NOTE: While the required minimum Terraform version is 0.12.0, automated CI tests are performed with 0.13 only. The only expected compatibility issues to be aware of are around provider requirements. For more information see here
This repo contains a Terraform module for provisioning a Kubernetes cluster for Jenkins X on Google Cloud.
- What is a Terraform module
- How do you use this module
- FAQ
- Development
- How do I contribute
A Terraform "module" refers to a self-contained package of Terraform configurations that are managed as a group. For more information around modules refer to the Terraform documentation.
To make use of this module, you need a Google Cloud project. Instructions on how to setup such a project can be found in the Google Cloud Installation and Setup guide. You need your Google Cloud project id as an input variable for using this module.
You also need to install the Cloud SDK, in particular gcloud
.
You find instructions on how to install and authenticate in the Google Cloud Installation and Setup guide as well.
Once you have gcloud
installed, you need to create Application Default Credentials by running:
gcloud auth application-default login
Alternatively, you can export the environment variable GOOGLE_APPLICATION_CREDENTIALS referencing the path to a Google Cloud service account key file.
Last but not least, ensure you have the following binaries installed:
gcloud
kubectl
~> 1.14.0kubectl
comes bundled with the Cloud SDK
terraform
~> 0.12.0- Terraform installation instruction can be found here
A default Jenkins X ready cluster can be provisioned by creating a file main.tf in an empty directory with the following content:
module "jx" {
source = "jenkins-x/jx/google"
gcp_project = "<my-gcp-project-id>"
}
output "jx_requirements" {
value = module.jx.jx_requirements
}
You can then apply this Terraform configuration via:
terraform init
terraform apply
This creates a cluster within the specified Google Cloud project with all possible configuration options defaulted.
On completion of terraform apply
a jx_requirements output is available which can be used as input to jx boot
.
Refer to Running jx boot
for more information.
In the default configuration, no custom domain is used. DNS resolution occurs via nip.io. For more information on how to configure and use a custom domain, refer to Using a custom domain.
If you just want to experiment with Jenkins X, you can set force_destroy
to true
.
This allows you to remove all generated resources when running terraform destroy
, including any generated buckets including their content.
If you want to remove a cluster with the terraform destroy
command and the cluster is protected by the deletion_protection=true
attribute, you can override the attribute by setting the delete_protect
variable to false
. It is recommended to override this value and the time of cluster deletion and you should successfully apply the attribute value change before attempting the terraform destroy
command.
The following two paragraphs provide the full list of configuration and output variables of this Terraform module.
Name | Description | Type | Default | Required |
---|---|---|---|---|
apex_domain | The parent / apex domain to be used for the cluster | string |
"" |
no |
apex_domain_gcp_project | The GCP project the apex domain is managed by, used to write recordsets for a subdomain if set. Defaults to current project. | string |
"" |
no |
apex_domain_integration_enabled | Flag that when set attempts to create delegation records in apex domain to point to domain created by this module | bool |
true |
no |
artifact_description | artifact registry repository Description | string |
"jenkins-x Docker Repository" |
no |
artifact_enable | Create artifact registry repository | bool |
true |
no |
artifact_location | artifact registry repository Location | string |
"us-central1" |
no |
artifact_repository_id | artifact registry repository Name | string |
"oci" |
no |
autoscaler_location_policy | location policy for primary node pool | string |
"ANY" |
no |
autoscaler_max_node_count | primary node pool max nodes | number |
5 |
no |
autoscaler_min_node_count | primary node pool min nodes | number |
3 |
no |
bucket_location | Bucket location for storage | string |
"US" |
no |
cluster_location | The location (region or zone) in which the cluster master will be created. If you specify a zone (such as us-central1-a), the cluster will be a zonal cluster with a single cluster master. If you specify a region (such as us-west1), the cluster will be a regional cluster with multiple masters spread across zones in the region | string |
"us-central1-a" |
no |
cluster_name | Name of the Kubernetes cluster to create | string |
"" |
no |
cluster_network | The name of the network (VPC) to which the cluster is connected | string |
"default" |
no |
cluster_subnetwork | The name of the subnetwork to which the cluster is connected. Leave blank when using the 'default' vpc to generate a subnet for your cluster | string |
"" |
no |
create_ui_sa | Whether the service accounts for the UI should be created | bool |
true |
no |
delete_protect | Flag used to set the deletion_protection attribute to prevent cluster deletion |
bool |
true |
no |
dev_env_approvers | List of git users allowed to approve pull request for dev enviornment repository | list(string) |
[] |
no |
enable_backup | Whether or not Velero backups should be enabled | bool |
false |
no |
enable_primary_node_pool | create a node pool for primary nodes if disabled you must create your own pool | bool |
true |
no |
enable_private_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint. Requires VPC-native | bool |
false |
no |
enable_private_nodes | (Beta) Whether nodes have internal IP addresses only. Requires VPC-native | bool |
false |
no |
force_destroy | Flag to determine whether storage buckets get forcefully destroyed | bool |
false |
no |
gcp_project | The name of the GCP project to use | string |
n/a | yes |
git_owner_requirement_repos | The git id of the owner for the requirement repositories | string |
"" |
no |
gsm | Enables Google Secrets Manager, not available with JX2 | bool |
false |
no |
initial_cluster_node_count | Initial number of cluster nodes | number |
3 |
no |
initial_primary_node_pool_node_count | Initial primary node pool nodes | number |
3 |
no |
ip_range_pods | The IP range in CIDR notation to use for pods. Set to /netmask (e.g. /18) to have a range chosen with a specific netmask. Enables VPC-native | string |
"" |
no |
ip_range_services | The IP range in CIDR notation use for services. Set to /netmask (e.g. /21) to have a range chosen with a specific netmask. Enables VPC-native | string |
"" |
no |
jenkins_x_namespace | Kubernetes namespace to install Jenkins X in | string |
"jx" |
no |
jx2 | Is a Jenkins X 2 install | bool |
true |
no |
jx_bot_token | Bot token used to interact with the Jenkins X cluster git repository | string |
"" |
no |
jx_bot_username | Bot username used to interact with the Jenkins X cluster git repository | string |
"" |
no |
jx_git_operator_version | The jx-git-operator helm chart version | string |
"0.0.192" |
no |
jx_git_url | URL for the Jenins X cluster git repository | string |
"" |
no |
kuberhealthy | Enables Kuberhealthy helm installation | bool |
true |
no |
lets_encrypt_production | Flag to determine wether or not to use the Let's Encrypt production server. | bool |
true |
no |
master_authorized_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically allowlists). | list(object({ cidr_block = string, display_name = string })) |
[] |
no |
master_ipv4_cidr_block | The IP range in CIDR notation to use for the hosted master network. This range must not overlap with any other ranges in use within the cluster's network, and it must be a /28 subnet | string |
"10.0.0.0/28" |
no |
max_pods_per_node | Max gke nodes = 2^($CIDR_RANGE_PER_NODE-$POD_NETWORK_CIDR) (see gke docs) | number |
64 |
no |
node_disk_size | Node disk size in GB | string |
"100" |
no |
node_disk_type | Node disk type, either pd-standard or pd-ssd | string |
"pd-standard" |
no |
node_machine_type | Node type for the Kubernetes cluster | string |
"n1-standard-2" |
no |
node_preemptible | Use preemptible nodes | bool |
false |
no |
node_spot | Use spot nodes | bool |
false |
no |
parent_domain | Deprecated Please use apex_domain variable instead.r | string |
"" |
no |
parent_domain_gcp_project | Deprecated Please use apex_domain_gcp_project variable instead. | string |
"" |
no |
release_channel | The GKE release channel to subscribe to. See https://cloud.google.com/kubernetes-engine/docs/concepts/release-channels | string |
"REGULAR" |
no |
resource_labels | Set of labels to be applied to the cluster | map(any) |
{} |
no |
subdomain | Optional sub domain for the installation | string |
"" |
no |
tls_email | Email used by Let's Encrypt. Required for TLS when apex_domain is specified | string |
"" |
no |
vault_url | URL to an external Vault instance in case Jenkins X shall not create its own system Vault | string |
"" |
no |
velero_namespace | Kubernetes namespace for Velero | string |
"velero" |
no |
velero_schedule | The Velero backup schedule in cron notation to be set in the Velero Schedule CRD (see default-backup.yaml) | string |
"0 * * * *" |
no |
velero_ttl | The the lifetime of a velero backup to be set in the Velero Schedule CRD (see default-backup.yaml) | string |
"720h0m0s" |
no |
version_stream_ref | The git ref for version stream to use when booting Jenkins X. See https://jenkins-x.io/docs/concepts/version-stream/ | string |
"master" |
no |
version_stream_url | The URL for the version stream to use when booting Jenkins X. See https://jenkins-x.io/docs/concepts/version-stream/ | string |
"https://github.com/jenkins-x/jenkins-x-versions.git" |
no |
webhook | Jenkins X webhook handler for git provider | string |
"lighthouse" |
no |
zone | Zone in which to create the cluster (deprecated, use cluster_location instead) | string |
"" |
no |
Name | Description |
---|---|
backup_bucket_url | The URL to the bucket for backup storage |
cluster_location | The location of the created Kubernetes cluster |
cluster_name | The name of the created Kubernetes cluster |
connect | The cluster connection string to use once Terraform apply finishes |
externaldns_dns_name | ExternalDNS name |
externaldns_ns | ExternalDNS nameservers |
gcp_project | The GCP project in which the resources got created |
jx_requirements | The jx-requirements rendered output |
log_storage_url | The URL to the bucket for log storage |
report_storage_url | The URL to the bucket for report storage |
repository_storage_url | The URL to the bucket for artifact storage |
tekton_sa_email | The Tekton service account email address, useful to provide further IAM bindings |
tekton_sa_name | The Tekton service account name, useful to provide further IAM bindings |
vault_bucket_url | The URL to the bucket for secret storage |
In a multi cluster setup, you should leave the value of artifact_enable
as true
only in a
development cluster and set artifact_enable = false
for other clusters. A development cluster is
one where application build pipelines are executed. If you have multiple development clusters you
can set artifact_repository_id
to different values for them. Alternatively you can have
artifact_enable = true
in one and manually copy the values of cluster.registry
and
cluster.dockerRegistryOrg
from jx-requirements.yml
from that cluster repository to the other
cdevelopment cluster repositories.
If you leave artifact_enable
as true
for multiple clusters and don't override
artifact_repository_id
terraform will fail since it can't create an already existing repository.
Google has deprecated gcr.io
and now recommends the use of Artifact Registry. The default of this module is now to create and use a repository in Artifact Registry for container images.
Google GKE clusters automatically have permissions to download from the Artifact Registry. For multi cluster setups across different projects, additional permission configurations may be necessary.
The jx-requirements.yml
will be automatically updated by the Jenkins X boot job when triggered by a push to the main branch of the cluster repository.
Here are two strategies for transitioning container images from gcr.io
to the Artifact Registry:
- Continue developing applications as usual. New images, upon their release, will be pushed to the Artifact Registry.
- Important: Ensure that all builds are triggered and applications are promoted before Google completely shuts down the Container Registry. This step is critical to avoid disruptions in service.
To identify which images from you container registry are currently used in your cluster, you can use the following command line (replace
project_id
with your actual GCP project id):
kubectl get pods --all-namespaces -o jsonpath="{range .items[*].spec['initContainers', 'containers'][*]}{.image}{'\n'}{end}" | fgrep gcr.io/project_id | sort -u
If you have a large number of applications running that are unlikely to be released in the coming
year, migration of images to artifact registry while retaining the image names (in the domain
gcr.io
) could be considered. This means that existing helm charts will continue to work.
This process is not supported by this terraform module, instead you need to follow the steps outlined in the guide Set up repositories with gcr.io domain support. These steps include create the a repository in Artifact Registry, migrate images to it from container registry and enable redirection of gcr.io traffic.
If you keep the default settings for this module it will create another artifact repository that
will be used for new images. If you want to use gcr.io
artifact repository for new images you
should set artifact_enable = false
.
If you want to use a custom domain with your Jenkins X installation, you need to provide values for the variables apex_domain and tls_email. apex_domain is the fully qualified domain name you want to use and tls_email is the email address you want to use for issuing Let's Encrypt TLS certificates.
Before you apply the Terraform configuration, you also need to create a Cloud DNS managed zone, with the DNS name in the managed zone matching your custom domain name, for example in the case of example.jenkins-x.rocks as domain:
When creating the managed zone, a set of DNS servers get created which you need to specify in the DNS settings of your DNS registrar.
It is essential that before you run jx boot
, your DNS servers settings are propagated, and your domain resolves.
You can use DNS checker to check whether your domain settings have propagated.
When a custom domain is provided, Jenkins X uses ExternalDNS together with cert-manager to create A record entries in your managed zone for the various exposed applications.
If apex_domain id not set, your cluster will use nip.io in order to create publicly resolvable URLs of the form http://<app-name>-<environment-name>.<cluster-ip>.nip.io.
The configuration as seen in Cluster provisioning is not suited for creating and maintaining a production Jenkins X cluster. The following is a list of considerations for a production usecase.
-
Specify the version attribute of the module, for example:
module "jx" { source = "jenkins-x/jx/google" version = "1.2.4" # insert your configuration } output "jx_requirements" { value = module.jx.jx_requirements }
Specifying the version ensures that you are using a fixed version and that version upgrades cannot occur unintented.
-
Keep the Terraform configuration under version control, by creating a dedicated repository for your cluster configuration or by adding it to an already existing infrastructure repository.
-
Setup a Terraform backend to securely store and share the state of your cluster. For more information refer to Configuring a Terraform backend.
A "backend" in Terraform determines how state is loaded and how an operation such as apply is executed. By default, Terraform uses the local backend which keeps the state of the created resources on the local file system. This is problematic since sensitive information will be stored on disk and it is not possible to share state across a team. When working with Google Cloud a good choice for your Terraform backend is the gcs backend which stores the Terraform state in a Google Cloud Storage bucket. The examples directory of this repository contains configuration examples for using the gcs backed with and without optionally configured customer supplied encryption key.
To use the gcs backend you will need to create the bucket upfront.
You can use gsutil
to create the bucket:
gsutil mb gs://<my-bucket-name>/
It is also recommended to enable versioning on the bucket as an additional safety net in case of state corruption.
gsutil versioning set on gs://<my-bucket-name>
You can verify whether a bucket has versioning enabled via:
gsutil versioning get gs://<my-bucket-name>
terraform init -upgrade
provider "google" {
version = "~> 2.12.0"
project = var.gcp_project
}
provider "google-beta" {
version = "~> 2.12.0"
project = var.gcp_project
}
The recommended way to authenticate to the Google Cloud API is by using a service account.
This allows for authentication regardless of where your code runs.
This Terraform module expects authentication via a service account key.
You can either specify the path to this key directly using the GOOGLE_APPLICATION_CREDENTIALS environment variable or you can run gcloud auth application-default login
.
In the latter case gcloud
obtains user access credentials via a web flow and puts them in the well-known location for Application Default Credentials (ADC), usually ~/.config/gcloud/application_default_credentials.json.
At the moment there is no release pipeline defined in jenkins-x.yml.
A Terraform release does not require building an artifact, only a tag needs to be created and pushed.
To make this task easier and there is a helper script release.sh
which simplifies this process and creates the changelog as well:
./scripts/release.sh
This can be executed on demand whenever a release is required. For the script to work the envrionment variable $GH_TOKEN must be exported and reference a valid GitHub API token.
Contributions are very welcome! Check out the Contribution Guidelines for instructions.