From 34e8fb520158600a96063db8c91279bb841f2e2e Mon Sep 17 00:00:00 2001 From: Aline Abler Date: Tue, 16 Jun 2026 17:49:08 +0200 Subject: [PATCH] Minor improvements to decommissioning spellbooks - Ensure compiled catalog is available before using Terraform - Make Terraform destroy step re-runnable by checking whether hieradata commit was already deleted from state - Mark passbolt passphrase as local and sensitive variable - Use "Delete PVs" spell for Exoscale as well - Use newly-improved API calls to delete server definitions in control.vshn.net, instead of doing so manually --- workflows/cloudscale/decommission-steps.yml | 10 +++++++++- workflows/exoscale-decommission.workflow | 1 + workflows/exoscale/decommission-steps.yml | 10 +++++++++- workflows/shared/decommission-steps.yml | 20 +++++++------------- 4 files changed, 26 insertions(+), 15 deletions(-) diff --git a/workflows/cloudscale/decommission-steps.yml b/workflows/cloudscale/decommission-steps.yml index 450414a..079eac8 100644 --- a/workflows/cloudscale/decommission-steps.yml +++ b/workflows/cloudscale/decommission-steps.yml @@ -79,6 +79,11 @@ spells: HIERADATA_REPO_TOKEN=${INPUT_gitlab_api_token} EOF + if [[ ! -d catalog ]] + then + commodore catalog compile "$INPUT_commodore_cluster_id" + fi + tf_image=$(\ yq eval ".parameters.openshift4_terraform.images.terraform.image" \ dependencies/openshift4-terraform/class/defaults.yml) @@ -195,7 +200,10 @@ spells: "-backend-config=unlock_method=DELETE" \ "-backend-config=retry_wait_min=5" - terraform state rm "module.cluster.module.lb.module.hiera[0].gitfile_checkout.appuio_hieradata" + if terraform state list | grep "gitfile_checkout.appuio_hieradata" > /dev/null + then + terraform state rm "module.cluster.module.lb.module.hiera[0].gitfile_checkout.appuio_hieradata" + fi # Suppress errors on the first run; it is expected to fail terraform destroy --auto-approve || true 
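Review bot: The added guard `if [[ ! -d catalog ]]` in the `@@ -79,6 +79,11 @@` hunk only tests that a directory named `catalog` exists, while the next command reads `dependencies/openshift4-terraform/class/defaults.yml`. A leftover or partial compile from an earlier run (possibly for a different cluster, if the working directory is reused) could therefore skip `commodore catalog compile` and feed stale data into a destructive workflow. Consider testing the file that is actually consumed, e.g. `if [[ ! -f dependencies/openshift4-terraform/class/defaults.yml ]]`, or compiling unconditionally for `$INPUT_commodore_cluster_id`. The same guard is added in the first hunk of workflows/exoscale/decommission-steps.yml. The enclosing `run` script starts and ends outside the hunk, so whether the directory is cleaned beforehand is not visible here.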
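Review bot: In the added `if terraform state list | grep "gitfile_checkout.appuio_hieradata" > /dev/null` (hunk `@@ -195,7 +200,10 @@`), a failing `terraform state list` (backend unreachable, expired credentials) makes the condition false exactly like "resource already removed". The `state rm` is then skipped silently and the script goes on to `terraform destroy --auto-approve || true`, possibly with the hieradata checkout still in state. Capturing the list first lets such a failure stop the script, assuming it runs under `set -e`, which is not visible in this hunk: `tf_state=$(terraform state list)` followed by `if grep -qxF 'module.cluster.module.lb.module.hiera[0].gitfile_checkout.appuio_hieradata' <<<"$tf_state"`. Matching the full address with `-xF` also avoids the regex `.` and the substring match of the current pattern. The same applies to the second hunk of workflows/exoscale/decommission-steps.yml; the script body extends beyond both hunks.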
diff --git a/workflows/exoscale-decommission.workflow b/workflows/exoscale-decommission.workflow index c7228ae..0868c23 100644 --- a/workflows/exoscale-decommission.workflow +++ b/workflows/exoscale-decommission.workflow @@ -8,6 +8,7 @@ Then I confirm cluster deletion Then I disable the OpsGenie heartbeat And I disable Project Syn And I delete all Load Balancer services +And I delete all persistent volumes Then I save the loadbalancer metadata And I downtime the loadbalancers in icinga And I decommission Terraform resources diff --git a/workflows/exoscale/decommission-steps.yml b/workflows/exoscale/decommission-steps.yml index d89b8ba..e7f4653 100644 --- a/workflows/exoscale/decommission-steps.yml +++ b/workflows/exoscale/decommission-steps.yml @@ -42,6 +42,11 @@ spells: HIERADATA_REPO_TOKEN=${INPUT_gitlab_api_token} EOF + if [[ ! -d catalog ]] + then + commodore catalog compile "$INPUT_commodore_cluster_id" + fi + tf_image=$(\ yq eval ".parameters.openshift4_terraform.images.terraform.image" \ dependencies/openshift4-terraform/class/defaults.yml) @@ -165,7 +170,10 @@ spells: "-backend-config=unlock_method=DELETE" \ "-backend-config=retry_wait_min=5" - terraform state rm "module.cluster.module.lb.module.hiera[0].gitfile_checkout.appuio_hieradata" + if terraform state list | grep "gitfile_checkout.appuio_hieradata" > /dev/null + then + terraform state rm "module.cluster.module.lb.module.hiera[0].gitfile_checkout.appuio_hieradata" + fi # Suppress errors on the first run; it is expected to fail terraform destroy --auto-approve || true diff --git a/workflows/shared/decommission-steps.yml b/workflows/shared/decommission-steps.yml index cb798bf..423b9a8 100644 --- a/workflows/shared/decommission-steps.yml +++ b/workflows/shared/decommission-steps.yml @@ -9,6 +9,7 @@ spells: Usually of the form `.` - name: passbolt_passphrase + type: local-sensitive description: |- Your password for Passbolt. 
@@ -90,7 +91,7 @@ spells: kubectl delete machineautoscaler -A --all - match: And I delete all persistent volumes description: |- - This step deletes all persistent volumes on the cluster, so that the corresponding Cloudscale resources can be decommissioned by the controller. + This step deletes all persistent volumes on the cluster, so that the corresponding CSP resources can be decommissioned by the controller. By cordoning all non-master nodes and deleting all their pods (except the csi driver pods) we ensure that no new PVs are created, while the existing ones can be cleaned up. Deleting all pods has the additional benefit that we don’t have to deal with PDBs when deleting the machinesets in the next step. inputs: @@ -154,20 +155,13 @@ spells: inputs: - name: lb_fqdn_1 - name: lb_fqdn_2 + - name: control_vshn_api_token run: | set -euo pipefail - echo '###################################################################################' - echo '# #' - echo "# Please manually delete the cluster's LoadBalancer servers before proceeding. #" - echo '# #' - echo '###################################################################################' - echo - echo You can go to: - echo https://control.vshn.net/servers/definitions/appuio/${INPUT_lb_fqdn_1}/delete - echo https://control.vshn.net/servers/definitions/appuio/${INPUT_lb_fqdn_2}/delete - sleep 2 - # NOTE(aa): This step is currently annoying to automate, but once ticket PORTAL-253 is resolved, - # it should be easy. + echo "Deleting server definitions ..." + curl -XDELETE -H"$AUTH" https://control.vshn.net/api/servers/1/appuio/${INPUT_lb_fqdn_1} + curl -XDELETE -H"$AUTH" https://control.vshn.net/api/servers/1/appuio/${INPUT_lb_fqdn_2} + echo "Server definitions deleted." - match: And I decommission the LoadBalancers description: |-
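Review bot: The two added `curl -XDELETE` calls in the `@@ -154,20 +155,13 @@` hunk send `"$AUTH"`, but nothing in this `run` script (fully visible in the hunk) assigns `AUTH`, and the new input `control_vshn_api_token` is never referenced. Under `set -u` the step aborts unless the runner exports `AUTH`, so the header should be built here from `INPUT_control_vshn_api_token` in whatever format the API expects. curl also exits 0 on HTTP 4xx/5xx by default, so "Server definitions deleted." is printed even when the API rejects the request; add `--fail` and quote the URL, e.g. `curl -fsS -X DELETE -H "$AUTH" "https://control.vshn.net/api/servers/1/appuio/${INPUT_lb_fqdn_1}"`, and likewise for `lb_fqdn_2`. The token ends up on curl's command line, where it is visible in the process list, so reading the header from a file with `-H @file` is worth considering. The input probably also deserves the `type: local-sensitive` marking this commit gives `passbolt_passphrase`, if its definition elsewhere does not already carry it.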