Merge pull request #461 from mojaloop/feature/env-migrate

Feature/env migrate
mojaloop · Jan 29, 2025 · 535a2e2 · 535a2e2
2 parents e187822 + 1e99314
commit 535a2e2
Show file tree

Hide file tree

Showing 12 changed files with 30 additions and 5 deletions.
diff --git a/gitops/applications/overlays/cloud_provider/aws/rook-ceph-cluster/pvc/kustomization.yaml b/gitops/applications/overlays/cloud_provider/aws/rook-ceph-cluster/pvc/kustomization.yaml
@@ -9,4 +9,5 @@ helmCharts:
     releaseName: aws-ebs-csi-driver
     repo: https://kubernetes-sigs.github.io/aws-ebs-csi-driver
     namespace: kube-system
-    valuesFile: aws-ebs-csi-driver-values.yaml
+    valuesFile: aws-ebs-csi-driver-values.yaml
+    version: ${ARGOCD_ENV_aws_ebs_csi_driver_helm_version}
diff --git a/gitops/argo-apps/base/rook-ceph.yaml b/gitops/argo-apps/base/rook-ceph.yaml
@@ -99,3 +99,6 @@ spec:
 
           - name: cluster_domain
             value: "${ARGOCD_ENV_utils_rook_ceph_cluster_domain}"
+
+          - name: aws_ebs_csi_driver_helm_version
+            value: "${ARGOCD_ENV_utils_rook_ceph_aws_ebs_csi_driver_helm_version}"            
diff --git a/terraform/ccnew/ansible-k8s-deploy/templates/argoapps.yaml.tpl b/terraform/ccnew/ansible-k8s-deploy/templates/argoapps.yaml.tpl
@@ -23,6 +23,7 @@ argocd_override:
           volumes_provider: "${rook_ceph_volumes_provider}"
           volumes_storage_region: "${cloud_region}"
           cluster_domain: "${cluster_domain}"
+          aws_ebs_csi_driver_helm_version: "${rook_ceph_aws_ebs_csi_driver_helm_version}"
         reflector:
           helm_version: "${reflector_helm_version}"
         reloader:

diff --git a/terraform/ccnew/default-config/common-vars.yaml b/terraform/ccnew/default-config/common-vars.yaml
@@ -263,4 +263,5 @@ rook_ceph_csi_driver_replicas: "'2'"
 rook_ceph_objects_replica_count: "'3'"
 rook_ceph_osd_count: "'3'"
 rook_ceph_volume_size_per_osd: "500Gi"
-rook_ceph_volumes_provider: "pvc" # host, pvc
+rook_ceph_volumes_provider: "pvc" # host, pvc
+rook_ceph_aws_ebs_csi_driver_helm_version: "2.39.0"
diff --git a/terraform/config-params/ccnew-config/deploy-env-config/gitlab.tf b/terraform/config-params/ccnew-config/deploy-env-config/gitlab.tf
@@ -239,4 +239,4 @@ resource "gitlab_repository_file" "vault_token_update" {
   content        = base64encode("vault-token-${sha256(vault_token.env_token[each.value].client_token)}")
   author_name    = "Terraform"
   commit_message = "tf_trigger: vault_token_update"
-}
+}
diff --git a/terraform/config-params/ccnew-config/deploy-env-config/vault-transit.tf b/terraform/config-params/ccnew-config/deploy-env-config/vault-transit.tf
@@ -45,6 +45,15 @@ path "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.uns
 path "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.unseal_key[each.value].name}" {
   capabilities = [ "update" ]
 }
+
+path "${vault_mount.transit.path}/encrypt/unseal-key-${each.value}-migrated" {
+  capabilities = [ "update" ]
+}
+
+path "${vault_mount.transit.path}/decrypt/unseal-key-${each.value}-migrated" {
+  capabilities = [ "update" ]
+}
+
 EOT
 }
 

diff --git a/terraform/config-params/ccnew-config/env-onboard-config/ceph-bucket-secrets.tf b/terraform/config-params/ccnew-config/env-onboard-config/ceph-bucket-secrets.tf
@@ -187,4 +187,4 @@ resource "gitlab_project_variable" "ceph_percona_bucket" {
   value     = "${var.env_name}-percona"
   protected = false
   masked    = false
-}
+}
diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml
@@ -71,6 +71,7 @@ cache:
     - yq eval '.' $CONFIG_PATH/addons-vars.yaml -o=json > addons-vars.yaml
     - for var in $(jq -r 'to_entries[] | "\(.key)=\(.value)\n"' ./cluster-config.json); do export $var; done
     - for var in $(jq -r 'to_entries[] | "\(.key)=\(.value)\n"' ./addons-vars.yaml); do export $var; done
+    - if [ $migrate == "true" ]; then sh .gitlab/scripts/get-artifacts.sh; fi    
     - export ENV_VAULT_TOKEN="$(vault kv get -field=value ${KV_SECRET_PATH}/${CI_PROJECT_NAME}/env_token)"
     - export $cloud_platform_client_secret_name="$(vault kv get -field=value ${KV_SECRET_PATH}/${CI_PROJECT_NAME}/cloud_platform_client_secret)"
     - export GITLAB_CI_PAT="$(vault kv get -field=value ${KV_SECRET_PATH}/gitlab/gitlab_ci_pat)"

diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/get-artifacts.sh b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/get-artifacts.sh
@@ -0,0 +1,3 @@
+export SOURCE_GITLAB_TOKEN="$(vault kv get -field=token ${KV_SECRET_PATH}/mig-source-gitlab)"
+curl --location --output artifacts.zip --header "Authorization: Bearer $SOURCE_GITLAB_TOKEN"  $MIG_SOURCE_GITLAB/api/v4/projects/$MIG_SOURCE_PROJECT_ID/jobs/$MIG_SOURCE_JOB_ID/artifacts
+unzip -o artifacts.zip -d $TF_ROOT
diff --git a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl
@@ -93,18 +93,21 @@ locals {
     netbird_version              = get_env("NETBIRD_VERSION")
     netbird_api_host             = get_env("NETBIRD_API_HOST")
     netbird_setup_key            = get_env("NETBIRD_K8S_SETUP_KEY") 
+    migrate                      = get_env("migrate")    
     coredns_localcache_version   = local.common_vars.coredns_localcache_version      
   }
   master_hosts_var_maps  = {
     netbird_version              = get_env("NETBIRD_VERSION")
     netbird_api_host             = get_env("NETBIRD_API_HOST")
     netbird_setup_key            = get_env("NETBIRD_K8S_SETUP_KEY") 
+    migrate                      = get_env("migrate")    
     coredns_localcache_version   = local.common_vars.coredns_localcache_version  
   }
   bastion_hosts_var_maps = {
     netbird_version              = get_env("NETBIRD_VERSION")
     netbird_api_host             = get_env("NETBIRD_API_HOST")
     netbird_setup_key            = get_env("NETBIRD_GW_SETUP_KEY")
+    migrate                      = get_env("migrate")
     nexus_fqdn                   = get_env("NEXUS_FQDN")
     ceph_fqdn                    = get_env("CEPH_OBJECTSTORE_FQDN")
     vault_fqdn                   = get_env("VAULT_FQDN")

diff --git a/terraform/k8s/default-config/cluster-config.yaml b/terraform/k8s/default-config/cluster-config.yaml
@@ -55,3 +55,4 @@ gitlab_admin_rbac_group: tenant-admins
 gitlab_readonly_rbac_group: tenant-viewers
 coredns_bind_address: "169.254.20.10"
 single_nat_gateway: true
+migrate: false 
diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl
@@ -84,7 +84,7 @@ inputs = {
   letsencrypt_email                        = local.LETSENCRYPT_EMAIL
   enable_grafana_oidc                      = local.ENABLE_GRAFANA_OIDC
   kv_path                                  = local.KV_SECRET_PATH
-  transit_vault_key_name                   = local.TRANSIT_VAULT_UNSEAL_KEY_NAME
+  transit_vault_key_name                   = local.migrate ? local.mig_transit_vault_unseal_key_name : local.TRANSIT_VAULT_UNSEAL_KEY_NAME
   transit_vault_url                        = local.VAULT_SERVER_URL
   ceph_api_url                             = local.ceph_fqdn
   central_observability_endpoint           = local.central_observability_endpoint
@@ -154,10 +154,12 @@ locals {
   KV_SECRET_PATH                = get_env("KV_SECRET_PATH")
   VAULT_GITLAB_ROOT_TOKEN       = get_env("ENV_VAULT_TOKEN")
   TRANSIT_VAULT_UNSEAL_KEY_NAME = get_env("TRANSIT_VAULT_UNSEAL_KEY_NAME")
+  mig_transit_vault_unseal_key_name = "${get_env("TRANSIT_VAULT_UNSEAL_KEY_NAME")}-migrated"
   VAULT_SERVER_URL              = get_env("VAULT_SERVER_URL")
   VAULT_ADDR                    = get_env("VAULT_ADDR")
   ceph_fqdn                     = get_env("CEPH_OBJECTSTORE_FQDN")
   central_observability_endpoint = get_env("MIMIR_GW_FQDN")
+  migrate                       = get_env("migrate")
   argocd_ingress_internal_lb    = true
   grafana_ingress_internal_lb   = true
   vault_ingress_internal_lb     = true