Merged
2 changes: 1 addition & 1 deletion .tool-versions
@@ -1,10 +1,10 @@
concourse 7.13.1
gcloud 561.0.0
helm 3.20.1
opentofu 1.11.5
kapp 0.65.1
kubectl 1.35.3
python 3.14.3
terraform 1.13.3
terraform-lsp 0.0.12
terragrunt 0.99.4
vendir 0.45.2
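Review bot: `terraform-lsp 0.0.12` is left pinned in .tool-versions while the `terraform`/`opentofu` pin is swapped one for the other. If nobody depends on the language server any more, drop the pin in this change; if it is still wanted, say so in the README so the leftover is not mistaken for an oversight.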
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -18,7 +18,7 @@ Please see [ARC Readme](<./docs/actions-runner-controller/README.md>)
The required tools to work with this repository are:
* glcoud
* helm
* terraform
* opentofu
* terragrunt
* kapp
* ytt
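Review bot: the first bullet of the tool list still reads `* glcoud`; since this hunk edits the list anyway, correct it to `gcloud` so it matches the `gcloud 561.0.0` entry in .tool-versions.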
10 changes: 5 additions & 5 deletions docs/concourse/concourse_minor_version_upgrade.md
Expand Up @@ -18,7 +18,7 @@ Please note the process should be also useful for upgrading major versions.

3. Confirm there are no pending changes for the Concourse stack
```
terragrunt run-all plan --terragrunt-source-update
terragrunt run --all plan --source-update
```
Note: The Cloud SQL database has "automatic storage increases" enabled. So the disk could have grown larger than the initial value from the `config.yaml` file. In that case, Terraform would have to shrink the disk which is not possible. Instead, it tries to destroy the database and recreate it, losing all data including backups:
```
Expand Down Expand Up @@ -52,7 +52,7 @@ Make sure the following flags are enabled:

7. Apply roll-out for new Concourse version
```
terragrunt run-all apply --terragrunt-source-update
terragrunt run --all apply --source-update
```

At this point depending on your use case:
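Review bot: step 7 runs `terragrunt run --all apply --source-update` with no reminder of the data-loss case described in the note under step 3, where the Cloud SQL database is destroyed and recreated if its disk has grown past the `config.yaml` value. Add a line to step 7 telling the operator to stop if the apply output shows the database being replaced.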
Expand All @@ -67,7 +67,7 @@ At this point depending on your use case:
3. For `wg-ci-test` cluster: execute end-to-end test
```
cd e2e_test
terragrunt apply --terragrunt-source-update
terragrunt apply --source-update
cd ..
```

Expand All @@ -85,8 +85,8 @@ To guarantee SQL databases consistency delete Concourse deployment and restore S

3. Run Concourse stack deployment
```
terragrunt run-all plan
terragrunt run-all apply
terragrunt run --all plan
terragrunt run --all apply
```

4. Set back to the previous version of the `fly` binary
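Review bot: the rollback commands in step 3 are the only ones in this document without `--source-update`; every other plan/apply updated here passes it. If that is deliberate, say why in the step; otherwise add the flag so a rollback does not run against module sources cached during the upgrade.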
2 changes: 1 addition & 1 deletion docs/concourse/developer_notes.md
Expand Up @@ -3,7 +3,7 @@
# Plan/apply terragrunt for changes to modules
Update your terragrunt cache folders when terraform source modules code would change
```sh
terragrunt run-all plan --terragrunt-source-update
terragrunt run --all plan --source-update
```

## Upgrade components managed by kapp and vendir (when needed)
17 changes: 5 additions & 12 deletions terraform-modules/concourse/backend/databases.tf
@@ -1,22 +1,15 @@
data "google_sql_database_instance" "concourse" {
name = var.sql_instance_name
project = var.project

}

resource "google_sql_database" "concourse" {

for_each = toset([
"concourse",
"credhub",
"uaa"
])
charset = "UTF8"
collation = "en_US.UTF8"
instance = data.google_sql_database_instance.concourse.name
charset = "UTF8"
collation = "en_US.UTF8"
# The SQL instance is created by the infra stack; use its configured name directly.
instance = var.sql_instance_name
name = each.key
project = var.project
depends_on = [data.google_sql_database_instance.concourse, carvel_kapp.sqlproxy, carvel_kapp.carvel_secretgen]

depends_on = [carvel_kapp.sqlproxy, carvel_kapp.carvel_secretgen]
}
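Review bot: with the `google_sql_database_instance` data source removed, nothing in this module checks at plan time that `var.sql_instance_name` names an existing instance in `var.project`; a wrong or stale name now fails only when the `google_sql_database` resources are created during apply. The new comment says the instance comes from the infra stack, so either extend it to say where the ordering between the two stacks is enforced, or add a `validation` block on the variable so an empty name is rejected early.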

Expand Up @@ -27,6 +27,12 @@ kind: Password
metadata:
name: #@ name + "-postgresql-password"
namespace: concourse
spec:
length: 32
digits: 8
uppercaseLetters: 8
lowercaseLetters: 16
symbols: 0
#@ end

--- #@ template.replace(add_database_user("concourse"))
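Review bot: the new `spec` has no comment explaining `symbols: 0`, and the per-class counts add up exactly to `length` (8 + 8 + 16 = 32), so every generated password has a fixed composition. That is still strong for a 32-character alphanumeric value, but a one-line comment stating why symbols are excluded would keep a later edit from reintroducing them. Please also state in the PR whether already-generated `-postgresql-password` secrets are expected to change once this spec is applied, since a changed password has to reach the database as well.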
10 changes: 5 additions & 5 deletions terraform-modules/concourse/backend/iam_sql-proxy.tf
@@ -1,8 +1,8 @@
resource "google_service_account" "sql_proxy" {
account_id = "${var.gke_name}-sql-proxy"
account_id = "${var.gke_name}-sql-proxy"
display_name = "Used by Cloud SQL Auth proxy [${var.gke_name}]"
disabled = "false"
project = var.project
disabled = "false"
project = var.project
}

resource "google_service_account_iam_member" "sql_proxy" {
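Review bot: `disabled = "false"` in `google_service_account.sql_proxy` passes a string to a boolean argument; the hunk already realigns this line, so write `disabled = false` while it is being touched.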
Expand All @@ -14,7 +14,7 @@ resource "google_service_account_iam_member" "sql_proxy" {
resource "google_project_iam_member" "sql_proxy" {
project = var.project
member = "serviceAccount:${google_service_account.sql_proxy.email}"
role = "roles/cloudsql.client"
role = "roles/cloudsql.client"

}
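Review bot: `google_project_iam_member.sql_proxy` grants `roles/cloudsql.client` on the whole project, so the proxy service account can connect to every Cloud SQL instance in `var.project`, not only the one named by `var.sql_instance_name`. If the project hosts other instances, consider a `condition` block on this binding that limits it to the Concourse instance; if it never will, a comment saying so is enough.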

Expand All @@ -29,5 +29,5 @@ resource "kubectl_manifest" "sql_proxy_service_account" {
iam.gke.io/gcp-service-account: ${google_service_account.sql_proxy.email}
YAML

depends_on = [data.google_container_cluster.wg_ci, google_service_account.sql_proxy, kubectl_manifest.config_connector, kubernetes_namespace.concourse ]
depends_on = [google_service_account.sql_proxy, kubectl_manifest.config_connector, kubernetes_namespace.concourse]
}
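Review bot: `depends_on` in `kubectl_manifest.sql_proxy_service_account` still lists `google_service_account.sql_proxy`, which the manifest already references through `${google_service_account.sql_proxy.email}` in the annotation, so that entry is as redundant as the data source removed here. Keep only the entries the manifest does not otherwise reference.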
8 changes: 4 additions & 4 deletions terraform-modules/concourse/backend/kapp_sqlproxy.tf
Expand Up @@ -4,10 +4,10 @@ data "carvel_ytt" "sqlproxy" {
"files/config/cloud_sql_proxy",
]
values = {
"google.project_id" = var.project
"google.region" = var.region
"database.instance" = var.sql_instance_name
"sql_proxy_account.name" = "${var.gke_name}-sql-proxy"
"google.project_id" = var.project
"google.region" = var.region
"database.instance" = var.sql_instance_name
"sql_proxy_account.name" = "${var.gke_name}-sql-proxy"
}
}
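Review bot: `"sql_proxy_account.name" = "${var.gke_name}-sql-proxy"` repeats the expression used for `account_id` in `google_service_account.sql_proxy` (iam_sql-proxy.tf). Reference `google_service_account.sql_proxy.account_id` here so the ytt value cannot drift from the account that actually holds `roles/cloudsql.client`.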

8 changes: 4 additions & 4 deletions terraform-modules/concourse/backend/providers.tf
Expand Up @@ -30,8 +30,8 @@ data "google_container_cluster" "wg_ci" {
provider "carvel" {
kapp {
kubeconfig {
server = "https://${data.google_container_cluster.wg_ci.endpoint}"
token = data.google_client_config.provider.access_token
server = "https://${data.google_container_cluster.wg_ci.endpoint}"
token = data.google_client_config.provider.access_token
ca_cert = base64decode(data.google_container_cluster.wg_ci.master_auth[0].cluster_ca_certificate)
}
}
Expand All @@ -49,7 +49,7 @@ provider "kubectl" {


provider "kubernetes" {
host = "https://${data.google_container_cluster.wg_ci.endpoint}"
token = data.google_client_config.provider.access_token
host = "https://${data.google_container_cluster.wg_ci.endpoint}"
token = data.google_client_config.provider.access_token
cluster_ca_certificate = base64decode(data.google_container_cluster.wg_ci.master_auth[0].cluster_ca_certificate)
}
109 changes: 57 additions & 52 deletions terragrunt/concourse-wg-ci-test/app/.terraform.lock.hcl


1 change: 1 addition & 0 deletions terragrunt/concourse-wg-ci-test/app/terragrunt.hcl
Expand Up @@ -54,4 +54,5 @@ inputs = {
concourse_container_placement_strategy = local.config.concourse_container_placement_strategy
concourse_max_days_to_retain_build_logs = local.config.concourse_max_days_to_retain_build_logs
concourse_max_build_logs_to_retain = local.config.concourse_max_build_logs_to_retain
concourse_enable_redact_secrets = try(local.config.concourse_enable_redact_secrets, null)
}
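Review bot: `try(local.config.concourse_enable_redact_secrets, null)` falls back to `null`, so a config.yaml without the key silently takes whatever default the module variable has, and that default is not visible in this change. For a log-redaction switch, make the fallback explicit (`true`) or document the module default next to this input, and confirm the same input is wired into the app/terragrunt.hcl of the concourse-wg-ci environment.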
8 changes: 4 additions & 4 deletions terragrunt/concourse-wg-ci-test/backend/terragrunt.hcl
Expand Up @@ -13,10 +13,10 @@ remote_state {
if_exists = "overwrite"
}
config = {
bucket = "${local.config.gcs_bucket}"
prefix = "${local.config.gcs_prefix}/concourse-backend"
project = "${local.config.project}"
location = "${local.config.region}"
bucket = local.config.gcs_bucket
prefix = "${local.config.gcs_prefix}/concourse-backend"
project = local.config.project
location = local.config.region
# use for uniform bucket-level access
# (https://cloud.google.com/storage/docs/uniform-bucket-level-access)
enable_bucket_policy_only = false
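Review bot: the context just below the edited lines sets `enable_bucket_policy_only = false` under a comment about uniform bucket-level access, so the remote-state bucket is configured without it. State files commonly hold sensitive values, so either turn uniform bucket-level access on or extend the comment to say why it is off.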
8 changes: 5 additions & 3 deletions terragrunt/concourse-wg-ci-test/config.yaml
Expand Up @@ -21,15 +21,17 @@ concourse_github_mainTeam: "cloudfoundry:wg-app-runtime-interfaces-autoscaler-ap
concourse_github_mainTeamUser: ""

# Concourse worker placement strategy: https://concourse-ci.org/container-placement.html
# Use default strategy for test system
concourse_container_placement_strategy: "volume-locality"
# The cloud controller unit tests cause a high system load on workers, so place them on workers with few containers
concourse_container_placement_strategy: "fewest-build-containers"
# Optional: Set the maximum number of days to retain Concourse build logs.
# If not set, the default Concourse is configured to feel very snappy!.
concourse_max_days_to_retain_build_logs: 30
# Optional: Set the maximum number of build logs to retain.
# If not set or set to 0, the default Concourse is configured to feel very snappy!.
concourse_max_build_logs_to_retain: 200

concourse_enable_redact_secrets: true

# Concourse helm chart
concourse_helm_version: "18.1.1"
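Review bot: `concourse_enable_redact_secrets: true` is added without the explanatory comment that the neighbouring options carry. Add one line above it saying what the switch redacts and that it is optional, in the same style as the `concourse_max_*` entries.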

Expand Down Expand Up @@ -74,7 +76,7 @@ sql_instance_disk_size: 38

# Other GKE vars
gke_deletion_protection : true
gke_controlplane_version: "1.31"
gke_controlplane_version: "1.34"
gke_cluster_ipv4_cidr: 10.104.0.0/14
gke_services_ipv4_cidr_block: 10.108.0.0/20
gke_master_ipv4_cidr_block: 172.16.0.32/28
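Review bot: `gke_controlplane_version` moves from "1.31" to "1.34", three minor versions in one edit. GKE upgrades a control plane one minor version at a time, so state in the PR description whether the cluster is already running 1.34 (for example through auto-upgrade) and this line only catches the config up; if not, the intermediate steps need to be planned.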
8 changes: 4 additions & 4 deletions terragrunt/concourse-wg-ci/backend/terragrunt.hcl
Expand Up @@ -13,10 +13,10 @@ remote_state {
if_exists = "overwrite"
}
config = {
bucket = "${local.config.gcs_bucket}"
prefix = "${local.config.gcs_prefix}/concourse-backend"
project = "${local.config.project}"
location = "${local.config.region}"
bucket = local.config.gcs_bucket
prefix = "${local.config.gcs_prefix}/concourse-backend"
project = local.config.project
location = local.config.region
# use for uniform bucket-level access
# (https://cloud.google.com/storage/docs/uniform-bucket-level-access)
enable_bucket_policy_only = false