Scaffolding Pipeline GCP

Building Infrastructure Platform

Cloud Architecture

The following resources are created by this repo.

  1. VPC and subnet
  2. GKE regional cluster (default region: europe-west1, default name: demo-application) with a nodepool
  3. Relevant service accounts
  4. Container registry (GCR)
  5. Secret "gcr-json-key" for docker image pull access for deployments
  6. Static IP address
  7. Cloud DNS, DNS Zone with A type record set pointing to static IP
  8. nginx ingress-controller
  9. cert-manager and letsencrypt
  • This repo's Dockerfile builds the image (japrakash/cci-terraform-light-gcloudsdk:0.0.1) that ships terraform and the gcloud SDK for the pipeline.

Getting Started

  1. Pick an existing GCP project or create a new one, then create a bucket (e.g. "demo-application-tfstate-eu-gcs") to hold the terraform state.

  2. Create a service account "cicd-pipeline" that the pipelines will run as. Download its key file in JSON format and use the file contents as the GCP_CREDS value.

  3. Create the following environment variables in CircleCI with their respective values:

        CLUSTER_NAME = demo-application
        CLUSTER_REGION = europe-west1
        GCP_CREDS = <json file contents created in step 2>
        GCP_PROJECT = Jagendraatal Prakash Contino
        DNS_NAME = demoapplication.squadzero.io.
    
  4. Let the pipeline run; it should create the complete infrastructure.

  5. Create a service account for the DNS-01 solver by running the commands below.

    $ PROJECT_ID=myproject-id
    $ gcloud iam service-accounts create dns01-solver --display-name "dns01-solver"
    $ gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member serviceAccount:dns01-solver@$PROJECT_ID.iam.gserviceaccount.com \
        --role roles/dns.admin
    $ gcloud iam service-accounts keys create key.json \
        --iam-account dns01-solver@$PROJECT_ID.iam.gserviceaccount.com
    $ kubectl create secret generic cert-manager-credentials \
        --from-file=key.json
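The same step expressed in Terraform, as an added example that is not part of this repo: it creates the dns01-solver service account, the roles/dns.admin binding, a key, and the cert-manager-credentials secret, so the TODO about automating service-account creation can reuse it. It assumes the google and kubernetes providers are already configured against the project and the GKE cluster; the resource names, the project_id variable and the cert-manager namespace are assumptions.

```hcl
# Added example (not part of this repo): step 5 of Getting Started in
# Terraform instead of gcloud/kubectl. Assumes the google and kubernetes
# providers are configured for var.project_id and the GKE cluster.

variable "project_id" {
  description = "GCP project that owns the Cloud DNS zone (assumed variable)"
  type        = string
}

resource "google_service_account" "dns01_solver" {
  project      = var.project_id
  account_id   = "dns01-solver"
  display_name = "dns01-solver"
}

# Same role the README grants with gcloud (roles/dns.admin). iam_member is
# non-authoritative, matching `gcloud projects add-iam-policy-binding`, so it
# does not overwrite other bindings on the project policy.
resource "google_project_iam_member" "dns01_solver_dns_admin" {
  project = var.project_id
  role    = "roles/dns.admin"
  member  = "serviceAccount:${google_service_account.dns01_solver.email}"
}

resource "google_service_account_key" "dns01_solver" {
  service_account_id = google_service_account.dns01_solver.name
}

# Equivalent of:
#   kubectl create secret generic cert-manager-credentials --from-file=key.json
# The provider returns private_key base64-encoded, so it is decoded here;
# the kubernetes provider base64-encodes `data` values itself.
resource "kubernetes_secret" "cert_manager_credentials" {
  metadata {
    name      = "cert-manager-credentials"
    namespace = "cert-manager" # assumption: the namespace cert-manager runs in
  }
  data = {
    "key.json" = base64decode(google_service_account_key.dns01_solver.private_key)
  }
}
```

One consequence worth knowing before choosing this route: google_service_account_key stores the private key in Terraform state, so the state bucket from step 1 then holds a live credential and needs the same access restrictions as key.json would on an operator's machine.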

TODO

  1. PodSecurityPolicy (pod_security_policy_config) is currently disabled for the cluster and needs to be enabled.

  2. Automation of new project, terraform state bucket and service account creation.

  3. Introduce tflint and tfsec checks in pipeline.

Cluster Module Details

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| google | n/a |
| google-beta | n/a |
| random | n/a |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| default_max_nodes_per_zone_per_pool | n/a | string | "3" | no |
| default_min_nodes_per_zone_per_pool | n/a | string | "1" | no |
| disk_size_gb | n/a | string | "100" | no |
| disk_type | n/a | string | "pd-standard" | no |
| gcr_bucket_name | The bucket name for the Google Container Registry | any | n/a | yes |
| initial_node_count | n/a | string | "1" | no |
| machine_type | n/a | any | n/a | yes |
| min_master_version | n/a | any | n/a | yes |
| name | n/a | any | n/a | yes |
| node_ip_range | n/a | any | n/a | yes |
| node_pool_oauth_scopes | The oauth scope(s) to apply to the node pools | list(string) | ["cloud-platform"] | no |
| nodepool_count | n/a | any | n/a | yes |
| pod_ip_range | n/a | any | n/a | yes |
| preemptible | n/a | any | n/a | yes |
| region | n/a | any | n/a | yes |
| service_ip_range | n/a | any | n/a | yes |
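An added example of a root module that wires up every input in the table above (this is not a file from the repo). The state bucket, cluster name and region come from Getting Started; the module path, the GCR bucket name, the GKE version, the machine type and the three CIDR ranges are assumptions.

```hcl
# Added example (not in the repo): calling the cluster module with the
# inputs listed in the README. Paths, CIDRs and versions are assumptions.
terraform {
  backend "gcs" {
    bucket = "demo-application-tfstate-eu-gcs" # state bucket from step 1
    prefix = "cluster"
  }
}

variable "gcp_project" {
  description = "Project id, the GCP_PROJECT pipeline variable (assumed name)"
  type        = string
}

provider "google" {
  project = var.gcp_project
  region  = "europe-west1"
}

module "cluster" {
  source = "./modules/cluster" # assumption: where the cluster module lives

  # Required inputs.
  name               = "demo-application"
  region             = "europe-west1"
  gcr_bucket_name    = "eu.artifacts.${var.gcp_project}.appspot.com" # assumption: EU multi-region GCR bucket
  machine_type       = "n1-standard-2"
  min_master_version = "1.16"
  nodepool_count     = 1
  preemptible        = false

  # Secondary ranges for VPC-native (alias IP) networking; the three must
  # not overlap each other or any peered network.
  node_ip_range    = "10.10.0.0/20"
  pod_ip_range     = "10.20.0.0/16"
  service_ip_range = "10.30.0.0/20"

  # Optional inputs, set here to the defaults from the table.
  initial_node_count                  = "1"
  disk_type                           = "pd-standard"
  disk_size_gb                        = "100"
  default_min_nodes_per_zone_per_pool = "1"
  default_max_nodes_per_zone_per_pool = "3"
  node_pool_oauth_scopes              = ["cloud-platform"]
}

# Surface a module output so the pipeline can configure kubectl.
output "cluster_endpoint" {
  value = module.cluster.cluster_endpoint
}
```

On node_pool_oauth_scopes: the default "cloud-platform" scope lets the node service account reach any Google API its IAM roles permit, so the roles bound to that service account (service_account_email in the outputs), not the scope, are the effective limit on what workloads on the nodes can do.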

Outputs

| Name | Description |
|------|-------------|
| cluster_ca_certificate | n/a |
| cluster_endpoint | n/a |
| cluster_master_version | n/a |
| cluster_name | n/a |
| cluster_region | n/a |
| network_name | n/a |
| service_account_email | n/a |
| subnet_name | n/a |