Fix nexus bootstrapping key server error #2811
Conversation
/test
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3377931442 (with refid (in response to this comment from @jjgriff93)
I think this looks great and is a really low-impact way of solving the problem - but @marrobi should probably be the one to hit the approve button
/test
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3386906730 (with refid (in response to this comment from @jjgriff93)
LGTM - can you add an issue referencing this as a case for needing to be able to handle pre steps prior to terraform having run. So using inputs, rather than outputs?
Looks like I need to close this and open a new one due to a transient error and now conflicts in the test environment ><
/test-destroy-env
Destroying branch test environment (RG: rg-tre0b9cc865)... (run: https://github.com/microsoft/AzureTRE/actions/runs/3387796079)
Branch test environment destroy complete (RG: rg-tre0b9cc865)
Destroying PR test environment (RG: rg-tred32dd48a)... (run: https://github.com/microsoft/AzureTRE/actions/runs/3387796079)
PR test environment destroy complete (RG: rg-tred32dd48a)
Resolves #2785
What is being addressed
Due to the introduction of template pipelines and changing the firewall rule addition/removal step to occur outside the main bundle's Terraform, a race condition was introduced where the Nexus bundle was being deployed and then the firewall rules (that it relied on to connect to the Ubuntu key server, packages.microsoft.com and docker.com) were being applied afterwards in the pipeline. As the Nexus cloud bootstrapping starts up, this firewall step wasn't always completed in time for it to work, causing regular failures.
How is this addressed
I tried swapping the order so that the firewall pipeline step happens first; however, it depends on outputs from the main bundle Terraform. After experimenting with a few workarounds, the cleanest solution seems to be whitelisting the key server, Microsoft packages and Docker FQDNs in the main shared-subnet FQDN exceptions as part of the firewall bundle, as these will be whitelisted anyway as per the Nexus bundle and are core trusted repositories already whitelisted by the resource processor.