Merge pull request #17 from datafold/gerard-eng-1027-deploy-google-with-changes-in-helm-charts

fix: Several azure fixes

Author: gtoonstra

README.md

@@ -110,20 +110,6 @@ k9s
 
 ### Initializing the application
 
-The deployment is created and the initjob should have created the databases and done the 
-initialization of the site settings.
-
-If that didn't complete successfully, try to restart the job. 
-
-Once the deployment is complete and the initjob succeeded, we can set the install to that for false in config.yaml:
-
-```
-initjob:
-  install: false
-```
-
-Alternatively, here are the manual steps to achieve the same:
-
 Establish a shell into the `<deployment>-dfshell` container. 
 It is likely that the scheduler and server containers are crashing in a loop.
 

examples/deployment/application/config.yaml

@@ -1,16 +1,63 @@
 global:
+  cloudProvider: "azure"
   datadog:
-    env: prod
+    env: test
     install: true
   operator:
     allowRollback: true
-    releaseChannel: stable
+    releaseChannel: foo
     backupCronSchedule: 0 1 * * *
     maintenanceWindow: ""
 postgres:
   install: false
 nginx:
   ingress:
     deploy: true
-initjob:
+datadog:
+  configuration:
+    apm: false
+    monitorPostgres: true
+    npm:
+      enabled: true
+      dnsstats: true
+config:
+  portalCertData: '-----BEGIN CERTIFICATE-----\nMIIF0DCCBLigAwIBAgIQAVQqsCg8OcOVGz9sD29ewTANBgkqhkiG9w0BAQsFADA8\nMQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRwwGgYDVQQDExNBbWF6b24g\nUlNBIDIwNDggTTAzMB4XDTI0MTIxNjAwMDAwMFoXDTI2MDExNDIzNTk1OVowHTEb\nMBkGA1UEAxMScG9ydGFsLmRhdGFmb2xkLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOC\nAQ8AMIIBCgKCAQEA49uvagYKuBZsXEmq+aPpBwWyw/j8Ke/oO/b1RPqtWjNuZfpd\n4MrjpT9oi1Aq9J29HCN2i7PSZHznaovCm362fEDWqLdfPoVMxicF1Q5qRDe7vvWo\nNZcA0PJckD7RRWB9yInGMxH8IoxbkJ+7qUdOGIreIs6u5c3EVa04wLTjrdiJSAQv\n5UG/qMRkw4YVcx82E6rDwiaft+iONLQwDhs2oPGF/HtteJ57e6Krpy2AymRuq1Oh\nJFPe5Ng2UIEN2ny7kb4uB4SC/Ia9EKvZllXJFKeJwRPWIKwofRCCbzUNHCyWka/J\nhr8Y/W8Q2RzE/spORH97X2uZ4D+3dMg/tH/r9wIDAQABo4IC6zCCAucwHwYDVR0j\nBBgwFoAUVdkYX9IczAHhWLS+q9lVQgHXLgIwHQYDVR0OBBYEFN8sZRehNoz13gJY\nP/kvtJobCGttMB0GA1UdEQQWMBSCEnBvcnRhbC5kYXRhZm9sZC5pbzATBgNVHSAE\nDDAKMAgGBmeBDAECATAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH\nAwEGCCsGAQUFBwMCMDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6Ly9jcmwucjJtMDMu\nYW1hem9udHJ1c3QuY29tL3IybTAzLmNybDB1BggrBgEFBQcBAQRpMGcwLQYIKwYB\nBQUHMAGGIWh0dHA6Ly9vY3NwLnIybTAzLmFtYXpvbnRydXN0LmNvbTA2BggrBgEF\nBQcwAoYqaHR0cDovL2NydC5yMm0wMy5hbWF6b250cnVzdC5jb20vcjJtMDMuY2Vy\nMAwGA1UdEwEB/wQCMAAwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB1AA5XlLzz\nrqk+MxssmQez95Dfm8I9cTIl3SGpJaxhxU4hAAABk8+aBkEAAAQDAEYwRAIgJ6Wz\nfFRMIaaKc9GLH1v/BP3JNosLoJtUj5qu7zOLThwCIEwR38uEvcFFix91UnTLs4U1\nUhYLn4SVligtuT9TDsCHAHcAZBHEbKQS7KeJHKICLgC8q08oB9QeNSer6v7VA8l9\nzfAAAAGTz5oGcQAABAMASDBGAiEAs/RTBqGcneECjfiUp4pjEixPo1QnmIMMK86c\n1PwD308CIQDXwFzCQEn+iTpJpSNOP1cXt88oxpuHSXaBIy3YVHXtDAB2AEmcm2ne\nHXzs/DbezYdkprhbrwqHgBnRVVL76esp3fjDAAABk8+aBogAAAQDAEcwRQIgb7vI\nAmTCYkx1kmafnndESNO+YkvPNKzrSpxXhJebVL4CIQCgNffwKFEODQSerrN0h7pf\nwNdL4U66YT4FBCu9OCT43DANBgkqhkiG9w0BAQsFAAOCAQEAHpWxAKJRIoNodVeb\ndhJ3pX3cESS4AjjJaKUR94pJPi0KRoJAFsveR+0fOicCyBsn30hfNl+07P7VEUU0\nP4KZquITE0WmTGoQvFPcrTrqMV5MX8uh0oS6UaBFlZmSBWvO4pX3+D5xJI3RWxrl\nICM49BwHFSWIy51zeiFtiohQ8t8IcQhPCScM+UYqoIOp7DxcLetNY6DDi6nU4UO6\nfy3DakMrCY3XFYuI2LFDGphoyif1HHzmtVysR+E6YBRadoeLikRgg3VNGM2il0GO\n0WO36x7DxrfnPeSRmIprJXXQD8f3ePLMcUzrdyVDdTgyDqKQ8F2UK70v61EdyVHP\nOqkgMw==\n-----END CERTIFICATE-----\n'
+worker:
+  resources:
+    limits:
+      memory: 8000Mi
+    requests:
+      memory: 8000Mi
+worker-catalog:
+  resources:
+    limits:
+      memory: 19000Mi
+    requests:
+      memory: 19000Mi
+worker-monitor:
   install: true
+  replicaCount: 1
+  worker:
+    queues: "alerts"
+    count: 10
+    memory: "2000000"
+  resources:
+    limits:
+      memory: 6Gi
+    requests:
+      memory: 6Gi
+worker-portal:
+  install: true
+storage-worker:
+  install: true
+  replicaCount: 1
+  worker:
+    tasks_ack_late: "true"
+  terminationGracePeriodSeconds: "18000"
+  resources:
+    limits:
+      memory: 5Gi
+    requests:
+      memory: 5Gi
+  storage:
+    dataSize: 100Gi

examples/deployment/application/versions.tf

@@ -12,7 +12,7 @@ terraform {
 }
 
 locals {
-  operator_version = "1.1.4"
-  helm_version     = "0.6.40"
+  operator_version = "1.2.8"
+  helm_version     = "0.6.83"
   crd_version      = "0.1.1"
 }

examples/deployment/infra/config.tf

@@ -4,18 +4,17 @@ resource "local_file" "infra_config" {
     "${path.module}/../templates/infra_settings.tpl",
     {
       aws_target_group_arn           = "",
-      clickhouse_access_key          = "",
-      clickhouse_secret_key          = "",
-      clickhouse_backup_sa           = "",
+      gcp_backup_account             = "",
       clickhouse_data_size           = local.clickhouse_data_size,
-      clickhouse_data_volume_id      = "",
+      clickhouse_data_volume_id      = module.azure[0].clickhouse_data_volume_id,
       clickhouse_gcs_bucket          = "",
       clickhouse_logs_size           = local.clickhouse_logs_size,
-      clickhouse_log_volume_id       = "",
+      clickhouse_log_volume_id       = module.azure[0].clickhouse_logs_volume_id,
       clickhouse_s3_bucket           = "",
       clickhouse_s3_region           = "",
+      clickhouse_s3_backup_role      = "",
+      clickhouse_azblob_client_id    = try(module.azure[0].service_account_configs[local.clickhouse_backup_sa].azure_identity.client_id, "")
       clickhouse_azblob_account_name = module.azure[0].azure_blob_account_name,
-      clickhouse_azblob_account_key  = module.azure[0].azure_blob_account_key,
       clickhouse_azblob_container    = module.azure[0].azure_blob_container,
       cloud_provider                 = module.azure[0].cloud_provider,
       cluster_name                   = module.azure[0].cluster_name,
@@ -29,9 +28,35 @@ resource "local_file" "infra_config" {
       postgres_server                = module.azure[0].postgres_host,
       postgres_user                  = module.azure[0].postgres_username,
       redis_data_size                = local.redis_data_size,
-      redis_data_volume_id           = "",
+      redis_data_volume_id           = module.azure[0].redis_data_volume_id,
       server_name                    = module.azure[0].domain_name,
       vpc_cidr                       = module.azure[0].vpc_cidr,
+
+      # service accounts vars
+      dfshell_role_arn                        = try(module.azure[0].dfshell_role_arn, "")
+      dfshell_service_account_name            = try(module.azure[0].dfshell_service_account_name, "datafold-dfshell")
+      worker_portal_role_arn                  = try(module.azure[0].worker_portal_role_arn, "")
+      worker_portal_service_account_name      = try(module.azure[0].worker_portal_service_account_name, "datafold-worker-portal")
+      operator_role_arn                       = try(module.azure[0].operator_role_arn, "")
+      operator_service_account_name           = try(module.azure[0].operator_service_account_name, "datafold-operator")
+      server_role_arn                         = try(module.azure[0].server_role_arn, "")
+      server_service_account_name             = try(module.azure[0].server_service_account_name, "datafold-server")
+      scheduler_role_arn                      = try(module.azure[0].scheduler_role_arn, "")
+      scheduler_service_account_name          = try(module.azure[0].scheduler_service_account_name, "datafold-scheduler")
+      worker_role_arn                         = try(module.azure[0].worker_role_arn, "")
+      worker_service_account_name             = try(module.azure[0].worker_service_account_name, "datafold-worker")
+      worker_catalog_role_arn                 = try(module.azure[0].worker_catalog_role_arn, "")
+      worker_catalog_service_account_name     = try(module.azure[0].worker_catalog_service_account_name, "datafold-worker-catalog")
+      worker_interactive_role_arn             = try(module.azure[0].worker_interactive_role_arn, "")
+      worker_interactive_service_account_name = try(module.azure[0].worker_interactive_service_account_name, "datafold-worker-interactive")
+      worker_singletons_role_arn              = try(module.azure[0].worker_singletons_role_arn, "")
+      worker_singletons_service_account_name  = try(module.azure[0].worker_singletons_service_account_name, "datafold-worker-singletons")
+      worker_lineage_role_arn                 = try(module.azure[0].worker_lineage_role_arn, "")
+      worker_lineage_service_account_name     = try(module.azure[0].worker_lineage_service_account_name, "datafold-worker-lineage")
+      worker_monitor_role_arn                 = try(module.azure[0].worker_monitor_role_arn, "")
+      worker_monitor_service_account_name     = try(module.azure[0].worker_monitor_service_account_name, "datafold-worker-monitor")
+      storage_worker_role_arn                 = try(module.azure[0].storage_worker_role_arn, "")
+      storage_worker_service_account_name     = try(module.azure[0].storage_worker_service_account_name, "datafold-storage-worker")
     }
   )
 

examples/deployment/infra/main.tf

@@ -7,8 +7,12 @@
 # ┣━┫┏━┛┃ ┃┣┳┛┣╸
 # ╹ ╹┗━╸┗━┛╹┗╸┗━╸
 
+locals {
+  storage_account_name = replace("${local.deployment_name}-storage", "-", "")
+}
+
 module "azure" {
-  source  = "datafold/datafold/aws"
+  source  = "datafold/datafold/azure"
   version = "1.0.0"
 
   providers = {
@@ -34,4 +38,30 @@ module "azure" {
 
   # Nodes
   node_pool_vm_size = "Standard_E8s_v3"
+
+  service_accounts = {
+    "${local.clickhouse_backup_sa}" = {
+      namespace             = local.deployment_name
+      create_azure_identity = true
+      identity_name         = local.clickhouse_backup_sa
+      role_assignments = [
+        {
+          role  = "Storage Blob Data Contributor"
+          scope = "/subscriptions/${local.azure_subscription_id}/resourceGroups/${local.resource_group_name}/providers/Microsoft.Storage/storageAccounts/${local.storage_account_name}"
+        }
+      ]
+    },
+  }
+
+  # Certificate note
+  # Example:
+  # [profile acme]
+  # role_arn = arn:aws:iam::1234567890:role/ACMERoute53CertificateChallenger
+  # source_profile = default
+  # region = us-west-2
+
+  acme_provider = "route53"
+  acme_config = {
+    AWS_PROFILE = "acme"
+  }
 }

examples/deployment/infra/versions.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "~>3.17"
+      version = "~>4.35.0"
     }
 
     tls = {

examples/deployment/locals.tf

@@ -13,6 +13,7 @@ locals {
   redis_data_size       = "10"
   postgres_port         = "5432"
   ssl_cert_name         = "ssl"
+  clickhouse_backup_sa  = "datafold-clickhouse"
 
   # Common tags to be assigned to all resources
   common_tags = {

examples/deployment/templates/cloud-init.txt

@@ -0,0 +1 @@
+ssh_authorized_keys: [ssh-rsa AAAA.... youruser@email.com, ssh-rsa AAAA... otheruser@email.com]

examples/deployment/templates/infra_settings.tpl

@@ -3,18 +3,16 @@ clickhouse:
     gcs_bucket: ${clickhouse_gcs_bucket}
     s3_bucket: ${clickhouse_s3_bucket}
     s3_region: ${clickhouse_s3_region}
+    s3_backup_role: ${clickhouse_s3_backup_role}
+    gcp_backup_account: ${gcp_backup_account}
+    azblob_backup_client_id: ${clickhouse_azblob_client_id}
     azblob_account_name: ${clickhouse_azblob_account_name}
     azblob_container: ${clickhouse_azblob_container}
   storage:
     dataSize: ${clickhouse_data_size}
     dataVolumeId: ${clickhouse_data_volume_id}
     logSize: ${clickhouse_logs_size}
     logVolumeId: ${clickhouse_log_volume_id}
-  secrets:
-    access_key: ${clickhouse_access_key}
-    secret_key: ${clickhouse_secret_key}
-    clickhouse_backup_sa: ${clickhouse_backup_sa}
-    azblob_account_key: ${clickhouse_azblob_account_key}
 
 redis:
   storage:
@@ -47,3 +45,73 @@ secrets:
     password: ${postgres_password}
     port: ${postgres_port}
     user: ${postgres_user}
+
+dfshell:
+  serviceAccount:
+    name: ${dfshell_service_account_name}
+    roleArn: ${dfshell_role_arn}
+
+worker-portal:
+  serviceAccount:
+    name: ${worker_portal_service_account_name}
+    roleArn: ${worker_portal_role_arn}
+
+operator:
+  serviceAccount:
+    name: ${operator_service_account_name}
+    roleArn: ${operator_role_arn}
+
+server:
+  serviceAccount:
+    name: ${server_service_account_name}
+    roleArn: ${server_role_arn}
+
+scheduler:
+  serviceAccount:
+    name: ${scheduler_service_account_name}
+    roleArn: ${scheduler_role_arn}
+
+worker:
+  serviceAccount:
+    name: ${worker_service_account_name}
+    roleArn: ${worker_role_arn}
+
+worker2:
+  serviceAccount:
+    name: ${worker_service_account_name}
+    roleArn: ${worker_role_arn}
+
+worker3:
+  serviceAccount:
+    name: ${worker_service_account_name}
+    roleArn: ${worker_role_arn}
+
+worker-catalog:
+  serviceAccount:
+    name: ${worker_catalog_service_account_name}
+    roleArn: ${worker_catalog_role_arn}
+
+worker-interactive:
+  serviceAccount:
+    name: ${worker_interactive_service_account_name}
+    roleArn: ${worker_interactive_role_arn}
+
+worker-singletons:
+  serviceAccount:
+    name: ${worker_singletons_service_account_name}
+    roleArn: ${worker_singletons_role_arn}
+
+worker-lineage:
+  serviceAccount:
+    name: ${worker_lineage_service_account_name}
+    roleArn: ${worker_lineage_role_arn}
+
+worker-monitor:
+  serviceAccount:
+    name: ${worker_monitor_service_account_name}
+    roleArn: ${worker_monitor_role_arn}
+
+storage-worker:
+  serviceAccount:
+    name: ${storage_worker_service_account_name}
+    roleArn: ${storage_worker_role_arn}