
[#130102001] Bootstrap bosh and concourse #1

Merged: 23 commits merged into from, Sep 27, 2016
Conversation

saliceti
Contributor

What

Story: Create custom release concourse

We need a new concourse that will be used to build bosh releases. It was decided to take the opportunity and deploy this concourse with bosh instead of bosh-init. The main reasons are:

  • bosh-init can handle only 1 VM. bosh can handle complex deployments and we may need it to scale concourse
  • bosh can cache compiled artifacts
  • bosh manages the state automatically
  • reduces the size of the CF pipeline so this should improve our development time

This is now a generic concourse that we will use to build bosh releases, but eventually paas-cf may be migrated to use it for its bootstrap. We created a new repository that uses a lot of the paas-cf code so most is already known. The main changes are:

  • bosh is now created in the bootstrap pipeline instead of the CF pipeline
  • concourse is deployed with bosh instead of bosh-init
  • since concourse lite is in a different VPC than bosh, bosh is now accessed via its external IP
  • the security groups have changed slightly because we moved things around and the dependencies have changed
  • update CPI to latest (v60). This was required for the auto-assign feature introduced in v55. The pipeline points to the bosh-init container tagged for the new version.
  • changed IAM policies (See PR in aws-account-wide-terraform)

We have made other smaller changes:

  • improve naming
  • parallelise and merge pipeline jobs
  • improve management of bosh_fqdn variable
  • other minor things

How to review

DEPLOY_ENV=testabcd make dev bootstrap
  • Connect to localhost:8080 and start create pipeline
  • In the end you should be able to access concourse at: https://concourse.testabcd.dev.cloudpipeline.digital
  • Login to concourse, upload pipelines
  • Destroy the environment using the destroy pipeline
  • Destroy concourse-lite:
DEPLOY_ENV=testabcd make dev bootstrap-destroy
  • Set up the local environment with python, ruby, go and check that make test passes successfully

Create the build CI

  • Make sure the previous concourse lite is destroyed
  • Start concourse lite for CI:
DEPLOY_ENV=build make ci bootstrap
  • Connect to localhost:8080 and start create pipeline
  • In the end you should be able to access concourse at: https://concourse.build.ci.cloudpipeline.digital
  • Destroy concourse-lite:
DEPLOY_ENV=build make ci bootstrap-destroy

Who can review

Anyone but @henrytk or myself

The MIT License (MIT)
Copyright (c) 2015 Crown Copyright (Government Digital Service)
Contains global variables used in all terraform runs and across all
environments.
Contains dev and CI specific environment variables.

See https://github.com/alphagov/paas-cf/tree/master/terraform for commit
history.
Create the bucket that will receive bosh-init state, manifests, secrets,
keys, etc used in the whole pipeline.

See https://github.com/alphagov/paas-cf/tree/master/terraform for commit
history.
Create the AWS VPC, subnets and the default SSH security group.

See https://github.com/alphagov/paas-cf/tree/master/terraform for commit
history.
@keymon
Contributor

keymon commented Sep 23, 2016

I'm in general happy with the PR, waiting to test it.

@keymon
Contributor

keymon commented Sep 23, 2016

@saliceti can you hook this with travis?

Shall we include the make merge_pr workflow here?

@saliceti
Contributor Author

Travis enabled, thanks.

merge_pr is used to sign merge commits in paas-cf because we validate the commits in the pipeline. Here the pipeline is triggered manually and we don't validate the commits, so I'm not sure we need merge_pr.

- |
  if [ -z "$(tar -tvzf existing-bosh-CA/bosh-CA.tar.gz)" ] ; then
    certstrap init --passphrase "" --common-name bosh-CA
    ( cd out && tar -cvzf generated-bosh-CA/bosh-CA.tar.gz bosh-CA.* )

This won't work:

$ git diff
diff --git a/concourse/pipelines/create.yml b/concourse/pipelines/create.yml
index 38d5385..3df7f97 100644
--- a/concourse/pipelines/create.yml
+++ b/concourse/pipelines/create.yml
@@ -284,7 +284,7 @@ jobs:
               - |
                 if  [ -z "$(tar -tvzf existing-bosh-CA/bosh-CA.tar.gz)" ] ; then
                   certstrap init --passphrase "" --common-name bosh-CA
-                  ( cd out && tar -cvzf generated-bosh-CA/bosh-CA.tar.gz bosh-CA.* )
+                  ( cd out && tar -cvzf ../generated-bosh-CA/bosh-CA.tar.gz bosh-CA.* )
                 else
                   echo "The CA cert already exists, skipping generation..."
                   cp existing-bosh-CA/bosh-CA.tar.gz generated-bosh-CA/bosh-CA.tar.gz
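Review bot: the `+` line is the right fix for the path: because the subshell does `cd out` first, the `-` line would have written the archive to `out/generated-bosh-CA/bosh-CA.tar.gz` (or failed if that directory does not exist under `out`), and the `cp` in the `else` branch as well as whatever consumes `generated-bosh-CA/` would never see it. Two further points on the same hunk: the guard `[ -z "$(tar -tvzf existing-bosh-CA/bosh-CA.tar.gz)" ]` cannot distinguish a missing or unreadable archive from an empty one and discards tar's exit status inside the command substitution, so a corrupt archive would be treated as "already exists" and skipped; checking `tar -tzf` explicitly with `if ! tar -tzf existing-bosh-CA/bosh-CA.tar.gz >/dev/null 2>&1; then` makes the intent clearer and surfaces the error. Also, `certstrap init --passphrase ""` produces an unencrypted CA private key inside `bosh-CA.tar.gz`, so the `generated-bosh-CA` output should be treated as secret material wherever the pipeline stores it; a short comment in the step saying so would help future readers.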

@keymon
Contributor

keymon commented Sep 26, 2016

Looks good to me, waiting for https://github.gds/government-paas/aws-account-wide-terraform/pull/58 to merge

Create the AWS configuration required to install bosh. It includes
security groups, key pairs, elastic IP and DNS, S3 bucket for blobstore
and RDS database.

See https://github.com/alphagov/paas-cf/tree/master/terraform for commit
history.
Create the configuration required to install concourse. Includes
security groups, elastic IP, ELB, git repository, ssh keys.

See https://github.com/alphagov/paas-cf/tree/master/terraform for commit
history.
Some tests are written in ruby and require these dependencies.

See https://github.com/alphagov/paas-cf/blob/master/Gemfile for commit
history.
Common tools to generate and test bosh manifests. They are used for bosh
and concourse manifests.

See https://github.com/alphagov/paas-cf/tree/master/manifests for commit
history.
Manifest used with bosh-init to install bosh. Contains manifests that
will be merged with spruce and tests to check the validity of the
generated manifest.

See https://github.com/alphagov/paas-cf/tree/master/manifests for commit
history.
Manifest used with bosh to deploy concourse. It is merged with other
data files by spruce to produce the final manifest.
Contains tests to check the validity of the final manifest.

See https://github.com/alphagov/paas-cf/tree/master/manifests for commit
history.
Required to run aws commands and run yaml linting tests.

See https://github.com/alphagov/paas-cf/blob/master/requirements.txt for
commit history.
The scripts connect to concourse with fly. Fly is downloaded from
concourse and is run from inside the bin directory. It must be created
beforehand.

See
alphagov/paas-cf@02c331e.
Used to seed the state bucket with valid but empty files.
There is a variety of files depending on the application using them:
bosh-init, terraform, etc.

See https://github.com/alphagov/paas-cf/tree/master/concourse/init_files
for commit history.
Main pipeline to bootstrap a VPC containing running bosh and concourse.
Contains a pipeline to create the environment, and another one to
destroy it.

See https://github.com/alphagov/paas-cf/tree/master/concourse/pipelines
for commit history.
Utility scripts to configure environment variables, deploy pipelines,
extract variables, login to concourse, login to bosh, etc.

See https://github.com/alphagov/paas-cf/tree/master/concourse/scripts
for commit history.
Create a concourse lite in AWS using vagrant and automatically upload
the bootstrap pipelines.

See https://github.com/alphagov/paas-cf/tree/master/vagrant for commit
history.
Configures travis to automatically run the tests when a commit is pushed
to github.

See https://github.com/alphagov/paas-cf/blob/master/.travis.yml for
commit history.
Useful commands to manage the environment. Also used to configure
variables specific to each environment.

See https://github.com/alphagov/paas-cf/blob/master/Makefile for commit
history.
Ignore files that should not be under version control.

See https://github.com/alphagov/paas-cf/blob/master/.gitignore for
commit history.
@henrytk henrytk force-pushed the 130102001_bootstrap branch from ee7464f to 78ed9c6 on September 26, 2016 14:34
@henrytk
Contributor

henrytk commented Sep 26, 2016

After discussion with @saliceti and @bleach it was decided we would rename the buckets to have a prefix of gds-paas, not paas. This will be consistent with the prefixes used for buckets used by ELBs. Policies will assert on suffix only for clarity.

I have changed the state bucket to gds-paas-ENV-bootstrap and blobstore buckets to gds-paas-ENV-bosh-blobstore. The changes have been squashed into the commits that introduced the files (concourse/scripts/pipelines.sh and terraform/bosh/blobstore.tf).

@keymon
Contributor

keymon commented Sep 26, 2016

Just to keep record of it, I got this error while deploying in concourse-terraform the first time:

1 error(s) occurred:

* aws_elb.concourse: [WARN] Error creating ELB Listener with SSL Cert, retrying: CertificateNotFound: Server Certificate not found for the key: arn:aws:iam::595665891067:server-certificate/bector-concourse-20160926150825601060871plr
    status code: 400, request id: 32e1133a-83fb-11e6-9178-4fbcd6bf1553

Rerunning solved the issue.

I guess it takes some time to get the Server Certificate ready to be used. It is fine, as rerunning solves the issue and it is one-off.

@saliceti
Contributor Author

We had this in the past, I hope it's not a regression in Terraform:

This is not directly related to this PR.

@keymon
Contributor

keymon commented Sep 27, 2016

I'll merge this after https://github.gds/government-paas/aws-account-wide-terraform/pull/58 has been merged.

@keymon keymon merged commit 1b0d630 into master Sep 27, 2016
@keymon keymon deleted the 130102001_bootstrap branch September 27, 2016 09:16
bandesz pushed a commit that referenced this pull request May 22, 2018
Ruby 2.2 reached EOL on 2018-03-31 (#1), so we decided to migrate to the latest
stable version.
samcrang pushed a commit that referenced this pull request May 31, 2018
Ruby 2.2 reached EOL on 2018-03-31 (#1), so we decided to migrate to the latest
stable version.