add helm scripts + backup role

aliziel · aliziel · commit 4c520bb04c6e · 2025-05-20T12:43:19.000-07:00
diff --git a/Makefile b/Makefile
@@ -0,0 +1,38 @@
+AWS_PROFILE ?= default
+CLUSTER_NAME = tofu -chdir=terraform output cluster_name
+S3_BACKUP_ROLE = tofu -chdir=terraform output s3_backup_role
+
+PGO_CHART_VERSION = 5.7.4
+EOAPI_CHART_VERSION = 0.7.1
+
+.DEFAULT_GOAL := help
+
+$(VERBOSE).SILENT:
+
+.PHONY: help
+
+help: Makefile
+	@echo
+	@echo "Usage: make [target]"
+	@echo
+	@echo "Targets:"
+	@sed -n 's/^##//p' $< | column -t -s ':'
+	@echo
+
+## kubeconfig: Configure kubectl to connect to EKS cluster
+kubeconfig:
+	aws eks update-kubeconfig --name $(CLUSTER_NAME)
+
+## init-eoapi: Add eoAPI repo and install dependencies
+init-eoapi:
+	command -v helm >/dev/null 2>&1 || { echo "Helm is required but not installed"; exit 1; }
+	echo "Installing PostgresQL operator chart (eoAPI dependency)"
+	helm upgrade --install --set disable_check_for_upgrades=true pgo oci://registry.developers.crunchydata.com/crunchydata/pgo --version $(PGO_CHART_VERSION)
+	echo "Adding eoAPI repository."
+	helm repo add eoapi https://devseed.com/eoapi-k8s/
+
+## deploy-eoapi: Upgrade or install eoAPI release
+deploy-eoapi:
+	helm repo list | grep "eoapi" >/dev/null 2>&1 || { echo "Not initialized, run 'make init-eoapi' before retrying"; exit 1; }
+	helm upgrade --install --namespace eoapi --create-namespace eoapi eoapi/eoapi --version $(EOAPI_CHART_VERSION) -f kubernetes/helm/eoapi.yaml --set previousVersion=0.7.1
+	kubectl --namespace eoapi annotate postgresclusters eoapi --overwrite eks.amazonaws.com/role-arn=$(S3_BACKUP_ROLE)
diff --git a/kubernetes/helm/eoapi.yaml b/kubernetes/helm/eoapi.yaml
@@ -0,0 +1,37 @@
+ingress:
+  annotations:
+    # increase the max body size to 100MB
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/enable-access-log: "true"
+
+
+postgrescluster:
+  # # TODO: bridge alternatives for TF output to CRD annotations
+  # metadata:
+  #   annotations:
+  #     eks.amazonaws.com/role-arn: ""
+  backupsEnabled: true
+  s3:
+    bucket: "pgstac-backup"
+    endpoint: "s3.us-east-1.amazonaws.com"
+    region: "us-east-1"
+    keyType: "web-id"
+  instances:
+  - name: eoapi
+    replicas: 1
+    dataVolumeClaimSpec:
+      # TODO: gp3 SC
+      storageClassName: "gp2"
+      accessModes:
+      - "ReadWriteOnce"
+      resources:
+        requests:
+          storage: "10Gi"
+          cpu: "1024m"
+          memory: "3048Mi"
+
+pgstacBootstrap:
+  image:
+    name: ghcr.io/stac-utils/pgstac-pypgstac
+    tag: v0.9.6
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -1,4 +1,7 @@
-output "cluster_sg" {
-  description = "the cluster security group"
-  value = aws_eks_cluster.cluster.vpc_config[0].cluster_security_group_id
+output "cluster_name" {
+  value = aws_eks_cluster.cluster.name
+}
+
+output "s3_backup_role" {
+  value = aws_iam_role.bucket_access.arn
 }
diff --git a/terraform/s3.tf b/terraform/s3.tf
@@ -27,8 +27,14 @@ locals {
   s3_policy_arn = length(var.bucket_names) > 0 ? aws_iam_policy.eks_s3_access[0].arn : ""
 }
 
+resource "aws_iam_role" "bucket_access" {
+  name                 = "${local.cluster_prefix}-bucket-access"
+  assume_role_policy   = data.aws_iam_policy_document.assume_role_with_oidc.json
+  permissions_boundary = var.permissions_boundary
+}
+
 resource "aws_iam_role_policy_attachment" "s3_access" {
   count      = length(var.bucket_names) > 0 ? 1 : 0
-  role       = aws_iam_role.nodegroup.name
+  role       = aws_iam_role.bucket_access.name
   policy_arn = local.s3_policy_arn
 }
