add configurable autopilot feature

Author: eebi-sotec

terraform/environment-template/infrastructure/backend.tf

@@ -1,6 +1,6 @@
 terraform {
   backend "gcs" {
-    bucket = "<bucket_name>"    # Insert the name of the storage bucket
+    bucket = "<bucket_name>" # Insert the name of the storage bucket
     prefix = "terraform/infrastructure"
   }
 }

terraform/environment-template/infrastructure/locals.tf

@@ -1,7 +1,7 @@
 locals {
-  project_id          = "<project_id>"                                           # Insert your project id
-  region              = "europe-west1"                                           # Insert the region for your cluster
-  zone                = "europe-west1-b"                                         # Insert the zone for your cluster and SQL database
-  node_locations      = ["europe-west1-c", "europe-west1-b", "europe-west1-d"]   # Insert the node locations for your cluster
-  enable_cert_manager = false                                                    # Toggle to enable the creation of service account needed for the cert-manager
+  project_id          = "<project_id>"                                         # Insert your project id
+  region              = "europe-west1"                                         # Insert the region for your cluster
+  zone                = "europe-west1-b"                                       # Insert the zone for your cluster and SQL database
+  node_locations      = ["europe-west1-c", "europe-west1-b", "europe-west1-d"] # Insert the node locations for your cluster
+  enable_cert_manager = false                                                  # Toggle to enable the creation of service account needed for the cert-manager
 }

terraform/environment-template/software/backend.tf

@@ -1,6 +1,6 @@
 terraform {
   backend "gcs" {
-    bucket = "<bucket_name>"    # Insert the name of the storage bucket
+    bucket = "<bucket_name>" # Insert the name of the storage bucket
     prefix = "terraform/software"
   }
 }

terraform/environment-template/software/locals.tf

@@ -1,14 +1,14 @@
 locals {
-  bucket_name                   = "<bucket_name>"                             # Insert the name of the storage bucket
-  oauth_app_name                = "<oauth-app_name>"                          # Insert the name of your OAuth application
-  device_communication_dns_name = "<dns_name>"                                # Insert the name of your API DNS (e.g. api.hono.my-domain.com)
-  oauth_client_id               = "<oauth_client_id>"                         # Insert the client ID of your OAuth 2.0 client
-  oauth_client_secret           = "<oauth_client_secret>"                     # Insert the client secret of your OAuth 2.0 client
-  helm_package_repository       = "<helm-package-repository>"                 # Insert the link to your helm chart (e.g. oci://europe-west1-docker.pkg.dev/my-project/my-repository)
-  hono_chart_name               = "<chart-name>"                              # Insert the name of your helm chart (e.g. hono)
-  hono_chart_version            = "<chart-version>"                           # Insert the version of your helm chart (e.g. 2.5.0-1)
+  bucket_name                   = "<bucket_name>"             # Insert the name of the storage bucket
+  oauth_app_name                = "<oauth-app_name>"          # Insert the name of your OAuth application
+  device_communication_dns_name = "<dns_name>"                # Insert the name of your API DNS (e.g. api.hono.my-domain.com)
+  oauth_client_id               = "<oauth_client_id>"         # Insert the client ID of your OAuth 2.0 client
+  oauth_client_secret           = "<oauth_client_secret>"     # Insert the client secret of your OAuth 2.0 client
+  helm_package_repository       = "<helm-package-repository>" # Insert the link to your helm chart (e.g. oci://europe-west1-docker.pkg.dev/my-project/my-repository)
+  hono_chart_name               = "<chart-name>"              # Insert the name of your helm chart (e.g. hono)
+  hono_chart_version            = "<chart-version>"           # Insert the version of your helm chart (e.g. 2.5.0-1)
 
-  enable_cert_manager           = false                                       # Toggle the use of the cert-manager
+  enable_cert_manager = false # Toggle the use of the cert-manager
 
   # In case enable_cert_manager is set to false:
   #
@@ -21,6 +21,6 @@ locals {
   # note: this is only needed to create the secret or to change it. Otherwise the key and certificate can be omitted.
 
   # The following variable only have to be given values if enable_cert_manager is set to true!
-  cert_manager_email            = "<email>"                                   # Insert an E-Mail address to contact in case something goes wrong with the certificate renewal
-  wildcard_domain               = "<wildcard-domain>"                         # Insert your root domain with a wildcard character as a sub domain (e.g. *.my-domain.com)
+  cert_manager_email = "<email>"           # Insert an E-Mail address to contact in case something goes wrong with the certificate renewal
+  wildcard_domain    = "<wildcard-domain>" # Insert your root domain with a wildcard character as a sub domain (e.g. *.my-domain.com)
 }

terraform/environment-template/software/providers.tf

@@ -21,25 +21,25 @@ terraform {
 
 provider "helm" {
   kubernetes {
-    host                   = "https://${data.google_container_cluster.default.endpoint}"
-    token                  = data.google_client_config.default.access_token
+    host  = "https://${data.google_container_cluster.default.endpoint}"
+    token = data.google_client_config.default.access_token
     cluster_ca_certificate = base64decode(
       data.google_container_cluster.default.master_auth[0].cluster_ca_certificate,
     )
   }
 }
 
 provider "kubernetes" {
-  host                   = "https://${data.google_container_cluster.default.endpoint}"
-  token                  = data.google_client_config.default.access_token
+  host  = "https://${data.google_container_cluster.default.endpoint}"
+  token = data.google_client_config.default.access_token
   cluster_ca_certificate = base64decode(
     data.google_container_cluster.default.master_auth[0].cluster_ca_certificate,
   )
 }
 
 provider "kubectl" {
-  host                   = "https://${data.google_container_cluster.default.endpoint}"
-  token                  = data.google_client_config.default.access_token
+  host  = "https://${data.google_container_cluster.default.endpoint}"
+  token = data.google_client_config.default.access_token
   cluster_ca_certificate = base64decode(
     data.google_container_cluster.default.master_auth[0].cluster_ca_certificate,
   )

terraform/infrastructure/README.md

@@ -34,12 +34,14 @@ No requirements.
 | <a name="input_enable_cert_manager"></a> [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enables the service account needed for the use of cert manager | `bool` | `false` | no |
 | <a name="input_enable_http_ip_creation"></a> [enable\_http\_ip\_creation](#input\_enable\_http\_ip\_creation) | Used to enable the creation of a static ip for the http adapter | `string` | `false` | no |
 | <a name="input_enable_mqtt_ip_creation"></a> [enable\_mqtt\_ip\_creation](#input\_enable\_mqtt\_ip\_creation) | Used to enable the creation of a static ip for the mqtt adapter | `string` | `true` | no |
-| <a name="input_gke_cluster_maintenance_policy_recurring_window"></a> [gke\_cluster\_maintenance\_policy\_recurring\_window](#input\_gke\_cluster\_maintenance\_policy\_recurring\_window) | The recurring window maintenance policy for the cluster. For details see: https://registry.terraform.io/providers/hashicorp/google/5.15.0/docs/resources/container_cluster#nested_maintenance_policy | <pre>object({<br>    start_time = string,<br>    end_time   = string,<br>    recurrence = string<br>  })</pre> | `null` | no |
+| <a name="input_gke_autopilot_enabled"></a> [gke\_autopilot\_enabled](#input\_gke\_autopilot\_enabled) | If autopilot mode should be enabled for the GKE cluster. | `bool` | `false` | no |
+| <a name="input_gke_cluster_maintenance_policy_recurring_window"></a> [gke\_cluster\_maintenance\_policy\_recurring\_window](#input\_gke\_cluster\_maintenance\_policy\_recurring\_window) | The recurring window maintenance policy for the cluster. For details see: https://registry.terraform.io/providers/hashicorp/google/5.15.0/docs/resources/container_cluster#nested_maintenance_policy | <pre>object({<br/>    start_time = string,<br/>    end_time   = string,<br/>    recurrence = string<br/>  })</pre> | `null` | no |
 | <a name="input_gke_cluster_name"></a> [gke\_cluster\_name](#input\_gke\_cluster\_name) | Name of the GKE Cluster | `string` | `"hono-cluster"` | no |
 | <a name="input_gke_machine_type"></a> [gke\_machine\_type](#input\_gke\_machine\_type) | Machine Type for node\_pools | `string` | `"c2-standard-8"` | no |
 | <a name="input_gke_node_pool_name"></a> [gke\_node\_pool\_name](#input\_gke\_node\_pool\_name) | The name of the Node Pool in the Hono Cluster | `string` | `"standard-node-pool"` | no |
 | <a name="input_gke_release_channel"></a> [gke\_release\_channel](#input\_gke\_release\_channel) | Which Release Channel to use for the Cluster | `string` | `"STABLE"` | no |
 | <a name="input_grafana_expose_externally"></a> [grafana\_expose\_externally](#input\_grafana\_expose\_externally) | Whether or not Grafana should be exposed externally. | `bool` | `false` | no |
+| <a name="input_helm_release_name"></a> [helm\_release\_name](#input\_helm\_release\_name) | Name of the helm realease | `string` | `"eclipse-hono"` | no |
 | <a name="input_ip_cidr_range"></a> [ip\_cidr\_range](#input\_ip\_cidr\_range) | The range of internal addresses that are owned by this subnetwork. Provide this property when you create the subnetwork.Ranges must be unique and non-overlapping within a network. Only IPv4 is supported. | `string` | `"10.10.1.0/24"` | no |
 | <a name="input_node_locations"></a> [node\_locations](#input\_node\_locations) | List of Strings for the Node Locations | `list(string)` | n/a | yes |
 | <a name="input_node_pool_autoscaling_enabled"></a> [node\_pool\_autoscaling\_enabled](#input\_node\_pool\_autoscaling\_enabled) | If node autoscaling should be enabled | `string` | `false` | no |
@@ -71,7 +73,7 @@ No requirements.
 | <a name="input_sql_instance_disk_type"></a> [sql\_instance\_disk\_type](#input\_sql\_instance\_disk\_type) | Disk Type of the SQL Instance | `string` | `"PD-SSD"` | no |
 | <a name="input_sql_instance_ipv4_enable"></a> [sql\_instance\_ipv4\_enable](#input\_sql\_instance\_ipv4\_enable) | Whether this Cloud SQL instance should be assigned a public IPV4 address. At least ipv4\_enabled must be enabled or a private\_network must be configured. | `bool` | `false` | no |
 | <a name="input_sql_instance_machine_type"></a> [sql\_instance\_machine\_type](#input\_sql\_instance\_machine\_type) | Machine Type of the SQL Instance | `string` | `"db-custom-1-3840"` | no |
-| <a name="input_sql_instance_maintenance_window"></a> [sql\_instance\_maintenance\_window](#input\_sql\_instance\_maintenance\_window) | The maintenance window settings for the cloud sql instance. For details see: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance | <pre>object({<br>    day          = number,<br>    hour         = number,<br>    update_track = optional(string, "stable")<br>  })</pre> | `null` | no |
+| <a name="input_sql_instance_maintenance_window"></a> [sql\_instance\_maintenance\_window](#input\_sql\_instance\_maintenance\_window) | The maintenance window settings for the cloud sql instance. For details see: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance | <pre>object({<br/>    day          = number,<br/>    hour         = number,<br/>    update_track = optional(string, "stable")<br/>  })</pre> | `null` | no |
 | <a name="input_sql_instance_name"></a> [sql\_instance\_name](#input\_sql\_instance\_name) | Name of the SQL Instance | `string` | `"hono-sql"` | no |
 | <a name="input_sql_instance_version"></a> [sql\_instance\_version](#input\_sql\_instance\_version) | Database Version | `string` | `"POSTGRES_14"` | no |
 | <a name="input_ssl_policy_min_tls_version"></a> [ssl\_policy\_min\_tls\_version](#input\_ssl\_policy\_min\_tls\_version) | The minimum TLS version the SSL policy should allow | `string` | `"TLS_1_2"` | no |

terraform/infrastructure/main.tf

@@ -79,6 +79,7 @@ module "gke" {
   region                                          = var.region
   network_name                                    = module.networking.network_name
   subnetwork_name                                 = module.networking.subnetwork_name
+  gke_autopilot_enabled                           = var.gke_autopilot_enabled
   gke_release_channel                             = var.gke_release_channel
   ip_ranges_services                              = module.networking.ip_ranges_services_name
   ip_ranges_pods                                  = module.networking.ip_ranges_pods_name
@@ -98,6 +99,7 @@ module "gke" {
   node_pool_batch_node_count                      = var.node_pool_batch_node_count
   node_pool_batch_soak_duration                   = var.node_pool_batch_soak_duration
   node_pool_soak_duration                         = var.node_pool_soak_duration
+  helm_release_name                               = var.helm_release_name
 
   depends_on = [
     google_project_service.project

terraform/infrastructure/outputs.tf

@@ -47,6 +47,7 @@ output "gke_cluster_name_endpoint" {
 output "gke_cluster_ca_certificate" {
   value       = module.gke.gke_cluster_ca_certificate
   description = "CA-Certificate for the cluster."
+  sensitive   = true
 }
 
 output "service_name_communication" {

terraform/infrastructure/variables.tf

@@ -137,6 +137,12 @@ variable "service_account_roles_gke_sa" {
   default     = []
 }
 
+variable "gke_autopilot_enabled" {
+  type        = bool
+  description = "If autopilot mode should be enabled for the GKE cluster."
+  default     = false
+}
+
 variable "gke_release_channel" {
   type        = string
   description = "Which Release Channel to use for the Cluster"
@@ -296,3 +302,9 @@ variable "grafana_expose_externally" {
   description = "Whether or not Grafana should be exposed externally."
   default     = false
 }
+
+variable "helm_release_name" {
+  type        = string
+  description = "Name of the helm realease"
+  default     = "eclipse-hono"
+}

terraform/modules/cert_manager/main.tf

@@ -19,6 +19,10 @@ resource "helm_release" "cert-manager" {
     name  = "installCRDs"
     value = "true"
   }
+  set {
+    name  = "global.leaderElection.namespace"
+    value = var.cert_manager_namespace
+  }
 }
 
 resource "kubernetes_secret" "cert_manager_sa_key_secret" {
@@ -35,21 +39,22 @@ resource "kubectl_manifest" "issuer_letsencrypt_prod" {
   yaml_body = yamlencode({
     "apiVersion" = "cert-manager.io/v1"
     "kind"       = var.cert_manager_issuer_kind
-    "metadata"   = {
+    "metadata" = {
       "name" = var.cert_manager_issuer_name
     }
     "spec" = {
       "acme" = {
-        "email"               = var.cert_manager_email
+        "email" = var.cert_manager_email
         "privateKeySecretRef" = {
           "name" = var.cert_manager_issuer_name
         }
-        "server"  = "https://acme-v02.api.letsencrypt.org/directory"
+        #  "server"  = "https://acme-staging-v02.api.letsencrypt.org/directory" # use this for testing
+        "server" = "https://acme-v02.api.letsencrypt.org/directory"
         "solvers" = [
           {
             "dns01" = {
               "cloudDNS" = {
-                "project"                 = var.cert_manager_issuer_project_id
+                "project" = var.cert_manager_issuer_project_id
                 "serviceAccountSecretRef" = {
                   "name" = var.cert_manager_sa_account_id
                   "key"  = "key.json"
@@ -68,15 +73,15 @@ resource "kubectl_manifest" "certificate" {
   yaml_body = yamlencode({
     "apiVersion" = "cert-manager.io/v1"
     "kind"       = "Certificate"
-    "metadata"   = {
+    "metadata" = {
       "name"      = var.hono_domain_managed_secret_name
       "namespace" = var.hono_namespace
     }
     "spec" = {
       "secretName"  = var.hono_domain_managed_secret_name
       "duration"    = var.cert_manager_cert_duration
       "renewBefore" = var.cert_manager_cert_renew_before
-      "issuerRef"   = {
+      "issuerRef" = {
         "name" = var.cert_manager_issuer_name
         "kind" = var.cert_manager_issuer_kind
       }
@@ -102,7 +107,7 @@ resource "kubectl_manifest" "trust-bundle" {
   yaml_body = yamlencode({
     "apiVersion" = "trust.cert-manager.io/v1alpha1"
     "kind"       = "Bundle"
-    "metadata"   = {
+    "metadata" = {
       "name" = var.hono_trust_store_config_map_name
     }
     "spec" = {

terraform/modules/cloud_sql/main.tf

@@ -47,14 +47,17 @@ resource "google_sql_user" "hono-sql-user" {
   name     = var.sql_db_user_name
   instance = google_sql_database_instance.hono_sql.id
   password = random_password.password.result
+  project  = var.project_id
 }
 
 resource "google_sql_database" "hono_sql_db" {
   name     = var.sql_hono_database_name
   instance = google_sql_database_instance.hono_sql.id
+  project  = var.project_id
 }
 
 resource "google_sql_database" "grafana_sql_db" {
   name     = var.sql_grafana_database_name
   instance = google_sql_database_instance.hono_sql.id
+  project  = var.project_id
 }

terraform/modules/gke/README.md

@@ -16,19 +16,22 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [google_container_cluster.hono_autopilot_cluster](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) | resource |
 | [google_container_cluster.hono_cluster](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) | resource |
 | [google_container_node_pool.standard_node_pool](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_gke_cluster_maintenance_policy_recurring_window"></a> [gke\_cluster\_maintenance\_policy\_recurring\_window](#input\_gke\_cluster\_maintenance\_policy\_recurring\_window) | The recurring window maintenance policy for the cluster. For details see: https://registry.terraform.io/providers/hashicorp/google/5.15.0/docs/resources/container_cluster#nested_maintenance_policy | <pre>object({<br>    start_time = string,<br>    end_time = string,<br>    recurrence = string<br>  })</pre> | n/a | yes |
+| <a name="input_gke_autopilot_enabled"></a> [gke\_autopilot\_enabled](#input\_gke\_autopilot\_enabled) | If autopilot mode should be enabled for the GKE cluster. | `bool` | n/a | yes |
+| <a name="input_gke_cluster_maintenance_policy_recurring_window"></a> [gke\_cluster\_maintenance\_policy\_recurring\_window](#input\_gke\_cluster\_maintenance\_policy\_recurring\_window) | The recurring window maintenance policy for the cluster. For details see: https://registry.terraform.io/providers/hashicorp/google/5.15.0/docs/resources/container_cluster#nested_maintenance_policy | <pre>object({<br/>    start_time = string,<br/>    end_time   = string,<br/>    recurrence = string<br/>  })</pre> | n/a | yes |
 | <a name="input_gke_cluster_name"></a> [gke\_cluster\_name](#input\_gke\_cluster\_name) | Name of the GKE Cluster | `string` | n/a | yes |
 | <a name="input_gke_machine_type"></a> [gke\_machine\_type](#input\_gke\_machine\_type) | Machine Type for node\_pools | `string` | n/a | yes |
 | <a name="input_gke_node_pool_name"></a> [gke\_node\_pool\_name](#input\_gke\_node\_pool\_name) | The name of the Node Pool in the Hono Cluster | `string` | n/a | yes |
 | <a name="input_gke_release_channel"></a> [gke\_release\_channel](#input\_gke\_release\_channel) | Which Release Channel to use for the Cluster | `string` | n/a | yes |
 | <a name="input_gke_service_account_email"></a> [gke\_service\_account\_email](#input\_gke\_service\_account\_email) | Email of the GKE Service Account | `string` | n/a | yes |
+| <a name="input_helm_release_name"></a> [helm\_release\_name](#input\_helm\_release\_name) | Name of the helm realease | `string` | n/a | yes |
 | <a name="input_ip_ranges_pods"></a> [ip\_ranges\_pods](#input\_ip\_ranges\_pods) | Secondary IP Ranges in Subnetwork for Pods | `string` | n/a | yes |
 | <a name="input_ip_ranges_services"></a> [ip\_ranges\_services](#input\_ip\_ranges\_services) | Secondary IP Ranges in Subnetwork for Services | `string` | n/a | yes |
 | <a name="input_network_name"></a> [network\_name](#input\_network\_name) | name of the network | `string` | n/a | yes |