain
+#
+# This example, we make an assumption that the certificate is for a single domain name so can just use the first value of the
+# domain_validation_options.  It allows the terraform to apply without having to be targeted.
+# This is somewhat less complex than the example at https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation
+# - that above example, won't apply without targeting
+
+resource "aws_route53_record" "cert_validation" {
+  allow_overwrite = true
+  name = tolist(aws_acm_certificate.gitpod.domain_validation_options)[0].resource_record_name
+  type = tolist(aws_acm_certificate.gitpod.domain_validation_options)[0].resource_record_type
+  zone_id = "${resource.aws_route53_zone.gitpod.zone_id}"
+  records = [tolist(aws_acm_certificate.gitpod.domain_validation_options)[0].resource_record_value]
+  ttl = 60
+}
+
+resource "aws_route53_record" "cert_validation_1" {
+  allow_overwrite = true
+  name = tolist(aws_acm_certificate.gitpod.domain_validation_options)[1].resource_record_name
+  type = tolist(aws_acm_certificate.gitpod.domain_validation_options)[1].resource_record_type
+  zone_id = "${resource.aws_route53_zone.gitpod.zone_id}"
+  records = [tolist(aws_acm_certificate.gitpod.domain_validation_options)[1].resource_record_value]
+  ttl = 60
+}
+
+resource "aws_route53_record" "cert_validation_2" {
+  allow_overwrite = true
+  name = tolist(aws_acm_certificate.gitpod.domain_validation_options)[2].resource_record_name
+  type = tolist(aws_acm_certificate.gitpod.domain_validation_options)[2].resource_record_type
+  zone_id = "${resource.aws_route53_zone.gitpod.zone_id}"
+  records = [tolist(aws_acm_certificate.gitpod.domain_validation_options)[2].resource_record_value]
+  ttl = 60
+}
+
+resource "aws_route53_record" "cert_validation_3" {
+  allow_overwrite = true
+  name = tolist(aws_acm_certificate.gitpod.domain_validation_options)[3].resource_record_name
+  type = tolist(aws_acm_certificate.gitpod.domain_validation_options)[3].resource_record_type
+  zone_id = "${resource.aws_route53_zone.gitpod.zone_id}"
+  records = [tolist(aws_acm_certificate.gitpod.domain_validation_options)[3].resource_record_value]
+  ttl = 6
+}
+
+resource "aws_iam_policy" "gitpod" {
+  name = "role-${var.cluster_name}"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+        {
+            Effect = "Allow",
+            Action = [
+                "route53:ChangeResourceRecordSets"
+            ],
+            Resource = [
+                "arn:aws:route53:::hostedzone/*"
+            ]
+        },
+        {
+            Effect = "Allow",
+            Action = [
+                "route53:GetChange",
+            ],
+            Resource = [
+                "arn:aws:route53:::change/*"
+            ]
+        },
+        {
+            Effect = "Allow",
+            Action = [
+                "route53:ListHostedZones",
+                "route53:ListResourceRecordSets"
+            ],
+            Resource = [ "*" ]
+        }
+    ],
+  })
+}
+
+resource "aws_iam_user_policy_attachment" "test-attach" {
+  user       = aws_iam_user.edns.name
+  policy_arn = aws_iam_policy.gitpod.arn
+}
+
+resource "aws_iam_user" "edns" {
+  name = "${var.cluster_name}-external-dns"
+  force_destroy = true
+
+  tags = {
+    env = "test"
+  }
+}
+
+resource "aws_iam_access_key" "edns" {
+  user = aws_iam_user.edns.name
+}