gitpod-io · roboquat · Sep 28, 2022 · Sep 26, 2022 · Sep 27, 2022 · Pothulapati
diff --git a/.werft/eks-installer-tests.yaml b/.werft/eks-installer-tests.yaml
@@ -89,6 +89,8 @@ pod:
       value: "/mnt/secrets/sh-playground-sa-perm/sh-sa.json"
     - name: TF_VAR_dns_sa_creds
       value: "/mnt/secrets/sh-playground-dns-perm/sh-dns-sa.json"
+    - name: TF_VAR_sa_creds
+      value: "/mnt/secrets/sh-playground-sa-perm/sh-sa.json"
     - name: NODENAME
       valueFrom:
         fieldRef:

diff --git a/.werft/installer-tests.ts b/.werft/installer-tests.ts
@@ -347,6 +347,12 @@ export async function installerTests(config: TestConfig) {
             console.error("Failed to send message to Slack", error);
         });
 
+        if (selfSigned === "true") {
+            exec(
+                `werft log result -d  "Custom CA Certificate store underd GCP project 'sh-automated-tests'" url "gs://nightly-tests/tf-state/${process.env["TF_VAR_TEST_ID"]}-ca.pem"`,
+            );
+        }
+
         exec(
             `werft log result -d  "Terraform state" url "Terraform state file name is ${process.env["TF_VAR_TEST_ID"]}"`,
         );
@@ -384,10 +390,7 @@ function runIntegrationTests() {
 function callMakeTargets(phase: string, description: string, makeTarget: string, failable: boolean = false) {
     werft.log(phase, `Calling ${makeTarget}`);
     // exporting cloud env var is important for the make targets
-    var env = `export TF_VAR_cluster_version=${k8s_version} cloud=${cloud} TF_VAR_domain=${baseDomain} TF_VAR_gcp_zone=${gcpDnsZone}`;
-    if (selfSigned) {
-        env = env.concat(` self_signed=${selfSigned}`)
-    }
+    const env = `export TF_VAR_cluster_version=${k8s_version} cloud=${cloud} TF_VAR_domain=${baseDomain} TF_VAR_gcp_zone=${gcpDnsZone}`;
 
     const response = exec(
         `${env} && make -C ${makefilePath} ${makeTarget}`,

@@ -103,6 +103,18 @@ module "eks" {
     enable_bootstrap_user_data = true
     vpc_security_group_ids     = [aws_security_group.nodes.id]
     ebs_optimized              = true
+
+    post_bootstrap_user_data = <<-EOT
+      #!/bin/bash
+      cat << CONFIG >> /etc/containerd/config.toml
+
+      [plugins."io.containerd.grpc.v1.cri".registry]
+      config_path = "/etc/containerd/certs.d"
+
+      CONFIG
+
+      service containerd restart
+      EOT
   }
 
   eks_managed_node_groups = {
@@ -144,7 +156,7 @@ module "eks" {
         export CONTAINER_RUNTIME="containerd"
         export USE_MAX_PODS=false
         EOF
-        # Source extra environment 5ariables in bootstrap script
+        # Source extra environment variables in bootstrap script
         sed -i '/^set -o errexit/a\\nsource /etc/profile.d/bootstrap.sh' /etc/eks/bootstrap.sh
         EOT
     }
@@ -170,7 +182,7 @@ module "eks" {
       desired_size               = 2
       enable_bootstrap_user_data = true
       labels = {
-        "gitpod.io/workload_workspace_regular"  = true
+        "gitpod.io/workload_workspace_regular" = true
       }
 
       tags = {
@@ -262,14 +274,14 @@ resource "null_resource" "kubeconfig" {
 
 data "aws_iam_policy_document" "eks_policy" {
   statement {
-    actions   = [
+    actions = [
       "eks:DescribeCluster",
       "eks:ListClusters"
     ]
     resources = [
       "*",
     ]
-    effect    = "Allow"
+    effect = "Allow"
   }
 }
 
@@ -281,7 +293,7 @@ resource "aws_iam_policy" "eks_policy" {
 
 resource "aws_iam_user" "eks_user" {
   force_destroy = true
-  name  = "eks-user-${var.cluster_name}"
+  name          = "eks-user-${var.cluster_name}"
 }
 
 resource "aws_iam_user_policy_attachment" "eks_attachment" {
@@ -290,5 +302,5 @@ resource "aws_iam_user_policy_attachment" "eks_attachment" {
 }
 
 resource "aws_iam_access_key" "eks_user_key" {
-  user  = aws_iam_user.eks_user.name
+  user = aws_iam_user.eks_user.name
 }
@@ -314,6 +314,9 @@ self-signed-config:
 	envsubst < ./manifests/kots-config-self-signed.yaml > tmp_2_config.yml
 	yq m -i tmp_config.yml tmp_2_config.yml
 
+	# upload the Custom CA Cert into tf-state
+	gsutil cp ./ca.pem gs://nightly-tests/tf-state/${TF_VAR_TEST_ID}-ca.pem
+
 storage-config-incluster:
 	@echo "Nothing to do"
 
@@ -449,6 +452,9 @@ destroy-kubeconfig:
 	gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS} --project=sh-automated-tests
 	gsutil rm gs://nightly-tests/tf-state/${TF_VAR_TEST_ID}-kubeconfig || echo "No kubeconfig"
 	gsutil rm gs://nightly-tests/tf-state/${TF_VAR_TEST_ID}-creds || echo "No credentials file"
+ifeq (true,$(self_signed))
+	gsutil rm gs://nightly-tests/tf-state/${TF_VAR_TEST_ID}-ca.pem || echo "No custom CA cert file"
+endif
 	rm ${KUBECONFIG} || echo "No kubeconfig"
 
 select-workspace: