Commit 81f07f7

more ovh terraform notes
so's we don't forget
1 parent 22285d2 commit 81f07f7

1 file changed

+17
-7
lines changed

terraform/README.md

Lines changed: 17 additions & 7 deletions
@@ -27,12 +27,6 @@ which will create a plan and prompt for confirmation.
2727

2828
Review the proposed changes and if they look right, type 'yes' to apply the changes.
2929

30-
## OVH
31-
32-
The new OVH cluster is also deployed via terraform in the `ovh` directory.
33-
This has a lot less to deploy than flagship GKE,
34-
but deploys a Harbor registry as well.
35-
3630
## Getting secrets out
3731

3832
Terraform will create the service accounts needed for the deployment.
@@ -55,11 +49,27 @@ terraform output -json private_keys | jq '.["events-archiver"]' | pbcopy
5549

5650
with key names: "events-archiver", "matomo", and "binderhub-builder" and paste them into the appropriate fields in `secrets/config/$deployment.yaml`.
5751

58-
### Notes
52+
## Notes
5953

6054
- requesting previously-allocated static ip via loadBalancerIP did not work.
6155
Had to manually mark LB IP as static via cloud console.
6256

6357
- sql admin API needed to be manually enabled [here](https://console.developers.google.com/apis/library/sqladmin.googleapis.com)
6458
- matomo sql data was manually imported/exported via sql dashboard and gsutil in cloud console
6559
- events archive history was manually migrated via `gsutil -m rsync` in cloud console
60+
61+
## OVH
62+
63+
The new OVH cluster is also deployed via terraform in the `ovh` directory.
64+
This has a lot less to deploy than flagship GKE,
65+
but deploys a Harbor (container image) registry as well.
66+
67+
### OVH Notes
68+
69+
- credentials are in `terraform/secrets/ovh-creds.py`
70+
- token in credentials is owned by Min because OVH tokens are always owned by real OVH users, not per-project 'service account'.
71+
The token only has permissions on the MyBinder cloud project, however.
72+
- the only manual creation step was the s3 bucket and user for terraform state, the rest is created with terraform
73+
- harbor registry on OVH is old, and this forces us to use an older
74+
harbor _provider_.
75+
Once OVH upgrades harbor to at least 2.2 (2.4 expected in 2022-12), we should be able to upgrade the harbor provider and robot accounts.
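
Review bot: The OVH Notes bullet about the token (new lines 70-71) records that the credential in `terraform/secrets/ovh-creds.py` is tied to one person's OVH account, but not what to do when that person is unavailable or the token has to be rotated. Suggest adding a line on how a replacement token scoped to the MyBinder cloud project is issued and who else can issue it. The same list could also say how `ovh-creds.py` is protected in the repository, and record the manual steps for the s3 bucket and user that hold the terraform state (new line 72), so the one piece not created by terraform can be recreated from this README.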
