Fix nexus bootstrapping #2818
Merged
Fix nexus bootstrapping #2818
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/test |
|
🤖 pr-bot 🤖 🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/3387925182 (with refid (in response to this comment from @jjgriff93) |
|
Tests have passed, https://github.com/microsoft/AzureTRE/actions/runs/3387925182 - forcing merge |
|
/test-force-approve |
|
🤖 pr-bot 🤖 ✅ Marking tests as complete (for commit 2cfff63) (in response to this comment from @jjgriff93) |
|
/test-force-approve |
|
🤖 pr-bot 🤖 ✅ Marking tests as complete (for commit f862a04) (in response to this comment from @jjgriff93) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves #2785
What is being addressed
Due to the introduction of template pipelines and changing the firewall rule addition/removal step to occur outside the main bundle's terraform, a race condition was introduced where the Nexus bundle was being deployed and then the firewall rules (that it relied on to connect to ubuntu key server, packages.microsoft.com and docker.com) were being applied afterwards in the pipeline. As the Nexus clouding bootstrapping starts up, this firewall step wasn't always completed in time for it to work, causing regular failures.
How is this addressed
I tried swapping the order so that the firewall pipeline step happens first, however it depends on outputs from the main bundle terraform. After experimenting with a few workarounds the cleanest solution seems to be whitelisting the key server, Microsoft packages and docker fqdns in the main shared-subnet fqdn exceptions as part of the firewall bundle, as these will be whitelisted anyway as per the nexus bundle and are core trusted repositories already whitelisted by the resource processor.