Support single domain prefix based routing for components access + Backend storage assumerole authentication + jdbc connection url override flag
Feature description 💡
- Trying to set up all components (UI/API/Dex/Registry) ingresses using the same domain (terrakube.mycompany.com) and prefix-based routing.

  UI ingress path: terrakube.mycompany.com/ui
  API ingress path: terrakube.mycompany.com/api
  Dex ingress path: terrakube.mycompany.com/dex
  Registry ingress path: terrakube.mycompany.com/reg

  However, the ingresses are not working. Does terrakube support prefix-based routing?

- Created a PostgreSQL cluster using the Zalando postgres operator (https://github.com/zalando/postgres-operator/blob/master/manifests/complete-postgres-manifest.yaml). The Terrakube PostgreSQL connection fails with "no encryption" when connected to an external postgres database:

      Caused by: liquibase.exception.DatabaseException: org.postgresql.util.PSQLException: FATAL: pg_hba.conf rejects connection for host "10.xxx.xxx.xx", user "terrakube", database "terrakube", no encryption

  How to pass or override the jdbc connection url?

- Is it possible to configure an IAM role instead of access key and secret key for AWS S3 storage if it runs in an EKS kubernetes cluster?

      storage:
        defaultStorage: false
        aws:
          accessKey: ""
          secretKey: ""
          bucketName: ""
          region: ""

  https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
Hello @kspradheep
For your first question:
You won't be able to use "prefix-based routing"; there is one restriction when you are using the terraform CLI.
Terraform CLI requires the "/.well-known/terraform.json" endpoint in the "root path" when using the "terraform login" command.
For example API is exposing "/.well-known/terraform.json"
The registry is also exposing "/.well-known/terraform.json"
So both components require to be in "the root path"
There is no issue with the DEX; you could deploy it using the official DEX helm chart using the path that you require, and when you deploy the terrakube helm chart just disable the DEX component. You could check this issue.

    dex:
      enabled: false
      config:
        issuer: https://yourcustomissuer.com
    ingress:
      dex:
        enabled: false

For the UI, if I remember correctly we have compiled it to use the root path; not sure if it will work with some specific "path".
I hope this information can help you.
For your second question.
This class has the POSTGRESQL connection; maybe it will require some additional parameter.
https://github.com/AzBuilder/terrakube/blob/main/api/src/main/java/org/terrakube/api/plugin/datasource/DataSourceAutoConfiguration.java#L37
The parameters that we use to connect to the database are passed as environment variables here: https://github.com/AzBuilder/terrakube/blob/main/api/src/main/resources/application.properties#L39
https://github.com/AzBuilder/terrakube/blob/main/api/src/main/java/org/terrakube/api/plugin/datasource/DataSourceConfigurationProperties.java
And the helm chart is passing those parameters in the following way. https://github.com/AzBuilder/terrakube-helm-chart/blob/main/charts/terrakube/templates/secrets-api.yaml#L73
I think maybe it will require some additional parameters for your Zalando Cluster but I am not sure
For your third question.
To connect to the S3 storage we are using the following code: https://github.com/AzBuilder/terrakube/blob/main/api/src/main/java/org/terrakube/api/plugin/storage/configuration/StorageTypeAutoConfiguration.java#L63
https://github.com/AzBuilder/terrakube/blob/main/registry/src/main/java/org/terrakube/registry/plugin/storage/configuration/StorageAutoConfiguration.java#L68
https://github.com/AzBuilder/terrakube/blob/main/executor/src/main/java/org/terrakube/executor/plugin/tfoutput/configuration/TerraformOutputAutoConfiguration.java#L65
https://github.com/AzBuilder/terrakube/blob/main/executor/src/main/java/org/terrakube/executor/plugin/tfstate/configuration/TerraformStateAutoConfiguration.java#L74
I guess those classes could require some changes to use IAM role with a service account but I am not familiar with AWS.
If you would like to help with some PR to add that feature all help is welcome :)
I hope this can help you.
Hello @alfespa17,
Thanks for the reply.
- Okay, will try to use a different hostname for each component.
- I think this is the problem: https://github.com/AzBuilder/terrakube/blob/main/api/src/main/java/org/terrakube/api/plugin/datasource/DataSourceAutoConfiguration.java#L43 Not sure why SSL had to be disabled, but it would be nice if this option were also parametrized.
- Okay, will look into that.
Hello @kspradheep
That could be another parameter, but I am not sure if that will be the only required change so it can connect to your Zalando cluster. Do you have some code example? Or maybe you could fork the project and create a custom docker image to test the API component.
There is a script that you could check to build a custom image with that parameter to "true"
Check here
Hello @alfespa17
I have reviewed the Zalando postgres cluster and it has this entry in the pg_hba.conf file:

    hostnossl all all all reject

After adding an entry like this, the connectivity error was fixed:

    hostnossl terrakube terrakube all trust

ref: https://www.postgresql.org/docs/8.0/client-authentication.html
So the SSL parameter is also essential, especially when running in production where data security is crucial.
I will add the parameter for the next version; at least for now you have a workaround.
The SSL parameter was added in the following PR; changing the default value, which is "disable", requires the environment variable DatasourceSslMode.
https://github.com/AzBuilder/terrakube/pull/459
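
An added example, not part of the original thread and not Terrakube or Zalando code: a small first-match evaluator for pg_hba.conf that shows what the `hostnossl terrakube terrakube all trust` workaround admits compared with the reject-only file, which is the gap an SSL-capable client setting closes. The `hostssl` line, the client IP and all function names are assumptions made for the illustration; only `all`/CIDR addresses and the `host`, `hostssl` and `hostnossl` record types are handled.

```python
import ipaddress

METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "cert", "peer", "ident", "ldap", "gss"}
TLS_NEEDED = {"host": None, "hostssl": True, "hostnossl": False}  # None = either

# Constructed samples. The hostnossl lines are the ones quoted in the thread;
# the hostssl line is an assumption added so TLS clients have a rule to match.
STRICT = """
hostnossl all all all reject
hostssl   all all all scram-sha-256
"""
WORKAROUND = "hostnossl terrakube terrakube all trust\n" + STRICT

def parse_pg_hba(text):
    rules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) < 5 or f[0] not in TLS_NEEDED:
            continue  # blank, comment, local or GSS records: out of scope here
        addr, rest = f[3], f[4:]
        if rest[0] not in METHODS and len(rest) > 1:  # separate IP-mask column
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        rules.append({"type": f[0], "db": f[1].split(","), "user": f[2].split(","),
                      "addr": addr, "method": rest[0], "line": raw.strip()})
    return rules

def first_match(rules, db, user, client_ip, tls):
    """PostgreSQL uses the first record that matches; no match means denied."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        need = TLS_NEEDED[r["type"]]
        if need is not None and need != tls:
            continue
        if not {"all", db} & set(r["db"]) or not {"all", user} & set(r["user"]):
            continue
        if r["addr"] != "all" and ip not in ipaddress.ip_network(r["addr"], strict=False):
            continue
        return r
    return None

def audit(rules, db, user, client_ip):
    findings = []
    for tls in (False, True):
        r = first_match(rules, db, user, client_ip, tls)
        if r and not tls and r["method"] != "reject":
            findings.append(f"cleartext connection accepted: {r['line']}")
        if r and r["method"] == "trust":
            findings.append(f"no credentials checked (trust): {r['line']}")
    return findings

if __name__ == "__main__":
    for name, conf in (("strict", STRICT), ("workaround", WORKAROUND)):
        print(name, audit(parse_pg_hba(conf), "terrakube", "terrakube", "10.0.0.5"))
```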

