Migrate services from installer to pre-installer

installer/Dockerfile

@@ -64,7 +64,8 @@ ARG DEPLOY_TYPE
 ENV DEBIAN_FRONTEND=noninteractive DEPLOY_TYPE=$DEPLOY_TYPE SSHUTTLE_ARGS="--disable-ipv6" USER=root
 
 COPY Makefile configure-cluster.sh initialize-gitops-repos.sh start-tunnel.sh utils.sh await-argo.sh \
-    prepare-upgrade.sh update-cluster.sh query-git-user.sh get-argo-login.sh cluster.tpl \
+    prepare-upgrade.sh update-cluster.sh query-git-user.sh get-argo-login.sh cluster_aws.tpl generate_cluster_yaml.sh \
+    reconnect-aws-cluster.sh \
     ./
 ADD $DEPLOY_TARBALL .
 ADD $POD_CONFIGS_TARBALL .

installer/configure-cluster.sh

@@ -59,7 +59,6 @@ parse_params "$@"
 
 load_cluster_state_env
 check_provision_env -p
-load_provision_values
 save_cluster_env
 
 load_cluster_state_env
@@ -68,100 +67,25 @@ if ! load_scm_auth; then
 fi
 save_scm_auth
 
-update_kube_config
-
 #
 # Create Cluster Configuration
 #
-export FILE_SYSTEM_ID=$(aws efs --region ${AWS_REGION} describe-file-systems --query "FileSystems[?Name == '${CLUSTER_NAME}'].FileSystemId" --output text)
-export S3_PREFIX=$(get_s3_prefix)
-
-export TRAEFIK_TG_HASH=$(echo -n "${CLUSTER_NAME}-traefik-default" | sha256sum | cut -c-32)
-export TRAEFIKGRPC_TG_HASH=$(echo -n "${CLUSTER_NAME}-traefik-grpc" | sha256sum | cut -c-32)
-export NGINX_TG_HASH=$(echo -n "${CLUSTER_NAME}-traefik2-https" | sha256sum | cut -c-32)
-export ARGOCD_TG_HASH=$(echo -n "${CLUSTER_NAME}-argocd-default" | sha256sum | cut -c-32)
-
-export TRAEFIK_TG_ARN=$(aws elbv2 describe-target-groups --names ${TRAEFIK_TG_HASH} | jq -r '.TargetGroups[].TargetGroupArn')
-if [ -z $TRAEFIK_TG_ARN ]; then
-    export TRAEFIK_TG_ARN=$(aws elbv2 describe-target-groups --names ${CLUSTER_NAME}-traefik-https | jq -r '.TargetGroups[].TargetGroupArn')
-fi
-if [ -z $TRAEFIK_TG_ARN ]; then
-    echo "  error: Load balancer Target Group for ${CLUSTER_NAME} not found."
+if [ -z "$FILE_SYSTEM_ID" ] || [ -z "$TRAEFIK_TG_ARN" ] || [ -z "$ARGOCD_TG_ARN" ]; then
+    echo "  Missing one or more of: FILE_SYSTEM_ID, TRAEFIK_TG_ARN, ARGOCD_TG_ARN"
+    echo "  Please run provision.sh first."
     exit 1
 fi
 
-export TRAEFIKGRPC_TG_ARN=$(aws elbv2 describe-target-groups --names ${TRAEFIKGRPC_TG_HASH} | jq -r '.TargetGroups[].TargetGroupArn')
-export NGINX_TG_ARN=$(aws elbv2 describe-target-groups --names ${NGINX_TG_HASH} | jq -r '.TargetGroups[].TargetGroupArn')
-export ARGOCD_TG_ARN=$(aws elbv2 describe-target-groups --names ${ARGOCD_TG_HASH} | jq -r '.TargetGroups[].TargetGroupArn')
-if [ -z $ARGOCD_TG_ARN ]; then
-    export ARGOCD_TG_ARN=$(aws elbv2 describe-target-groups --names ${CLUSTER_NAME}-argocd-https | jq -r '.TargetGroups[].TargetGroupArn')
-fi
-
-
-# AO_PROFILE  disabled check
-if [ "${DISABLE_CO_PROFILE:-false}" = "true" ] || [ "${DISABLE_AO_PROFILE:-false}" = "true" ]; then
-    export AO_PROFILE="#- orch-configs/profiles/enable-app-orch.yaml"
-else
-    export AO_PROFILE="- orch-configs/profiles/enable-app-orch.yaml"
-fi
-
-# CO_PROFILE disabled check
-if [ "${DISABLE_CO_PROFILE:-false}" = "true" ]; then
-    export CO_PROFILE="#- orch-configs/profiles/enable-cluster-orch.yaml"
-    export AO_PROFILE="#- orch-configs/profiles/enable-app-orch.yaml"
-else
-    export CO_PROFILE="- orch-configs/profiles/enable-cluster-orch.yaml"
-fi
-
-if [ -n "$SRE_BASIC_AUTH_USERNAME" ] || [ -n "$SRE_BASIC_AUTH_PASSWORD" ] || [ -n "$SRE_DESTINATION_SECRET_URL" ] || [ -n "$SRE_DESTINATION_CA_SECRET" ]; then
-    export SRE_PROFILE="- orch-configs/profiles/enable-sre.yaml"
-else
-    export SRE_PROFILE="#- orch-configs/profiles/enable-sre.yaml"
-fi
-
-if [ -z $SINGLE_TENANCY ]; then
-    export SINGLE_TENANCY_PROFILE="#- orch-configs/profiles/enable-singleTenancy.yaml"
-else
-    export SINGLE_TENANCY_PROFILE="- orch-configs/profiles/enable-singleTenancy.yaml"
-fi
-
-if [ "${DISABLE_O11Y:-false}" = "true" ]; then
-    export O11Y_ENABLE_PROFILE="#- orch-configs/profiles/enable-o11y.yaml"
-else
-    export O11Y_ENABLE_PROFILE="- orch-configs/profiles/enable-o11y.yaml"
-fi
+export FILE_SYSTEM_ID
+export TRAEFIK_TG_ARN
+export TRAEFIKGRPC_TG_ARN
+export NGINX_TG_ARN
+export ARGOCD_TG_ARN
+export S3_PREFIX
 
-if [ -z $SMTP_URL ]; then
-    export EMAIL_PROFILE="#- orch-configs/profiles/alerting-emails.yaml"
-else
-    export EMAIL_PROFILE="- orch-configs/profiles/alerting-emails.yaml"
-fi
+source ./generate_cluster_yaml.sh aws
 
-if [ -z $AUTO_CERT ]; then
-    export AUTOCERT_PROFILE="#- orch-configs/profiles/profile-autocert.yaml"
-else
-    export AUTOCERT_PROFILE="- orch-configs/profiles/profile-autocert.yaml"
-fi
-
-export AWS_PROD_PROFILE="- orch-configs/profiles/profile-aws-production.yaml"
-if [[ "$DISABLE_AWS_PROD_PROFILE" == "true" ]]; then
-    export AWS_PROD_PROFILE="#- orch-configs/profiles/profile-aws-production.yaml"
-fi
-
-if [ "${DISABLE_O11Y:-false}" = "true" ]; then
-    export O11Y_PROFILE="#- orch-configs/profiles/o11y-release.yaml"
-else
-    export O11Y_PROFILE="- orch-configs/profiles/o11y-release.yaml"
-    if [[ "$CLUSTER_SCALE_PROFILE" == "500en" || "$CLUSTER_SCALE_PROFILE" == "1ken" || "$CLUSTER_SCALE_PROFILE" == "10ken" ]]; then
-      export O11Y_PROFILE="- orch-configs/profiles/o11y-release-large.yaml"
-    fi
-fi
-
-export CLUSTER_SCALE_PROFILE=$(grep -oP '^# Profile: "\K[^"]+' ~/pod-configs/SAVEME/${AWS_ACCOUNT}-${CLUSTER_NAME}-profile.tfvar)
-
-echo
-echo "Creating cluster definition for ${CLUSTER_NAME}"
-cat cluster.tpl | envsubst > edge-manageability-framework/orch-configs/clusters/${CLUSTER_NAME}.yaml
+cp -rf ${CLUSTER_NAME}.yaml edge-manageability-framework/orch-configs/clusters/
 
 echo
 echo =============================================================================

installer/reconnect-aws-cluster.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2025 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Run this script to re-establish connection to a provisioned AWS EKS cluster
+# from a new shell session. This updates your kubeconfig with the cluster
+# credentials before running configure-cluster.sh.
+
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    echo "Error: This script must be sourced, not executed."
+    echo "Usage:"
+    echo "  source ./reconnect-aws-cluster.sh"
+    echo "  OR"
+    echo "  . ./reconnect-aws-cluster.sh"
+    exit 1
+fi
+
+. ${HOME}/utils.sh
+
+load_provision_env
+load_cluster_state_env
+update_kube_config
+
+# Get FILE_SYSTEM_ID from cluster terraform state
+export FILE_SYSTEM_ID=$(aws s3 cp s3://${BUCKET_NAME}/${AWS_REGION}/cluster/${CLUSTER_NAME} - 2>/dev/null | jq -r '.outputs.efs_file_system_id.value // empty')
+export TRAEFIK_TG_ARN=$(aws s3 cp s3://${BUCKET_NAME}/${AWS_REGION}/orch-load-balancer/${CLUSTER_NAME} - 2>/dev/null | jq -r '.outputs.traefik_target_groups.value.default.arn // empty')
+export TRAEFIKGRPC_TG_ARN=$(aws s3 cp s3://${BUCKET_NAME}/${AWS_REGION}/orch-load-balancer/${CLUSTER_NAME} - 2>/dev/null | jq -r '.outputs.traefik_target_groups.value.grpc.arn // empty')
+export NGINX_TG_ARN=$(aws s3 cp s3://${BUCKET_NAME}/${AWS_REGION}/orch-load-balancer/${CLUSTER_NAME} - 2>/dev/null | jq -r '.outputs.traefik2_target_groups.value.https.arn // empty')
+export ARGOCD_TG_ARN=$(aws s3 cp s3://${BUCKET_NAME}/${AWS_REGION}/orch-load-balancer/${CLUSTER_NAME} - 2>/dev/null | jq -r '.outputs.argocd_target_groups.value.argocd.arn // empty')
+export S3_PREFIX=$(get_s3_prefix)
+
+echo "Environment variables loaded. You can now run: ./configure-cluster.sh"

pod-configs/orchestrator/cluster/output.tf

@@ -35,3 +35,38 @@ output "gitea_master_password" {
   value = module.gitea.gitea_master_password
   sensitive = true
 }
+
+output "efs_file_system_id" {
+  value = module.efs.efs.id
+}
+
+output "s3_prefix" {
+  value = var.s3_prefix
+}
+
+output "sre_basic_auth_username" {
+  value = var.sre_basic_auth_username
+  sensitive = true
+}
+
+output "sre_basic_auth_password" {
+  value = var.sre_basic_auth_password
+  sensitive = true
+}
+
+output "sre_destination_secret_url" {
+  value = var.sre_destination_secret_url
+}
+
+output "sre_destination_ca_secret" {
+  value = var.sre_destination_ca_secret
+}
+
+output "auto_cert" {
+  value = var.auto_cert
+}
+
+output "smtp_url" {
+  value = var.smtp_url
+}
+

pod-configs/orchestrator/cluster/variable.tf

@@ -418,3 +418,4 @@ variable "eks_cluster_dns_ip" {
   description = "IP address of the DNS server for the cluster, leave empty to use the default DNS server"
 }
 
+

pod-configs/utils/provision.sh

@@ -409,6 +409,9 @@ parse_params() {
 
     echo CLUSTER_FQDN=${ROOT_DOMAIN} >> ~/.env
     echo ADMIN_EMAIL=${EMAIL} >> ~/.env
+    echo DISABLE_CO_PROFILE=${DISABLE_CO_PROFILE:-false} >> ~/.env
+    echo DISABLE_AO_PROFILE=${DISABLE_AO_PROFILE:-false} >> ~/.env
+    echo DISABLE_O11Y_PROFILE=${DISABLE_O11Y_PROFILE:-false} >> ~/.env
     export AWS_DEFAULT_REGION=$AWS_REGION
 
     if [[ $COMMAND != "account" ]]; then
@@ -1093,8 +1096,53 @@ EOF
         gitea_argo_token=$(terraform show -json | jq '.values.outputs.gitea_user_passwords.value.argocd')
         gitea_co_user="\"clusterorch\""
         gitea_co_token=$(terraform show -json | jq '.values.outputs.gitea_user_passwords.value.clusterorch')
+
+        # export EFS file system ID to .env
+        efs_file_system_id=$(terraform show -json | jq -r '.values.outputs.efs_file_system_id.value')
+        if [[ -n "$efs_file_system_id" && "$efs_file_system_id" != "null" ]]; then
+            echo "FILE_SYSTEM_ID=${efs_file_system_id}" >> ~/.env
+        fi
+
+        # export S3 prefix to .env
+        s3_prefix=$(terraform show -json | jq -r '.values.outputs.s3_prefix.value')
+        if [[ -n "$s3_prefix" && "$s3_prefix" != "null" ]]; then
+            echo "S3_PREFIX=${s3_prefix}" >> ~/.env
+        fi
+
+        # export configuration values to .env
+        sre_basic_auth_username=$(terraform show -json | jq -r '.values.outputs.sre_basic_auth_username.value')
+        if [[ -n "$sre_basic_auth_username" && "$sre_basic_auth_username" != "null" ]]; then
+            echo "SRE_BASIC_AUTH_USERNAME=${sre_basic_auth_username}" >> ~/.env
+        fi
+
+        sre_basic_auth_password=$(terraform show -json | jq -r '.values.outputs.sre_basic_auth_password.value')
+        if [[ -n "$sre_basic_auth_password" && "$sre_basic_auth_password" != "null" ]]; then
+            echo "SRE_BASIC_AUTH_PASSWORD=${sre_basic_auth_password}" >> ~/.env
+        fi
+
+        sre_destination_secret_url=$(terraform show -json | jq -r '.values.outputs.sre_destination_secret_url.value')
+        if [[ -n "$sre_destination_secret_url" && "$sre_destination_secret_url" != "null" ]]; then
+            echo "SRE_DESTINATION_SECRET_URL=${sre_destination_secret_url}" >> ~/.env
+        fi
+
+        sre_destination_ca_secret=$(terraform show -json | jq -r '.values.outputs.sre_destination_ca_secret.value')
+        if [[ -n "$sre_destination_ca_secret" && "$sre_destination_ca_secret" != "null" ]]; then
+            echo "SRE_DESTINATION_CA_SECRET=${sre_destination_ca_secret}" >> ~/.env
+        fi
+
+        auto_cert=$(terraform show -json | jq -r '.values.outputs.auto_cert.value')
+        if [[ -n "$auto_cert" && "$auto_cert" != "null" ]]; then
+            echo "AUTO_CERT=${auto_cert}" >> ~/.env
+        fi
+
+        smtp_url=$(terraform show -json | jq -r '.values.outputs.smtp_url.value')
+        if [[ -n "$smtp_url" && "$smtp_url" != "null" ]]; then
+            echo "SMTP_URL=${smtp_url}" >> ~/.env
+        fi
+
         popd
 
+
         jq  -n ". += {\"gitea_argo_user\":${gitea_argo_user}}" | \
         jq  ". += {\"gitea_argo_token\":${gitea_argo_token}}" | \
         jq  ". += {\"gitea_co_user\":${gitea_co_user}}" | \
@@ -1289,6 +1337,29 @@ action_orch_loadbalancer() {
     fi
     rm -rf "$logs_file"
 
+    # export target group ARNs to .env
+    if [[ "$action" = "apply" ]]; then
+        pushd $module
+        traefik_tg_arn=$(terraform show -json | jq -r '.values.outputs.traefik_target_groups.value.default.arn // empty')
+        traefikgrpc_tg_arn=$(terraform show -json | jq -r '.values.outputs.traefik_target_groups.value.grpc.arn // empty')
+        nginx_tg_arn=$(terraform show -json | jq -r '.values.outputs.traefik2_target_groups.value.https.arn // empty')
+        argocd_tg_arn=$(terraform show -json | jq -r '.values.outputs.argocd_target_groups.value.argocd.arn // empty')
+
+        if [[ -n "$traefik_tg_arn" ]]; then
+            echo "TRAEFIK_TG_ARN=${traefik_tg_arn}" >> ~/.env
+        fi
+        if [[ -n "$traefikgrpc_tg_arn" ]]; then
+            echo "TRAEFIKGRPC_TG_ARN=${traefikgrpc_tg_arn}" >> ~/.env
+        fi
+        if [[ -n "$nginx_tg_arn" ]]; then
+            echo "NGINX_TG_ARN=${nginx_tg_arn}" >> ~/.env
+        fi
+        if [[ -n "$argocd_tg_arn" ]]; then
+            echo "ARGOCD_TG_ARN=${argocd_tg_arn}" >> ~/.env
+        fi
+        popd
+    fi
+
     rm -rf $dir
 }
 
@@ -1647,12 +1718,12 @@ install() {
     upload_savedir
     rm -f ${values_changed} || true
 
-    terminate_sshuttle
-
     if ! $SKIP_APPLY_CLUSTER; then
         wait_for_gitea
     fi
 
+    terminate_sshuttle
+
     echo "Info: Installation completed successfully. Please back up the files in ${SAVE_DIR} directory."
 }