WIP: Create GCP Bucket and signed url

** Create an ignition shim and use this for metadata. ** Add proxy information to the shim.
openshift · Feb 22, 2024 · e05d961 · e05d961
1 parent 76eb223
commit e05d961
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 56 deletions.
diff --git a/data/data/gcp/bootstrap/main.tf b/data/data/gcp/bootstrap/main.tf
@@ -11,50 +11,50 @@ provider "google" {
   region      = var.gcp_region
 }
 
-resource "google_storage_bucket" "ignition" {
-  name                        = "${var.cluster_id}-bootstrap-ignition"
-  location                    = var.gcp_region
-  uniform_bucket_level_access = true
-  labels                      = var.gcp_extra_labels
-}
-
-resource "google_storage_bucket_object" "ignition" {
-  bucket  = google_storage_bucket.ignition.name
-  name    = "bootstrap.ign"
-  content = var.ignition_bootstrap
-}
-
-resource "google_service_account" "bootstrap-node-sa" {
-  count        = var.gcp_create_bootstrap_sa ? 1 : 0
-  account_id   = "${var.cluster_id}-b"
-  display_name = "${var.cluster_id}-bootstrap-node"
-  description  = local.description
-}
-
-resource "google_service_account_key" "bootstrap" {
-  count              = var.gcp_create_bootstrap_sa ? 1 : 0
-  service_account_id = google_service_account.bootstrap-node-sa[0].name
-}
-
-resource "google_project_iam_member" "bootstrap-storage-admin" {
-  count   = var.gcp_create_bootstrap_sa ? 1 : 0
-  project = var.gcp_project_id
-  role    = "roles/storage.admin"
-  member  = "serviceAccount:${google_service_account.bootstrap-node-sa[0].email}"
-}
-
-data "google_storage_object_signed_url" "ignition_url" {
-  bucket      = google_storage_bucket.ignition.name
-  path        = "bootstrap.ign"
-  duration    = "1h"
-  credentials = var.gcp_create_bootstrap_sa ? base64decode(google_service_account_key.bootstrap[0].private_key) : null
-}
-
-data "ignition_config" "redirect" {
-  replace {
-    source = data.google_storage_object_signed_url.ignition_url.signed_url
-  }
-}
+# resource "google_storage_bucket" "ignition" {
+#   name                        = "${var.cluster_id}-bootstrap-ignition"
+#   location                    = var.gcp_region
+#   uniform_bucket_level_access = true
+#   labels                      = var.gcp_extra_labels
+# }
+
+# resource "google_storage_bucket_object" "ignition" {
+#   bucket  = google_storage_bucket.ignition.name
+#   name    = "bootstrap.ign"
+#   content = var.ignition_bootstrap
+# }
+
+# resource "google_service_account" "bootstrap-node-sa" {
+#   count        = var.gcp_create_bootstrap_sa ? 1 : 0
+#   account_id   = "${var.cluster_id}-b"
+#   display_name = "${var.cluster_id}-bootstrap-node"
+#   description  = local.description
+# }
+#
+# resource "google_service_account_key" "bootstrap" {
+#   count              = var.gcp_create_bootstrap_sa ? 1 : 0
+#   service_account_id = google_service_account.bootstrap-node-sa[0].name
+# }
+
+# resource "google_project_iam_member" "bootstrap-storage-admin" {
+#   count   = var.gcp_create_bootstrap_sa ? 1 : 0
+#   project = var.gcp_project_id
+#   role    = "roles/storage.admin"
+#   member  = "serviceAccount:${google_service_account.bootstrap-node-sa[0].email}"
+# }
+#
+# data "google_storage_object_signed_url" "ignition_url" {
+#   bucket      = google_storage_bucket.ignition.name
+#   path        = "bootstrap.ign"
+#   duration    = "1h"
+#   credentials = var.gcp_create_bootstrap_sa ? base64decode(google_service_account_key.bootstrap[0].private_key) : null
+# }
+#
+# data "ignition_config" "redirect" {
+#   replace {
+#     source = data.google_storage_object_signed_url.ignition_url.signed_url
+#   }
+# }
 
 resource "google_compute_address" "bootstrap" {
   name        = "${var.cluster_id}-bootstrap-ip"
@@ -131,7 +131,8 @@ resource "google_compute_instance" "bootstrap" {
   }
 
   metadata = {
-    user-data = data.ignition_config.redirect.rendered
+#     user-data = data.ignition_config.redirect.rendered
+    user-data = var.gcp_ignition_shim
   }
 
   tags = ["${var.cluster_id}-master", "${var.cluster_id}-bootstrap"]

diff --git a/data/data/gcp/variables-gcp.tf b/data/data/gcp/variables-gcp.tf
@@ -165,4 +165,10 @@ variable "gcp_user_provisioned_dns" {
   description = <<EOF
 When true the user has selected to configure their own dns solution, and no dns records will be created.
 EOF
+}
+
+variable "gcp_ignition_shim" {
+  type = string
+  description = "Ignition stub containing the signed url that points to the bucket containing the ignition data."
+  default = ""
 }
diff --git a/pkg/asset/cluster/tfvars/tfvars.go b/pkg/asset/cluster/tfvars/tfvars.go
@@ -42,6 +42,7 @@ import (
 	"github.com/openshift/installer/pkg/asset/manifests"
 	"github.com/openshift/installer/pkg/asset/openshiftinstall"
 	"github.com/openshift/installer/pkg/asset/rhcos"
+	"github.com/openshift/installer/pkg/infrastructure/gcp/clusterapi"
 	rhcospkg "github.com/openshift/installer/pkg/rhcos"
 	"github.com/openshift/installer/pkg/tfvars"
 	awstfvars "github.com/openshift/installer/pkg/tfvars/aws"
@@ -514,6 +515,23 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 			}
 		}
 
+		ctx, cancel := context.WithTimeout(context.TODO(), 60*time.Second)
+		defer cancel()
+
+		bootstrapIgnURL, err := clusterapi.ProvisionBootstrapStorage(ctx, installConfig, clusterID.InfraID)
+		if err != nil {
+			return fmt.Errorf("failed to provision gcp bootstrap storage resources: %w", err)
+		}
+
+		if err := clusterapi.FillBucket(ctx, clusterID.InfraID, bootstrapIgn); err != nil {
+			return fmt.Errorf("failed to fill bootstrap ignition bucket: %w", err)
+		}
+
+		shim, err := bootstrap.GenerateIgnitionShimWithCertBundleAndProxy(bootstrapIgnURL, installConfig.Config.AdditionalTrustBundle, installConfig.Config.Proxy)
+		if err != nil {
+			return fmt.Errorf("failed to create gcp ignition shim: %w", err)
+		}
+
 		archName := coreosarch.RpmArch(string(installConfig.Config.ControlPlane.Architecture))
 		st, err := rhcospkg.FetchCoreOSBuild(ctx)
 		if err != nil {
@@ -541,6 +559,7 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 				PublishStrategy:     installConfig.Config.Publish,
 				InfrastructureName:  clusterID.InfraID,
 				UserProvisionedDNS:  installConfig.Config.GCP.UserProvisionedDNS == gcp.UserProvisionedDNSEnabled,
+				IgnitionShim:        string(shim),
 			},
 		)
 		if err != nil {

diff --git a/pkg/terraform/stages/gcp/stages.go b/pkg/terraform/stages/gcp/stages.go
@@ -1,17 +1,17 @@
 package gcp
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
-	"os"
-
 	igntypes "github.com/coreos/ignition/v2/config/v3_2/types"
 	"github.com/hashicorp/terraform-exec/tfexec"
 	"github.com/pkg/errors"
 
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/ignition"
 	"github.com/openshift/installer/pkg/asset/lbconfig"
+	"github.com/openshift/installer/pkg/infrastructure/gcp/clusterapi"
 	"github.com/openshift/installer/pkg/terraform"
 	"github.com/openshift/installer/pkg/terraform/providers"
 	"github.com/openshift/installer/pkg/terraform/stages"
@@ -118,20 +118,28 @@ func extractGCPLBConfig(s stages.SplitStage, directory string, terraformDir stri
 		return "", err
 	}
 
+	clusterID, ok := tfvarData["cluster_id"]
+	if !ok {
+		return "", fmt.Errorf("failed to read cluster id from tfvars")
+	}
+	if err := clusterapi.FillBucket(context.Background(), clusterID.(string), string(ignitionOutput)); err != nil {
+		return "", fmt.Errorf("failed to fill gcp bucket with updated boostrap ignition contents: %w", err)
+	}
+
 	// Update the ignition bootstrap variable to include the lbconfig.
-	tfvarData["ignition_bootstrap"] = string(ignitionOutput)
+	//tfvarData["ignition_bootstrap"] = string(ignitionOutput)
 
 	// Convert the bootstrap data and write the data back to a file. This will overwrite the original tfvars file.
-	jsonBootstrap, err := json.Marshal(tfvarData)
-	if err != nil {
-		return "", fmt.Errorf("failed to convert bootstrap ignition to bytes: %w", err)
-	}
-	tfvarsFile.Data = jsonBootstrap
+	//jsonBootstrap, err := json.Marshal(tfvarData)
+	//if err != nil {
+	//	return "", fmt.Errorf("failed to convert bootstrap ignition to bytes: %w", err)
+	//}
+	//tfvarsFile.Data = jsonBootstrap
 
 	// update the value on disk to match
-	if err := os.WriteFile(fmt.Sprintf("%s/%s", directory, tfvarsFile.Filename), jsonBootstrap, 0o600); err != nil {
-		return "", fmt.Errorf("failed to rewrite %s: %w", tfvarsFile.Filename, err)
-	}
+	//if err := os.WriteFile(fmt.Sprintf("%s/%s", directory, tfvarsFile.Filename), jsonBootstrap, 0o600); err != nil {
+	//	return "", fmt.Errorf("failed to rewrite %s: %w", tfvarsFile.Filename, err)
+	//}
 
 	return "", nil
 }
diff --git a/pkg/tfvars/gcp/gcp.go b/pkg/tfvars/gcp/gcp.go
@@ -51,6 +51,7 @@ type config struct {
 	EnableConfidentialCompute string            `json:"gcp_master_confidential_compute,omitempty"`
 	ExtraLabels               map[string]string `json:"gcp_extra_labels,omitempty"`
 	UserProvisionedDNS        bool              `json:"gcp_user_provisioned_dns,omitempty"`
+	IgnitionShim              string            `json:"gcp_ignition_shim,omitempty"`
 }
 
 // TFVarsSources contains the parameters to be converted into Terraform variables
@@ -65,6 +66,7 @@ type TFVarsSources struct {
 	PreexistingNetwork  bool
 	InfrastructureName  string
 	UserProvisionedDNS  bool
+	IgnitionShim        string
 }
 
 // TFVars generates gcp-specific Terraform variables launching the cluster.
@@ -106,6 +108,7 @@ func TFVars(sources TFVarsSources) ([]byte, error) {
 		OnHostMaintenance:         string(masterConfig.OnHostMaintenance),
 		ExtraLabels:               labels,
 		UserProvisionedDNS:        sources.UserProvisionedDNS,
+		IgnitionShim:              sources.IgnitionShim,
 	}
 
 	if masterConfig.Disks[0].EncryptionKey != nil {