Merge branch 'release' into policy-serving

openinfradev · Nov 14, 2023 · 427d82e · 427d82e
2 parents 1b92aa7 + 3752985
commit 427d82e
Show file tree

Hide file tree

Showing 13 changed files with 399 additions and 337 deletions.
diff --git a/cloud-accounts/aws-multi-tenancy-iam-resources.yaml b/cloud-accounts/aws-multi-tenancy-iam-resources.yaml
@@ -48,11 +48,13 @@ spec:
               disable: false
               extraPolicyAttachments:
               - \"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy\"
+              - \"arn:aws:iam::aws:policy/AmazonS3FullAccess\"
             fargate:
               disable: true
           nodes:
              extraPolicyAttachments:
              - \"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy\"
+             - \"arn:aws:iam::aws:policy/AmazonS3FullAccess\"
           clusterAPIControllers:
             disabled: false
             trustStatements:

diff --git a/deploy_apps/tks-lma-federation-wftpl.yaml b/deploy_apps/tks-lma-federation-wftpl.yaml
@@ -77,7 +77,8 @@ spec:
         when: >-
             ( {{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} == ''
             ) || (
-            {{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} == {{workflow.parameters.cluster_id}} )
+            {{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} == '{{workflow.parameters.cluster_id}}' )
+
 
     - - name: organization-level-update
         templateRef:
@@ -89,10 +90,10 @@ spec:
             value: '{{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}}'
           - name: member_clusters
             value: '{{workflow.parameters.cluster_id}}'
-        when: "{{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} != '' && {{workflow.parameters.cluster_id}} != {{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}}"
+        when: ( {{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} != '' ) && ( '{{workflow.parameters.cluster_id}}' != {{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} )
 
-    - - name: determine-if-a-mananged-cluster
-        template: determineIfaManagedCluster
+    - - name: is-accessable-to-etcd
+        template: isAccessableEtcd
         arguments:
           parameters:
           - name: cluster_id
@@ -105,7 +106,7 @@ spec:
         arguments:
           parameters:
           - name: is_mananged_cluster
-            value: "{{steps.determine-if-a-mananged-cluster.outputs.parameters.managed_cluster}}"
+            value: "{{steps.is-accessable-to-etcd.outputs.parameters.managed_cluster}}"
 
     - - name: update-eps-for-thanos
         templateRef:
@@ -155,16 +156,15 @@ spec:
           - name: app_type
             value: GRAFANA
 
-    - - name: render-auth-oidc-grafana
+    - - name: wait-for-rendering-to-finish
         templateRef:
-          name: event-gitea-render-manifests
+          name: wait-for-rendering-to-finish
           template: main
         arguments:
           parameters:
-          - name: decapod_site_repo
-            value: "{{workflow.parameters.github_account}}/{{workflow.parameters.cluster_id}}"
-          - name: base_repo_branch
-            value: "{{ workflow.parameters.base_repo_branch }}"
+          - name: cluster_id
+            value: "{{ workflow.parameters.github_account }}/{{workflow.parameters.cluster_id}}"
+        when: "{{steps.update-auth-oidc-grafana.outputs.parameters.is_changed}} == YES"
 
     - - name: garafana-sync-wait
         templateRef:
@@ -223,7 +223,7 @@ spec:
     retryStrategy:
       limit: 2
 
-  - name: determineIfaManagedCluster
+  - name: isAccessableEtcd
     inputs:
       parameters:
         - name: cluster_id
@@ -235,27 +235,23 @@ spec:
         - '-exc'
         - |
           cp /kube/value kubeconfig_adm
-          export KUBECONFIG=kubeconfig_adm
-
-          # check whether this workload cluster is managed or not
-          kcp_count=$(kubectl get kcp -n $CLUSTER_ID $CLUSTER_ID | grep -v NAME | wc -l)
-          awsmcp_count=$(kubectl get awsmcp -n $CLUSTER_ID $CLUSTER_ID | grep -v NAME | wc -l)
+          kube_secret=$(kubectl --kubeconfig=kubeconfig_adm get secret -n ${cluster_id} ${cluster_id}-tks-kubeconfig -o jsonpath="{.data.value}" | base64 -d)
+          cat <<< "$kube_secret" > kubeconfig
 
-          if [ $kcp_count = 1 ]; then
+          # check whether this workload cluster have control-plane
+          if [ $(kubectl --kubeconfig=kubeconfig get no | grep control-plane | wc -l) -gt 0 ]; then
             echo false | tee /mnt/out/managed_cluster.txt
-          elif [ $awsmcp_count = 1 ]; then
-            echo true | tee /mnt/out/managed_cluster.txt
           else
-            echo "Wrong Cluster type!"
-            exit 1
+            echo true | tee /mnt/out/managed_cluster.txt
           fi
+
       volumeMounts:
       - name: kubeconfig-adm
         mountPath: "/kube"
       - name: out
         mountPath: /mnt/out
       env:
-      - name: CLUSTER_ID
+      - name: cluster_id
         value: "{{ inputs.parameters.cluster_id }}"
     volumes:
       - name: out
@@ -320,7 +316,7 @@ spec:
           grafana_ep_secret=${kubectl get secret -n ${cluster_id} tks-endpoint-secret -o jsonpath='{.data.grafana}'| base64 -d }
           if [ grafana_ep_secret == "" ]; then
             while [ -z $(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath="{.status.loadBalancer.ingress[*].hostname}") ]; do
-              if [ "$(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath='{.spec.type}')" != "LoadBalancer" ]; then
+              if [[ "$(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath='{.spec.type}')" != "LoadBalancer" ]]; then
                 log "FAIL" "A service for the grafana in ${cluster_id} is not configured properly.(No LoadBalancer)"
                 exit -1
               fi
@@ -421,20 +417,35 @@ spec:
           yq -i e  ".global.grafanaClientSecret=\"${keycloak_client_secret}\"" ${cluster_id}/lma/site-values.yaml
           yq -i e  ".global.consoleUrl=\"${console_url}\"" ${cluster_id}/lma/site-values.yaml
 
-          git config --global user.name "tks"
-          git config --global user.email "tks@sktelecom.com"
+          if [[ `git status --porcelain` ]]; then
+            git config --global user.name "tks"
+            git config --global user.email "tks@sktelecom.com"
 
-          log "INFO" "##### commit changes grafana domain and root_url on ${cluster_id} to ${grafana_endpoint} and ${grafana_endpoint}/grafana"
-          cmessage="changes grafana domain and root_url on ${cluster_id} to ${grafana_endpoint} and ${grafana_endpoint}/grafana"
-          git add ${cluster_id}/lma/site-values.yaml
-          git commit -m "change values on grafana.ini.server." -m "$cmessage"
-          git push
+            log "INFO" "##### commit changes grafana domain and root_url on ${cluster_id} to ${grafana_endpoint} and ${grafana_endpoint}/grafana"
+            cmessage="changes grafana domain and root_url on ${cluster_id} to ${grafana_endpoint} and ${grafana_endpoint}/grafana"
+            git add ${cluster_id}/lma/site-values.yaml
+            git commit -m "change values on grafana.ini.server." -m "$cmessage"
+            git push
+            echo "YES" > /mnt/out/changed.txt
+          fi
 
       envFrom:
         - secretRef:
             name: "git-svc-token"
         - secretRef:
             name: "tks-api-secret"
+      volumeMounts:
+      - name: out
+        mountPath: /mnt/out
+    volumes:
+    - name: out
+      emptyDir: {}
+    outputs:
+      parameters:
+      - name: is_changed
+        valueFrom:
+          path: /mnt/out/changed.txt
+          default: "NO"
 
   - name: grafana-restart
     inputs: