homedepot / spingo Goto Github PK

upgrades take too long. We should just bump the version in spingo when we want to take the time to upgrade instead of having to manually pin the version every time we rerun the spinnaker directory terraform

All files and folders in spingo should follow a convention - it has been chosen to be kebab-case.

A github action should be created that checked all files and folder names recursively, failing if any file or folder is not kebab-case.

at some point code that looks roughly like this needs to be deployed to get nginx load balancing in front of the x509

echo "Creating Gate x509 API Service for deployment named sandbox-us-central1"
cat <<SVC_EOF | kubectl --kubeconfig="/spinnaker/.kube/sandbox-us-central1.config" apply -f -
apiVersion: v1
kind: Service
metadata:
  labels:
    app: spin
    cluster: spin-gate
  name: spin-gate-spin-api
  namespace: spinnaker
spec:
  ports:
  - name: x509
    port: 8085
    protocol: TCP
    targetPort: 8085
  selector:
    app: spin
    cluster: spin-gate
  type: ClusterIP
SVC_EOF

echo "Creating Gate x509 API Ingress for deployment named sandbox-us-central1"
cat <<ING_EOF | kubectl --kubeconfig="/spinnaker/.kube/sandbox-us-central1.config" apply -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  labels:
    app: spin
    cluster: spin-gate
  name: spin-gate-spin-api
  namespace: spinnaker
spec:
  rules:
  - host: spin-api.spinnaker.example.com
    http:
      paths:
      - backend:
          serviceName: spin-gate-spin-api
          servicePort: 8085
        path: /
  tls:
  - hosts:
    - spin-api.spinnaker.example.com
ING_EOF

thanks to @dmrogers7 for finding the code that will do it.

according to the terraform template docs, the terraform module is old hat and we should use the built in templatefile instead.

It should be fairly simple to make the change.

v2 is depricated.

The vault injector has a namespace selector on the label sidecar-injector=enabled. The spinnaker namespace in the main and agent clusters should be labeled with this to allow the vault injector to work in these namespaces.

Is your feature request related to a problem? Please describe.
This repo should have automated CI for commits. As it is mostly terraform-based, a terraform validate should be part of the automation

Describe the solution you'd like
Create a script that will:

• temporarily create necessary .auto.tfvars files in each of the terraform top-level directories (certbot, dns, halyard. spinnaker)
• temporarily create necessary override.tf files in each of the terraform top-level directories (certbot, dns, halyard. spinnaker)
• for each of the terraform directories, run terraform init followed by terraform validate

Currently, if there is infrastructure created by terraform, future invocations of terraform will require:

• leveraging existing various local tfvars files and overrides.tf file(s) which as .gitignored
• re-creation of the various local tfvars files and overrides.tf file(s) via the 01-create-terraform-service-account.sh script

Describe the solution you'd like

• backup & restoration of the various local tfvars files and overrides.tf file(s) from some external source (maybe a vault instance or a bucket)

upon attempting to access a new spingo installation, I am plagued with needing to prepend https:// to all of my urls. This is taxing on both the mind and the body.

I would find it quite helpful if within the load balancers, there was a request upgrader that told connecting clients to upgrade to https.

people discuss a situation similar to what I would like here