From 62ce56e921fbac2eedc1ed2f6e99692c0b68f0e3 Mon Sep 17 00:00:00 2001 From: Kevin Scheunemann Date: Mon, 8 May 2023 16:16:42 -0400 Subject: [PATCH 1/4] update to use external terraform and latest gcp modules update to netbox 3.5 use upstream develop helm chart --- bootstrap.sh | 3 +- netbox-secrets/.terraform.lock.hcl | 26 +-- netbox/garden.yml | 28 +-- netbox/netbox-housekeeping-cronjob.yaml | 207 ------------------ netbox/object-types.json | 84 ------- netbox/rbac.yaml | 21 -- project.garden.yml | 4 +- .../modules/okta-application/provider.tf | 2 +- .../netbox-create-groups/object-types.json | 33 ++- 9 files changed, 53 insertions(+), 355 deletions(-) delete mode 100644 netbox/netbox-housekeeping-cronjob.yaml delete mode 100644 netbox/object-types.json delete mode 100644 netbox/rbac.yaml diff --git a/bootstrap.sh b/bootstrap.sh index 14ef9f8..918d673 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -1,7 +1,8 @@ #!/usr/bin/env bash set -e -terraform=$(garden tools terraform.terraform-1-0-5 --get-path) +#terraform=$(garden tools terraform.terraform-1-0-5 --get-path) +terraform=$(which terraform) terraform_bucket_target="google_storage_bucket.project_bucket" bucket_name="$1-state" google_project_id="$1" diff --git a/netbox-secrets/.terraform.lock.hcl b/netbox-secrets/.terraform.lock.hcl index 22ad513..0a664cf 100644 --- a/netbox-secrets/.terraform.lock.hcl +++ b/netbox-secrets/.terraform.lock.hcl 
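Review bot: `terraform=$(which terraform)` picks up whichever terraform binary happens to be first on PATH, so the bootstrap that creates the state bucket no longer controls which terraform and provider versions touch the state; `version: null` for the terraform provider in project.garden.yml (L8, same patch) does the same on the Garden side, presumably meaning "use the PATH binary". If unpinning is intentional, use `command -v`, fail with a message instead of relying on `set -e` aborting on an empty substitution, and enforce a floor with `required_version` in the Terraform roots, e.g. `terraform=$(command -v terraform) || { echo "terraform not found on PATH" >&2; exit 1; }`. The commented-out `#terraform=$(garden tools ...)` line should be removed rather than kept as dead code.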
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/random" { - version = "3.4.2" + version = "3.5.1" hashes = [ - "h1:oAYPQfX2epNXhtsepDkPIlJaa703RqFiGh4KyCBECYY=", - "zh:1e61d226778aefd01c0e139c0ad709b61e9ae4b33d72301b922bd3d000b76eee", - "zh:3c3295c3d2e9c3f9d60d557ee8faf2a30bd15f59f2c38ed13f50a3220dd027d0", - "zh:6661b4953b875857c3ac99fb1006daf314acebf2d1748045d208ebc8cbc647cd", - "zh:6e1823a349ceea5e4e0c684561473f57c46f73d7c197c39904d031ce6654bfb8", + "h1:sZ7MTSD4FLekNN2wSNFGpM+5slfvpm5A/NLVZiB7CO0=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8f8e6fd15e5228f1935c63d79bf3074f645ddba1350756acfc968b2a05bf85ee", - "zh:939a78da13a7932bd5429f0c77debe907bf9d6c6a26af50fd4d9f32ee16ea5a6", - "zh:995a592acbcde12f0d34ff5c3b74ec7054743315684b72b927bdc0d33e0e7c4d", - "zh:a9f8b88fe365ed9996d3386b415cabb445cf9d6e4b0e0b73f58af3aa31f1fa3d", - "zh:dda7c698cf92170665ca3ac1ccdc2177c0bec4807e69075422ae9d5c5308adbd", - "zh:eff42af6313499db0b3177a82851e0f2d2706e81cab11372d7d3673c41b15b9c", - "zh:fcd6826d4398147314620401a5908dd35c6f2ebac7e7d3a7d77078dbc7c5a0e6", + "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", ] } 
diff --git a/netbox/garden.yml b/netbox/garden.yml index 0fc91e3..53d53b8 100644 --- a/netbox/garden.yml +++ b/netbox/garden.yml @@ -2,9 +2,7 @@ kind: Module type: helm name: netbox -repo: https://charts.boo.tc -chart: netbox -version: 4.1.1 +repositoryUrl: https://github.com/bootc/netbox-chart#develop timeout: 1200 dependencies: - netbox-app-infra @@ -19,7 +17,7 @@ values: repository: quay.io/netboxcommunity/netbox tag: ${var.netbox_version} autoscaling: - enabled: true + enabled: false minReplicas: "${environment.name == 'prod' ? 2 : 1}" maxReplicas: 10 superuser: @@ -77,7 +75,7 @@ values: name: ${providers.kubernetes.outputs.app-namespace} worker: autoscaling: - enabled: true + enabled: false extraContainers: - name: cloud-sql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 @@ -99,14 +97,7 @@ values: releaseCheck: url: https://api.github.com/repos/netbox-community/netbox/releases housekeeping: - enabled: false - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 500m - memory: 512Mi + enabled: true extraContainers: - name: cloud-sql-proxy image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 @@ -133,14 +124,3 @@ values: cachingRedis: host: ${runtime.services.netbox-app-infra.outputs.redis_host} port: 6379 ---- -kind: Module -type: kubernetes -name: netbox-housekeeping -# helm install above fails when housekeeping is on with: admission webhook "workload-defaulter.common-webhooks.networking.gke.io" denied the request: no kind "CronJob" is registered for version "batch/v1" in scheme "pkg/runtime/scheme.go:100" -description: Netbox Housekeeping cronjob deployment - hack -dependencies: - - netbox -files: - - rbac.yaml - - netbox-housekeeping-cronjob.yaml diff --git a/netbox/netbox-housekeeping-cronjob.yaml b/netbox/netbox-housekeeping-cronjob.yaml deleted file mode 100644 index 9eb5f56..0000000 --- a/netbox/netbox-housekeeping-cronjob.yaml +++ /dev/null 
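Review bot: `repositoryUrl: https://github.com/bootc/netbox-chart#develop` replaces the pinned `chart: netbox` / `version: 4.1.1` with a mutable branch reference, so each deploy fetches whatever `develop` currently holds and the same project commit can render different charts on different days; patch 2 (L10) switches this to a personal fork on the same `develop` branch and has the same weakness. Pin the fragment to a release tag or full commit SHA (`#<tag-or-commit>`, placeholder) and bump it deliberately, ideally with a comment recording why the registry chart was dropped. The `housekeeping: enabled: true` change in this section re-enables the chart's own CronJob that the deleted manifest worked around; whether the chart at the chosen ref emits an API version the cluster serves is exactly the kind of thing a pinned ref makes reviewable.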
@@ -1,207 +0,0 @@ ---- -# Source: netbox/templates/cronjob.yaml -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: netbox-housekeeping - labels: - helm.sh/chart: netbox-4.0.1 - app.kubernetes.io/name: netbox - app.kubernetes.io/instance: netbox - app.kubernetes.io/version: "${var.netbox_version}" - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: housekeeping -spec: - concurrencyPolicy: Forbid - failedJobsHistoryLimit: 5 - schedule: "0 0 * * *" - successfulJobsHistoryLimit: 5 - suspend: false - jobTemplate: - metadata: - labels: - helm.sh/chart: netbox-4.0.1 - app.kubernetes.io/name: netbox - app.kubernetes.io/instance: netbox - app.kubernetes.io/version: "${var.netbox_version}" - app.kubernetes.io/managed-by: Helm - spec: - template: - metadata: - labels: - app.kubernetes.io/name: netbox - app.kubernetes.io/instance: netbox - app.kubernetes.io/component: housekeeping - spec: - serviceAccountName: ${providers.kubernetes.outputs.app-namespace} - securityContext: - fsGroup: 1000 - runAsNonRoot: true - initContainers: - - name: kubexit - image: karlkfi/kubexit:latest - command: ['cp', '/bin/kubexit', '/kubexit/kubexit'] - securityContext: - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - mountPath: /kubexit - name: kubexit - containers: - - name: netbox-housekeeping - securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - image: "quay.io/netboxcommunity/netbox:${var.netbox_version}" - command: - - /kubexit/kubexit - - /opt/netbox/venv/bin/python - - /opt/netbox/netbox/manage.py - - housekeeping - imagePullPolicy: IfNotPresent - env: - - name: KUBEXIT_NAME - value: netbox-housekeeping - - name: KUBEXIT_GRAVEYARD - value: /graveyard - - name: KUBEXIT_BIRTH_DEPS - value: cloud-sql-proxy - - name: KUBEXIT_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KUBEXIT_NAMESPACE - valueFrom: - fieldRef: - fieldPath: 
metadata.namespace - volumeMounts: - - name: config - mountPath: /etc/netbox/config/configuration.py - subPath: configuration.py - readOnly: true - - name: config - mountPath: /run/config/netbox - readOnly: true - - name: secrets - mountPath: /run/secrets/netbox - readOnly: true - - name: netbox-tmp - mountPath: /tmp - - name: media - mountPath: /opt/netbox/netbox/media - subPath: "" - - mountPath: /graveyard - name: graveyard - - mountPath: /kubexit - name: kubexit - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 500m - memory: 512Mi - - command: - - /kubexit/kubexit - - /cloud_sql_proxy - - -instances=$(CONNECTION_NAME)=tcp:5432 - env: - - name: CONNECTION_NAME - valueFrom: - secretKeyRef: - key: connection_name - name: cloudsql-instance - - name: KUBEXIT_NAME - value: cloud-sql-proxy - - name: KUBEXIT_GRAVEYARD - value: /graveyard - - name: KUBEXIT_DEATH_DEPS - value: netbox-housekeeping - image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 - name: cloud-sql-proxy - resources: - requests: - cpu: 200m - memory: 256Mi - securityContext: - runAsNonRoot: true - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access - - mountPath: /graveyard - name: graveyard - - mountPath: /kubexit - name: kubexit - lifecycle: - preStop: - exec: - command: ['sleep', '10'] - volumes: - - name: graveyard - emptyDir: - medium: Memory - - name: kubexit - emptyDir: {} - - name: config - configMap: - name: netbox - - name: secrets - projected: - sources: - - secret: - name: "netbox" - items: - # Used by our configuration - - key: email_password - path: email_password - - key: napalm_password - path: napalm_password - - key: secret_key - path: secret_key - - secret: - name: "psql-netbox-user" - items: - - key: "postgresql-password" - path: db_password - - secret: - name: "netbox" - items: - - key: "redis_tasks_password" - path: 
redis_tasks_password - - secret: - name: "netbox" - items: - - key: "redis_cache_password" - path: redis_cache_password - - name: netbox-tmp - emptyDir: - medium: Memory - - name: media - emptyDir: {} - - name: kube-api-access - projected: - defaultMode: 420 # 0644 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace - restartPolicy: OnFailure diff --git a/netbox/object-types.json b/netbox/object-types.json deleted file mode 100644 index afb2e43..0000000 --- a/netbox/object-types.json +++ /dev/null 
@@ -1,84 +0,0 @@ -[ - "circuits.circuit", - "circuits.circuittermination", - "circuits.circuittype", - "circuits.provider", - "circuits.providernetwork", - "dcim.cable", - "dcim.cablepath", - "dcim.consoleport", - "dcim.consoleporttemplate", - "dcim.consoleserverport", - "dcim.consoleserverporttemplate", - "dcim.device", - "dcim.devicebay", - "dcim.devicebaytemplate", - "dcim.devicerole", - "dcim.devicetype", - "dcim.frontport", - "dcim.frontporttemplate", - "dcim.interface", - "dcim.interfacetemplate", - "dcim.inventoryitem", - "dcim.location", - "dcim.manufacturer", - "dcim.platform", - "dcim.powerfeed", - "dcim.poweroutlet", - "dcim.poweroutlettemplate", - "dcim.powerpanel", - "dcim.powerport", - "dcim.powerporttemplate", - "dcim.rack", - "dcim.rackreservation", - "dcim.rackrole", - "dcim.rearport", - "dcim.rearporttemplate", - "dcim.region", - "dcim.site", - "dcim.sitegroup", - "dcim.virtualchassis", - "ipam.aggregate", - "ipam.ipaddress", - "ipam.prefix", - "ipam.rir", - "ipam.role", - "ipam.routetarget", - "ipam.vrf", - "ipam.vlangroup", - "ipam.vlan", - "ipam.service", - "ipam.iprange", - "ipam.fhrpgroup", - "ipam.fhrpgroupassignment", - "ipam.asn", - "extras.report", - "extras.script", - "extras.configcontext", - "extras.tag", - "extras.webhook", - "extras.taggeditem", - "extras.objectchange", - "extras.journalentry", - "extras.jobresult", - "extras.imageattachment", - "extras.exporttemplate", - "extras.customlink", - "extras.customfield", - "extras.configrevision", - "tenancy.tenantgroup", - "tenancy.tenant", - "tenancy.contactrole", - "tenancy.contactgroup", - "tenancy.contact", - "tenancy.contactassignment", - "users.token", - "virtualization.cluster", - "virtualization.clustergroup", - "virtualization.clustertype", - "virtualization.virtualmachine", - "virtualization.vminterface", - "wireless.wirelesslangroup", - "wireless.wirelesslan", - "wireless.wirelesslink" -] 
diff --git a/netbox/rbac.yaml b/netbox/rbac.yaml deleted file mode 100644 index 5e96317..0000000 --- a/netbox/rbac.yaml +++ /dev/null @@ -1,21 +0,0 @@ -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: namespace-viewer -rules: -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "watch", "list"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: namespace-viewer -subjects: -- kind: ServiceAccount - name: ${providers.kubernetes.outputs.app-namespace} - apiGroup: "" -roleRef: - kind: Role - name: namespace-viewer - apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/project.garden.yml b/project.garden.yml index 1b4d828..0acdc1b 100644 --- a/project.garden.yml +++ b/project.garden.yml @@ -26,7 +26,7 @@ providers: - name: terraform dependencies: - exec - version: 1.0.5 + version: null initRoot: "${var.terraform_root}" autoApply: true allowDestroy: false @@ -55,4 +55,4 @@ providers: environments: - prod dependencies: - - terraform \ No newline at end of file + - terraform diff --git a/terraform/modules/okta-application/provider.tf b/terraform/modules/okta-application/provider.tf index 0aea593..515586c 100644 --- a/terraform/modules/okta-application/provider.tf +++ b/terraform/modules/okta-application/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { okta = { source = "okta/okta" - version = "~> 4.0" + version = "~> 3.0" } } } diff --git a/terraform/root/netbox-create-groups/object-types.json b/terraform/root/netbox-create-groups/object-types.json index afb2e43..0742c7b 100644 --- a/terraform/root/netbox-create-groups/object-types.json +++ b/terraform/root/netbox-create-groups/object-types.json 
@@ -1,9 +1,17 @@
 [
+ "auth.group",
+ "auth.user",
+ "core.datasource",
+ "core.datafile",
+ "core.autosyncrecord",
+ "core.managedfile",
+ "core.job",
 "circuits.circuit",
 "circuits.circuittermination",
 "circuits.circuittype",
 "circuits.provider",
 "circuits.providernetwork",
+ "circuits.provideraccount",
 "dcim.cable",
 "dcim.cablepath",
 "dcim.consoleport",
@@ -38,6 +46,14 @@
 "dcim.site",
 "dcim.sitegroup",
 "dcim.virtualchassis",
+ "dcim.moduletype",
+ "dcim.modulebay",
+ "dcim.module",
+ "dcim.modulebaytemplate",
+ "dcim.inventoryitemrole",
+ "dcim.inventoryitemtemplate",
+ "dcim.cabletermination",
+ "dcim.virtualdevicecontext",
 "ipam.aggregate",
 "ipam.ipaddress",
 "ipam.prefix",
@@ -52,6 +68,10 @@
 "ipam.fhrpgroup",
 "ipam.fhrpgroupassignment",
 "ipam.asn",
+ "ipam.servicetemplate",
+ "ipam.l2vpn",
+ "ipam.l2vpntermination",
+ "ipam.asnrange",
 "extras.report",
 "extras.script",
 "extras.configcontext",
@@ -60,12 +80,19 @@
 "extras.taggeditem",
 "extras.objectchange",
 "extras.journalentry",
- "extras.jobresult",
 "extras.imageattachment",
 "extras.exporttemplate",
 "extras.customlink",
 "extras.customfield",
 "extras.configrevision",
+ "extras.savedfilter",
+ "extras.cachedvalue",
+ "extras.branch",
+ "extras.stagedchange",
+ "extras.configtemplate",
+ "extras.dashboard",
+ "extras.reportmodule",
+ "extras.scriptmodule",
 "tenancy.tenantgroup",
 "tenancy.tenant",
 "tenancy.contactrole",
@@ -73,6 +100,7 @@
 "tenancy.contact",
 "tenancy.contactassignment",
 "users.token",
+ "users.objectpermission",
 "virtualization.cluster",
 "virtualization.clustergroup",
 "virtualization.clustertype",
@@ -80,5 +108,6 @@
 "virtualization.vminterface",
 "wireless.wirelesslangroup",
 "wireless.wirelesslan",
- "wireless.wirelesslink"
+ "wireless.wirelesslink",
+ "django_rq.queue"
 ]
From 184978981df4cd24e69afcf687d23dd171c12745 Mon Sep 17 00:00:00 2001
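Review bot: The added `auth.user`, `auth.group` and `users.objectpermission` entries (next to the existing `users.token`) extend whatever permission the `netbox-create-groups` root assigns over the listed object types to NetBox's user, group, API-token and permission models themselves; if the assigned actions include add or change, a member of such a group could edit users or permissions and escalate beyond the inventory scope the rest of the list describes. The actions granted are not visible in this hunk, so confirm them in the Terraform root, and consider keeping the `auth.*` and `users.*` types in a separate, admin-only list. Since JSON has no comments, document that intent next to the Terraform expression that reads this file.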
From: Kevin Scheunemann Date: Mon, 1 Jan 2024 14:12:50 -0500 Subject: [PATCH 2/4] update dependencies to a clean deployment --- netbox/garden.yml | 24 +++++++++----------- terraform/modules/app-infra/bucket.tf | 2 +- terraform/modules/gke-autopilot/main.tf | 1 - terraform/modules/gke-autopilot/network.tf | 4 ++-- terraform/modules/gke-autopilot/variables.tf | 6 ----- terraform/root/netbox-infra/main.tf | 2 +- 6 files changed, 15 insertions(+), 24 deletions(-) diff --git a/netbox/garden.yml b/netbox/garden.yml index 53d53b8..ac99304 100644 --- a/netbox/garden.yml +++ b/netbox/garden.yml @@ -2,7 +2,7 @@ kind: Module type: helm name: netbox -repositoryUrl: https://github.com/bootc/netbox-chart#develop +repositoryUrl: https://github.com/scheuk/netbox-chart#develop timeout: 1200 dependencies: - netbox-app-infra @@ -17,7 +17,7 @@ values: repository: quay.io/netboxcommunity/netbox tag: ${var.netbox_version} autoscaling: - enabled: false + enabled: true minReplicas: "${environment.name == 'prod' ? 2 : 1}" maxReplicas: 10 superuser: @@ -75,19 +75,18 @@ values: name: ${providers.kubernetes.outputs.app-namespace} worker: autoscaling: - enabled: false + enabled: true extraContainers: - name: cloud-sql-proxy - image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.1 env: - - name: CONNECTION_NAME + - name: CSQL_PROXY_INSTANCE_CONNECTION_NAME valueFrom: secretKeyRef: name: cloudsql-instance key: connection_name - command: - - "/cloud_sql_proxy" - - "-instances=$(CONNECTION_NAME)=tcp:5432" + args: + - "--structured-logs" securityContext: runAsNonRoot: true resources: 
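Review bot: The rewritten `cloud-sql-proxy` sidecar keeps only `runAsNonRoot: true` in its `securityContext`, and the housekeeping copy in the next hunk (L11) is identical; by contrast the CronJob manifest deleted in patch 1 ran the NetBox container with all capabilities dropped and a read-only root filesystem. The v2 proxy image should need neither capabilities, privilege escalation nor a writable root filesystem, so both copies can be hardened to that same level. Whether the application's database host setting matches the v2 proxy's default listen address and port (no `--address`/`--port` argument is passed) is not visible in this hunk and is worth confirming once against the rendered configuration.
```yaml
        - name: cloud-sql-proxy
          # … unchanged: image, env, args …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          # … unchanged: resources …
```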
@@ -100,16 +99,15 @@ values: enabled: true extraContainers: - name: cloud-sql-proxy - image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.1 env: - - name: CONNECTION_NAME + - name: CSQL_PROXY_INSTANCE_CONNECTION_NAME valueFrom: secretKeyRef: name: cloudsql-instance key: connection_name - command: - - "/cloud_sql_proxy" - - "-instances=$(CONNECTION_NAME)=tcp:5432" + args: + - "--structured-logs" securityContext: runAsNonRoot: true resources: diff --git a/terraform/modules/app-infra/bucket.tf b/terraform/modules/app-infra/bucket.tf index 3bc4e32..e4ceabc 100644 --- a/terraform/modules/app-infra/bucket.tf +++ b/terraform/modules/app-infra/bucket.tf @@ -6,7 +6,7 @@ resource "random_id" "suffix" { module "bucket" { source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket" - version = "~> 4.0" + version = "~> 5.0" name = "${local.name}-media-${random_id.suffix[0].hex}" project_id = var.project_id diff --git a/terraform/modules/gke-autopilot/main.tf b/terraform/modules/gke-autopilot/main.tf index 464179c..29ed3dd 100644 --- a/terraform/modules/gke-autopilot/main.tf +++ b/terraform/modules/gke-autopilot/main.tf @@ -34,7 +34,6 @@ module "gke" { enable_private_endpoint = false enable_private_nodes = true master_ipv4_cidr_block = var.master_ipv4_cidr_block - datapath_provider = var.enable_dataplane_v2 ? "ADVANCED_DATAPATH" : "DATAPATH_PROVIDER_UNSPECIFIED" add_master_webhook_firewall_rules = true diff --git a/terraform/modules/gke-autopilot/network.tf b/terraform/modules/gke-autopilot/network.tf index fb56095..897b44f 100644 --- a/terraform/modules/gke-autopilot/network.tf +++ b/terraform/modules/gke-autopilot/network.tf @@ -16,7 +16,7 @@ module "gcp-network" { source = "terraform-google-modules/network/google" - version = "< 8.0.0" + version = "~> 8.1.0" project_id = var.project_id network_name = local.network_name 
@@ -50,7 +50,7 @@ module "gcp-network" { module "cloud-router" { source = "terraform-google-modules/cloud-router/google" - version = "~> 5.0" + version = "~> 6.0" project = var.project_id name = local.router_name network = module.gcp-network.network_name diff --git a/terraform/modules/gke-autopilot/variables.tf b/terraform/modules/gke-autopilot/variables.tf index 132e9a9..773ef48 100644 --- a/terraform/modules/gke-autopilot/variables.tf +++ b/terraform/modules/gke-autopilot/variables.tf @@ -19,12 +19,6 @@ variable "master_ipv4_cidr_block" { default = "172.16.0.0/28" } -variable "enable_dataplane_v2" { - description = "Enable dataplane v2" - type = bool - default = true -} - variable "firewall_inbound_ports" { type = list(string) description = "List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied." diff --git a/terraform/root/netbox-infra/main.tf b/terraform/root/netbox-infra/main.tf index 89bc5d9..2b32c91 100644 --- a/terraform/root/netbox-infra/main.tf +++ b/terraform/root/netbox-infra/main.tf @@ -26,7 +26,7 @@ module "gke_autopilot" { module "postgresql-db" { source = "GoogleCloudPlatform/sql-db/google//modules/postgresql" - version = "15.0.0" + version = "18.1.0" name = "netbox-postgresql" random_instance_name = true database_version = "POSTGRES_13" From 75b9d758593e9b88b47bc819cd1b6135a41cbe8c Mon Sep 17 00:00:00 2001 
From: Kevin Scheunemann Date: Mon, 1 Jan 2024 16:45:18 -0500 Subject: [PATCH 3/4] update all services to the latest remove uneeded .terraform.lock.hcl files --- cert-manager/garden.yml | 2 +- ingress-nginx/garden.yml | 3 ++- netbox-secrets/.terraform.lock.hcl | 21 ------------------- terraform/modules/gke-autopilot/main.tf | 1 + .../netbox-infra/bucket/.terraform.lock.hcl | 21 ------------------- vouch-proxy/garden.yml | 2 +- 6 files changed, 5 insertions(+), 45 deletions(-) delete mode 100644 netbox-secrets/.terraform.lock.hcl delete mode 100644 terraform/root/netbox-infra/bucket/.terraform.lock.hcl diff --git a/cert-manager/garden.yml b/cert-manager/garden.yml index 06119f5..2d39acb 100644 --- a/cert-manager/garden.yml +++ b/cert-manager/garden.yml @@ -3,7 +3,7 @@ type: helm name: cert-manager repo: https://charts.jetstack.io chart: cert-manager -version: v1.11.1 +version: v1.13.3 namespace: cert-manager values: installCRDs: true diff --git a/ingress-nginx/garden.yml b/ingress-nginx/garden.yml index bb86acf..9231a44 100644 --- a/ingress-nginx/garden.yml +++ b/ingress-nginx/garden.yml @@ -3,12 +3,13 @@ type: helm name: ingress-nginx repo: https://kubernetes.github.io/ingress-nginx chart: ingress-nginx -version: 4.6.1 +version: 4.9.0 namespace: ingress-nginx dependencies: - netbox-app-infra values: controller: + allowSnippetAnnotations: true watchIngressWithoutClass: true service: loadBalancerIP: ${runtime.services.netbox-app-infra.outputs.external_ip} diff --git a/netbox-secrets/.terraform.lock.hcl b/netbox-secrets/.terraform.lock.hcl deleted file mode 100644 index 0a664cf..0000000 --- a/netbox-secrets/.terraform.lock.hcl +++ /dev/null 
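Review bot: `allowSnippetAnnotations: true` re-enables the controller's `*-snippet` annotations, which upstream ships disabled because anyone able to create or edit an Ingress in a namespace the controller watches (and `watchIngressWithoutClass: true` just below widens that) can inject raw nginx configuration into the shared controller process, which runs with the controller's own service account. If one Ingress needs a snippet, record which one and why in a comment next to the flag, e.g. `# required by <ingress/annotation>` (placeholder), and otherwise leave the upstream default; if the need comes from the vouch-proxy integration, check first whether the `auth-url`/`auth-signin` annotations cover it without a snippet. If it must stay on, restrict Ingress write access to the namespaces you control and keep the controller current so its annotation validation applies.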
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/random" { - version = "3.5.1" - hashes = [ - "h1:sZ7MTSD4FLekNN2wSNFGpM+5slfvpm5A/NLVZiB7CO0=", - "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", - "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", - "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", - "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", - "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", - "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", - "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", - "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", - "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", - "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", - ] -} diff --git a/terraform/modules/gke-autopilot/main.tf b/terraform/modules/gke-autopilot/main.tf index 29ed3dd..70311d6 100644 --- a/terraform/modules/gke-autopilot/main.tf +++ b/terraform/modules/gke-autopilot/main.tf @@ -34,6 +34,7 @@ module "gke" { enable_private_endpoint = false enable_private_nodes = true master_ipv4_cidr_block = var.master_ipv4_cidr_block + deletion_protection = false add_master_webhook_firewall_rules = true diff --git a/terraform/root/netbox-infra/bucket/.terraform.lock.hcl b/terraform/root/netbox-infra/bucket/.terraform.lock.hcl deleted file mode 100644 index 648feaa..0000000 --- a/terraform/root/netbox-infra/bucket/.terraform.lock.hcl +++ /dev/null 
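Review bot: `deletion_protection = false` turns off the guard that makes Terraform refuse to destroy the GKE cluster, so a plan that removes or replaces the cluster resource now applies without a second safeguard; the `allowDestroy: false` on the Garden terraform provider (project.garden.yml, L8) only covers Garden-driven destroys, not a direct `terraform` run against the same state. Unless disposable dev clusters are the only use, drive this from a variable that defaults to protection on and override it per environment. The `module "gke"` block starts before this hunk.
```hcl
  # main.tf — … unchanged: other module "gke" arguments …
  deletion_protection = var.deletion_protection

# variables.tf
variable "deletion_protection" {
  description = "Keep Terraform from destroying the cluster; set false only for disposable environments."
  type        = bool
  default     = true
}
```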
@@ -1,21 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/google" { - version = "4.34.0" - hashes = [ - "h1:GnCDMg913aBPMCTx0IaprY2S1mVGCJevEaMm7MXOnbg=", - "zh:1319b4e17e3242f36338ab4f422c09183dcae320272f611cfd06a225a2c8af8f", - "zh:29ca012946e89998af0924b64e482a904c29abba0c773930ff72b92d82bb740c", - "zh:3f87b2063a50c38482395e5dadd4bb4b451ac2f4b62387b07ef9e0fe54888e73", - "zh:55cef4dce0f563b853975b253861f46464ce25c1d5c52b930824d8cc65e3d882", - "zh:653cc915e79ccad55dfd78c98b0f9835996ce70d2415fc5ab8a3f0b5e2a3e2c9", - "zh:6be45154d6c190b4f37d7d5a464c900c1aee3d86806e2c3610f6c5e2e9e4230a", - "zh:895e5742fe4da10470c54441bec173fc1bb3f8e4123e1b12154175e12a0ad711", - "zh:a287505e82a55db481fc5da97c9d6a6bd2e8ba47e6688106ae299db68f3005d5", - "zh:d627b3b9c73e71bb109c5ce9b50dfe1f7a03e8ca08c9f5c7c68597dd588f1a07", - "zh:dcb0b653c479dcadc9d3403a784074d8f7e9a6f5bba633a11e4a1852ded2b3a8", - "zh:ef738a6ef05ef748074e05e516adb21a669c744808d47d0638bc01d85d26bcae", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/vouch-proxy/garden.yml b/vouch-proxy/garden.yml index 14a45f5..e8fec2a 100644 --- a/vouch-proxy/garden.yml +++ b/vouch-proxy/garden.yml @@ -15,7 +15,7 @@ dependencies: - netbox-secrets values: image: - tag: "0.36" + tag: "0.39" resources: requests: memory: "256Mi" From 181123e1a229bd9d968632de6ff5f081e35108e8 Mon Sep 17 00:00:00 2001 From: Kevin Scheunemann Date: Mon, 1 Jan 2024 17:17:46 -0500 Subject: [PATCH 4/4] update to netbox 3.7.0 add config to make it work --- netbox/garden.yml | 17 +++++++++++++++++ project.garden.yml | 2 +- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/netbox/garden.yml b/netbox/garden.yml index ac99304..aa08496 100644 --- a/netbox/garden.yml +++ b/netbox/garden.yml 
@@ -76,6 +76,23 @@ values: worker: autoscaling: enabled: true + extraContainers: + - name: cloud-sql-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.1 + env: + - name: CSQL_PROXY_INSTANCE_CONNECTION_NAME + valueFrom: + secretKeyRef: + name: cloudsql-instance + key: connection_name + args: + - "--structured-logs" + securityContext: + runAsNonRoot: true + resources: + requests: + memory: "256Mi" + cpu: "200m" extraContainers: - name: cloud-sql-proxy image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.1 diff --git a/project.garden.yml b/project.garden.yml index 0acdc1b..cf16f82 100644 --- a/project.garden.yml +++ b/project.garden.yml @@ -13,7 +13,7 @@ variables: okta_assignment_group_name: ${local.env.OKTA_ASSIGNMENT_GROUP_NAME || "Everyone" } disable_okta_auth: ${local.env.DISABLE_OKTA_AUTH || true } cert_registration_email: ${local.env.CERT_REG_EMAIL || "user@example.com"} - netbox_version: ${local.env.NETBOX_VERSION || "v3.5.1"} # renovate: depName=netbox-community/netbox + netbox_version: ${local.env.NETBOX_VERSION || "v3.7.0"} # renovate: depName=netbox-community/netbox environments: - name: dev defaultNamespace: user-${var.base_envname}
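Review bot: The inserted `extraContainers:` block is a third verbatim copy of the cloud-sql-proxy sidecar (the other two are the top-level one that follows it and the one under `housekeeping`), and with indentation flattened in this view it is not certain whether the new key sits under `worker:` or at the same level as the existing `extraContainers:` key directly after it; in the latter case YAML loaders silently keep only the last duplicate, so confirm the nesting against the rendered chart. To keep the three copies from drifting (image tag, env name, security context), define the sidecar once with `- &cloud_sql_proxy` on the first copy and reference it with `- *cloud_sql_proxy` under `worker.extraContainers` and `housekeeping.extraContainers`, or add a comment on each copy naming the others so a future bump touches all three. The enclosing `worker:` mapping starts before this hunk.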