Cache the internal CR token to avoid jumbox reconciliations (#246)

nacx · web-flow · commit a32973a32da0 · 2023-02-25T07:50:22.000-05:00
diff --git a/Makefile b/Makefile
@@ -210,8 +210,7 @@ destroy_%:
 
 .PHONY: destroy_tfstate
 destroy_tfstate:
-	find . -name terraform.tfstate.d -exec rm -rf {} +
-	find . -name terraform.tfstate -delete
+	find . -name *tfstate* -exec rm -rf {} +
 
 .PHONY: destroy_tfcache
 destroy_tfcache:
diff --git a/modules/aws/jumpbox/main.tf b/modules/aws/jumpbox/main.tf
@@ -230,6 +230,14 @@ data "aws_availability_zones" "available" {}
 module "internal_registry" {
   source      = "../../internal_registry"
   tsb_version = var.tsb_version
+  # The internal registry token is needed only if the TSB version is a development version, and only once when the
+  # jumpbox bootstraps the first time. It is not needed later as all images are already pushed to the registry (and
+  # cloud-init won't run again anyway).
+  # Since the token is short-lived, successive calls to this module would cause the jumpbox to reconcile, restart, and
+  # eventually changing the IP address, etc, unnecessarily.
+  # By setting this, subsequent calls to this module will return the token returned on the initial run, if present, avoiding
+  # the jumbox reconcile.
+  cached_by   = "${var.name_prefix}-internal-registry.tfstate.tokencache"
 }
 
 resource "aws_instance" "jumpbox" {
diff --git a/modules/azure/jumpbox/main.tf b/modules/azure/jumpbox/main.tf
@@ -96,6 +96,14 @@ resource "tls_private_key" "generated" {
 module "internal_registry" {
   source      = "../../internal_registry"
   tsb_version = var.tsb_version
+  # The internal registry token is needed only if the TSB version is a development version, and only once when the
+  # jumpbox bootstraps the first time. It is not needed later as all images are already pushed to the registry (and
+  # cloud-init won't run again anyway).
+  # Since the token is short-lived, successive calls to this module would cause the jumpbox to reconcile, restart, and
+  # eventually changing the IP address, etc, unnecessarily.
+  # By setting this, subsequent calls to this module will return the token returned on the initial run, if present, avoiding
+  # the jumbox reconcile.
+  cached_by   = "${var.name_prefix}-internal-registry.tfstate.tokencache"
 }
 
 resource "azurerm_linux_virtual_machine" "jumpbox" {
diff --git a/modules/gcp/jumpbox/main.tf b/modules/gcp/jumpbox/main.tf
@@ -26,6 +26,14 @@ data "google_compute_default_service_account" "default" {
 module "internal_registry" {
   source      = "../../internal_registry"
   tsb_version = var.tsb_version
+  # The internal registry token is needed only if the TSB version is a development version, and only once when the
+  # jumpbox bootstraps the first time. It is not needed later as all images are already pushed to the registry (and
+  # cloud-init won't run again anyway).
+  # Since the token is short-lived, successive calls to this module would cause the jumpbox to reconcile, restart, and
+  # eventually changing the IP address, etc, unnecessarily.
+  # By setting this, subsequent calls to this module will return the token returned on the initial run, if present, avoiding
+  # the jumbox reconcile.
+  cached_by   = "${var.name_prefix}-internal-registry.tfstate.tokencache"
 }
 
 resource "google_compute_instance" "jumpbox" {
diff --git a/modules/internal_registry/internal-cr-token.sh b/modules/internal_registry/internal-cr-token.sh
@@ -2,12 +2,24 @@
 
 set -e
 
-TSB_VERSION=$(jq -r '.tsb_version')
+eval "$(jq -r '@sh "TSB_VERSION=\(.tsb_version) CACHED_BY=\(.cached_by)"')"
+
+# If a cached value was requested and is present, just return it
+if [[ -f "${CACHED_BY}" ]]; then
+    cat "${CACHED_BY}"
+    exit 0
+fi
 
 if [[ "${TSB_VERSION}" =~ .*"-dev" ]]; then
     TSB_GCR_INTERNAL_REGISTRY="gcr.io/tetrate-internal-containers"
     TSB_GCR_INTERNAL_TOKEN=$(gcloud auth print-access-token)
-    echo "{\"token\":\"${TSB_GCR_INTERNAL_TOKEN}\",\"registry\":\"${TSB_GCR_INTERNAL_REGISTRY}\"}"
+    OUT="{\"token\":\"${TSB_GCR_INTERNAL_TOKEN}\",\"registry\":\"${TSB_GCR_INTERNAL_REGISTRY}\"}"
+else
+    OUT="{\"token\":\"\",\"registry\":\"\"}"
+fi
+
+if [[ -n "${CACHED_BY}" ]]; then
+    echo "${OUT}" | tee "${CACHED_BY}"
 else
-    echo "{\"token\":\"\",\"registry\":\"\"}"
+    echo "${OUT}"
 fi
diff --git a/modules/internal_registry/main.tf b/modules/internal_registry/main.tf
@@ -3,5 +3,6 @@ data "external" "gcr_token" {
   program = ["bash", "${path.module}/internal-cr-token.sh"]
   query = {
     "tsb_version" = var.tsb_version
+    "cached_by"   = var.cached_by
   }
 }
diff --git a/modules/internal_registry/variables.tf b/modules/internal_registry/variables.tf
@@ -1,2 +1,5 @@
 variable "tsb_version" {
 }
+variable "cached_by" {
+  default = ""
+}

Original file line number	Diff line number	Diff line change
`@@ -3,5 +3,6 @@ data "external" "gcr_token" {`
`3`	`3`	`program = ["bash", "${path.module}/internal-cr-token.sh"]`
`4`	`4`	`query = {`
`5`	`5`	`"tsb_version" = var.tsb_version`
	`6`	`+ "cached_by" = var.cached_by`
`6`	`7`	`}`
`7`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,5 @@`
`1`	`1`	`variable "tsb_version" {`
`2`	`2`	`}`
	`3`	`+variable "cached_by" {`
	`4`	`+ default = ""`
	`5`	`+}`