rivet-dev · NathanFlurry · Apr 13, 2024
diff --git a/infra/tf/dns/dns.tf b/infra/tf/dns/dns.tf
@@ -46,6 +46,14 @@ locals {
 	])
 }
 
+locals {
+	main_record = var.ngrok_domain != null ? { type = "CNAME", value = var.ngrok_domain.api } : (
+		var.deploy_method_local
+			? { type = "A", value = data.terraform_remote_state.k8s_infra.outputs.traefik_external_ip }
+			: { type = "CNAME", value = data.terraform_remote_state.k8s_infra.outputs.traefik_external_ip }
+		)
+}
+
 resource "cloudflare_record" "main" {
 	for_each = {
 		for record in local.records:
@@ -55,8 +63,8 @@ resource "cloudflare_record" "main" {
 	zone_id = each.value.zone_id
 	name = each.value.name
     # Use local node's public IP if in local region
-	value = data.terraform_remote_state.k8s_infra.outputs.traefik_external_ip
-	type = var.deploy_method_local ? "A" : "CNAME"
+	value = local.main_record.value
+	type = local.main_record.type
 	# TODO: Increase the unproxied TTL once we have proper floating IP support on all providers
 	ttl = each.value.proxied ? 1 : 60  # 1 = automatic
 	proxied = each.value.proxied

diff --git a/infra/tf/dns/vars.tf b/infra/tf/dns/vars.tf
@@ -41,6 +41,14 @@ variable "extra_dns" {
 	}))
 }
 
+# MARK: Ngrok
+variable "ngrok_domain" {
+	type = object({
+	  api = string
+	})
+	nullable = true
+}
+
 # MARK: Cloudflare
 variable "cloudflare_account_id" {
 	type = string

diff --git a/infra/tf/k8s_infra/main.tf b/infra/tf/k8s_infra/main.tf
@@ -9,7 +9,7 @@ terraform {
 }
 
 locals {
-	entrypoints = var.tls_enabled ? {
+	entrypoints = var.dns_enabled ? {
 		"web" = {}
 		"websecure" = {
 			tls = {

diff --git a/infra/tf/k8s_infra/vars.tf b/infra/tf/k8s_infra/vars.tf
@@ -13,6 +13,10 @@ variable "public_ip" {
 }
 
 # MARK: DNS
+variable "dns_enabled" {
+	type = bool
+}
+
 variable "domain_main" {
 	type = string
 }
@@ -34,10 +38,6 @@ variable "dns_deprecated_subdomains" {
 	type = bool
 }
 
-variable "tls_enabled" {
-	type = bool
-}
-
 variable "minio_port" {
 	type = string
 	nullable = true

diff --git a/infra/tf/ngrok/main.tf b/infra/tf/ngrok/main.tf
@@ -0,0 +1,72 @@
+terraform {
+    required_providers {
+        ngrok = {
+            source = "ngrok/ngrok"
+            version = "0.2.0"
+        }
+        docker = {
+            source = "kreuzwerker/docker"
+            version = "3.0.2"
+        }
+    }
+}
+
+module "secrets" {
+	source = "../modules/secrets"
+
+	keys = [
+		"ngrok/api_key",
+		"ngrok/auth_token",
+	]
+}
+
+resource "ngrok_reserved_addr" "tunnel" {
+    description = "Rivet ${var.namespace} Tunnel"
+    region = var.ngrok_region
+}
+
+resource "local_file" "ngrok_config_file" {
+    filename = "/etc/rivet/ngrok.yaml"
+    content = yamlencode({
+        version = 2
+        authtoken  = module.secrets.values["ngrok/auth_token"]
+        tunnels = merge(
+            {
+                api = {
+                    proto = "http"
+                    addr = var.api_http_port
+                    domain = var.ngrok_domain.api
+                }
+                tunnel = {
+                    proto = "tcp"
+                    addr = var.tunnel_port
+                    remote_addr = ngrok_reserved_addr.tunnel.addr
+                }
+            },
+            var.minio_port != null ? {
+                minio = {
+                    proto = "http"
+                    addr = var.minio_port
+                    domain = var.ngrok_domain.minio
+                }
+            } : {}
+        )
+    })
+}
+
+resource "docker_container" "ngrok" {
+    name = "rivet-ngrok"
+    image = "ngrok/ngrok:latest"
+    restart = "unless-stopped"
+    network_mode = "host"
+    command = [
+        "start",
+        "--all",
+        "--config",
+        "/etc/ngrok.yaml"
+    ]
+    volumes {
+        container_path = "/etc/ngrok.yaml"
+        host_path = local_file.ngrok_config_file.filename
+    }
+}
diff --git a/infra/tf/ngrok/output.tf b/infra/tf/ngrok/output.tf
@@ -0,0 +1,3 @@
+output "tunnel_reserved_addr" {
+    value = ngrok_reserved_addr.tunnel.addr
+}
diff --git a/infra/tf/ngrok/providers.tf b/infra/tf/ngrok/providers.tf
@@ -0,0 +1,3 @@
+provider "ngrok" {
+    api_key = module.secrets.values["ngrok/api_key"]
+}
diff --git a/infra/tf/ngrok/vars.tf b/infra/tf/ngrok/vars.tf
@@ -0,0 +1,27 @@
+variable "namespace" {
+    type = string
+}
+
+variable "ngrok_region" {
+    type = string
+    default = "us"
+}
+
+variable "ngrok_domain" {
+    type = object({
+        api = string
+        minio = string
+    })
+}
+
+variable "api_http_port" {
+    type = number
+}
+
+variable "tunnel_port" {
+    type = number
+}
+
+variable "minio_port" {
+    type = number
+}
diff --git a/infra/tf/tls/acme.tf b/infra/tf/tls/acme.tf
@@ -1,17 +1,23 @@
 # MARK: Private key
 resource "tls_private_key" "acme_account_key" {
+	count = var.dns_enabled ? 1 : 0
+
 	algorithm = "RSA"
 }
 
 # MARK: Registration
 resource "acme_registration" "main" {
-	account_key_pem = tls_private_key.acme_account_key.private_key_pem
+	count = var.dns_enabled ? 1 : 0
+
+	account_key_pem = tls_private_key.acme_account_key[0].private_key_pem
 	email_address = "letsencrypt@rivet.gg"
 }
 
 # MARK: Certificates
 resource "acme_certificate" "rivet_gg" {
-	account_key_pem = acme_registration.main.account_key_pem
+	count = var.dns_enabled ? 1 : 0
+
+	account_key_pem = acme_registration.main[0].account_key_pem
 	common_name = var.domain_main
 	subject_alternative_names = flatten([
 		"*.${var.domain_main}",
@@ -41,7 +47,9 @@ resource "acme_certificate" "rivet_gg" {
 }
 
 resource "acme_certificate" "rivet_game" {
-	account_key_pem = acme_registration.main.account_key_pem
+	count = var.dns_enabled ? 1 : 0
+
+	account_key_pem = acme_registration.main[0].account_key_pem
 	common_name = var.domain_cdn
 	subject_alternative_names = ["*.${var.domain_cdn}"]
 
@@ -63,7 +71,9 @@ resource "acme_certificate" "rivet_game" {
 }
 
 resource "acme_certificate" "rivet_job" {
-	account_key_pem = acme_registration.main.account_key_pem
+	count = var.dns_enabled ? 1 : 0
+
+	account_key_pem = acme_registration.main[0].account_key_pem
 	common_name = var.domain_job
 	subject_alternative_names = flatten([
 		# Add dedicated subdomains for each region

diff --git a/infra/tf/tls/cloudflare.tf b/infra/tf/tls/cloudflare.tf
@@ -43,11 +43,15 @@ locals {
 # MARK: Cloudflare origin cert (rivet.gg)
 # See https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull#zone-level--cloudflare-certificate
 resource "tls_private_key" "cf_origin_rivet_gg" {
+	count = var.dns_enabled ? 1 : 0
+
 	algorithm = "RSA"
 }
 
 resource "tls_cert_request" "cf_origin_rivet_gg" {
-	private_key_pem = tls_private_key.cf_origin_rivet_gg.private_key_pem
+	count = var.dns_enabled ? 1 : 0
+
+	private_key_pem = tls_private_key.cf_origin_rivet_gg[0].private_key_pem
 
 	subject {
 		common_name  = ""
@@ -56,7 +60,9 @@ resource "tls_cert_request" "cf_origin_rivet_gg" {
 }
 
 resource "cloudflare_origin_ca_certificate" "rivet_gg" {
-	csr = tls_cert_request.cf_origin_rivet_gg.cert_request_pem
+	count = var.dns_enabled ? 1 : 0
+
+	csr = tls_cert_request.cf_origin_rivet_gg[0].cert_request_pem
 	hostnames = ["*.${var.domain_main}", "${var.domain_main}", "*.api.${var.domain_main}", "api.${var.domain_main}"]
 	request_type = "origin-rsa"
 	requested_validity = 15 * 365
@@ -65,10 +71,14 @@ resource "cloudflare_origin_ca_certificate" "rivet_gg" {
 
 # Must be created in every namespace it is used in
 resource "kubernetes_secret" "ingress_tls_cert" {
-	for_each = toset(flatten([
-		["traefik", "imagor", "rivet-service"],
-		local.has_minio ? ["minio"] : []
-	]))
+	for_each = toset(
+		var.dns_enabled
+			?  flatten([
+				["traefik", "imagor", "rivet-service"],
+				local.has_minio ? ["minio"] : []
+			])
+			: []
+	)
 
 	metadata {
 		name = "ingress-tls-cloudflare-cert"
@@ -78,13 +88,13 @@ resource "kubernetes_secret" "ingress_tls_cert" {
 	type = "kubernetes.io/tls"
 
 	data = {
-		"tls.crt" = cloudflare_origin_ca_certificate.rivet_gg.certificate
-		"tls.key" = tls_private_key.cf_origin_rivet_gg.private_key_pem
+		"tls.crt" = cloudflare_origin_ca_certificate.rivet_gg[0].certificate
+		"tls.key" = tls_private_key.cf_origin_rivet_gg[0].private_key_pem
 	}
 }
 
 resource "kubernetes_secret" "ingress_tls_ca_cert" {
-	for_each = toset(["traefik", "imagor", "rivet-service"])
+	for_each = toset(var.dns_enabled ? [ "imagor", "rivet-service"] : [])
 
 	metadata {
 		name = "ingress-tls-cloudflare-ca-cert"

diff --git a/infra/tf/tls/main.tf b/infra/tf/tls/main.tf
@@ -19,6 +19,7 @@ terraform {
 
 module "secrets" {
     source = "../modules/secrets"
+	optional = true
 
     keys = [
         "cloudflare/terraform/auth_token",

diff --git a/infra/tf/tls/outputs.tf b/infra/tf/tls/outputs.tf
@@ -1,24 +1,24 @@
 locals {
-	tls_cert_letsencrypt_rivet_gg = {
+	tls_cert_letsencrypt_rivet_gg = var.dns_enabled ? {
 		# Build full chain by concatenating the certificate with issuer.
 		#
 		# See
 		# https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/certificate#certificate_pem
-		cert_pem = "${acme_certificate.rivet_gg.certificate_pem}${acme_certificate.rivet_gg.issuer_pem}"
-		key_pem = acme_certificate.rivet_gg.private_key_pem
-	}
+		cert_pem = "${acme_certificate.rivet_gg[0].certificate_pem}${acme_certificate.rivet_gg[0].issuer_pem}"
+		key_pem = acme_certificate.rivet_gg[0].private_key_pem
+	} : null
 
-	tls_cert_letsencrypt_rivet_game = {
+	tls_cert_letsencrypt_rivet_game = var.dns_enabled ? {
 		# See above
-		cert_pem = "${acme_certificate.rivet_game.certificate_pem}${acme_certificate.rivet_game.issuer_pem}"
-		key_pem = acme_certificate.rivet_game.private_key_pem
-	}
+		cert_pem = "${acme_certificate.rivet_game[0].certificate_pem}${acme_certificate.rivet_game[0].issuer_pem}"
+		key_pem = acme_certificate.rivet_game[0].private_key_pem
+	} : null
 
-	tls_cert_letsencrypt_rivet_job = {
+	tls_cert_letsencrypt_rivet_job = var.dns_enabled ? {
 		# See above
-		cert_pem = "${acme_certificate.rivet_job.certificate_pem}${acme_certificate.rivet_job.issuer_pem}"
-		key_pem = acme_certificate.rivet_job.private_key_pem
-	}
+		cert_pem = "${acme_certificate.rivet_job[0].certificate_pem}${acme_certificate.rivet_job[0].issuer_pem}"
+		key_pem = acme_certificate.rivet_job[0].private_key_pem
+	} : null
 
 	tls_cert_locally_signed_tunnel_server = {
 		cert_pem = tls_locally_signed_cert.locally_signed_tunnel_server.cert_pem

diff --git a/infra/tf/tls/providers.tf b/infra/tf/tls/providers.tf
@@ -1,5 +1,6 @@
 provider "cloudflare" {
-	api_token = module.secrets.values["cloudflare/terraform/auth_token"]
+	# Provide placeholder token if Cloudflare enabled
+	api_token = var.dns_enabled ? module.secrets.values["cloudflare/terraform/auth_token"] : "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
 }
 
 provider "acme" {

diff --git a/infra/tf/tls/vars.tf b/infra/tf/tls/vars.tf
@@ -3,16 +3,23 @@ variable "namespace" {
 }
 
 # MARK: DNS
+variable "dns_enabled" {
+	type = bool
+}
+
 variable "domain_main" {
 	type = string
+	nullable = true
 }
 
 variable "domain_cdn" {
 	type = string
+	nullable = true
 }
 
 variable "domain_job" {
 	type = string
+	nullable = true
 }
 
 # MARK: Datacenters

diff --git a/infra/tf/vector/vars.tf b/infra/tf/vector/vars.tf
@@ -15,11 +15,6 @@ variable "clickhouse_port_https" {
 	type = string
 }
 
-# MARK: DNS
-variable "tls_enabled" {
-	type = bool
-}
-
 # MARK: Services
 variable "services" {
 	type = map(object({