[community-tc] please add an AWS worker provider & rename Google provider
Categories: Cloud Services :: Operations: Taskcluster, task
Tracking: Not tracked
People: Reporter: dustin, Assigned: edunham
We currently have a provider named community-tc-workers which uses GCP. Let's rename that to community-tc-workers-google (I know, I know, breaking the "best practice" I mentioned this morning of keeping gcp project name and providerId the same..). This would ordinarily be a breaking change but since nothing's running in this deployment yet, it won't hurt.

Please also add a community-tc-workers-aws provider, configured according to https://docs.taskcluster.net/docs/manual/deploying/workers#aws and using the AWS account associated with the community-tc deployment.
Updated • 5 years ago
I've renamed community-tc-workers to community-tc-workers-google. Worker-manager's config now has the following structure:

    worker_manager:
      providers:
        community-tc-workers-google:
          creds: '{"type": "service_account", "project_id": "community-tc-workers", "private_key_id": "abc123", "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", "client_email": "taskcluster-worker-manager@community-tc-workers.iam.gserviceaccount.com", "client_id": "123", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/taskcluster-worker-manager%40community-tc-workers.iam.gserviceaccount.com"}'
          project: community-tc-workers
          providerType: google
          workerServiceAccountId: "123"

Sorting out that aws account's info next.
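A consistency check for entries of that shape, added here as an example and not part of the bug or of Taskcluster's own code: it parses the `creds` service-account JSON and confirms that it belongs to the GCP `project` named beside it (wrong-project key material is the mistake most easily made when several providers share one config), that the private key is a single PEM block, and that `workerServiceAccountId` is a quoted string. It also reports, as a warning only, when the providerId differs from the project name, the convention the description says this rename deliberately breaks. The sample provider dict, key material and ids below are constructed placeholders with the same keys as the config above; the validator takes the already-loaded mapping, so it does not depend on a YAML library.

```python
import json
import re

# Constructed example of a worker-manager `providers:` entry with the same keys as the
# community-tc-workers-google entry in the comment above. The key material and ids are
# placeholders, not real credentials.
SAMPLE_CREDS = {
    "type": "service_account",
    "project_id": "community-tc-workers",
    "private_key_id": "abc123",
    "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
    "client_email": "taskcluster-worker-manager@community-tc-workers.iam.gserviceaccount.com",
    "client_id": "123",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
}

SAMPLE_PROVIDERS = {
    "community-tc-workers-google": {
        "creds": json.dumps(SAMPLE_CREDS),
        "project": "community-tc-workers",
        "providerType": "google",
        "workerServiceAccountId": "123",
    },
}

# A service-account key blob should carry exactly one PEM PRIVATE KEY block.
PEM_RE = re.compile(r"\A-----BEGIN PRIVATE KEY-----\n.+\n-----END PRIVATE KEY-----\n?\Z", re.S)
REQUIRED_KEYS = ("creds", "project", "providerType", "workerServiceAccountId")


def check_google_provider(provider_id, cfg):
    """Return (errors, warnings) for one google-type provider entry.

    errors: inconsistencies that would make the provider unusable or point it at the
    wrong GCP project; warnings: the providerId/project naming convention only.
    """
    errors, warnings = [], []
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        return [f"missing keys: {', '.join(missing)}"], warnings
    if cfg["providerType"] != "google":
        return [f"providerType is {cfg['providerType']!r}, expected 'google'"], warnings

    try:
        creds = json.loads(cfg["creds"])
    except json.JSONDecodeError as exc:
        return [f"creds is not valid JSON: {exc.msg}"], warnings

    project = cfg["project"]
    if creds.get("type") != "service_account":
        errors.append(f"creds type is {creds.get('type')!r}, expected 'service_account'")
    if creds.get("project_id") != project:
        errors.append(f"creds project_id {creds.get('project_id')!r} does not match project {project!r}")
    email = creds.get("client_email", "")
    if not email.endswith(f"@{project}.iam.gserviceaccount.com"):
        errors.append(f"client_email {email!r} is not a service account of project {project!r}")
    if not PEM_RE.match(creds.get("private_key", "")):
        errors.append("private_key is not a single PEM PRIVATE KEY block")
    # YAML turns an unquoted 123 into an int; the config above quotes it, so require a string.
    if not isinstance(cfg["workerServiceAccountId"], str):
        errors.append("workerServiceAccountId must be a quoted string")
    # The description mentions the convention of keeping providerId and GCP project name the
    # same and deliberately breaks it, so a mismatch is reported as a warning, not an error.
    if provider_id != project:
        warnings.append(f"providerId {provider_id!r} differs from project {project!r}")
    return errors, warnings


def check_providers(providers):
    """Run the check over a whole `providers:` mapping; non-google providers are skipped."""
    return {pid: check_google_provider(pid, cfg)
            for pid, cfg in providers.items() if cfg.get("providerType") == "google"}


if __name__ == "__main__":
    for pid, (errors, warnings) in check_providers(SAMPLE_PROVIDERS).items():
        for msg in errors:
            print(f"ERROR {pid}: {msg}")
        for msg in warnings:
            print(f"WARN  {pid}: {msg}")
```

On the sample entry the check reports no errors and one warning (providerId differs from project). Swapping `project` for another name produces two errors, one for `project_id` and one for `client_email`, which is exactly the case of a key pasted from the wrong project.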
Comment 2 • 5 years ago
Perfect, thanks.
Comment 3 • 5 years ago
There's a meeting today to sort out AWS for community.
To summarize from the meeting: Dustin will get the root credentials for the worker account from Chris, then provision stuff within those accounts and provide me with the creds that go into cloudops configs. So the next step here is for Chris to create the worker account and provide credentials to Dustin.
Sent these to Dustin today
Comment 6 • 5 years ago
I've given everyone access, and I'm just setting up the VPCs and whatnot now. Once that's done I'll hand some credentials off to edunham.
Comment 7 • 5 years ago
    #!/bin/bash
    # Idempotently set up one VPC per region, one /20 subnet per availability zone
    # and the two worker security groups; everything is tagged Name=community-workers
    # so a re-run finds and reuses what already exists.
    set -eu

    for region in us-{west,east}-{1,2}; do
      echo "region $region:"
      vpcId=$(aws ec2 describe-vpcs --region "$region" --filters Name=tag:Name,Values=community-workers | jq -r '.Vpcs[0].VpcId')
      if [ "$vpcId" = "null" ]; then
        vpcId=$(aws ec2 create-vpc --region "$region" --cidr-block 10.0.0.0/16 | jq -r '.Vpc.VpcId')
        aws ec2 create-tags --region "$region" --resources "$vpcId" --tags Key=Name,Value=community-workers
      fi
      echo "  vpcId: $vpcId"
      echo "  subnets by AZ:"
      # each AZ gets a /20 carved out of the VPC's /16: 10.0.0.0/20, 10.0.16.0/20, ...
      cidr=0
      for az in $(aws ec2 describe-availability-zones --region "$region" | jq -r '.AvailabilityZones[] | .ZoneName'); do
        subnetId=$(aws ec2 describe-subnets --region "$region" --filters "[{\"Name\": \"vpc-id\", \"Values\": [\"${vpcId}\"]}, {\"Name\": \"availability-zone\", \"Values\": [\"${az}\"]}]" | jq -r '.Subnets[0].SubnetId')
        if [ "$subnetId" = "null" ]; then
          subnetId=$(aws ec2 create-subnet --region "$region" --vpc-id "$vpcId" --availability-zone "$az" --cidr-block "10.0.$cidr.0/20" | jq -r '.Subnet.SubnetId')
          aws ec2 create-tags --region "$region" --resources "$subnetId" --tags Key=Name,Value=community-workers
        fi
        echo "    $az: $subnetId"
        cidr=$((cidr + 16))
      done
      echo "  security groups:"
      for name in no-inbound docker-worker; do
        groupId=$(aws ec2 describe-security-groups --region "$region" --filters "[{\"Name\": \"vpc-id\", \"Values\": [\"${vpcId}\"]}, {\"Name\": \"group-name\", \"Values\": [\"${name}\"]}]" | jq -r '.SecurityGroups[0].GroupId')
        if [ "$groupId" = "null" ]; then
          groupId=$(aws ec2 create-security-group --region "$region" --description "$name" --group-name "$name" --vpc-id "$vpcId" | jq -r '.GroupId')
          aws ec2 create-tags --region "$region" --resources "$groupId" --tags Key=Name,Value=community-workers
          case $name in
            no-inbound)
              # security groups do not allow inbound traffic by default, so nothing to do..
              ;;
            docker-worker)
              # docker-worker allows incoming non-priv ports for livelog
              aws ec2 authorize-security-group-ingress --region "$region" --group-id "$groupId" --protocol tcp --port 32768-65535 --cidr 0.0.0.0/0
              ;;
          esac
        fi
        echo "    $name: $groupId"
      done
    done
    region us-west-1:
      vpcId: vpc-0b4380783427d329a
      subnets by AZ:
        us-west-1a: subnet-0e43a99e9c865689e
        us-west-1b: subnet-0a5344f7003aede7c
      security groups:
        no-inbound: sg-00c4014bc978171d5
        docker-worker: sg-0d2ff88f36a05b499
    region us-west-2:
      vpcId: vpc-0d9ea382d97dd57a3
      subnets by AZ:
        us-west-2a: subnet-048a61782df5ba378
        us-west-2b: subnet-05053e2898fc744e9
        us-west-2c: subnet-036a0812d241733ef
        us-west-2d: subnet-0fc336d9e5934c913
      security groups:
        no-inbound: sg-0659c2937ecbe7254
        docker-worker: sg-0f8a656368c567425
    region us-east-1:
      vpcId: vpc-0691157d6095bd7ec
      subnets by AZ:
        us-east-1a: subnet-0ab0ba0d9836bb7ab
        us-east-1b: subnet-08c284e43fd180150
        us-east-1c: subnet-0034e6efd82d24939
        us-east-1d: subnet-05a055adc7a81adc0
        us-east-1e: subnet-03bbdcf0ec23f8caa
        us-east-1f: subnet-0cc340c5cf9346dcc
      security groups:
        no-inbound: sg-07f7d21a488e192c6
        docker-worker: sg-08fea1235cf66b102
    region us-east-2:
      vpcId: vpc-0b1bc52c63637982f
      subnets by AZ:
        us-east-2a: subnet-05205c91d6a9f06e6
        us-east-2b: subnet-082be4d0d5e7e4d58
        us-east-2c: subnet-01eb0c6a5e15846db
      security groups:
        no-inbound: sg-00a9d64b3595c5088
        docker-worker: sg-0388de36e2f30ced2
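The script above only adds rules when it creates a group, so later manual changes to the groups would go unnoticed. The following drift audit is an added example, not part of the bug or of the script's author's tooling: it encodes the intended ingress policy (`no-inbound` has no rules; `docker-worker` has exactly tcp 32768-65535 from 0.0.0.0/0) and compares it with the JSON that `aws ec2 describe-security-groups` returns, reporting rules that were added or removed. The sample output is constructed with made-up group ids, and a tcp/22 rule is deliberately planted on `docker-worker` so that the audit has something to find.

```python
import json

# Intended ingress policy for the two groups the script above creates:
# 'no-inbound' has no ingress rules at all, 'docker-worker' has exactly the
# livelog range, tcp 32768-65535 from 0.0.0.0/0. Anything else is drift.
EXPECTED_INGRESS = {
    "no-inbound": set(),
    "docker-worker": {("tcp", 32768, 65535, "0.0.0.0/0")},
}

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON output.
# The group ids are made up, and the second docker-worker rule (tcp/22 from anywhere)
# is planted on purpose so the audit reports it.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupName": "no-inbound", "GroupId": "sg-0000000000000000a", "IpPermissions": []},
        {"GroupName": "docker-worker", "GroupId": "sg-0000000000000000b", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 32768, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ]},
    ]
})


def flatten_ingress(group):
    """Expand one group's IpPermissions into a set of (protocol, from, to, source) tuples.

    Protocol "-1" (all traffic) carries no port fields, so the ports default to -1.
    Sources may be IPv4 CIDRs, IPv6 CIDRs or other security groups.
    """
    rules = set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        from_port = perm.get("FromPort", -1)
        to_port = perm.get("ToPort", -1)
        for r in perm.get("IpRanges", []):
            rules.add((proto, from_port, to_port, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.add((proto, from_port, to_port, r["CidrIpv6"]))
        for pair in perm.get("UserIdGroupPairs", []):
            rules.add((proto, from_port, to_port, pair["GroupId"]))
    return rules


def audit_security_groups(describe_json, expected=EXPECTED_INGRESS):
    """Compare each policy-covered group's ingress rules with the expected set.

    Returns {group_name: {"unexpected": set, "missing": set}} for groups that drifted;
    groups not named in the policy are ignored.
    """
    drift = {}
    for group in json.loads(describe_json)["SecurityGroups"]:
        name = group["GroupName"]
        if name not in expected:
            continue
        actual = flatten_ingress(group)
        unexpected = actual - expected[name]
        missing = expected[name] - actual
        if unexpected or missing:
            drift[name] = {"unexpected": unexpected, "missing": missing}
    return drift


if __name__ == "__main__":
    for name, diff in audit_security_groups(SAMPLE_DESCRIBE_OUTPUT).items():
        for rule in sorted(diff["unexpected"]):
            print(f"{name}: unexpected ingress {rule}")
        for rule in sorted(diff["missing"]):
            print(f"{name}: missing ingress {rule}")
```

Against a real account, feed `audit_security_groups` the output of `aws ec2 describe-security-groups --region <region> --filters Name=vpc-id,Values=<vpcId>` for each of the four VPCs listed above; the filter keeps groups from other VPCs (which may legitimately have a `docker-worker` group with a different policy) out of the comparison.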
Comment 8 • 5 years ago
Comment 9 • 5 years ago
OK! Creds sent off to bpitts/edunham. Plz to add to PROVIDERS and we can test it out..
Comment 10 • 5 years ago
Emily finished this up this morning!