fix: timeouts for ingress controller (#185)

in-1911 · web-flow · commit bc97966c9472 · 2024-09-28T13:13:04.000+01:00
diff --git a/modules/roks-ingress/main.tf b/modules/roks-ingress/main.tf
@@ -98,17 +98,34 @@ resource "kubernetes_manifest" "workload_ingress" {
     }
   }
   wait {
-    # Wait until the ingress controller is fully available
-    # This requires a TLS secret to be created
-    # and will give time for the ALB to finish provisioning (private IPs are available)
+    # Wait until the load balancer is provisioned
+    # The subsequent wait will give time for the ALB to finish provisioning (private IPs are available)
+    # The ingress controller will become fully available when the TLS secret is created, but that may take much longer
     condition {
-      type   = "Available"
+      type   = "LoadBalancerReady"
       status = "True"
     }
   }
+  timeouts {
+    create = "20m"
+    update = "20m"
+    delete = "20m"
+  }
+}
+
+# Give some more time for ALB private IPs to become available in case only the ingress is being re-created
+resource "time_sleep" "wait_for_ingress_provisioning" {
+  depends_on = [restapi_object.workload_nlb_dns, kubernetes_manifest.workload_ingress]
+
+  destroy_duration = "5s"
+  create_duration  = "7m"
+  triggers = {
+    ingress_uid = kubernetes_manifest.workload_ingress.object.metadata.uid
+  }
 }
 
 data "kubernetes_service" "ingress_router_service" {
+  depends_on = [time_sleep.wait_for_ingress_provisioning]
   metadata {
     name      = "router-${kubernetes_manifest.workload_ingress.object.metadata.name}"
     namespace = "openshift-ingress"
@@ -169,7 +186,7 @@ resource "restapi_object" "workload_nlb_dns_cleanup" {
 # Need to get private IPs (private_ips) of the ALB to include in ACL
 data "ibm_is_lb" "ingress_vpc_alb" {
   name       = "kube-${local.cluster_id}-${replace(data.kubernetes_service.ingress_router_service.metadata[0].uid, "-", "")}"
-  depends_on = [time_sleep.wait_for_alb_provisioning]
+  depends_on = [time_sleep.wait_for_alb_provisioning, time_sleep.wait_for_ingress_provisioning]
 }
 
 # Assuming all SLZ zones for the ALB subnet will have the same ACL
diff --git a/solutions/banking/main.tf b/solutions/banking/main.tf
@@ -12,7 +12,8 @@ locals {
   watson_ml_project_name           = var.prefix != null ? "${var.prefix}-${var.watson_project_name}" : var.watson_project_name
   sensitive_tokendata              = sensitive(data.ibm_iam_auth_token.tokendata.iam_access_token)
 
-  elastic_index_name       = var.prefix != null ? "${var.prefix}-${var.elastic_index_name}" : var.elastic_index_name
+  # Translate index name to lowercase to avoid Elastic errors
+  elastic_index_name       = lower(var.prefix != null ? "${var.prefix}-${var.elastic_index_name}" : var.elastic_index_name)
   elastic_credentials_data = local.use_elastic_index ? jsondecode(data.ibm_resource_key.elastic_credentials[0].credentials_json).connection.https : null
   # Compose the URL without credentials to keep the latter sensitive
   elastic_service_binding = local.use_elastic_index ? {
