The latest articles on Forem by Chabane R. (@chabane). https://forem.com/chabane https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F383123%2F7cc2e0f2-9f96-49eb-8079-98212a89428d.jpg https://forem.com/chabane en Chabane R. Fri, 12 Nov 2021 12:55:25 +0000 https://forem.com/stack-labs/mayday-mayday-i-need-a-scalable-infrastructure-to-migrate-on-scaleway-elements-part-2-ops-container-migration-h02 https://forem.com/stack-labs/mayday-mayday-i-need-a-scalable-infrastructure-to-migrate-on-scaleway-elements-part-2-ops-container-migration-h02 <p>Hello again!</p> <p>We saw in <a href="https://dev.to/stack-labs/mayday-mayday-i-need-a-scalable-infrastructure-to-migrate-on-scaleway-elements-part-1-networking-security-37bg">the part 1</a> how to build a scalable Scaleway Elements organization, implementing a networking topology, defining a disaster recovery and centralizing IAM and key management.</p> <p>In this part 2, we will talk about DevOps, monitoring, logging and migration of business applications in Kubernetes as an example.</p> <h1> DevOps </h1> <p><em>The Cloud is ruled by DevOps – this fact has been proven time and again.</em> [1]</p> <p>I highly recommend all my customers to adopt a DevOps culture and practices from the beginning.</p> <p>Using a CI/CD tool becomes vital when you have multiples environments and a complex infrastructure configuration that depends on infrastructure as code.</p> <p>Many DevOps tools exist in the market. Let's take Gitlab as an example.</p> <h2> Gitlab </h2> <p>With Gitlab, you could manage your own instance in your infrastructure or use the SaaS solution, gitlab.com.</p> <p>In the SaaS solution, you can choose between:</p> <ul> <li>shared runners that are managed by GitLab infrastructure and limited in minutes (Depending on your licence subscription)</li> <li>specific or group runners that will be managed by your infrastructure with no limit of minutes.</li> </ul> <p>If you choose the shared runners to deploy your resources in Scaleway Elements, you will need to create and save service accounts keys as variables in the Gitlab CI configuration. You will face all the security issues related to storing credentials outside of your cloud infrastructure: Key rotation, age, destruction, location, etc.</p> <p>For production use, I recommend customers to use specific or group runners with jobs running in a Kubernetes Kapsule cluster. </p> <p>The runner configuration that I had used for customers:</p> <ul> <li>Specific or group runners only,</li> <li>Deployed using Helm Chart, more easy to upgrade,</li> <li>Accessibles by tags,</li> <li>Locked to current project(s),</li> <li>Ran only on protected branches (Production),</li> <li>Assigned a specific Kubernetes Service Account,</li> <li>Jobs run in separate nodepools per environment.</li> </ul> <p>The Kapsule cluster that hosts those runners has its own private network which is isolated from the internet with an explicit allow security group rule for gitlab ingress traffic on port 443.</p> <blockquote> <p>If your organization has multiple teams, you can grant specific teams access to only the runners that they use:</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmzau3epl1aowboozvc83.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmzau3epl1aowboozvc83.png" alt="DevOps Kapsule Cluster management" width="800" height="560"></a></p> <h2> GitOps </h2> <p><em>GitOps builds on DevOps with Git as a single source of truth for declarative infrastructure like Kubernetes.</em> [2]</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fkgzt6pqctrpumdz5xsj5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fkgzt6pqctrpumdz5xsj5.png" alt="GitOps concept" width="800" height="359"></a></p> <p>If you have the possibility to migrate your existing workloads to Kubernetes for example, you can take advantage of GitOps practices.</p> <h3> GitOps Tools </h3> <p>Many tools exist in the market like ArgoCD and FluxCD. Personally I consider ArgoCD as the most complete tool for GitOps but you will need to manage it by yourself in your infrastructure. </p> <p>ArgoCD allows you to:</p> <ul> <li>Manage configurations for multiple environments using a Git repository as a single source of truth.</li> <li>Review changes before deployment through pull requests on GitHub or merge requests on Gitlab.</li> <li>Test and promote changes across different environments.</li> <li>Roll back changes quickly.</li> <li>See your applications version and status on the ArgoCD Console.</li> </ul> <h3> GitOps Integration </h3> <p>The common patterns used to integrate GitOps practices is creating multiples repositories instead of a single source.</p> <ul> <li>Image repository dedicated for the business application. The dockerfile(s) will reside in this repository.</li> <li>Env repository dedicated for the deployment in Kubernetes. The kubernetes manifests will reside in this repository.</li> <li>Infra repository dedicated for the deployment in Scaleway Elements. The terraform plans will reside in this repository.</li> </ul> <p>Let's illustrate that with a diagram:</p> <p>1 - We start by deploying the Kapsule cluster using terraform and infra repo:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcb2ltw8hb1byumlcvyie.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcb2ltw8hb1byumlcvyie.png" alt="Deploy Kapsule cluster" width="800" height="390"></a></p> <p>The gitlab runner job has a Kubernetes Service Account (KSA) which is bound with an API Key (stored in Vault) with appropriate permissions in the Env project.</p> <p>2 - Build a new docker image after each <code>git tag</code>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbdtu0xntuh1yobh64zga.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbdtu0xntuh1yobh64zga.png" alt="Build and push docker image" width="800" height="332"></a></p> <p>The new docker image is built and published in a centralized container registry.</p> <p>Share the specific runner registered in infra repo with the image repo.</p> <p>3 - Edit the docker image version of Kuberentes manifests using <a href="https://kustomize.io/" rel="noopener noreferrer">Kustomize</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmvi5iaji9jzxdpc64q0w.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmvi5iaji9jzxdpc64q0w.png" alt="Sync ArgoCD" width="800" height="298"></a></p> <p>The kubernetes workloads are updated automatically with the new docker image version using a GitOps tool like ArgoCD.</p> <p>Share the specific runner registered in infra repo with the env repo and lock the runner to the current Gitlab projects.</p> <p>4 - Authorize the kubernetes cluster of the env project to access docker images from the DevOps project:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff8uu56ejqpgqdfenis5y.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff8uu56ejqpgqdfenis5y.png" alt="Pull image" width="800" height="454"></a></p> <p>We can easily develop a generator that create for each new env project a blueprint of gitlab repositories and pipelines. I had the chance to build a generator like this for a customer using <a href="https://yeoman.io/authoring/" rel="noopener noreferrer">Yeoman</a>. It was a really cool challenge.</p> <p>Final architecture:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcfglkgi6n3h0opls9tgu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcfglkgi6n3h0opls9tgu.png" alt="GitOps architecture" width="800" height="412"></a></p> <h1> Operations </h1> <h2> Monitoring </h2> <p>If you have multiple Kubernetes clusters to operate, you have the possibility to centralize all of your metrics in a centralized monitoring dashboard for all of your environments (development, integration, and production).</p> <p>You can achieve this centralization using:</p> <ul> <li> <a href="https://prometheus.io/" rel="noopener noreferrer">Prometheus</a> to collect metrics.</li> <li> <a href="https://thanos.io/" rel="noopener noreferrer">Thanos</a> alongside Prometheus. It will be used for long term storing capabilities and federation.</li> <li> <a href="https://prometheus.io/docs/alerting/latest/alertmanager/" rel="noopener noreferrer">Alert Manager</a> to send alerts based on metrics query.</li> <li> <a href="https://grafana.com/" rel="noopener noreferrer">Grafana</a> fancy dashboards.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuul2y8fliy0xymyzxyk3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuul2y8fliy0xymyzxyk3.png" alt="Monitoring" width="800" height="446"></a></p> <blockquote> <p>For more details, you can consult this article: <a href="https://particule.io/en/blog/thanos-monitoring/" rel="noopener noreferrer">Multi-Cluster Monitoring with Thanos</a></p> </blockquote> <h2> Logging </h2> <h3> Hot </h3> <p>When you deploy containers to your development cluster, you will need quick access to logging to analyze container errors. A good solution is to deploy <a href="https://rancher.com/" rel="noopener noreferrer">Rancher</a> in your DevOps cluster. Rancher has many features:</p> <ul> <li>An admin console,</li> <li>Give you a cluster overview,</li> <li>Access to workloads logs and states,</li> <li>Role-based Access Control, etc.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frb2qryauk6n5s9ja478t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frb2qryauk6n5s9ja478t.png" alt="Cold Logging" width="800" height="450"></a></p> <h3> Cold </h3> <p>When you operate your production cluster, in the event of a disaster or failure, you will need to access the log history. The <a href="https://www.elastic.co/what-is/elk-stack" rel="noopener noreferrer">ELK</a> might be a good solution for storing logs for the long term:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nhyfjlg0h8pfeq16lbl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nhyfjlg0h8pfeq16lbl.png" alt="Hot logging" width="800" height="449"></a></p> <h1> Business applications </h1> <p>Let's say we have docker images hosted on premise and we want to deploy them in a Scaleway Elements Service.</p> <p>There are two ways to achieve that:</p> <ul> <li>Lift &amp; Shift in Virtual instance, if we had a self-managed docker platform.</li> <li>Improve &amp; Move in <a href="https://www.scaleway.com/en/serverless-containers/" rel="noopener noreferrer">Serverless Containers</a> or Kubernetes Kapsule.</li> </ul> <p>Unless there is a strong dependency between the docker runtime and the business applications, there is no value to go to the Cloud if you don't use a managed services for Docker.</p> <p>Serverless Containers is currently ideal if your application is internet facing and does not depend on network or security restrictions.</p> <p>Kapsule is still the most used to deploy docker images, as it's fully managed by Scaleway Elements and highly maintained and secured by the cloud provider.</p> <h2> Configuring a Kapsule cluster </h2> <p>I apply the following configuration to secure a Kapsule cluster:</p> <ul> <li>Stable version as possible. Do not use an upstream release.</li> <li>Kapsule attached to a private network (Possible soon),</li> <li>Backup of the cluster using Velero,</li> <li>Pools with auto scaling &amp; auto healing enabled,</li> <li>Network Policy enabled to manage network traffic,</li> <li>HTTPs Load balancer (LB) enabled for internet facing applications + LB ACLs when necessary,</li> <li>Keycloak for internal applications.</li> </ul> <h2> Kubernetes architecture </h2> <p>To migrate a 3-tiers architecture in Kapsule, I commonly deploy this architecture in Kubernetes:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2sozon8gavqyluewj3z0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2sozon8gavqyluewj3z0.png" alt="Kubernetes Architecture" width="800" height="448"></a></p> <p>Depending on the use case, you can deploy additional tools like <a href="https://istio.io/" rel="noopener noreferrer">Istio</a>.</p> <blockquote> <p>I wrote a complete article on <a href="https://dev.to/stack-labs/securing-the-connectivity-between-a-scaleway-kubernetes-kapsule-application-and-scaleway-rdb-database-4g7b">how to secure connectivity between a Kapsule container and RDB databases</a>.</p> </blockquote> <h2> Docker images </h2> <p>When you migrate existing docker images in the cloud, it's not easy to optimize the existing layers for fear of breaking something.</p> <p>What I recommend for all existing images is to:</p> <ul> <li>Properly tag images (semantic versioning and/or Git commit bash),</li> <li>Use <a href="https://github.com/GoogleContainerTools/kaniko" rel="noopener noreferrer">Kaniko</a> to build and push images,</li> <li>Use Container Registry to store the images.</li> </ul> <p>For new images:</p> <ul> <li>Package a single app per container,</li> <li>Build the smallest image possible,</li> <li>Optimize for the Docker build cache,</li> <li>Remove unnecessary tools,</li> <li>Carefully consider whether to use a public image,</li> <li>Use <a href="https://github.com/quay/clair" rel="noopener noreferrer">Clair</a> for vulnerability scanning.</li> </ul> <h1> Cost Savings tips </h1> <p>When you move existing workloads in a Cloud Provider, you can save money in two differents ways:</p> <ul> <li>Cost-optimization: Running the workloads in the right service with the right configuration.</li> <li>Cost-cutting: Removing deprecated and unused resources.</li> </ul> <p>To apply a cost-cutting, you can develop a Serverless Function that:</p> <ul> <li>Stops all resources that are not Serverless on non production environments like VMs and RDB instances,</li> <li>Resizes Kapsule nodepools to zero on non production environments,</li> <li>Removes old docker images.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8a7ll8kefdkepevegetw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8a7ll8kefdkepevegetw.png" alt="Cost Cutting" width="800" height="229"></a></p> <p>For new workloads, the best way to save money is to use Scaleway Serverless services as possible.</p> <h1> Conclusion </h1> <p>It took us around 20 days the first time we deployed such architectures. However, after applying these principles, the ensuing implementations took just few days to deploy them.</p> <p>There are other subjects I would have liked to give feedback on: Data Analytics and AI implementation. We can keep it for a part 3. </p> <p>In the meantime, if you have any questions or feedback, please feel free to leave a comment. </p> <p>Otherwise, I hope it helped you to see how automating everything via CI/CD and using infrastructure as code anywhere will ensure you to have a scalable strategy to migrate on Scaleway Elements whatever is your business.</p> <p>By the way, do not hesitate to share with peers 😊</p> <h1> Documentation: </h1> <p>[1] <a href="https://www.idexcel.com/blog/true-business-efficiency-combines-the-power-of-cloud-computing-and-devops-practices/" rel="noopener noreferrer">https://www.idexcel.com/blog/true-business-efficiency-combines-the-power-of-cloud-computing-and-devops-practices/</a><br> [2] <a href="https://www.weave.works/blog/gitops-modern-best-practices-for-high-velocity-application-development" rel="noopener noreferrer">https://www.weave.works/blog/gitops-modern-best-practices-for-high-velocity-application-development</a></p> scaleway devops monitoring kubernetes Chabane R. Fri, 12 Nov 2021 10:14:11 +0000 https://forem.com/stack-labs/mayday-mayday-i-need-a-scalable-infrastructure-to-migrate-on-scaleway-elements-part-1-networking-security-37bg https://forem.com/stack-labs/mayday-mayday-i-need-a-scalable-infrastructure-to-migrate-on-scaleway-elements-part-1-networking-security-37bg <p>That's it! We are going to migrate our on-premise applications to <a href="https://www.scaleway.com/fr/elements/" rel="noopener noreferrer">Scaleway Elements</a>! </p> <p>We start by deploying a first Web application to please the business team, we set up auto scaling and backups to satisfy the ops team, we encrypt the storage and the database with a key and a firewall to reassure the security team, all at a lower price. </p> <p>Everything has been thought of and the migration of the first application is a real success and the business accepts to migrate other applications ... But wait ... no long-term strategy has been established to facilitate the migration of new applications 😱</p> <p>Moving to the Public Cloud represents a major change within a company. A phase of adoption and acculturation is necessary for a successful transition. </p> <p>A lack of a long-term vision can be costly during migrations to the Cloud and in particular to Scaleway Elements (SCW).</p> <ul> <li>Organization of projects</li> <li>Network topology</li> <li>Centralization of security and monitoring</li> <li>The DevOps platform</li> <li>A plan for every migration strategy</li> </ul> <p>Must be defined in advance, at the onboarding phases!</p> <p>Did you also find it difficult to go further in your migration? Or are you thinking of migrating to Scaleway Elements?</p> <p>Before discovering how to plan a migration in Scaleway Elements, let's see the common traps.</p> <h1> Traps to avoid </h1> <h2> Poc to production </h2> <p>Some companies starting by developing a proof of concept put that POC into production.</p> <p>A POC is a disposable, it should be dropped after the concept has been proved.</p> <p>So if during the POC you created a SCW organization, used a CI/CD tool, deployed the resources using an infrastructure as code, it's not a POC but an MVP (Minimum Valuable Product) which it's different !</p> <p>I saw many companies deployed their POC to production and asked a partner to perform a complete refactoring of their network topology, reorganazing the cloud projects, implementing a CI/CD and infrastructure as code and it finally costs more than they thought to save.</p> <h2> On Premise mindset </h2> <p>Some companies moving to the cloud continue to follow their on-premises practices.</p> <p>Only the "business" workload should be moved to the cloud and it's called "lift &amp; shift". All existing applications for security, networking, monitoring, etc. should be replaced either by the equivalent in the cloud provider or the cloud version of those applications.</p> <p>Also for this case I saw that many companies wanted to move their IT software to the cloud which is not able to interact with cloud services.</p> <h2> Avoiding vendor lock-in at extreme level </h2> <p>Some companies moving to the cloud do not use managed services when it's possible.</p> <p>Avoiding vendor lock-in has a sense when you are looking for portability of your business application and you don't want to depend on cloud SDKs. But all non-business applications for databases and storage should be hosted in managed services.</p> <p>There are many other 'don't do' that can be listed in a dedicated post.</p> <p>So before any move to the cloud, a strong sponsorship is needed to adopt a cloud mindset in the organization.</p> <h1> Choose a scalable strategy </h1> <p>When a customer asks to migrate to the cloud, I always recommend the deciders to think about a long-term vision and value with the selected cloud provider.</p> <ul> <li>Why is the current approach and computing environment insufficient?</li> <li>What are the primary metrics that you want to optimize by using the public cloud?</li> <li>How long do you plan to use this cloud provider? Do you consider this solution permanent?</li> </ul> <p>When the vision is defined, the strategy to adopt is clearer:</p> <ul> <li>Identifying candidate workloads</li> <li>Identifying applicable patterns</li> <li>Identifying candidate topologies</li> <li>Prioritizing workloads</li> <li>Select initial workload to put in the public cloud</li> <li>Setting the Scaleway Elements organization, projects, and policies</li> <li>Implementing the network topology</li> <li>Defining the disaster recovery plan</li> <li>Setting the DevOps platform</li> <li>Start workloads migration</li> </ul> <h2> Organization </h2> <p>When you have created the Scaleway Elements organization for your company, the first step to do is defining the projects roles. What I recommend to customers is to separate the business workloads from the operational workloads.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv2uxp9a8oqxf7mlkurqb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv2uxp9a8oqxf7mlkurqb.png" alt="Project management" width="800" height="275"></a></p> <p>These roles help:</p> <ul> <li>to apply granular permissions</li> <li>to facilitate infrastructure as code automation</li> <li>to centralize IT operations</li> </ul> <h2> Network </h2> <p>Many network topologies types exist and help to ensure communications between network node.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F808plwwr98f6z1tbn5lt.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2F808plwwr98f6z1tbn5lt.jpg" alt="Hub and Spoke" width="800" height="505"></a></p> <p>As we have a connection to establish between differents projects, we need to ensure a secure connectivity between networks.</p> <p>1 - Create a <a href="https://www.scaleway.com/en/private-networks/" rel="noopener noreferrer">private network</a> for each project</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdeuvfqtsl2ppgvd3yxyj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdeuvfqtsl2ppgvd3yxyj.png" alt="Private Networks" width="800" height="431"></a></p> <p>2 - Create a <a href="https://www.scaleway.com/en/public-gateway/" rel="noopener noreferrer">public gateway</a> with a reserved IP for each project and attach it to the private network.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fftyhfs9204rxwm3tp6uk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fftyhfs9204rxwm3tp6uk.png" alt="Public Gateways" width="800" height="438"></a></p> <p>3 - For each <a href="https://www.scaleway.com/en/kubernetes-kapsule/" rel="noopener noreferrer">Kubernetes Kapsule</a> cluster of each environment project, create an HTTPs <a href="https://www.scaleway.com/en/load-balancer/" rel="noopener noreferrer">Load balancer</a> (LB) and whitelist the Public Gateway IPs of the Security and DevOps projects using LB ACLs.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4rffmql59xzq1g1j2l0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4rffmql59xzq1g1j2l0.png" alt="HTTPs load balancers" width="800" height="436"></a></p> <blockquote> <p>At the time of writing this article, a Kubernetes Kapsule cluster cannot be attached to the private network and the public gateway. It's coming soon.</p> </blockquote> <h2> SecOps </h2> <h2> Identity and Access Management </h2> <p>When you have a LDAP in your organization, it is common to connect it to your internal tools. There are many solutions to help you set up identity and access management, one of the most tool is <a href="https://www.keycloak.org/" rel="noopener noreferrer">Keycloak</a>.</p> <p>Keycloak supports multiples procotols: </p> <ul> <li>OpenID Connect</li> <li>OAuth 2.0</li> <li>SAML 2.0</li> </ul> <p>A support for Single Sign-On and Single Sign-Out, Admin Console, etc. </p> <p>The tool could be centralized in a dedicated project and used to centralize authentication on each application in your organization. The following diagram illustrates IAM management:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjn0ghftubss7jh8rm8cf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjn0ghftubss7jh8rm8cf.png" alt="Keycloak" width="800" height="443"></a></p> <h2> Key management </h2> <p>There are three very sensitives resources in SCW and in any cloud provider that we need to protect whatever the price:</p> <ul> <li>API Keys</li> <li>Cryptographic keys</li> <li>Secrets</li> </ul> <p>Virtual instance images could also be critical for some organizations.</p> <h3> API Keys </h3> <p>There are some important best practices to secure the sensitives credentials:</p> <ul> <li>Create single-purpose API keys</li> <li>Don’t embed API keys in code</li> <li>For easier visibility and auditing, central store API keys in a solution like <a href="https://www.vaultproject.io/" rel="noopener noreferrer">Vault</a> and in a dedicated project. </li> </ul> <blockquote> <p>I wrote a complete tutorial on <a href="https://dev.to/stack-labs/securing-access-to-scaleway-elements-api-keys-from-gitlab-ci-3p1h">Securing access to Scaleway Elements API Keys from Gitlab CI</a></p> </blockquote> <h3> Cryptographic keys </h3> <p>If you need to encrypt your data using a cryptopgraphic key, there are some important best practices to apply:</p> <ul> <li>Hosting encryption keys in a separate project,</li> <li>For critical projects, some enterprises save the keys in a separate organization,</li> <li>Least privilege and separation of duties.</li> </ul> <h3> Secrets </h3> <p>In any IT project, you will need two types of credentials:</p> <ul> <li>Secrets for running your business applications like DB credentials.</li> <li>Secrets to access shared applications like Elasticsearch, ArgoCD, Git repositories, etc.</li> </ul> <p>In Scaleway Elements, you can host shared secrets in the Security project and keep secrets used by business applications in a Kubernetes secret.</p> <p>There are some important best practices to manage secrets:</p> <ul> <li>Use the replication feature when creating secrets in Vault.</li> <li>Reference secrets by their version number rather than using the latest alias.</li> <li>Disable secret versions before destroying them or deleting secrets. </li> </ul> <p>The following diagram illustrates the key management:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4erh5nt1cmsqhlyd7o7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4erh5nt1cmsqhlyd7o7.png" alt="Vault" width="800" height="466"></a></p> <h2> Disaster recovery </h2> <blockquote> <p>A <a href="https://en.wikipedia.org/wiki/Disaster_recovery" rel="noopener noreferrer">Disaster Recovery</a> (DR) involves a set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster.</p> </blockquote> <p>In Scaleway Elements, there are managed services to help you implement a disaster recovery plan, such as backup services on your databases and virtual instances. But in the event of a zone/region failure or human error that deleted a project, you will need to react very quickly to restore your data and applications.</p> <p>Let's take an example of a kubernetes cluster and a RDB database that we want to backup and restore in the event of an outage:</p> <h3> Backup </h3> <p><a href="https://velero.io/" rel="noopener noreferrer">Velero</a> is an open source disaster recovery tool used to backup an entire Kubernetes cluster and save the backup in a bucket. A Scaleway <a href="https://www.scaleway.com/en/serverless-functions/" rel="noopener noreferrer">Serverless function</a> could be used to download and upload backups periodecally to a bucket:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgb1j04upj4fyezzxq1jf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgb1j04upj4fyezzxq1jf.png" alt="Backup" width="800" height="506"></a></p> <h3> Restore after a zone failure </h3> <p>In the event of a zone failure, a CI/CD pipeline could be run to restore the Kubernetes cluster with Velero and restore the databases using <a href="https://www.scaleway.com/en/cli/" rel="noopener noreferrer">Scaleway CLI</a>.</p> <blockquote> <p>In the case of a re-creation of the RDB instance, you will also need to update the host and port information.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgjl28pz9xi8wnzuonm5o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgjl28pz9xi8wnzuonm5o.png" alt="Restore zone" width="800" height="494"></a></p> <h3> Restore after a region failure </h3> <p>In the event of a region failure or a project being deleted, CI/CD pipelines could be run to recreate the Kubernetes cluster and the RDB instances with <a href="https://www.scaleway.com/en/terraform/" rel="noopener noreferrer">Terraform</a>, restore the Kubernetes cluster with Velero and restore the database using <a href="https://www.scaleway.com/en/cli/" rel="noopener noreferrer">Scaleway CLI</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flj04h2yhcauodd288ia4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flj04h2yhcauodd288ia4.png" alt="Restore region/project" width="800" height="488"></a></p> <h1> Conclusion </h1> <p>In this part we saw how it easy to build a scalable SCW organization, implementing a network topology, defining a disaster recovery and centralizing the IAM and key management.</p> <h1> What's next ? </h1> <p>In the <a href="https://dev.to/stack-labs/mayday-mayday-i-need-a-scalable-infrastructure-to-migrate-on-scaleway-elements-part-2-ops-container-migration-h02">second part</a> we will see how we can deploy a DevOps platform using Gitlab and following the GitOps practices. We will also see how to centralize monitoirng and logging using Open Source tools. We will finish with an example of a migration of Docker applications in Kubernetes Kapsule and finishing with cost saving tips.</p> scaleway architecture security networking Chabane R. Fri, 05 Nov 2021 08:22:46 +0000 https://forem.com/stack-labs/securing-the-connectivity-between-a-scaleway-kubernetes-kapsule-application-and-scaleway-rdb-database-4g7b https://forem.com/stack-labs/securing-the-connectivity-between-a-scaleway-kubernetes-kapsule-application-and-scaleway-rdb-database-4g7b <p>It is very easy today to establish a connection between a container in Kubernetes and a relational database server, just create a SQL user and open a TCP connection. In cloud computing, in the case of Scaleway Elements, the equivalent is connecting a container in a Scaleway Kubernetes Kapsule cluster to a Scaleway Relational Database instance (RDB).</p> <p>Important points should be taken into account in setting up this connectivity.</p> <p>Which network topology to choose? How to authenticate and authorize the connection to the RDB instance? Can I publicly expose a RDB instance?</p> <p>Which architecture could be the most efficient, maintainable and scalable?</p> <h1> Scenarios </h1> <p>RDB service supports the following scenarios for accessing the RDB instance:</p> <ul> <li>A virtual instance in the same project</li> <li>A virtual instance in a different project</li> <li><p>A client application through the internet</p></li> <li><p>The private network scenario is actually not possible. A <a href="https://feature-request.scaleway.com/posts/72/private-networks-for-managed-database" rel="noopener noreferrer">feature request</a> is opened and it's ongoing.</p></li> </ul> <p>The scenarios that concern us are the first two:</p> <ul> <li>A Kapsule cluster and a RDB instance in the same project</li> <li>A Kapsule cluster and a RDB instance in a different project</li> </ul> <p>Let's discover the possible architectures that could be used to implement each scenario.</p> <h2> Direct communication with public IP and authorized networks </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg39g8zkgbaqp50z82s86.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg39g8zkgbaqp50z82s86.png" alt="Kapsule and RDB communication with public IP and authorized networks" width="800" height="561"></a></p> <p>In this architecture, our RDB instance is isolated on Scaleway network and accessible through public IP address to only Kapsule cluster that requires access to it. Pods have access to RDB database using Username/Password.</p> <blockquote> <p>Public Gateway is not available yet for Kubernetes Kapsule and RDB instance, see <a href="https://feature-request.scaleway.com/posts/79/nat-gateway" rel="noopener noreferrer">featurer request</a>, so you need to whitelist all the Kubernetes nodes IPs.</p> </blockquote> <h2> Direct communication in separate projects </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj4ve6zudp5ob98138vjp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj4ve6zudp5ob98138vjp.png" alt="Kapsule and RDB communication with public IP and authorized networks and in differents projects" width="800" height="415"></a></p> <p>In this architecture, our RDB instance is isolated on its own project accessible through public IP address to only Kapsule cluster that requires access to it. Pods have access to RDB database using Username/Password.</p> <p>Each architecture has its own advantages and disadvantages but all apply project isolation best practices for securing sensitive data in RDB.</p> <p>Let's implement the scenario 1.</p> <h1> Prerequisites </h1> <ul> <li>Download, install, and configure the <a href="https://github.com/scaleway/scaleway-cli" rel="noopener noreferrer">Scaleway CLI</a>.</li> <li><a href="https://www.terraform.io/downloads.html" rel="noopener noreferrer">Terraform</a></li> <li><a href="https://kubernetes.io/docs/tasks/tools/" rel="noopener noreferrer">Kubectl</a></li> <li><a href="https://kubectl.docs.kubernetes.io/installation/kustomize/" rel="noopener noreferrer">Kustomize</a></li> </ul> <h1> Architecture </h1> <p>The overall architecture that we will implement during this article is as follows:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2n6oqnutc9saj3bqj32.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2n6oqnutc9saj3bqj32.png" alt="Overral architecture" width="800" height="382"></a></p> <h1> Objectives </h1> <p>During this section of the workshop:</p> <p>With Terraform</p> <ul> <li>We will create a Kapsule cluster</li> <li>a higly available RDB instance</li> <li>a virtual instance to act as a bastion to access RDB from outside</li> <li>a security group for the virtual instance</li> </ul> <p>With Kubectl</p> <ul> <li>We will deploy a metabase application</li> <li>A load balancer with Treafik 2</li> <li>a SSL certificate</li> </ul> <p>The article is divided into four sections:</p> <ul> <li>Configuring the bastion</li> <li>Creating a Kubernetes Kapsule cluster using Terraform</li> <li>Securing sensitive data in Scaleway RDB </li> <li>Securing the connectivity between a Kubernetes Kapsule application and a RDB database</li> </ul> <h1> Configuring the bastion </h1> <p>In this section we will deploy the following SCW resources:</p> <ul> <li>a virtual instance to act as a bastion to access RDB from outside</li> <li>a security group to allow only authorized users to access the virtual instance</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvsj4q3oh4atpcft880c4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvsj4q3oh4atpcft880c4.png" alt="Bastion" width="800" height="587"></a></p> <h2> Security Groups </h2> <p>Security Groups allows us to restrict the inbound and outbound network traffic to and from a virtual instance. In our case, we implement the following rule:</p> <ul> <li>A rule to restrict access to the virtual instance from the SSH port to only authorized networks.</li> </ul> <p>Create a terraform file <code>infra/plan/sg.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"scaleway_instance_security_group"</span> <span class="s2">"bastion"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"bastion"</span> <span class="nx">inbound_default_policy</span> <span class="p">=</span> <span class="s2">"drop"</span> <span class="nx">outbound_default_policy</span> <span class="p">=</span> <span class="s2">"accept"</span> <span class="nx">dynamic</span> <span class="s2">"inbound_rule"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">authorized_source_ranges</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"accept"</span> <span class="nx">port</span> <span class="p">=</span> <span class="s2">"22"</span> <span class="nx">ip</span> <span class="p">=</span> <span class="nx">inbound_rule</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Bastion </h2> <p>In order to access the RDB instance from outside, we need to create a bastion host. We can achieve that by creating a virtual instance. During the initialization of the instance we install the PostgreSQL client.</p> <blockquote> <p>We also create a SSH key to connect to the virtual instance. You can remove this resource if you want to manage the keys outside of terraform.</p> </blockquote> <p>Create a terraform file <code>infra/plan/bastion.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"scaleway_instance_ip"</span> <span class="s2">"bastion"</span> <span class="p">{}</span> <span class="k">resource</span> <span class="s2">"scaleway_instance_server"</span> <span class="s2">"bastion"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">scaleway_account_ssh_key</span><span class="p">.</span><span class="nx">bastion</span><span class="p">]</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"bastion"</span> <span class="nx">type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">bastion_instance_type</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"ubuntu_xenial"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">scaleway_instance_security_group</span><span class="p">.</span><span class="nx">bastion</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ip_id</span> <span class="p">=</span> <span class="nx">scaleway_instance_ip</span><span class="p">.</span><span class="nx">bastion</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"bastion"</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="p">]</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">env</span> <span class="nx">cloud-init</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"</span><span class="k">${</span><span class="nx">path</span><span class="p">.</span><span class="k">module}</span><span class="s2">/cloud-init.sh"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"scaleway_account_ssh_key"</span> <span class="s2">"bastion"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"bastion"</span> <span class="nx">public_key</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">bastion_public_ssh_key</span> <span class="p">}</span> </code></pre> </div> <p>Create a script file <code>cloud-init.sh</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">#!/bin/sh</span> <span class="s">apt update</span> <span class="s">apt install -y unzip</span> <span class="c1"># install awscli</span> <span class="s">curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"</span> <span class="s">unzip awscliv2.zip</span> <span class="s">sudo ./aws/install</span> <span class="c1"># install psql</span> <span class="s">wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -</span> <span class="s">echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.list</span> <span class="s">apt update</span> <span class="s">apt install -y postgresql-client-13</span> </code></pre> </div> <p>Let's configure our terraform.</p> <p>Create a terraform file <code>infra/plan/variable.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"zone"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"env"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"authorized_source_ranges"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Addresses or CIDR blocks which are allowed to connect to Virtual Instance."</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"bastion_instance_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"bastion_public_ssh_key"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>Add a <code>infra/plan/version.tf</code> file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">scaleway</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"scaleway/scaleway"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"2.1.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 0.13"</span> <span class="p">}</span> </code></pre> </div> <p>Add a <code>infra/plan/provider.tf</code> file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"scaleway"</span> <span class="p">{</span> <span class="nx">zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">zone</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> </code></pre> </div> <p>Add a <code>infra/plan/backend.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And a <code>ìnfra/plan/output.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"bastion_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">scaleway_instance_ip</span><span class="p">.</span><span class="nx">bastion</span><span class="p">.</span><span class="nx">address</span> <span class="p">}</span> </code></pre> </div> <p>Now, export the following variables and create a bucket to save your terraform states.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &gt;~/.aws/credentials [default] aws_access_key_id=&lt;SCW_ACCESS_KEY&gt; aws_secret_access_key=&lt;SCW_SECRET_KEY&gt; region=fr-par </span><span class="no">EOF </span><span class="nb">export </span><span class="nv">SCW_ACCESS_KEY</span><span class="o">=</span>&lt;SCW_ACCESS_KEY&gt; <span class="nb">export </span><span class="nv">SCW_SECRET_KEY</span><span class="o">=</span>&lt;SCW_SECRET_KEY&gt; <span class="nb">export </span><span class="nv">SCW_REGION</span><span class="o">=</span>fr-par <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/&lt;SCW_ACCESS_KEY&gt;/</span><span class="nv">$SCW_ACCESS_KEY</span><span class="s2">/g; s/&lt;SCW_SECRET_KEY&gt;/</span><span class="k">${</span><span class="nv">SCW_SECRET_KEY</span><span class="k">}</span><span class="s2">/g;"</span> ~/.aws/credentials <span class="nb">export </span><span class="nv">ENV</span><span class="o">=</span>dev aws s3api create-bucket <span class="nt">--bucket</span> company-<span class="nv">$ENV</span><span class="nt">-terraform-backend</span> <span class="nt">--endpoint-url</span> https://s3.<span class="nv">$SCW_REGION</span>.scw.cloud aws s3api put-bucket-versioning <span class="nt">--bucket</span> company-<span class="nv">$ENV</span><span class="nt">-terraform-backend</span> <span class="nt">--versioning-configuration</span> <span class="nv">Status</span><span class="o">=</span>Enabled <span class="nt">--endpoint-url</span> https://s3.<span class="nv">$SCW_REGION</span>.scw.cloud </code></pre> </div> <p>Create a <code>infra/plan/config/dev/terraform.tfvars</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">zone</span> <span class="err">=</span> <span class="s2">"fr-par-1"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"fr-par"</span> <span class="nx">env</span> <span class="err">=</span> <span class="s2">"dev"</span> <span class="nx">authorized_source_ranges</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"&lt;AUTHORIZED_NETWORK&gt;"</span><span class="p">]</span> <span class="nx">bastion_instance_type</span> <span class="err">=</span> <span class="s2">"STARDUST1-S"</span> <span class="nx">bastion_public_ssh_key</span> <span class="err">=</span> <span class="s2">"&lt;BASTION_PUBLIC_SSH_KEY&gt;"</span> </code></pre> </div> <p>Create a <code>infra/plan/config/dev/s3.backend</code> and deploy the infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">bucket</span> <span class="err">=</span> <span class="s2">"company-dev-terraform-backend"</span> <span class="nx">key</span> <span class="err">=</span> <span class="s2">"terraform.tfstate"</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"fr-par"</span> <span class="nx">endpoint</span> <span class="err">=</span> <span class="s2">"https://s3.fr-par.scw.cloud"</span> <span class="nx">skip_credentials_validation</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">skip_region_validation</span> <span class="err">=</span> <span class="kc">true</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/plan <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s,&lt;AUTHORIZED_NETWORK&gt;, </span><span class="si">$(</span>curl <span class="nt">-s</span> http://checkip.amazonaws.com/<span class="si">)</span><span class="s2">,g; s,&lt;BASTION_PUBLIC_SSH_KEY&gt;,</span><span class="si">$(</span><span class="nb">cat</span> &lt;PATH_TO_SSH_PUB&gt;/id_rsa.pub<span class="si">)</span><span class="s2">,g;"</span> terraform.tfvars terraform init <span class="nt">--backend-config</span><span class="o">=</span>config/<span class="nv">$ENV</span>/s3.backend <span class="nt">-reconfigure</span> terraform validate terraform apply <span class="nt">-var-file</span><span class="o">=</span>config/<span class="nv">$ENV</span>/terraform.tfvars </code></pre> </div> <p>Let's check if all the resources have been created and are working correctly</p> <p>Reserved IP</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqb4yxlwaft6plv3gmoj5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqb4yxlwaft6plv3gmoj5.png" alt="Reserved IP" width="800" height="93"></a></p> <p>Security Groups</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkmsl4b3xut6woo8ln2l3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkmsl4b3xut6woo8ln2l3.png" alt="Security group rules" width="800" height="505"></a></p> <p>Virtual instance</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdjk0eepyp1j4zricgnl5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdjk0eepyp1j4zricgnl5.png" alt="Virtual instance" width="800" height="458"></a></p> <p>Let's check the connection<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> &lt;PRIVATE_KEY_PATH&gt; root@<span class="si">$(</span>terraform output <span class="nt">--raw</span> bastion_ip<span class="si">)</span> Welcome to Ubuntu 18.04.6 LTS <span class="o">(</span>GNU/Linux 4.15.0-159-generic x86_64<span class="o">)</span> <span class="k">*</span> Documentation: https://help.ubuntu.com <span class="k">*</span> Management: https://landscape.canonical.com <span class="k">*</span> Support: https://ubuntu.com/advantage System information as of Thu Nov 4 21:13:14 UTC 2021 System load: 0.09 Processes: 83 Usage of /: 19.4% of 8.86GB Users logged <span class="k">in</span>: 0 Memory usage: 15% IP address <span class="k">for </span>ens2: 10.69.86.243 Swap usage: 0% </code></pre> </div> <h1> Creating a Kubernetes Kapsule cluster using Terraform </h1> <p>In the section we created our network stack. In this part we will create and configure the Kubernetes Kapsule cluster.</p> <p>The following resources will be created:</p> <ul> <li>Kubernetes Kapsule cluster</li> <li>Kubernetes Kapsule pools</li> <li>Traefik2 Load balancer</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzl55vk8c5amelshosyqe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzl55vk8c5amelshosyqe.png" alt="Kubernetes Kapsule Cluster and pools" width="800" height="928"></a></p> <h2> Kubernetes Kapsule cluster </h2> <p>Our Kubernetes Kapsule cluster is hosted in the Scaleway network. Each node of a pool has its own public IP, there is no such a mecanism that permit to access the private IPs of the cluster from outside. So all of the communications between RDB and Kapsule will be throught the public internet.</p> <blockquote> <p>Scaleway is working on a feature to attach a Kapsule cluster to a private network. See the <a href="https://feature-request.scaleway.com/posts/8/private-networks-for-kapsule" rel="noopener noreferrer">feature request</a>.</p> </blockquote> <p>Create the terraform file <code>infra/plan/kapsule.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"scaleway_k8s_cluster"</span> <span class="s2">"kapsule"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"kapsule-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2">"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2"> cluster"</span> <span class="nx">version</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">kapsule_cluster_version</span> <span class="nx">cni</span> <span class="p">=</span> <span class="s2">"calico"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="p">]</span> <span class="nx">autoscaler_config</span> <span class="p">{</span> <span class="nx">disable_scale_down</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">scale_down_delay_after_add</span> <span class="p">=</span> <span class="s2">"5m"</span> <span class="nx">estimator</span> <span class="p">=</span> <span class="s2">"binpacking"</span> <span class="nx">expander</span> <span class="p">=</span> <span class="s2">"random"</span> <span class="nx">ignore_daemonsets_utilization</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">balance_similar_node_groups</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">expendable_pods_priority_cutoff</span> <span class="p">=</span> <span class="nx">-5</span> <span class="p">}</span> <span class="nx">auto_upgrade</span> <span class="p">{</span> <span class="nx">enable</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">maintenance_window_start_hour</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">maintenance_window_day</span> <span class="p">=</span> <span class="s2">"sunday"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"scaleway_k8s_pool"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="nx">cluster_id</span> <span class="p">=</span> <span class="nx">scaleway_k8s_cluster</span><span class="p">.</span><span class="nx">kapsule</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">node_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">kapsule_pool_node_type</span> <span class="nx">size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">kapsule_pool_size</span> <span class="nx">autoscaling</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">autohealing</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">kapsule_pool_min_size</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">kapsule_pool_max_size</span> <span class="p">}</span> </code></pre> </div> <p>Complete the file <code>infra/plan/variable.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"kapsule_cluster_version"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"kapsule_pool_size"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"kapsule_pool_min_size"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"kapsule_pool_max_size"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"kapsule_pool_node_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <p>Complete the file <code>infra/plan/config/$ENV/terraform.tfvars</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">kapsule_cluster_version</span> <span class="err">=</span> <span class="s2">"1.22"</span> <span class="nx">kapsule_pool_size</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">kapsule_pool_min_size</span> <span class="err">=</span> <span class="mi">2</span> <span class="nx">kapsule_pool_max_size</span> <span class="err">=</span> <span class="mi">4</span> <span class="nx">kapsule_pool_node_type</span> <span class="err">=</span> <span class="s2">"gp1-xs"</span> </code></pre> </div> <p>Let's deploy our cluster<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/plan terraform apply <span class="nt">-var-file</span><span class="o">=</span>config/<span class="nv">$ENV</span>/terraform.tfvars </code></pre> </div> <p>Let's check if the cluster and the pools have been created and are working correctly:</p> <p>Kubernetes Kapsule Cluster</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnll6cjxa1jhtbav19x7x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnll6cjxa1jhtbav19x7x.png" alt="Kubernetes Kapsule Cluster" width="800" height="419"></a></p> <p>Kubernetes Kapsule Pool</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm86nno7ai6nx2p845b9z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm86nno7ai6nx2p845b9z.png" alt="Kubernetes Kapsule Pools" width="800" height="178"></a></p> <p>Kubernetes Kapsule NodePools</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgojpk0b7ges11ggaa855.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgojpk0b7ges11ggaa855.png" alt="Kubernetes Kapsule NodePools" width="800" height="232"></a></p> <p>Enable the Traefik load balancer using the Scaleway CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scw k8s cluster update <span class="si">$(</span>scw k8s cluster list | <span class="nb">grep </span>kapsule-<span class="k">${</span><span class="nv">ENV</span><span class="k">}</span> | <span class="nb">awk</span> <span class="s1">'{ print $1 }'</span><span class="si">)</span> <span class="nv">ingress</span><span class="o">=</span>traefik2 <span class="nv">region</span><span class="o">=</span><span class="nv">$SCW_REGION</span> </code></pre> </div> <p>Let's check if Traefik 2 has been enabled</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F97b10q6y6wdx0vodnv3v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F97b10q6y6wdx0vodnv3v.png" alt="Traefik2 enabled" width="800" height="322"></a></p> <p>Get the Kube config file and test the cluster access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/.kube/<span class="nv">$ENV</span> scw k8s kubeconfig get <span class="si">$(</span>scw k8s cluster list | <span class="nb">grep </span>kapsule-<span class="k">${</span><span class="nv">ENV</span><span class="k">}</span> | <span class="nb">awk</span> <span class="s1">'{ print $1 }'</span><span class="si">)</span> <span class="nv">region</span><span class="o">=</span><span class="nv">$SCW_REGION</span> <span class="o">&gt;</span> ~/.kube/<span class="nv">$ENV</span>/config <span class="nb">export </span><span class="nv">KUBECONFIG</span><span class="o">=</span>~/.kube/<span class="nv">$ENV</span>/config kubectl get nodes NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME scw-kapsule-dev-default-ad56eb1786504a99957ea8 Ready &lt;none&gt; 100m v1.22.3 10.66.32.141 212.47.252.20 Ubuntu 20.04.1 LTS fc08d0ff0a 5.4.0-80-generic containerd://1.5.5 scw-kapsule-dev-default-c4056d33bede4f3883fade Ready &lt;none&gt; 100m v1.22.3 10.66.242.89 51.15.205.158 Ubuntu 20.04.1 LTS fc08d0ff0a 5.4.0-80-generic containerd://1.5.5 </code></pre> </div> <p>To expose Traefik 2 with a Scaleway LoadBalancer, create the file <code>infra/k8s/traefik-loadbalancer.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">traefik-ingress</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">k8s.scw.cloud/ingress</span><span class="pi">:</span> <span class="s">traefik2</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8000</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app.kubernetes.io/name</span><span class="pi">:</span> <span class="s">traefik</span> </code></pre> </div> <p>Deploy the configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create <span class="nt">-f</span> infra/k8s/traefik-loadbalancer.yml </code></pre> </div> <p>Verify that the LoadBalancer has been deployed correctly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">-n</span> kube-system get svc traefik-ingress NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE traefik-ingress LoadBalancer 10.43.99.132 51.159.74.228 80:31912/TCP,443:30860/TCP 16s </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq5xnmg72ghroec7s6d7u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq5xnmg72ghroec7s6d7u.png" alt="Kubernetes Kapsule Load balancer" width="800" height="423"></a></p> <blockquote> <p>See <a href="https://www.scaleway.com/en/docs/compute/kubernetes/api-cli/exposing-services/#exposing-traefik2" rel="noopener noreferrer">Exposing services in Scaleway Kubernetes</a> for more details.</p> </blockquote> <p>To avoid losing the IP, let's reserve this one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">TRAEFIK_EXTERNAL_IP</span><span class="o">=</span><span class="si">$(</span>kubectl get svc traefik-ingress <span class="nt">-n</span> kube-system <span class="nt">-o</span> json | jq <span class="nt">-r</span> .status.loadBalancer.ingress[0].ip<span class="si">)</span> kubectl patch svc traefik-ingress <span class="nt">-n</span> kube-system <span class="nt">--type</span> merge <span class="nt">--patch</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">spec</span><span class="se">\"</span><span class="s2">:{</span><span class="se">\"</span><span class="s2">loadBalancerIP</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="nv">$TRAEFIK_EXTERNAL_IP</span><span class="se">\"</span><span class="s2">}}"</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzc54go8k6t9fucrxhwhk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzc54go8k6t9fucrxhwhk.png" alt="Kubernetes Kapsule Load balancer Reserved IP" width="800" height="166"></a></p> <h1> Securing sensitive data in Scaleway RDB </h1> <p>Our Kapsule Kubernetes cluster is now active. In this section we will configure the RDB Instance.</p> <p>The following resources will be created:</p> <ul> <li>A highly available RDB Instance</li> <li>A database and a user for metabase</li> <li>ACLs to restrict the traffic to only Kubernetes Kapsule pools nodes and Bastion public IP</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxun61ef43pdr3v1t12qo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxun61ef43pdr3v1t12qo.png" alt="RDB" width="740" height="627"></a></p> <h1> RDB instance </h1> <ul> <li>The RDB Instance used is a PostgreSQL database server </li> <li>The <code>Multiples zones</code> option is enabled to ensure high-availability</li> <li>Automated backup is enabled</li> <li>We create a database and a user for later</li> </ul> <p>Create a terraform file <code>infra/plan/rdb.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"random_string"</span> <span class="s2">"db_name_suffix"</span> <span class="p">{</span> <span class="nx">length</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">special</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">upper</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"scaleway_rdb_instance"</span> <span class="s2">"rdb"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"postgresql-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">env</span><span class="k">}</span><span class="s2">"</span> <span class="nx">node_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rdb_instance_node_type</span> <span class="nx">volume_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rdb_instance_volume_type</span> <span class="nx">engine</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rdb_instance_engine</span> <span class="nx">is_ha_cluster</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rdb_is_ha_cluster</span> <span class="nx">disable_backup</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rdb_disable_backup</span> <span class="nx">volume_size_in_gb</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rdb_instance_volume_size_in_gb</span> <span class="nx">user_name</span> <span class="p">=</span> <span class="s2">"root"</span> <span class="nx">password</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rdb_user_root_password</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"scaleway_rdb_database"</span> <span class="s2">"metabase"</span> <span class="p">{</span> <span class="nx">instance_id</span> <span class="p">=</span> <span class="nx">scaleway_rdb_instance</span><span class="p">.</span><span class="nx">rdb</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"metabase"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"scaleway_rdb_user"</span> <span class="s2">"metabase"</span> <span class="p">{</span> <span class="nx">instance_id</span> <span class="p">=</span> <span class="nx">scaleway_rdb_instance</span><span class="p">.</span><span class="nx">rdb</span><span class="p">.</span><span class="nx">id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"metabase"</span> <span class="nx">password</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rdb_user_metabase_password</span> <span class="nx">is_admin</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> </code></pre> </div> <p>Complete the file <code>infra/plan/variable.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"rdb_is_ha_cluster"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"rdb_disable_backup"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"rdb_instance_node_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"rdb_instance_engine"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"rdb_instance_volume_size_in_gb"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"rdb_user_root_password"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"rdb_user_metabase_password"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"rdb_instance_volume_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> </code></pre> </div> <h2> RDB ACLs </h2> <p>Each node in the Kubernetes Kapsule has an attached ephemeral IP. For now, we cannot reserve the node IP or use Public Gateway with Kubernetes Kapsule. If we put the actual node IPs manually, the IP can change if an autoscaling occurs. A temporary solution is to create a Kubernetes cronjob that refresh the RDB ACLs each minute with the current node IPs.</p> <p>Complete the file <code>infra/plan/rdb.tf</code> with the following resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"scaleway_rdb_acl"</span> <span class="s2">"rdb"</span> <span class="p">{</span> <span class="nx">instance_id</span> <span class="p">=</span> <span class="nx">scaleway_rdb_instance</span><span class="p">.</span><span class="nx">rdb</span><span class="p">.</span><span class="nx">id</span> <span class="nx">dynamic</span> <span class="s2">"acl_rules"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span><span class="kd">var</span><span class="p">.</span><span class="nx">rdb_acl_rules</span><span class="p">,</span> <span class="p">[{</span> <span class="nx">ip</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="nx">scaleway_instance_ip</span><span class="p">.</span><span class="nx">bastion</span><span class="p">.</span><span class="nx">address</span><span class="k">}</span><span class="s2">/32"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Bastion IP"</span> <span class="p">}])</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">ip</span> <span class="p">=</span> <span class="nx">acl_rules</span><span class="p">.</span><span class="nx">value</span><span class="p">[</span><span class="s2">"ip"</span><span class="p">]</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">acl_rules</span><span class="p">.</span><span class="nx">value</span><span class="p">[</span><span class="s2">"description"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Complete the <code>ìnfra/plan/output.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"rdb_endpoint_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">scaleway_rdb_instance</span><span class="p">.</span><span class="nx">rdb</span><span class="p">.</span><span class="nx">endpoint_ip</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"rdb_endpoint_port"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">scaleway_rdb_instance</span><span class="p">.</span><span class="nx">rdb</span><span class="p">.</span><span class="nx">endpoint_port</span> <span class="p">}</span> </code></pre> </div> <p>Complete the file <code>infra/plan/variable.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"rdb_acl_rules"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">ip</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="p">}</span> </code></pre> </div> <p>Complete the file <code>infra/plan/config/$ENV/terraform.tfvars</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">rdb_instance_node_type</span> <span class="err">=</span> <span class="s2">"db-gp-xs"</span> <span class="nx">rdb_instance_engine</span> <span class="err">=</span> <span class="s2">"PostgreSQL-13"</span> <span class="nx">rdb_is_ha_cluster</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">rdb_disable_backup</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">rdb_instance_volume_type</span> <span class="err">=</span> <span class="s2">"bssd"</span> <span class="nx">rdb_instance_volume_size_in_gb</span> <span class="err">=</span> <span class="s2">"50"</span> <span class="nx">rdb_user_root_password</span> <span class="err">=</span> <span class="s2">"&lt;RDB_ROOT_USER_PWD&gt;"</span> <span class="nx">rdb_user_metabase_password</span> <span class="err">=</span> <span class="s2">"&lt;RDB_METABASE_USER_PWD&gt;"</span> <span class="nx">rdb_acl_rules</span> <span class="err">=</span> <span class="p">[{</span> <span class="nx">ip</span> <span class="p">=</span> <span class="s2">"&lt;KAPSULE_NODEPOOL_IP_1&gt;"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Kapsule dev node 1"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">ip</span> <span class="p">=</span> <span class="s2">"&lt;KAPSULE_NODEPOOL_IP_2&gt;"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Kapsule dev node 2"</span> <span class="p">}]</span> </code></pre> </div> <p>Let's deploy our RDB instance<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/plan <span class="nv">KAPSULE_NODEPOOL_IP_1</span><span class="o">=</span><span class="si">$(</span>scw k8s node list cluster-id<span class="o">=</span><span class="si">$(</span>scw k8s cluster list | <span class="nb">grep </span>kapsule-<span class="k">${</span><span class="nv">ENV</span><span class="k">}</span> | <span class="nb">awk</span> <span class="s1">'{ print $1 }'</span><span class="si">)</span> | <span class="nb">awk</span> <span class="s1">'{ print $4 }'</span> | <span class="nb">sed</span> <span class="nt">-n</span> <span class="s1">'2 p'</span><span class="si">)</span> <span class="nv">KAPSULE_NODEPOOL_IP_2</span><span class="o">=</span><span class="si">$(</span>scw k8s node list cluster-id<span class="o">=</span><span class="si">$(</span>scw k8s cluster list | <span class="nb">grep </span>kapsule-<span class="k">${</span><span class="nv">ENV</span><span class="k">}</span> | <span class="nb">awk</span> <span class="s1">'{ print $1 }'</span><span class="si">)</span> | <span class="nb">awk</span> <span class="s1">'{ print $4 }'</span> | <span class="nb">sed</span> <span class="nt">-n</span> <span class="s1">'3 p'</span><span class="si">)</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/&lt;RDB_ROOT_USER_PWD&gt;/</span><span class="nv">$RDB_ROOT_USER_PWD</span><span class="s2">/g; s/&lt;RDB_METABASE_USER_PWD&gt;/</span><span class="k">${</span><span class="nv">RDB_METABASE_USER_PWD</span><span class="k">}</span><span class="s2">/g; s,&lt;KAPSULE_NODEPOOL_IP_1&gt;,</span><span class="k">${</span><span class="nv">KAPSULE_NODEPOOL_IP_1</span><span class="k">}</span><span class="s2">/32,g; s,&lt;KAPSULE_NODEPOOL_IP_2&gt;,</span><span class="k">${</span><span class="nv">KAPSULE_NODEPOOL_IP_2</span><span class="k">}</span><span class="s2">/32,g; "</span> config/<span class="nv">$ENV</span>/terraform.tfvars terraform apply <span class="nt">-var-file</span><span class="o">=</span>config/<span class="nv">$ENV</span>/terraform.tfvars </code></pre> </div> <blockquote> <p>The secret should be stored in a secret storage like Vault. You can deploy a vault in your Kapsule or in a virtual instance and retrieve the secret in terraform using the vault provider. This method avoid to store the password in the terraform state.</p> </blockquote> <p>Add the connect privilege to the <code>metabase</code> RDB user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scw rdb privilege <span class="nb">set </span>instance-id<span class="o">=</span><span class="si">$(</span>scw rdb instance list | <span class="nb">grep </span>postgresql-<span class="k">${</span><span class="nv">ENV</span><span class="k">}</span> | <span class="nb">awk</span> <span class="s1">'{ print $1 }'</span><span class="si">)</span> database-name<span class="o">=</span>metabase user-name<span class="o">=</span>metabase <span class="nv">permission</span><span class="o">=</span>all </code></pre> </div> <p>Let's check if all the resources have been created and are working correctly:</p> <p>RDB HA instance<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxyrb5fr1ioa83ukrinbf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxyrb5fr1ioa83ukrinbf.png" alt="RDB instance" width="800" height="370"></a></p> <p>RDB backup enabled<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffeln43dr9nzkd5p6ifd2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffeln43dr9nzkd5p6ifd2.png" alt="RDB instance" width="800" height="267"></a></p> <p>RDB databases<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd6d2yol5j3vbj9oqzv99.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd6d2yol5j3vbj9oqzv99.png" alt="RDB Databases" width="800" height="182"></a></p> <p>RDB Users<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3bxfc4bkq1cw7rtts7g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe3bxfc4bkq1cw7rtts7g.png" alt="RDB Users" width="800" height="187"></a></p> <p>RDB ACLs<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7m7t2x20kwbwc14soi3d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7m7t2x20kwbwc14soi3d.png" alt="RDB ACLs" width="800" height="209"></a></p> <p>Let's check the connection<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-i</span> &lt;PRIVATE_KEY_PATH&gt; root@<span class="si">$(</span>terraform output <span class="nt">--raw</span> bastion_ip<span class="si">)</span> </code></pre> </div> <p>Run the <code>psql</code> command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>psql <span class="nt">-h</span> &lt;RDB_ENDPOINT_IP&gt; <span class="nt">-p</span> &lt;RDB_ENDPOINT_PORT&gt; <span class="nt">-U</span> metabase <span class="nt">-d</span> metabase psql <span class="o">(</span>13.3 <span class="o">(</span>Ubuntu 13.3-1.pgdg16.04+1<span class="o">))</span> SSL connection <span class="o">(</span>protocol: TLSv1.2, cipher: &lt;CIPHER&gt;, bits: 256, compression: off<span class="o">)</span> Type <span class="s2">"help"</span> <span class="k">for </span>help. <span class="nv">metabase</span><span class="o">=&gt;</span> </code></pre> </div> <h1> Securing the connectivity between a Kubernetes Kapsule application and a RDB database </h1> <p>Our RDB instance is now available. In this section, we put them all together and deploy Metabase to Kubernetes and connect it to the RDB database. Our objectives are to:</p> <ul> <li>Deploy the metabase application.</li> <li>Create a DNS zone and a DNS record for the metabase application.</li> <li>Create the SSL certificates</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2n6oqnutc9saj3bqj32.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd2n6oqnutc9saj3bqj32.png" alt="Overral architecture" width="800" height="382"></a></p> <h2> Kustomize files </h2> <p>Let's create the Kustomize <code>base</code> files.</p> <p>Create the metabase deployment <code>infra/k8s/base/deployment.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">image</span><span class="pi">:</span> <span class="s">metabase/metabase</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> </code></pre> </div> <p>Create the metabase service <code>infra/k8s/base/service.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">metabase</span> </code></pre> </div> <p>Create a secret to save the RDB user password <code>infra/k8s/base/database-secret.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">data</span><span class="pi">:</span> <span class="na">password</span><span class="pi">:</span> <span class="s">metabase</span> </code></pre> </div> <p>Create the ingress file <code>infra/k8s/base/ingress.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">metabase.&lt;DOMAIN_NAME&gt;</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8000</span> </code></pre> </div> <blockquote> <p>Replace by your domain name.</p> </blockquote> <p>Create the kustomization file <code>infra/k8s/base/kustomization.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">namespace</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">deployment.yaml</span> <span class="pi">-</span> <span class="s">service.yaml</span> <span class="pi">-</span> <span class="s">database-secret.yaml</span> <span class="pi">-</span> <span class="s">ingress.yaml</span> </code></pre> </div> <p>Now let's create the files for the <code>dev</code> environment:</p> <p><code>infra/k8s/envs/dev/database-secret.patch.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">data</span><span class="pi">:</span> <span class="na">password</span><span class="pi">:</span> <span class="s">&lt;MB_DB_PASS&gt;</span> </code></pre> </div> <p><code>infra/k8s/envs/dev/deployment.patch.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">image</span><span class="pi">:</span> <span class="s">metabase/metabase</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MB_DB_TYPE</span> <span class="na">value</span><span class="pi">:</span> <span class="s">postgres</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MB_DB_HOST</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;MB_DB_HOST&gt;"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MB_DB_PORT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">&lt;MB_DB_PORT&gt;"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MB_DB_DBNAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s">metabase</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MB_DB_USER</span> <span class="na">value</span><span class="pi">:</span> <span class="s">metabase</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MB_DB_PASS</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">key</span><span class="pi">:</span> <span class="s">password</span> </code></pre> </div> <p><code>infra/k8s/envs/dev/ingress.patch.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">kubernetes.io/tls-acme</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">cert-manager.io/cluster-issuer</span><span class="pi">:</span> <span class="s">letsencrypt-prod</span> <span class="na">traefik.ingress.kubernetes.io/router.tls</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">metabase.dev.&lt;DOMAIN_NAME&gt;</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">metabase-tls</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">metabase.dev.&lt;DOMAIN_NAME&gt;</span> </code></pre> </div> <blockquote> <p>Replace by your domain name.</p> </blockquote> <p><code>infra/k8s/envs/dev/kustomization.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">namespace</span><span class="pi">:</span> <span class="s">metabase</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../../base</span> <span class="na">patchesStrategicMerge</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">database-secret.patch.yaml</span> <span class="pi">-</span> <span class="s">deployment.patch.yaml</span> <span class="pi">-</span> <span class="s">ingress.patch.yaml</span> </code></pre> </div> <p>Let's prepare the kubernetes files.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/k8s/envs/dev <span class="nv">RDB_METABASE_USER_PWD</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="nt">-n</span> <span class="nv">$RDB_METABASE_USER_PWD</span> | <span class="nb">base64</span> <span class="nt">-w</span> 0 <span class="si">)</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/&lt;MB_DB_PASS&gt;/</span><span class="nv">$RDB_METABASE_USER_PWD</span><span class="s2">/g"</span> database-secret.patch.yaml <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/&lt;MB_DB_HOST&gt;/</span><span class="si">$(</span>terraform output <span class="nt">--raw</span> rdb_endpoint_ip<span class="si">)</span><span class="s2">/g; s/&lt;MB_DB_PORT&gt;/</span><span class="si">$(</span>terraform output <span class="nt">--raw</span> rdb_endpoint_port<span class="si">)</span><span class="s2">/g;"</span> deployment.patch.yaml </code></pre> </div> <h2> Create the DNS record </h2> <blockquote> <p>To add an external domain name to Scaleway, please follow the official documentation: <a href="https://www.scaleway.com/en/docs/network/dns-cloud/how-to/add-external-domain/" rel="noopener noreferrer">How to add an external domain to DNS<br> </a>.</p> </blockquote> <p>Create the DNS zone:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scw dns zone create <span class="nv">domain</span><span class="o">=</span>&lt;DOMAIN_NAME&gt; <span class="nv">subdomain</span><span class="o">=</span>dev Domain &lt;DOMAIN_NAME&gt; Subdomain dev Ns.0 ns0.dom.scw.cloud Ns.1 ns1.dom.scw.cloud NsDefault.0 ns0.dom.scw.cloud NsDefault.1 ns1.dom.scw.cloud Status active UpdatedAt now ProjectID &lt;PROJECT_ID&gt; </code></pre> </div> <p>Create the DNS record:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scw dns record add dev.&lt;DOMAIN_NAME&gt; <span class="nv">name</span><span class="o">=</span>metabase <span class="nv">data</span><span class="o">=</span><span class="nv">$TRAEFIK_EXTERNAL_IP</span> <span class="nb">type</span><span class="o">=</span>A DATA NAME PRIORITY TTL TYPE COMMENT ID 51.159.74.228 metabase 0 300 A - &lt;DNS_RECORD_ID&gt; </code></pre> </div> <h2> Create the SSL certificates </h2> <p>To make metabase more secure, we need to deploy Cert-manager to create <a href="https://www.letsencrypt.org/" rel="noopener noreferrer">Let's Encrypt</a> TLS certificates:</p> <blockquote> <p>More information in the documentation: <a href="https://www.scaleway.com/en/docs/compute/kubernetes/api-cli/exposing-services/#deploying-cert-manager" rel="noopener noreferrer">Deploying Cert Manager</a>.</p> </blockquote> <p>Use the command below to install cert-manager and its needed CRD (<a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/" rel="noopener noreferrer">Custom Resource Definitions</a>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yaml customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created namespace/cert-manager created serviceaccount/cert-manager-cainjector created serviceaccount/cert-manager created serviceaccount/cert-manager-webhook created clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created clusterrole.rbac.authorization.k8s.io/cert-manager-view created clusterrole.rbac.authorization.k8s.io/cert-manager-edit created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-approve:cert-manager-io created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificatesigningrequests created clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:subjectaccessreviews created role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created role.rbac.authorization.k8s.io/cert-manager:leaderelection created role.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:dynamic-serving created service/cert-manager created service/cert-manager-webhook created deployment.apps/cert-manager-cainjector created deployment.apps/cert-manager created deployment.apps/cert-manager-webhook created mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created </code></pre> </div> <p>Create a cluster issuer that allow you to specify:</p> <ul> <li>the Let’s Encrypt server, if you want to replace the production environment with the staging one.</li> <li>the mail used by Let’s Encrypt to warn you about certificate expiration.</li> </ul> <p>Create the file <code>infra/k8s/cluster-issuer.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt-prod</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="c1"># You must replace this email address with your own.</span> <span class="c1"># Let's Encrypt will use this to contact you about expiring</span> <span class="c1"># certificates, and issues related to your account.</span> <span class="na">email</span><span class="pi">:</span> <span class="s">&lt;MAILING_LIST&gt;</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://acme-v02.api.letsencrypt.org/directory</span> <span class="na">privateKeySecretRef</span><span class="pi">:</span> <span class="c1"># Secret resource used to store the account's private key.</span> <span class="na">name</span><span class="pi">:</span> <span class="s">issuer-account-key</span> <span class="c1"># Add a single challenge solver, HTTP01</span> <span class="na">solvers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http01</span><span class="pi">:</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">class</span><span class="pi">:</span> <span class="s">traefik</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create <span class="nt">-f</span> infra/k8s/cluster-issuer.yaml kubectl get ClusterIssuer letsencrypt-prod NAME READY AGE letsencrypt-prod True 32s </code></pre> </div> <p>Now we can deploy metabase:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/k8s/envs/dev kubectl create namespace metabase kubectl config set-context <span class="nt">--current</span> <span class="nt">--namespace</span><span class="o">=</span>metabase kustomize build <span class="nb">.</span> | kubectl apply <span class="nt">-f</span> - kubectl get ingress NAME CLASS HOSTS ADDRESS PORTS AGE cm-acme-http-solver-n8x5s traefik metabase.dev.&lt;DOMAIN_NAME&gt; 80 1s metabase traefik metabase.dev.&lt;DOMAIN_NAME&gt; 80, 443 5s kubectl get ingress NAME CLASS HOSTS ADDRESS PORTS AGE metabase traefik metabase.dev.&lt;DOMAIN_NAME&gt; 80, 443 2m16s kubectl get deploy metabase NAME READY UP-TO-DATE AVAILABLE AGE metabase 1/1 1 1 2m kubectl get svc metabase NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE metabase ClusterIP 10.39.118.166 &lt;none&gt; 80/TCP 2m40s kubectl get secret metabase NAME TYPE DATA AGE metabase Opaque 1 7m30s </code></pre> </div> <p>Let's check if the connection to the database has been completed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs deploy/metabase <span class="o">[</span>..] 2021-11-04 19:30:15,524 INFO db.setup :: Verifying postgres Database Connection ... 2021-11-04 19:30:16,029 INFO db.setup :: Successfully verified PostgreSQL 13.3 <span class="o">(</span>Debian 13.3-1.pgdg100+1<span class="o">)</span> application database connection. ✅ 2021-11-04 19:30:16,030 INFO db.setup :: Running Database Migrations... <span class="o">[</span>..] 2021-11-04 19:30:56,208 INFO metabase.core :: Metabase Initialization COMPLETE </code></pre> </div> <p>After a few minutes of waiting, you will see that the metabase is accessible via HTTPS!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8f18xhvj206eol7gwi2x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8f18xhvj206eol7gwi2x.png" alt="metabase page 1" width="800" height="508"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvo8eyaxypmi2t9gutsus.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvo8eyaxypmi2t9gutsus.png" alt="metabase page 2" width="800" height="454"></a></p> <p>Ok then!</p> <h1> Conclusion </h1> <p>Congratulations! You have completed this long workshop. In this series we have:</p> <ul> <li>Created a highly-available Scaleway RDB instance</li> <li>Configured a Scaleway Kubernetes Kapsule cluster with fine-grained access control to RDB instance</li> <li>Tested the connectivity between a Kubernetes container and a RDB database.</li> <li>Secured the access to the metabase application</li> </ul> <p>That's it!</p> <h1> Clean </h1> <p>To clean the resoures, run the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">-var-file</span><span class="o">=</span>config/<span class="nv">$ENV</span>/terraform.tfvars scw dns record delete dev.&lt;DOMAIN_NAME&gt; <span class="nv">name</span><span class="o">=</span>metabase <span class="nv">data</span><span class="o">=</span><span class="nv">$TRAEFIK_EXTERNAL_IP</span> <span class="nb">type</span><span class="o">=</span>A </code></pre> </div> <h1> Final Words </h1> <p>I will update the article as soon as private network and/or public gateway are available for Kapsule and RDB.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhg7sv0px4pphsviia4el.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhg7sv0px4pphsviia4el.png" alt="Scaleway Elements Private networks Web page" width="800" height="499"></a></p> <p>If you have any questions or feedback, please feel free to leave a comment.</p> <p>Otherwise, I hope I have helped you answer some of the hard questions about connecting Kapsule cluster to RDB instance.</p> <p>By the way, do not hesitate to share with peers 😊</p> <p>Thanks for reading!</p> scaleway kubernetes terraform postgres Chabane R. Fri, 15 Oct 2021 11:26:30 +0000 https://forem.com/stack-labs/securing-access-to-scaleway-elements-api-keys-from-gitlab-ci-3p1h https://forem.com/stack-labs/securing-access-to-scaleway-elements-api-keys-from-gitlab-ci-3p1h <p>How many api keys are stored per day as variables in the Gitlab CI configuration? </p> <p>When a <code>Scaleway Elements API Key</code> is saved in Gitlab, we face all the security issues of storing credentials outside of the cloud infrastructure: Access, authorization, key rotation, age, destruction, location, etc.</p> <p>There are 2 common reasons for developers to store GCP credentials in Gitlab CI:</p> <ul> <li>They use <code>shared runners</code>.</li> <li>They use <code>specific/group runners</code> deployed in a <code>Scaleway Kubernetes Kapsule</code> cluster but do not use (or do not know about) <a href="https://docs.gitlab.com/runner/install/kubernetes.html#additional-configuration" rel="noopener noreferrer">Gitlab additional configurations</a>.</li> </ul> <p>The alternative that Gitlab CI proposes for users is to mount a secret volume to the runner pods that are created for each build.</p> <h1> Prerequisites </h1> <p>Install the following tools:</p> <ul> <li><a href="https://github.com/scaleway/scaleway-cli" rel="noopener noreferrer">Scaleway cli</a></li> <li> <a href="https://kubernetes.io/docs/tasks/tools/" rel="noopener noreferrer">kubectl</a> </li> <li><a href="https://helm.sh/docs/intro/install/" rel="noopener noreferrer">Helm</a></li> </ul> <p>And create 2 projects in your Scaleway organization:</p> <ul> <li>devops</li> <li>development</li> </ul> <h1> Working with Kapsule </h1> <p>The first step is to create the Kapsule devops cluster and configuring our environment [1]. </p> <blockquote> <p>Generate the API Key for the <code>devops</code> project. You can create one by following the documentation <a href="https://dev.toscw-2">How to generate an API key</a>.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scw init scw k8s cluster create <span class="nv">name</span><span class="o">=</span>kapsule-devops </code></pre> </div> <p>Let's create a pool for the runner jobs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scw k8s pool create cluster-id<span class="o">=</span><span class="si">$(</span>scw k8s cluster list | <span class="nb">grep </span>kapsule-devops | <span class="nb">awk</span> <span class="s1">'{ print $1 }'</span><span class="si">)</span> <span class="nv">name</span><span class="o">=</span>dev node-type<span class="o">=</span>GP1_XS <span class="nv">size</span><span class="o">=</span>2 </code></pre> </div> <p>Add a taint<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl taint nodes gitlab-runner-jobs-dev-reserved<span class="o">=</span><span class="nb">true</span>:NoSchedule <span class="nt">--selector</span><span class="o">=</span>k8s.scaleway.com/pool-name<span class="o">=</span>dev </code></pre> </div> <ul> <li>Configure <code>kubectl</code> to communicate with the cluster: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scw k8s kubeconfig <span class="nb">install </span>kapsule-devops </code></pre> </div> <ul> <li>Create the namespace for the dev runner: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace dev </code></pre> </div> <ul> <li>Create the Kubernetes service account to use for specific runner: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create serviceaccount <span class="nt">--namespace</span> dev app-deployer </code></pre> </div> <ul> <li>Generate an <a href="https://dev.toscw-2">API Key</a> for the specific runner.</li> </ul> <blockquote> <p>Note: For easier visibility and auditing, I recommend to centrally store API keys in a dedicated project and in an external tools like Vault.</p> </blockquote> <ul> <li>To allow the specific runner to impersonate the API Key we need to store the credentials in a Kubernetes secret. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic dev-api-key <span class="nt">--from-file</span> ~/.config/scw/config.yaml <span class="nt">-n</span> dev </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fohnv5z1batvn9ju6z2wn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fohnv5z1batvn9ju6z2wn.png" alt="Binding Kubernetes Secrets with Scaleway API Keys" width="800" height="760"></a></p> <h1> Assign the API Key to the Gitlab runner </h1> <p>The next step is to mount the secret as a data volume [4].</p> <ul> <li>Start by installing Helm: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-fsSL</span> <span class="nt">-o</span> get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 <span class="nb">chmod </span>700 get_helm.sh ./get_helm.sh </code></pre> </div> <ul> <li>Add Gitlab Helm package: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add gitlab https://charts.gitlab.io </code></pre> </div> <ul> <li>Configure the runner: </li> </ul> <p>Create the file <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">IfNotPresent</span> <span class="na">gitlabUrl</span><span class="pi">:</span> <span class="s">https://gitlab.com/</span> <span class="na">unregisterRunners</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">terminationGracePeriodSeconds</span><span class="pi">:</span> <span class="m">3600</span> <span class="na">concurrent</span><span class="pi">:</span> <span class="m">10</span> <span class="na">checkInterval</span><span class="pi">:</span> <span class="m">30</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">create</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">metrics</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">runners</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ubuntu:18.04</span> <span class="na">config</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">[[runners]]</span> <span class="s">[runners.kubernetes]</span> <span class="s">[[runners.kubernetes.volumes.secret]]</span> <span class="s">name = "dev-api-key"</span> <span class="s">mount_path = "/root/.config/scw"</span> <span class="s">read_only = true</span> <span class="na">locked</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">pollTimeout</span><span class="pi">:</span> <span class="m">360</span> <span class="na">protected</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">app-deployer</span> <span class="na">privileged</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">secret</span><span class="pi">:</span> <span class="s">dev-runner-tokens</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">builds</span><span class="pi">:</span> <span class="na">cpuRequests</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memoryRequests</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">services</span><span class="pi">:</span> <span class="na">cpuRequests</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memoryRequests</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">helpers</span><span class="pi">:</span> <span class="na">cpuRequests</span><span class="pi">:</span> <span class="s">100m</span> <span class="na">memoryRequests</span><span class="pi">:</span> <span class="s">128Mi</span> <span class="na">tags</span><span class="pi">:</span> <span class="s2">"</span><span class="s">k8s-dev-runner"</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">k8s.scaleway.com/pool-name</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">nodeTolerations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">gitlab-runner-jobs-dev-reserved"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Equal"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">effect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NoSchedule"</span> </code></pre> </div> <blockquote> <p>You can find the description of each attribute in the Gitlab runner charts repository [2]</p> </blockquote> <ul> <li>Get the Gitlab registration token from <code>Project -&gt; Settings -&gt; CI/CD -&gt; Runners</code> in the <code>Setup a specific Runner manually</code> section and create the following secret: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic dev-runner-tokens <span class="nt">--from-literal</span><span class="o">=</span>runner-token<span class="o">=</span><span class="s1">''</span> <span class="nt">--from-literal</span><span class="o">=</span>runner-registration-token<span class="o">=</span><span class="s1">'&lt;TOKEN&gt;'</span> <span class="nt">-n</span> dev </code></pre> </div> <ul> <li>Install the runner: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install</span> <span class="nt">-n</span> dev app-dev-runner <span class="nt">-f</span> values.yaml gitlab/gitlab-runner </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F42qhdf7jw44vb4o2io6u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F42qhdf7jw44vb4o2io6u.png" alt="Specific Runner with Kapsule" width="800" height="437"></a></p> <h1> Using the specific runner in Gitlab CI </h1> <p>Create the pipeline <code>.gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">dev</span> <span class="na">infra</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">scaleway/cli:v2.3.1</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/scw k8s cluster create name=kapsule-dev</span> <span class="pi">-</span> <span class="s">/scw k8s pool create cluster-id=$(/scw k8s cluster list | grep kapsule-dev | awk '{ print $1 }') name=apps node-type=DEV1_M size=2</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">k8s-dev-runner</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> </code></pre> </div> <p>The job will create a Kapsule cluster in the <code>development</code> project. We can follow the same steps for a <code>production</code> environment.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F24xnad2z7a75wtharkhx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F24xnad2z7a75wtharkhx.png" alt="Deploy Kapsule Dev from Kapsule DevOps using Gitlab CI" width="800" height="564"></a></p> <blockquote> <p>If you want to change the API Key, you just need to delete and recreate the <code>dev-api-key</code> secret.</p> </blockquote> <h1> Access the Kapsule cluster </h1> <p>You can follow the same steps to connect to the Kapsule Cluster from your Gitlab job. </p> <ul> <li>Create a secret: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic dev-kapsule-config <span class="nt">--from-file</span> ~/.kube/config <span class="nt">-n</span> dev </code></pre> </div> <ul> <li>and mount it as a data volume: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">[[</span><span class="nv">runners.kubernetes.volumes.secret</span><span class="pi">]]</span> <span class="s">name = "dev-kapsule-config"</span> <span class="s">mount_path = "/root/.kube"</span> <span class="s">read_only = </span><span class="kc">true</span> </code></pre> </div> <blockquote> <p>In this example, we used a kubeconfig with admin access. You should use <a href="https://kubernetes.io/docs/reference/access-authn-authz/" rel="noopener noreferrer">RBAC</a> to restrict access to only specific Kubernetes resources that the runner needs.</p> </blockquote> <h1> Implementing Gitlab Flow </h1> <p><a href="https://docs.gitlab.com/ee/topics/gitlab_flow.html#environment-branches-with-gitlab-flow" rel="noopener noreferrer">Environment branches with Gitlab Flow</a> is a branching strategy and workflow. Suppose you have additional environments like a pre-production environment and a production environment. Deploy the main branch to your development environment. To deploy to pre-production, create a merge request [3] from the main branch to the pre-prod branch. Go live by merging the pre-prod branch into the production branch.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn1ychv25gbzt6zhwfsvq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn1ychv25gbzt6zhwfsvq.png" alt="Gitlab flow" width="800" height="350"></a></p> <p>Add the following script <code>./utils/autoMergeRequest.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="o">[[</span> <span class="nv">$CI_PROJECT_URL</span> <span class="o">=</span>~ ^https?://[^/]+ <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="nv">CI_PROJECT_URL</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">BASH_REMATCH</span><span class="p">[0]</span><span class="k">}</span><span class="s2">/api/v4/projects/"</span> <span class="nv">BODY</span><span class="o">=</span><span class="s2">"{ </span><span class="se">\"</span><span class="s2">id</span><span class="se">\"</span><span class="s2">: </span><span class="k">${</span><span class="nv">CI_PROJECT_ID</span><span class="k">}</span><span class="s2">, </span><span class="se">\"</span><span class="s2">source_branch</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="k">${</span><span class="nv">CI_COMMIT_REF_NAME</span><span class="k">}</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">target_branch</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="k">${</span><span class="nv">TARGET_BRANCH</span><span class="k">}</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">remove_source_branch</span><span class="se">\"</span><span class="s2">: false, </span><span class="se">\"</span><span class="s2">title</span><span class="se">\"</span><span class="s2">: </span><span class="se">\"</span><span class="s2">Deployment to </span><span class="k">${</span><span class="nv">TARGET_BRANCH</span><span class="k">}</span><span class="se">\"</span><span class="s2">, </span><span class="se">\"</span><span class="s2">assignee_id</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="k">${</span><span class="nv">GITLAB_USER_MAILINGLIST_ID</span><span class="k">}</span><span class="se">\"</span><span class="s2"> }"</span><span class="p">;</span> <span class="nv">LISTMR</span><span class="o">=</span><span class="sb">`</span>curl <span class="nt">--silent</span> <span class="s2">"</span><span class="k">${</span><span class="nv">CI_PROJECT_URL</span><span class="k">}${</span><span class="nv">CI_PROJECT_ID</span><span class="k">}</span><span class="s2">/merge_requests?state=opened"</span> <span class="nt">--header</span> <span class="s2">"PRIVATE-TOKEN:</span><span class="k">${</span><span class="nv">PRIVATE_TOKEN</span><span class="k">}</span><span class="s2">"</span><span class="sb">`</span><span class="p">;</span> <span class="nv">COUNTBRANCHES</span><span class="o">=</span><span class="sb">`</span><span class="nb">echo</span> <span class="k">${</span><span class="nv">LISTMR</span><span class="k">}</span> | <span class="nb">grep</span> <span class="nt">-o</span> <span class="s2">"</span><span class="se">\"</span><span class="s2">source_branch</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="k">${</span><span class="nv">CI_COMMIT_REF_NAME</span><span class="k">}</span><span class="se">\"</span><span class="s2">"</span> | <span class="nb">wc</span> <span class="nt">-l</span><span class="sb">`</span><span class="p">;</span> <span class="k">if</span> <span class="o">[</span> <span class="k">${</span><span class="nv">COUNTBRANCHES</span><span class="k">}</span> <span class="nt">-eq</span> <span class="s2">"0"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>curl <span class="nt">-X</span> POST <span class="s2">"</span><span class="k">${</span><span class="nv">CI_PROJECT_URL</span><span class="k">}${</span><span class="nv">CI_PROJECT_ID</span><span class="k">}</span><span class="s2">/merge_requests"</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s2">"PRIVATE-TOKEN:</span><span class="k">${</span><span class="nv">PRIVATE_TOKEN</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">--data</span> <span class="s2">"</span><span class="k">${</span><span class="nv">BODY</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="nb">echo</span> <span class="s2">"Opened a new merge request: Deployment to </span><span class="k">${</span><span class="nv">TARGET_BRANCH</span><span class="k">}</span><span class="s2"> and assigned to you"</span><span class="p">;</span> <span class="nb">exit</span><span class="p">;</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"No new merge request opened"</span><span class="p">;</span> </code></pre> </div> <p>It's a common pattern to receive the merge request from a mailing list. Create a Gitlab user with this mailing list and add the variable CI/CD <code>GITLAB_USER_MAILINGLIST_ID</code> with the user ID. You can get the ID using the URL <code>https://gitlab.com/api/v4/users?username=&lt;USERNAME&gt;</code>.</p> <p>Add the Variable CI/CD <code>PRIVATE_TOKEN</code>, you can create one from <code>Settings &gt; Project Access Tokens</code>.</p> <p>Example of a <code>gitlab-ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build</span> <span class="pi">-</span> <span class="s">dev</span> <span class="pi">-</span> <span class="s">preprod</span> <span class="pi">-</span> <span class="s">prod</span> <span class="na">build</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo 'build'</span> <span class="pi">-</span> <span class="s">TARGET_BRANCH=main ./utils/autoMergeRequest.sh</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/^feature\/*/</span> <span class="pi">-</span> <span class="s">/^hotfix\/*/</span> <span class="na">dev</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">dev</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo 'deploy dev'</span> <span class="pi">-</span> <span class="s">TARGET_BRANCH=preprod ./utils/autoMergeRequest.sh</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">k8s-dev-runner</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">preprod</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">preprod</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo 'deploy preprod'</span> <span class="pi">-</span> <span class="s">TARGET_BRANCH=prod ./utils/autoMergeRequest.sh</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">k8s-preprod-runner</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">preprod</span> <span class="na">prod</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">prod</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo 'deploy prod'</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">k8s-prod-runner</span> <span class="na">only</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">prod</span> </code></pre> </div> <blockquote> <p>The <code>preprod</code> and <code>prod</code> branches need to be marked as protected. Go to <code>Settings &gt; Repository &gt; Protected branches</code>.</p> </blockquote> <h1> Conclusion </h1> <p>In this post, we created a devops cluster, we mounted the config.yml file to the specific runner, and we ended up deploying our Scaleway Elements and Kubernetes resources in an environment project.</p> <p>This mechanism guarantees end-to-end security for your API Keys resources in Scaleway Elements.</p> <p>If you have any questions or feedback, please feel free to leave a comment.</p> <p>Otherwise, I hope I've convinced you to remove your API keys from Gitlab CI variables.</p> <p>By the way, do not hesitate to share with peers 😊</p> <p>Thanks for reading!</p> <h1> Documentation </h1> <p>[1] <a href="https://www.scaleway.com/en/docs/compute/kubernetes/api-cli/creating-managing-kubernetes-lifecycle-cliv2/" rel="noopener noreferrer">https://www.scaleway.com/en/docs/compute/kubernetes/api-cli/creating-managing-kubernetes-lifecycle-cliv2/</a><br> [2] <a href="https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/values.yaml" rel="noopener noreferrer">https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/values.yaml</a><br> [3] <a href="https://about.gitlab.com/blog/2017/09/05/how-to-automatically-create-a-new-mr-on-gitlab-with-gitlab-ci/" rel="noopener noreferrer">https://about.gitlab.com/blog/2017/09/05/how-to-automatically-create-a-new-mr-on-gitlab-with-gitlab-ci/</a><br> [4] <a href="https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod" rel="noopener noreferrer">https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod</a></p> scaleway security devops gitlab Chabane R. Mon, 19 Jul 2021 06:28:02 +0000 https://forem.com/stack-labs/top-5-ways-to-run-your-legacy-containers-on-google-cloud-3k9b https://forem.com/stack-labs/top-5-ways-to-run-your-legacy-containers-on-google-cloud-3k9b <p>If your private environment is using Docker and you want to migrate your containers to Google Cloud, this article can help you to choose the right Google Cloud Computing service.</p> <p>There are many reasons for using public cloud technology like:</p> <ul> <li>increasing scalability, </li> <li>improving business agility, </li> <li>reducing cost, </li> <li>enhancing security.</li> </ul> <p>All of these motivations can turn into big challenges if you choose the wrong cloud computing service. </p> <p>I have met customers trying to adapt their legacy on a Google Cloud computing service by ignoring the network, security, and devops aspects. This method is not a lift &amp; shift migration. The lift &amp; shift is a journey, it needs a migration plan, cloud adoption, migration path and a clear vision! </p> <p>I also met customers moving their containerized application to an orchestrator thinking it was a lift &amp; shift migration. They expected minor or no modifications or refactoring needed. This strategy is an <code>improve and move</code> migration and it's also a journey that requires more time.</p> <p>As a last example, I met a customer wanted to move their containerized application to a serverless, networkless service while maintaining communication with their on-premises environment. A worthless strategy.</p> <p>When you move to Google Cloud or any other public cloud provider, only your workloads and data will be migrated, your current network, some security patterns and devops practices will remain on your private environments. In Google Cloud, you will need to embrace new best practices and patterns if you want to see your workloads running in production with the initial reasons that motivated you to choose Google Cloud.</p> <p>In this article, we take an example of a containerized application that needs to be migrated to Google Cloud taking into account many aspects such as network, security, cost and devops challenges.</p> <h1> Google Cloud Compute Services </h1> <p>I explained in a previous post <a href="https://dev.to/stack-labs/serverless-is-not-always-networkless-51j9">Serverless is not (always) Networkless!</a> that we can represent Google Cloud services in 2 categories:</p> <ul> <li>Services deployed on the Google Cloud network (networkless)</li> <li>Services deployed in your private network (infrastructure)</li> </ul> <p>The first category is represented by the following computing services:</p> <ul> <li>Cloud functions</li> <li>Cloud Run</li> <li>App Engine standard</li> </ul> <p>The second category is represented by the following computing services:</p> <ul> <li>App Engine flexible</li> <li>Kubernetes Engine </li> <li>Compute Engine</li> </ul> <p>A container application can be deployed on Cloud Run, App Engine flexible, Kubernetes Engine Standard, Kubernetes Engine Autopilot or Compute Engine.</p> <h2> 5) Compute Engine </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7nk9t3fv4kda25pcw9lg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7nk9t3fv4kda25pcw9lg.png" alt="Compute Engine Container Optimized OS" width="130" height="140"></a></p> <p>I would say: don't migrate to Google Cloud if you plan to use Compute Engine to host your containerized application. However, if you still want to host your existing containerized application in Compute Engine, you should be aware of the following constraints:</p> <ul> <li>Compute Engine is not designed to host containers, but you can use <a href="https://cloud.google.com/container-optimized-os/docs" rel="noopener noreferrer">Container-Optimized OS</a>, an operating system image that is optimized for running Docker containers.</li> <li>If you want to scale your application using managed instance group (MIG), each containerized application needs to run on a separate virtual machine. It Could make the operating system overhead a significant part of your cost.</li> <li>You will have to operate the entire infrastructure on your own: complex security environment, lack of flexibility, upgrade &amp; maintenance, etc.</li> <li><a href="https://cloud.google.com/container-optimized-os/docs/concepts/features-and-benefits#limitations" rel="noopener noreferrer">And other limits</a></li> </ul> <h2> 4) App Engine flexible </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F513mkgq8eb565qsd9pxw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F513mkgq8eb565qsd9pxw.png" alt="App Engine flexible" width="187" height="155"></a></p> <p>If you want to host your existing containerized application in App Engine flexible you should be aware of the following constraints:</p> <ul> <li>App Engine flexible is not a serverless service, at least one running container is required</li> <li>The service requires a private network to create the instances</li> <li>You can remotely log in to your running instances but they are not accessible through Compute Engine</li> <li>The most expensive container service because it comes with full PaaS features like firewalls, cron jobs, canary deployment, etc.</li> <li>Becomes obsolete. Google Cloud doesn't invest much in new features.</li> </ul> <h2> 3) Kubernetes Engine Standard </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pg5zg7vp5d8oc47d3k3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pg5zg7vp5d8oc47d3k3.png" alt="Kubernetes Engine Standard" width="150" height="177"></a></p> <p>If you want to host your existing containerized application in this Kubernetes Engine mode you should be aware of the following constraints:</p> <ul> <li>The service requires a private network to create the nodes</li> <li>You manage the cluster. So you need a solid knowledge of Kubernetes</li> <li>Even if no workload is running in the cluster, you will have to pay the GKE control plane fee</li> </ul> <h2> 2) Kubernetes Engine Autopilot </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pg5zg7vp5d8oc47d3k3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5pg5zg7vp5d8oc47d3k3.png" alt="Kubernetes Engine Autopilot" width="150" height="177"></a></p> <p>If you want to host your existing containerized application in this Kubernetes Engine mode you should be aware of the following constraints:</p> <ul> <li>The service requires a private network to create the nodes</li> <li>Even if no workload is running in the cluster, you will have to pay the GKE control plane fee</li> <li>Suitable for hosting business applications that you control and maintain. You cannot deploy external tools like Istio (e.g Ingress Gateway)</li> <li>Nodes are not accessible through Compute Engine</li> <li><a href="https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview" rel="noopener noreferrer">And other limits</a></li> </ul> <h2> 1) Cloud Run </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flyudvql4k8snnuokyhrj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flyudvql4k8snnuokyhrj.png" alt="Cloud Run" width="147" height="155"></a></p> <p>If you want to host your existing containerized application in Cloud Run you should be aware of the following constraints:</p> <ul> <li>Your application should start very quickly. Because Cloud Run starts a new container for each new request (in case of cold start) [1]</li> <li>The service supports only HTTP(s)</li> <li>Your HTTP(s) requests cannot exceed 60 minutes</li> <li>Your app does not need to communicate with a service hosted on-premises or in a Google Cloud virtual private cloud (VPC). If you use the <a href="https://cloud.google.com/vpc/docs/configure-serverless-vpc-access" rel="noopener noreferrer">Serverless VPC Connector</a> with Cloud Run, you will face network and security challenges that you cannot ignore.</li> </ul> <h1> Recommendations </h1> <ul> <li>If your existing application is a Web application and does not need to communicate with a private environment, choose Cloud Run.</li> <li>If your existing application does not need to communicate with a private environment (even if it's possible) and you have multiple teams and projects that need to be separated from each other, App Engine flexible is best suited for this type of organization as it is full PaaS that lets developers focus on what they do best: writing code.</li> <li>If your existing application needs to communicate with a private environment and <ul> <li>you need Kubernetes for basic usage, so choose Kubernetes Engine Autopilot.</li> <li>you have strong knowledge of Kubernetes, so choose Kubernetes Engine Standard.</li> </ul> </li> <li>Only if your containerized application depends on the Docker Engine, choose Compute Engine.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faidzubc5ywusk85kdc2a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faidzubc5ywusk85kdc2a.png" alt="Alt Text" width="800" height="392"></a></p> <p>That's all folks!</p> <p>Thanks for reading this post :-)</p> <h1> Documentation </h1> <p>[1] <a href="https://cloud.google.com/blog/topics/developers-practitioners/3-ways-optimize-cloud-run-response-times" rel="noopener noreferrer">https://cloud.google.com/blog/topics/developers-practitioners/3-ways-optimize-cloud-run-response-times</a></p> googlecloud docker kubernetes cloudnative Chabane R. Mon, 12 Jul 2021 06:47:29 +0000 https://forem.com/stack-labs/serverless-is-not-always-networkless-51j9 https://forem.com/stack-labs/serverless-is-not-always-networkless-51j9 <blockquote> <p>"I want to put my code in a Google Cloud function and send my messages to a message broker". </p> </blockquote> <p>A serverless application deployed in the cloud provider's network that needs to communicate with an infrastructure application deployed in a private network. It's not that easy to set up and maintain!</p> <p>Serverless and infrastructure, two worlds initially designed to not work together?</p> <p>Many customers on Google Cloud use Serverless services to get away from server management, network infrastructure management, and some layers of security. This is a good approach, but not always the best solution. When we start from scratch in the Cloud, choosing a service based on the Google Cloud network is indeed the best approach, but when we come from the world of private infrastructure and want to communicate the two, we will quickly realize that they are different. So when we come across a Serverless solution that requires a private network, one of the biggest challenges begins, that of making the hidden world (Networkless) communicate with the revealed world (The infrastracture).</p> <h1> Cloud computing services </h1> <p>We often group public cloud services into five parts: Infrastructure (IaaS), Container (CaaS), Platform (PaaS), Function (FaaS), and Software as a Service (SaaS).</p> <p>Public cloud services that rely on these cloud computing services always try to stick to the concepts. These concepts are not always understood by customers. Some users try to mirror their legacy to these services and very often find themselves faced with security and network challenges that they did not anticipate.</p> <p>To help customers guarantee this communications between these different levels of cloud computing, cloud providers have developed a specific service to establish this link. For example, Google Cloud provides a <a href="https://cloud.google.com/vpc/docs/configure-serverless-vpc-access" rel="noopener noreferrer">Serverless VPC Connector</a> to allow Google Cloud Functions (FaaS), App Engine (PaaS) and Cloud Run (PaaS) to communicate privately with Kubernetes Engine containers (CaaS) and Compute Engine instances (IaaS). You will find same service for Amazon Web Services with <a href="https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html" rel="noopener noreferrer">VPC Endpoint Services</a> or Microsoft Azure with <a href="https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview" rel="noopener noreferrer">Virtual Network service endpoints</a>.</p> <p>If you are migrating to the cloud to move away from infrastructure management and your business uses only cloud functions but needs to communicate privately with a legacy application deployed in a virtual private network (VPC), you're going to have to maintain, operate and secure a private network over the long term, and it's not that simple. The network is an important part of an infrastructure.</p> <p>If you really want to move away from infrastructure management, you will also need to be Networkless.</p> <h1> Serverless vs Networkless </h1> <p>What is Serverless?</p> <blockquote> <p>Serverless computing is a cloud computing execution model in which the cloud provider allocates machine resources on demand, taking care of the servers on behalf of their customers. [1]</p> </blockquote> <p>Serverless has positive impacts on the software development lifecycle while simplifying the developer experience by eliminating server management. Serverless lets you focus on business development.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6109o4832ifni7nsauw7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6109o4832ifni7nsauw7.png" alt="Serverless has positive impacts on software development life cycle" width="800" height="531"></a></p> <blockquote> <p>Google Cloud’s serverless platform lets you build, develop, and deploy functions and applications, as source code or containers, while simplifying the developer experience <strong><em>by eliminating all infrastructure management</em></strong>. [2]</p> </blockquote> <p>Most <a href="https://cloud.google.com/serverless/whitepaper" rel="noopener noreferrer">Google Cloud serverless services</a> eliminate the infrastructure management like Cloud Functions, App Engine Standard or Cloud Run but not always.</p> <p>Cloud Dataflow as an example is presented as a serverless service.</p> <blockquote> <p>Dataflow: Unified stream and batch data processing that's <strong><em>serverless</em></strong>, fast, and cost-effective. [3]</p> </blockquote> <p>For a new or not yet mature customer on Google Cloud, he will think that all the infrastructure is managed by the cloud provider, this will be the case for server mangement but not always for the network. I see many customers who use serverless for computing (Cloud functions, Cloud Run, etc.) and use Cloud Dataflow for data processing without knowing that they are building their jobs in the <code>default</code> network (which not recommended for production). In Google Cloud, network configuration is always presented as optional.</p> <p>This is also the case for Cloud Composer, Cloud Dataproc, Cloud Kubernetes Engine Autopilot or App Engine flexible. Google Cloud will manage the servers for you, but network management will be your responsibility. Serverless services but not Networkless.</p> <p>We can represent Google Cloud services in 2 categories: </p> <ul> <li>Services deployed on the Google Cloud network (networkless)</li> <li>Services deployed in your private network (infrastructure)</li> </ul> <p>It can be illustrated like that:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs53dsyc82284u8afrsrb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs53dsyc82284u8afrsrb.png" alt="Computing categories" width="800" height="210"></a></p> <center>Compute services</center> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnrd28njkxpd241dgq70n.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnrd28njkxpd241dgq70n.png" alt="Data analytics categories" width="800" height="393"></a></p> <center>Data analytics services</center> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjxtp9f98iqbm3e2irdjq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjxtp9f98iqbm3e2irdjq.png" alt="Databases categories" width="800" height="351"></a></p> <center>Databases services</center> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2kghelax7ntc062iavps.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2kghelax7ntc062iavps.png" alt="Storage categories" width="800" height="216"></a></p> <center>Storage services</center> <br> <p>You notice that a service may move from one location to another depending on the network configuration. Cloud SQL is a good example.</p> <p>In the security overview, it makes no sense to configure a private Cloud SQL instance if you are only using Cloud functions or Cloud Run services. A public Cloud SQL instance already has two strong protections: Cloud IAM permissions and database credentials, in addition to authorized networks.</p> <p>Don't be intimidated by the word <code>private</code>. I remind you that you are on a <code>public</code> cloud... ;-)</p> <h1> Recommendations </h1> <p>If you're moving to the cloud and some apps you depend on need to stay on-premise or in a Google Virtual Private Cloud (VPC), migrate all your apps to Google Compute Engine or Google Kubernetes Engine and use only Serverless services that need a private network. This design ensures an isolated network, which is a network security best practice.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fma6nw44eybkzoasai3ti.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fma6nw44eybkzoasai3ti.png" alt="The cloud migration target" width="800" height="440"></a></p> <center>The cloud migration target</center> <br> <p>So migrate your workloads in the right service with the right network.</p> <p>If you are a new company (no legacy), choose only networkless services. Focus on your business and let Google Cloud manage the infrastructure for you.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ph6jxu0n32c09dn4bn1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ph6jxu0n32c09dn4bn1.png" alt="Compute service choice" width="800" height="266"></a></p> <center>Networkless services</center> <br> <p>I see a lot of new companies, where developers who build a new app in Google Cloud are reusing their existing knowledge of open source tools and frameworks to deploy it on a Google Cloud infrastructure. This strategy is not the best. If you leave the company someone else will have to maintain your infrastructure. The infrastructure is only there for existing companies and it costs!</p> <p>For example, I saw a company set up a standard regional Kubernetes Engine cluster, deploy an Apache Kafka, Elasticsearch, and MongoDB containers in addition to their frontend and backend applications. </p> <blockquote> <p>If they had deployed this to avoid the vendor lock-in (Personally against this motivation), I wouldn't have taken it as an example.</p> </blockquote> <p>For this company's business use case, it could have used Cloud Pub / Sub, BigQuery, Firestore, Cloud Storage, and Cloud Run instead. It would have been less expensive and certainly less complex to maintain and secure!</p> <p>So deploy your workloads in the right service with the right options.</p> <p>That's all folks!</p> <p>Thanks for reading this post :-)</p> <h1> Documentation </h1> <p>[1] <a href="https://en.wikipedia.org/wiki/Serverless_computing" rel="noopener noreferrer">https://en.wikipedia.org/wiki/Serverless_computing</a><br> [2] <a href="https://cloud.google.com/serverless" rel="noopener noreferrer">https://cloud.google.com/serverless</a><br> [3] <a href="https://cloud.google.com/dataflow" rel="noopener noreferrer">https://cloud.google.com/dataflow</a></p> googlecloud serverless infrastructure networkless Chabane R. Thu, 24 Jun 2021 12:51:42 +0000 https://forem.com/stack-labs/securing-the-connectivity-between-a-gke-application-and-a-cloud-sql-database-4d6b https://forem.com/stack-labs/securing-the-connectivity-between-a-gke-application-and-a-cloud-sql-database-4d6b <p>In the <a href="https://dev.to/stack-labs/securing-sensitive-data-in-cloud-sql-23hg">previous part</a> we created our Cloud SQL instance. In this part, we'll put them all together and deploy Wordpress to Kubernetes and connect it to the Cloud SQL database. Our objectives are to:</p> <ul> <li>Create the IAM Service Account to connect to the Cloud SQL instance. It will be associated to the Wordpress Kubernetes service account.</li> <li>Create 2 deployments: One for Wordpress and one for the <a href="https://cloud.google.com/sql/docs/mysql/sql-proxy" rel="noopener noreferrer">Cloud SQL Proxy</a>.</li> <li>Create the Cloud Armor security policy to restrict load balancer traffic to only authorized networks.</li> <li>Configure the OAuth consent screen and credentials to enable Identity Aware Proxy.</li> <li>Create SSL certificates and enable the HTTPs redirection.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvqgikelchb80n4b5qpas.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvqgikelchb80n4b5qpas.png" alt="Architecture" width="800" height="410"></a></p> <h1> IAM Service Account </h1> <p><a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity" rel="noopener noreferrer">Workload Identity</a> is the recommended way to access Google Cloud services from applications running within GKE.</p> <blockquote> <p>With Workload Identity, you can configure a Kubernetes service account to act as a Google service account. Pods running as the Kubernetes service account will automatically authenticate as the Google service account when accessing Google Cloud APIs.</p> </blockquote> <p>Let's create this Google service account. Create the file <code>infra/plan/service-account.tf</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_service_account"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="s2">"cloud-sql-access"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"Service account used to access cloud sql instance"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_project_iam_binding"</span> <span class="s2">"cloudsql_client"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="s2">"roles/cloudsql.client"</span> <span class="nx">members</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"serviceAccount:cloud-sql-access@</span><span class="k">${data</span><span class="p">.</span><span class="nx">google_project</span><span class="p">.</span><span class="nx">project</span><span class="p">.</span><span class="nx">project_id</span><span class="k">}</span><span class="s2">.iam.gserviceaccount.com"</span><span class="p">,</span> <span class="p">]</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"google_project"</span> <span class="s2">"project"</span> <span class="p">{</span> <span class="p">}</span> </code></pre> </div> <p>And the associated Kubernetes service account in <code>infra/k8s/data/service-account.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">iam.gke.io/gcp-service-account</span><span class="pi">:</span> <span class="s">cloud-sql-access@&lt;PROJECT_ID&gt;.iam.gserviceaccount.com</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloud-sql-access</span> </code></pre> </div> <p>Let's run our updated terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/plan terraform apply </code></pre> </div> <p>And create the Kubernetes service account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud container clusters get-credentials private <span class="nt">--region</span> <span class="nv">$REGION</span> <span class="nt">--project</span> <span class="nv">$PROJECT_ID</span> <span class="nv">$ </span>kubectl create namespace wordpress <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/&lt;PROJECT_ID&gt;/</span><span class="nv">$PROJECT_ID</span><span class="s2">/g;"</span> infra/k8s/data/service-account.yaml <span class="nv">$ </span>kubectl create <span class="nt">-f</span> infra/k8s/data/service-account.yaml <span class="nt">-n</span> wordpress </code></pre> </div> <p>The Kubernetes service account will be used by the Cloud SQL Proxy deployment to access the Cloud SQL instance.</p> <p>Allow the Kubernetes service account to impersonate the created Google service account by an IAM policy binding between the two:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud iam service-accounts add-iam-policy-binding <span class="se">\</span> <span class="nt">--role</span> roles/iam.workloadIdentityUser <span class="se">\</span> <span class="nt">--member</span> <span class="s2">"serviceAccount:</span><span class="nv">$PROJECT_ID</span><span class="s2">.svc.id.goog[wordpress/cloud-sql-access]"</span> <span class="se">\</span> cloud-sql-access@<span class="nv">$PROJECT_ID</span>.iam.gserviceaccount.com </code></pre> </div> <h1> Cloud SQL Proxy </h1> <p>We use the Cloud SQL Auth proxy to secure access to our Cloud SQL instance without the need for Authorized networks or for configuring SSL.</p> <p>Let's begin by the deployment resource:</p> <p><code>infra/k8s/data/deployment.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">cloud-sql-proxy</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloud-sql-proxy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">cloud-sql-proxy</span> <span class="na">strategy</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">cloud-sql-proxy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">cloud-sql-access</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloud-sql-proxy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">gcr.io/cloudsql-docker/gce-proxy:1.23.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3306</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloud-sql-instance</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/cloud_sql_proxy"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-ip_address_types=PRIVATE"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">-instances=$(CLOUD_SQL_PROJECT_ID):$(CLOUD_SQL_INSTANCE_REGION):$(CLOUD_SQL_INSTANCE_NAME)=tcp:0.0.0.0:3306"</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">runAsNonRoot</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">2Gi</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">1</span> </code></pre> </div> <p>The deployment resource refers to the service account created earlier. Cloud SQL instance details are retrieved from a Kubernetes config map:</p> <p><code>infra/k8s/data/config-map.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloud-sql-instance</span> <span class="na">data</span><span class="pi">:</span> <span class="na">CLOUD_SQL_INSTANCE_NAME</span><span class="pi">:</span> <span class="s">&lt;CLOUD_SQL_INSTANCE_NAME&gt;</span> <span class="na">CLOUD_SQL_INSTANCE_REGION</span><span class="pi">:</span> <span class="s">&lt;CLOUD_SQL_REGION&gt;</span> <span class="na">CLOUD_SQL_PROJECT_ID</span><span class="pi">:</span> <span class="s">&lt;CLOUD_SQL_PROJECT_ID&gt;</span> </code></pre> </div> <p>We expose the deployment resource using a Kubernetes service:</p> <p><code>infra/k8s/data/service.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">cloud-sql-proxy</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloud-sql-proxy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3306</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloud-sql-proxy</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">3306</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">cloud-sql-proxy</span> </code></pre> </div> <p>Let's create our resources and check if the connection is established:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/plan <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/&lt;CLOUD_SQL_PROJECT_ID&gt;/</span><span class="nv">$PROJECT_ID</span><span class="s2">/g;s/&lt;CLOUD_SQL_INSTANCE_NAME&gt;/</span><span class="si">$(</span>terraform output cloud-sql-instance-name | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'"'</span><span class="si">)</span><span class="s2">/g;s/&lt;CLOUD_SQL_REGION&gt;/</span><span class="nv">$REGION</span><span class="s2">/g;"</span> ../k8s/data/config-map.yaml <span class="nv">$ </span>kubectl create <span class="nt">-f</span> ../k8s/data <span class="nt">-n</span> wordpress <span class="nv">$ </span>kubectl get pods <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>cloud-sql-proxy <span class="nt">-n</span> wordpress NAME READY STATUS RESTARTS AGE cloud-sql-proxy-fb9968d49-hqlwb 1/1 Running 0 4s cloud-sql-proxy-fb9968d49-wj498 1/1 Running 0 5s cloud-sql-proxy-fb9968d49-z95zw 1/1 Running 0 4s <span class="nv">$ </span>kubectl logs cloud-sql-proxy-fb9968d49-hqlwb <span class="nt">-n</span> wordpress 2021/06/23 14:43:21 current FDs rlimit <span class="nb">set </span>to 1048576, wanted limit is 8500. Nothing to <span class="k">do </span>here. 2021/06/23 14:43:25 Listening on 0.0.0.0:3306 <span class="k">for</span> &lt;PROJECT_ID&gt;:&lt;REGION&gt;:&lt;CLOUD_SQL_INSTANCE_NAME&gt; 2021/06/23 14:43:25 Ready <span class="k">for </span>new connections </code></pre> </div> <p>Ok! Let's move on to the Wordpress application</p> <h1> Wordpress application </h1> <p>Let's begin by the deployment resource:</p> <p><code>infra/k8s/web/deployment.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Recreate</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">image</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">WORDPRESS_DB_HOST</span> <span class="na">value</span><span class="pi">:</span> <span class="s">cloud-sql-proxy:3306</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">WORDPRESS_DB_USER</span> <span class="na">value</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">WORDPRESS_DB_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">WORDPRESS_DB_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mysql</span> <span class="na">key</span><span class="pi">:</span> <span class="s">password</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress-persistent-storage</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/var/www/html</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/wp-admin/install.php</span> <span class="c1"># at the very beginning, this is the only accessible page. Don't forget to change to /wp-login.php </span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/wp-admin/install.php</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">1000m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">2Gi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">1200m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">2Gi</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress-persistent-storage</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">wordpress</span> </code></pre> </div> <p><code>infra/k8s/web/service.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">cloud.google.com/neg</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{"ingress":</span><span class="nv"> </span><span class="s">true}'</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">wordpress</span> </code></pre> </div> <blockquote> <p>The <code>cloud.google.com/neg</code> annotation specifies that port 80 will be associated with a <a href="https://cloud.google.com/load-balancing/docs/negs" rel="noopener noreferrer">zonal network endpoint group (NEG)</a>. See <a href="https://cloud.google.com/kubernetes-engine/docs/concepts/container-native-load-balancing" rel="noopener noreferrer">Container-native load balancing</a> for information on the benefits, requirements, and limitations of container-native load balancing.</p> </blockquote> <p>We create a PVC for Wordpress:</p> <p><code>infra/k8s/web/volume-claim.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">5Gi</span> </code></pre> </div> <p>We finish this section by initializing our Kubernetes ingress resource. This resource will allow us to access the Wordpress application from the internet. </p> <p>Create the file <code>infra/k8s/web/ingress.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">kubernetes.io/ingress.global-static-ip-name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">wordpress"</span> <span class="na">kubernetes.io/ingress.class</span><span class="pi">:</span> <span class="s2">"</span><span class="s">gce"</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">defaultBackend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/*</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <blockquote> <p>The <code>kubernetes.io/ingress.global-static-ip-name</code> annotation specifies the name of the global IP address resource to be associated with the HTTP(S) Load Balancer. [2]</p> </blockquote> <p>Let's create our resources and test the Wordpress application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/k8s <span class="nv">$ </span>kubectl create secret generic mysql <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">password</span><span class="o">=</span><span class="si">$(</span>gcloud secrets versions access latest <span class="nt">--secret</span><span class="o">=</span>wordpress-admin-user-password <span class="nt">--project</span> <span class="nv">$PROJECT_ID</span><span class="si">)</span> <span class="nt">-n</span> wordpress gcloud compute addresses create wordpress <span class="nt">--global</span> <span class="nv">$ </span>kubectl create <span class="nt">-f</span> web <span class="nt">-n</span> wordpress <span class="nv">$ </span>kubectl get pods <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>wordpress <span class="nt">-n</span> wordpress NAME READY STATUS RESTARTS AGE wordpress-6d58d85845-2d7x2 1/1 Running 0 10m <span class="nv">$ </span>kubectl get ingress <span class="nt">-n</span> wordpress NAME CLASS HOSTS ADDRESS PORTS AGE wordpress &lt;none&gt; <span class="k">*</span> 34.117.187.51 80 16m </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw14nf107k7smqvnk51f1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw14nf107k7smqvnk51f1.png" alt="Alt Text" width="800" height="1227"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1yn05rkfzbsxnwmd9hs.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1yn05rkfzbsxnwmd9hs.png" alt="Alt Text" width="800" height="846"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy1fv3r42e77l8dak1m8h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy1fv3r42e77l8dak1m8h.png" alt="Alt Text" width="800" height="444"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9d6o3aa40jw2taeicgti.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9d6o3aa40jw2taeicgti.png" alt="Alt Text" width="800" height="408"></a></p> <p>Anyone can have access to the application. Let's create a Cloud Armor security policy to restrict traffic to the only authorized network.</p> <h1> Cloud Armor security policy </h1> <p>We use <a href="https://cloud.google.com/armor/docs/configure-security-policies" rel="noopener noreferrer">Cloud Armor security policy</a> to filter incoming traffic that is destined to external HTTP(S) load balancers.</p> <p>Create the <code>ìnfra/plan/cloud-armor.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_compute_security_policy"</span> <span class="s2">"wordpress"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"wordpress"</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="s2">"1000"</span> <span class="nx">match</span> <span class="p">{</span> <span class="nx">versioned_expr</span> <span class="p">=</span> <span class="s2">"SRC_IPS_V1"</span> <span class="nx">config</span> <span class="p">{</span> <span class="nx">src_ip_ranges</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">authorized_source_ranges</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow access to authorized source ranges"</span> <span class="p">}</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"deny(403)"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="s2">"2147483647"</span> <span class="nx">match</span> <span class="p">{</span> <span class="nx">versioned_expr</span> <span class="p">=</span> <span class="s2">"SRC_IPS_V1"</span> <span class="nx">config</span> <span class="p">{</span> <span class="nx">src_ip_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"default rule"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Let's run our updated terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/plan terraform apply </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjysoz40mnt7buovvmhpa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjysoz40mnt7buovvmhpa.png" alt="Cloud Armor Page" width="800" height="475"></a></p> <p>Now, let's create a backend config in Kubernetes and reference the security policy.</p> <blockquote> <p>BackendConfig custom resource definition (CRD) allows us to further customize the load balancer. This CRD allows us to define additional load balancer features hierarchically, in a more structured way than annotations. [3]</p> </blockquote> <p><code>infra/k8s/web/backend.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cloud.google.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">BackendConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityPolicy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create <span class="nt">-f</span> infra/k8s/web/backend.yaml <span class="nt">-n</span> wordpress </code></pre> </div> <p>Add the annotation <code>cloud.google.com/backend-config: '{"default": "wordpress"}'</code> in the wordpress service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infra/k8s/web/service.yaml <span class="nt">-n</span> wordpress </code></pre> </div> <p>Let's check if the HTTP Load balancer has attached the security policy:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq5pfki7gvn65hwtkh573.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq5pfki7gvn65hwtkh573.png" alt="LB Security Policy Check" width="800" height="517"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37mwli9vfk99ihzpi3bh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37mwli9vfk99ihzpi3bh.png" alt="Cloud Armor Check" width="800" height="388"></a></p> <p>It looks nice. Let's do a test.</p> <p>Put a bad IP to test if we are rejected<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute security-policies rules update 1000 <span class="se">\</span> <span class="nt">--security-policy</span> wordpress <span class="se">\</span> <span class="nt">--src-ip-ranges</span> <span class="s2">"85.56.40.96"</span> curl http://34.117.187.51/ &lt;<span class="o">!</span>doctype html&gt;&lt;meta <span class="nv">charset</span><span class="o">=</span><span class="s2">"utf-8"</span><span class="o">&gt;</span>&lt;meta <span class="nv">name</span><span class="o">=</span>viewport <span class="nv">content</span><span class="o">=</span><span class="s2">"width=device-width, initial-scale=1"</span><span class="o">&gt;</span>&lt;title&gt;403&lt;/title&gt;403 Forbidden </code></pre> </div> <p>Let's put a correct IP<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud compute security-policies rules update 1000 <span class="se">\</span> <span class="nt">--security-policy</span> wordpress <span class="se">\</span> <span class="nt">--src-ip-ranges</span> <span class="si">$(</span>curl <span class="nt">-s</span> http://checkip.amazonaws.com/<span class="si">)</span> curl http://34.117.187.51/ &lt;<span class="o">!</span>doctype html&gt; &lt;html <span class="nv">lang</span><span class="o">=</span><span class="s2">"en-GB"</span> <span class="o">&gt;</span> &lt;<span class="nb">head</span><span class="o">&gt;</span> &lt;meta <span class="nv">charset</span><span class="o">=</span><span class="s2">"UTF-8"</span> /&gt; &lt;meta <span class="nv">name</span><span class="o">=</span><span class="s2">"viewport"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">"width=device-width, initial-scale=1"</span> /&gt; &lt;title&gt;admin &amp;#8211<span class="p">;</span> Just another WordPress site&lt;/title&gt; </code></pre> </div> <p>Ok!</p> <p>With this Backend configuration, only employees in the same office can have access to the application. Now we want them to be authenticated to access the application as well. We can achieve this by using <a href="https://cloud.google.com/iap/docs/concepts-overview" rel="noopener noreferrer">Identity Aware Proxy (Cloud IAP)</a>.</p> <h1> Enabling Cloud IAP </h1> <p>We use IAP to establish a central authorization layer for our Wordpress application accessed by HTTPS.</p> <blockquote> <p>IAP is integrated through Ingress for GKE. This integration enables you to control resource-level access for employees instead of using a VPN. [1]</p> </blockquote> <p>Follow the instructions described in the GCP documentation to:</p> <ul> <li><a href="https://cloud.google.com/iap/docs/enabling-kubernetes-howto#oauth-configure" rel="noopener noreferrer">Configure the OAuth consent screen</a></li> <li><a href="https://cloud.google.com/iap/docs/enabling-kubernetes-howto#oauth-credentials" rel="noopener noreferrer">Create the OAuth credentials</a></li> <li><a href="https://cloud.google.com/iap/docs/enabling-kubernetes-howto#iap-access" rel="noopener noreferrer">Setting up IAP access</a></li> </ul> <p>Create a Kubernetes secret to wrap the OAuth client you created earlier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">CLIENT_ID_KEY</span><span class="o">=</span>&lt;CLIENT_ID_KEY&gt; <span class="nv">CLIENT_SECRET_KEY</span><span class="o">=</span>&lt;CLIENT_SECRET_KEY&gt; kubectl create secret generic wordpress <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">client_id</span><span class="o">=</span><span class="nv">$CLIENT_ID_KEY</span> <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">client_secret</span><span class="o">=</span><span class="nv">$CLIENT_SECRET_KEY</span> <span class="se">\</span> <span class="nt">-n</span> wordpress </code></pre> </div> <p>Let's update our Backend configuration<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cloud.google.com/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">BackendConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">iap</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">oauthclientCredentials</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">securityPolicy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> </code></pre> </div> <p>Apply the changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> infra/k8s/web/backend-config.yaml <span class="nt">-n</span> wordpress </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05se5hw4siauaff48ws1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05se5hw4siauaff48ws1.png" alt="IAP enabled" width="800" height="497"></a></p> <p>Let's do a test</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzqqt8xzjv70y03a6hr4v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzqqt8xzjv70y03a6hr4v.png" alt="IAP auth page" width="800" height="546"></a></p> <p>Ok!</p> <h1> SSL Certificates </h1> <p>If you have a domain name, you can enable Google-managed SSL certificates using the CRD <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs" rel="noopener noreferrer">ManagedCertificate</a>.</p> <blockquote> <p>Google-managed SSL certificates are Domain Validation (DV) certificates that Google Cloud obtains and manages for your domains. They support multiple hostnames in each certificate, and Google renews the certificates automatically. [4]</p> </blockquote> <p>Create the file <code>infra/k8s/web/ssl.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.gke.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ManagedCertificate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">domains</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">&lt;DOMAIN_NAME&gt;</span> </code></pre> </div> <p>We can create the domain name using Terraform or simply with the gcloud command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">PUBLIC_DNS_NAME</span><span class="o">=</span> <span class="nb">export </span><span class="nv">PUBLIC_DNS_ZONE_NAME</span><span class="o">=</span> gcloud dns record-sets transaction start <span class="nt">--zone</span><span class="o">=</span><span class="nv">$PUBLIC_DNS_ZONE_NAME</span> gcloud dns record-sets transaction add <span class="si">$(</span>gcloud compute addresses list <span class="nt">--filter</span><span class="o">=</span><span class="nv">name</span><span class="o">=</span>wordpress <span class="nt">--format</span><span class="o">=</span><span class="s2">"value(ADDRESS)"</span><span class="si">)</span> <span class="nt">--name</span><span class="o">=</span>wordpress.<span class="nv">$PUBLIC_DNS_NAME</span><span class="nb">.</span> <span class="nt">--ttl</span><span class="o">=</span>300 <span class="nt">--type</span><span class="o">=</span>A <span class="nt">--zone</span><span class="o">=</span><span class="nv">$PUBLIC_DNS_ZONE_NAME</span> gcloud dns record-sets transaction execute <span class="nt">--zone</span><span class="o">=</span><span class="nv">$PUBLIC_DNS_ZONE_NAME</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/&lt;DOMAIN_NAME&gt;/wordpress.</span><span class="nv">$PUBLIC_DNS_NAME</span><span class="s2">/g;"</span> infra/k8s/web/ssl.yaml kubectl create <span class="nt">-f</span> infra/k8s/web/ssl.yaml <span class="nt">-n</span> wordpress </code></pre> </div> <p>Add the annotation <code>networking.gke.io/managed-certificates: "wordpress"</code> in your ingress resource.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favfha3ym6tkwx3dojji7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favfha3ym6tkwx3dojji7.png" alt="LB with SSL certificate" width="800" height="284"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4jtwchk6f9wmhhqwl4qd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4jtwchk6f9wmhhqwl4qd.png" alt="SSL certificate" width="800" height="652"></a></p> <p>Let's do a test</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwmxlmascy0qpdqe4we0c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwmxlmascy0qpdqe4we0c.png" alt="SSL certificates" width="800" height="723"></a></p> <p>Ok!</p> <p>To redirect all HTTP traffic to HTTPS, we need to create a <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#associating_frontendconfig_with_your_ingress" rel="noopener noreferrer">FrontendConfig</a>.</p> <p>Create the file <code>infra/k8s/web/frontend-config.yaml</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.gke.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">FrontendConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">wordpress</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">redirectToHttps</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">responseCodeName</span><span class="pi">:</span> <span class="s">MOVED_PERMANENTLY_DEFAULT</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create <span class="nt">-f</span> infra/k8s/web/frontend-config.yaml <span class="nt">-n</span> wordpress </code></pre> </div> <p>Add the annotation <code>networking.gke.io/v1beta1.FrontendConfig: "wordpress"</code> in your ingress resource.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F97omlg0qkar89i7dw9in.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F97omlg0qkar89i7dw9in.png" alt="HTTP LB" width="800" height="98"></a></p> <p>Let's do a test<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-s</span> http://wordpress.&lt;HIDDEN&gt;.stack-labs.com/ &lt;HTML&gt;&lt;HEAD&gt;&lt;meta http-equiv<span class="o">=</span><span class="s2">"content-type"</span> <span class="nv">content</span><span class="o">=</span><span class="s2">"text/html;charset=utf-8"</span><span class="o">&gt;</span> &lt;TITLE&gt;301 Moved&lt;/TITLE&gt;&lt;/HEAD&gt;&lt;BODY&gt; &lt;H1&gt;301 Moved&lt;/H1&gt; The document has moved &lt;A <span class="nv">HREF</span><span class="o">=</span><span class="s2">"https://wordpress.&lt;HIDDEN&gt;.stack-labs.com/"</span><span class="o">&gt;</span>here&lt;/A&gt;. &lt;/BODY&gt;&lt;/HTML&gt; </code></pre> </div> <p>Ok then!</p> <h1> Conclusion </h1> <p>Congratulations! You have completed this long workshop. In this series we have:</p> <ul> <li>Created an isolated network to host our Cloud SQL instance</li> <li>Configured an Google Kubernetes Engine Autopilot cluster with fine-grained access control to Cloud SQL instance</li> <li>Tested the connectivity between a Kubernetes container and a Cloud SQL instance database.</li> <li>Secured the access to the Wordpress application</li> </ul> <p>That's it!</p> <h1> Clean </h1> <p>Remove the NEG resources. You will find them in <code>Compute Engine &gt; Network Endpoint Group</code>.</p> <p>Run the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy gcloud dns record-sets transaction remove <span class="si">$(</span>gcloud compute addresses list <span class="nt">--filter</span><span class="o">=</span><span class="nv">name</span><span class="o">=</span>wordpress <span class="nt">--format</span><span class="o">=</span><span class="s2">"value(ADDRESS)"</span><span class="si">)</span> <span class="nt">--name</span><span class="o">=</span>wordpress.<span class="nv">$PUBLIC_DNS_NAME</span><span class="nb">.</span> <span class="nt">--ttl</span><span class="o">=</span>300 <span class="nt">--type</span><span class="o">=</span>A <span class="nt">--zone</span><span class="o">=</span><span class="nv">$PUBLIC_DNS_ZONE_NAME</span> gcloud dns record-sets transaction execute <span class="nt">--zone</span><span class="o">=</span><span class="nv">$PUBLIC_DNS_ZONE_NAME</span> gcloud compute addresses delete wordpress gcloud secrets delete wordpress-admin-user-password </code></pre> </div> <h1> Final Words </h1> <p><a href="https://gitlab.com/Chabane87/securing-the-connectivity-between-gke-and-cloud-sql" rel="noopener noreferrer">The source code is available on Gitlab</a>.</p> <p>If you have any questions or feedback, please feel free to leave a comment.</p> <p>Otherwise, I hope I have helped you answer some of the hard questions about connecting GKE Autopilot to Cloud SQL and providing a pod level defense in depth security strategy at both the networking and authentication layers.</p> <p>By the way, do not hesitate to share with peers 😊</p> <p>Thanks for reading!</p> <h1> Documentation </h1> <p>[1] <a href="https://cloud.google.com/iap/docs/enabling-kubernetes-howto" rel="noopener noreferrer">https://cloud.google.com/iap/docs/enabling-kubernetes-howto</a><br> [2] <a href="https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip" rel="noopener noreferrer">https://cloud.google.com/kubernetes-engine/docs/tutorials/configuring-domain-name-static-ip</a><br> [3] <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features" rel="noopener noreferrer">https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features</a><br> [4] <a href="https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs" rel="noopener noreferrer">https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs</a></p> googlecloud kubernetes terraform mysql Chabane R. Wed, 23 Jun 2021 12:07:29 +0000 https://forem.com/stack-labs/securing-sensitive-data-in-cloud-sql-23hg https://forem.com/stack-labs/securing-sensitive-data-in-cloud-sql-23hg <p>In the <a href="https://dev.to/stack-labs/creating-a-google-kubernetes-engine-autopilot-cluster-using-terraform-1l22">previous part</a> we created our GKE Autopilot cluster. In this part we will configure the Cloud SQL Instance.</p> <p>The following resources will be created:</p> <ul> <li>A highly available private Cloud SQL MySQL Instance</li> <li>A database and a user</li> <li>An automatic internal IP range for private connection</li> <li>A private connection to GCP services</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffgba1px5olb9on4tplm6.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffgba1px5olb9on4tplm6.png" alt="Cloud SQL" width="800" height="405"></a></p> <h1> Cloud SQL </h1> <ul> <li>The Cloud SQL Instance used is a MySQL database server </li> <li>The <code>Multiples zones</code> option is enabled to ensure high-availability</li> <li>The Instance is not publicly accessible and it's reachable only using its private IP</li> <li>The authentication is done via IAM</li> <li>Automated backup is enabled</li> <li>We create a database and a user for later</li> </ul> <p>Create a terraform file <code>infra/plan/cloud-sql.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"random_string"</span> <span class="s2">"db_name_suffix"</span> <span class="p">{</span> <span class="nx">length</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">special</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">upper</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_sql_database_instance"</span> <span class="s2">"mysql"</span> <span class="p">{</span> <span class="c1"># Instance info</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"mysql-private-</span><span class="k">${</span><span class="nx">random_string</span><span class="p">.</span><span class="nx">db_name_suffix</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">database_version</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">mysql_database_version</span> <span class="nx">settings</span> <span class="p">{</span> <span class="c1"># Region and zonal availability</span> <span class="nx">availability_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">mysql_availability_type</span> <span class="nx">location_preference</span> <span class="p">{</span> <span class="nx">zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">mysql_location_preference</span> <span class="p">}</span> <span class="c1"># Machine Type</span> <span class="nx">tier</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">mysql_machine_type</span> <span class="c1"># Storage</span> <span class="nx">disk_size</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">mysql_default_disk_size</span> <span class="c1"># Connections</span> <span class="nx">ip_configuration</span> <span class="p">{</span> <span class="nx">ipv4_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">private_network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># Backups</span> <span class="nx">backup_configuration</span> <span class="p">{</span> <span class="nx">binary_log_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">start_time</span> <span class="p">=</span> <span class="s2">"06:00"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">google_service_networking_connection</span><span class="p">.</span><span class="nx">private-vpc-connection</span> <span class="p">]</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"google_secret_manager_secret_version"</span> <span class="s2">"wordpress-admin-user-password"</span> <span class="p">{</span> <span class="nx">secret</span> <span class="p">=</span> <span class="s2">"wordpress-admin-user-password"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_sql_database"</span> <span class="s2">"wordpress"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"wordpress"</span> <span class="nx">instance</span> <span class="p">=</span> <span class="nx">google_sql_database_instance</span><span class="p">.</span><span class="nx">mysql</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_sql_user"</span> <span class="s2">"wordpress"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"wordpress"</span> <span class="nx">instance</span> <span class="p">=</span> <span class="nx">google_sql_database_instance</span><span class="p">.</span><span class="nx">mysql</span><span class="p">.</span><span class="nx">name</span> <span class="nx">password</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">google_secret_manager_secret_version</span><span class="p">.</span><span class="nx">wordpress-admin-user-password</span><span class="p">.</span><span class="nx">secret_data</span> <span class="p">}</span> </code></pre> </div> <p>Add the following outputs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"cloud-sql-connection-name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">google_sql_database_instance</span><span class="p">.</span><span class="nx">mysql</span><span class="p">.</span><span class="nx">connection_name</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"cloud-sql-instance-name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"mysql-private-</span><span class="k">${</span><span class="nx">random_string</span><span class="p">.</span><span class="nx">db_name_suffix</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> </code></pre> </div> <h2> Private connection </h2> <p>We need to configure private services access to allocate an IP address range and create a private service connection. This will allow resources in the Web subnet to connect to the Cloud SQL instance.</p> <p>Complete the file <code>infra/plan/vpc.tf</code> with the following resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_compute_global_address"</span> <span class="s2">"private-ip-peering"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"google-managed-services-custom"</span> <span class="nx">purpose</span> <span class="p">=</span> <span class="s2">"VPC_PEERING"</span> <span class="nx">address_type</span> <span class="p">=</span> <span class="s2">"INTERNAL"</span> <span class="nx">prefix_length</span> <span class="p">=</span> <span class="mi">24</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_service_networking_connection"</span> <span class="s2">"private-vpc-connection"</span> <span class="p">{</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">id</span> <span class="nx">service</span> <span class="p">=</span> <span class="s2">"servicenetworking.googleapis.com"</span> <span class="nx">reserved_peering_ranges</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">google_compute_global_address</span><span class="p">.</span><span class="nx">private-ip-peering</span><span class="p">.</span><span class="nx">name</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Complete the file <code>infra/plan/variable.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"europe-west1"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"mysql_location_preference"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"europe-west1-b"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"mysql_machine_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"db-n1-standard-2"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"mysql_database_version"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"MYSQL_8_0"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"mysql_default_disk_size"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"100"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"mysql_availability_type"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"REGIONAL"</span> <span class="p">}</span> </code></pre> </div> <p>Before applying the changes, we need to create the secret of the user password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gcloud services <span class="nb">enable </span>secretmanager.googleapis.com <span class="nt">--project</span> <span class="nv">$PROJECT_ID</span> gcloud beta secrets create wordpress-admin-user-password <span class="nt">--locations</span> <span class="nv">$REGION</span> <span class="nt">--replication-policy</span> user-managed <span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"changeme"</span> | gcloud beta secrets versions add wordpress-admin-user-password <span class="nt">--data-file</span><span class="o">=</span>- </code></pre> </div> <p>Let's deploy our Cloud SQL instance<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/plan gcloud services <span class="nb">enable </span>sqladmin.googleapis.com <span class="nt">--project</span> <span class="nv">$PROJECT_ID</span> terraform apply </code></pre> </div> <p>Let's check if all the resources have been created and are working correctly:</p> <p>Cloud SQL instance</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgn657kl2amg849voshft.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgn657kl2amg849voshft.png" alt="Cloud SQL Overview" width="800" height="409"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnwl71aoyobx06g3s3y7h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnwl71aoyobx06g3s3y7h.png" alt="Cloud SQL Connection" width="800" height="740"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ieb6o439ijjl7xe5d7q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ieb6o439ijjl7xe5d7q.png" alt="Cloud SQL User" width="800" height="395"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2cm8z5d774d8b765tlo9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2cm8z5d774d8b765tlo9.png" alt="Cloud SQL Database" width="800" height="395"></a></p> <p>Peering connection</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcmfnl2zcso7w3kyc3h2l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcmfnl2zcso7w3kyc3h2l.png" alt="Peering connection" width="800" height="476"></a></p> <p>Private connection</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbzqwrnnel4649dnzfpnr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbzqwrnnel4649dnzfpnr.png" alt="Allocated IP ranges for services" width="800" height="207"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feom3xqwjknmkdfszlq2p.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feom3xqwjknmkdfszlq2p.png" alt="Private connection to services" width="800" height="197"></a></p> <h1> Conclusion </h1> <p>Our Cloud SQL instance is now available. In the <a href="https://dev.to/stack-labs/securing-the-connectivity-between-a-gke-application-and-a-cloud-sql-database-4d6b">last part</a>, we'll establish a connection between a container deployed in GKE cluster and a database created in an Cloud SQL instance.</p> googlecloud cloudsql terraform mysql Chabane R. Wed, 23 Jun 2021 09:29:01 +0000 https://forem.com/stack-labs/creating-a-google-kubernetes-engine-autopilot-cluster-using-terraform-1l22 https://forem.com/stack-labs/creating-a-google-kubernetes-engine-autopilot-cluster-using-terraform-1l22 <p>In the <a href="https://dev.to/stack-labs/configuring-an-isolated-network-in-google-cloud-5cib">previous part</a> we created our network stack. In this part we will configure the GKE Autopilot cluster.</p> <p>The following resources will be created:</p> <ul> <li>GKE Autopilot Cluster </li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fspfjljzha4zfxddqquo7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fspfjljzha4zfxddqquo7.png" alt="GKE autopilot" width="800" height="599"></a></p> <h1> GKE Autopilot Cluster </h1> <p>Our GKE Autopilot Cluster is hosted in the Web subnet. The public API server endpoint can only be accessed from a specific range of IP addresses.</p> <p>Create the terraform file <code>infra/plan/gke.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_container_cluster"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="k">provider</span> <span class="p">=</span> <span class="nx">google-beta</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">location</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">name</span> <span class="nx">subnetwork</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">id</span> <span class="nx">private_cluster_config</span> <span class="p">{</span> <span class="nx">enable_private_endpoint</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">enable_private_nodes</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">master_ipv4_cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">gke_master_ipv4_cidr_block</span> <span class="p">}</span> <span class="nx">master_authorized_networks_config</span> <span class="p">{</span> <span class="nx">dynamic</span> <span class="s2">"cidr_blocks"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">authorized_source_ranges</span> <span class="nx">content</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">cidr_blocks</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">maintenance_policy</span> <span class="p">{</span> <span class="nx">recurring_window</span> <span class="p">{</span> <span class="nx">start_time</span> <span class="p">=</span> <span class="s2">"2021-06-18T00:00:00Z"</span> <span class="nx">end_time</span> <span class="p">=</span> <span class="s2">"2050-01-01T04:00:00Z"</span> <span class="nx">recurrence</span> <span class="p">=</span> <span class="s2">"FREQ=WEEKLY"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Enable Autopilot for this cluster</span> <span class="nx">enable_autopilot</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Configuration of cluster IP allocation for VPC-native clusters</span> <span class="nx">ip_allocation_policy</span> <span class="p">{</span> <span class="nx">cluster_secondary_range_name</span> <span class="p">=</span> <span class="s2">"pods"</span> <span class="nx">services_secondary_range_name</span> <span class="p">=</span> <span class="s2">"services"</span> <span class="p">}</span> <span class="c1"># Configuration options for the Release channel feature, which provide more control over automatic upgrades of your GKE clusters.</span> <span class="nx">release_channel</span> <span class="p">{</span> <span class="nx">channel</span> <span class="p">=</span> <span class="s2">"REGULAR"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Complete the file <code>infra/plan/variable.tf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"gke_master_ipv4_cidr_block"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"172.23.0.0/28"</span> <span class="p">}</span> </code></pre> </div> <p>Let's deploy our cluster<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/plan gcloud services <span class="nb">enable </span>container.googleapis.com <span class="nt">--project</span> <span class="nv">$PROJECT_ID</span> terraform apply </code></pre> </div> <p>Let's check if the cluster has been created and is working correctly:</p> <p>GKE Autopilot cluster</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mmkyw49jcfd7dfwx5cq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mmkyw49jcfd7dfwx5cq.png" alt="Cluster basics" width="800" height="498"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1loocxelilxwr8pflak0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1loocxelilxwr8pflak0.png" alt="Automation" width="800" height="277"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhb72ootiyxocpnw5foof.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhb72ootiyxocpnw5foof.png" alt="Networking" width="800" height="655"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffn2dwv45vsnuz40pd6vi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffn2dwv45vsnuz40pd6vi.png" alt="Security" width="800" height="413"></a><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs5ajj1t3n1vx6fvdj86j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs5ajj1t3n1vx6fvdj86j.png" alt="Metadata &amp; Features" width="800" height="542"></a></p> <h1> Conclusion </h1> <p>Our GKE cluster is now active. In the <a href="https://dev.to/stack-labs/securing-sensitive-data-in-cloud-sql-23hg">next part</a>, we will focus on setting up the Cloud SQL instance.</p> googlecloud kubernetes terraform Chabane R. Wed, 23 Jun 2021 08:54:36 +0000 https://forem.com/stack-labs/configuring-an-isolated-network-in-google-cloud-5cib https://forem.com/stack-labs/configuring-an-isolated-network-in-google-cloud-5cib <p>In the <a href="https://dev.to/stack-labs/designing-a-defense-in-depth-network-security-model-between-gke-autopilot-and-cloud-sql-187d">first part</a> we introduced the security patterns that could be implemented to secure the connectivity between Google Kubernetes Engine and Cloud SQL. In this part we will implement the network isolation by deploying the following GCP resources:</p> <ul> <li>VPC with 2 subnets <ul> <li>1 web subnet for GKE.</li> <li>1 data subnet.</li> </ul> </li> <li>Cloud NAT attached to the web subnet.</li> <li>Firewall rules to restrict access to subnets to only authorized networks.</li> </ul> <blockquote> <p>It is recommended to group similar applications into fewer, more manageable and larger subnets.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgdtn3ync0z8mpvpaxbkj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgdtn3ync0z8mpvpaxbkj.png" alt="VPC isolated network" width="800" height="597"></a></p> <blockquote> <p>If you have multiples GKE clusters per environment, Google Cloud recommends to use <a href="https://cloud.google.com/vpc/docs/shared-vpc" rel="noopener noreferrer">Shared VPC</a> to reduce management and topology complexity.</p> </blockquote> <h1> VPC </h1> <p>Let's start with the <code>Virtual Private Cloud</code>. </p> <p>Create a terraform file <code>infra/plan/vpc.tf</code>:</p> <ul> <li>A simple VPC resource</li> <li>The web subnet. It will host our Google Kubernetes Engine</li> <li>The data subnet. It could host your Cloud Dataflow jobs, Cloud Composer environments, etc. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_compute_network"</span> <span class="s2">"custom"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"custom"</span> <span class="nx">auto_create_subnetworks</span> <span class="p">=</span> <span class="s2">"false"</span> <span class="nx">routing_mode</span> <span class="p">=</span> <span class="s2">"GLOBAL"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"web"</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="s2">"10.10.10.0/24"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">id</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">secondary_ip_range</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">range_name</span> <span class="p">=</span> <span class="s2">"services"</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="s2">"10.10.11.0/24"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">range_name</span> <span class="p">=</span> <span class="s2">"pods"</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="s2">"10.1.0.0/20"</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">private_ip_google_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_subnetwork"</span> <span class="s2">"data"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"data"</span> <span class="nx">ip_cidr_range</span> <span class="p">=</span> <span class="s2">"10.20.10.0/24"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">id</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="nx">private_ip_google_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <h1> Cloud NAT </h1> <p>In order to allow our web subnet used by GKE to access the internet, we need to create a Cloud NAT. We associate Cloud NAT with the subnet using Cloud Router.</p> <p>Create a terraform file <code>infra/plan/nat.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_compute_address"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"web"</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_router"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"web"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_router_nat"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"web"</span> <span class="nx">router</span> <span class="p">=</span> <span class="nx">google_compute_router</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">name</span> <span class="nx">nat_ip_allocate_option</span> <span class="p">=</span> <span class="s2">"MANUAL_ONLY"</span> <span class="nx">nat_ips</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">google_compute_address</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">self_link</span> <span class="p">]</span> <span class="nx">source_subnetwork_ip_ranges_to_nat</span> <span class="p">=</span> <span class="s2">"LIST_OF_SUBNETWORKS"</span> <span class="nx">subnetwork</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">google_compute_subnetwork</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">id</span> <span class="nx">source_ip_ranges_to_nat</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ALL_IP_RANGES"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">google_compute_address</span><span class="p">.</span><span class="nx">web</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h1> Firewall </h1> <p>Firewall allows us to restrict the inbound and outbound network traffic to and from a VM instance, a network tag or a service account. In our case, we can implement the following rules:</p> <ul> <li>A rule to restrict access to the Cloud SQL MySQL instance port to only GKE nodes.</li> <li>A rule to restrict network access to only authorized networks.</li> </ul> <p>Create a terraform file <code>infra/plan/firewall.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"mysql"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"allow-only-gke-cluster"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">name</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"3306"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.10.10.0/24"</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"google_compute_firewall"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"allow-only-authorized-networks"</span> <span class="nx">network</span> <span class="p">=</span> <span class="nx">google_compute_network</span><span class="p">.</span><span class="nx">custom</span><span class="p">.</span><span class="nx">name</span> <span class="nx">allow</span> <span class="p">{</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="p">}</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">source_ranges</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">authorized_source_ranges</span> <span class="p">}</span> </code></pre> </div> <p>Let's configure our terraform.</p> <p>Create a terraform file <code>infra/plan/variable.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"europe-west1"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"authorized_source_ranges"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Addresses or CIDR blocks which are allowed to connect to GKE API Server."</span> <span class="p">}</span> </code></pre> </div> <p>Add a <code>infra/plan/version.tf</code> file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">google</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/google"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"3.71.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Add a <code>infra/plan/provider.tf</code> file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"google"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"europe-west1"</span> <span class="p">}</span> </code></pre> </div> <p>And a <code>infra/plan/backend.tf</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"gcs"</span> <span class="p">{</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now, export the following variables and create a bucket to save your terraform states.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">PROJECT_ID</span><span class="o">=</span>&lt;PROJECT_ID&gt; <span class="nb">export </span><span class="nv">REGION</span><span class="o">=</span>&lt;REGION&gt; <span class="nb">export </span><span class="nv">TERRAFORM_BUCKET_NAME</span><span class="o">=</span>&lt;BUCKET_NAME&gt; gcloud config <span class="nb">set </span>project <span class="k">${</span><span class="nv">PROJECT_ID</span><span class="k">}</span> gsutil mb <span class="nt">-c</span> standard <span class="nt">-l</span> <span class="k">${</span><span class="nv">REGION</span><span class="k">}</span> gs://<span class="k">${</span><span class="nv">TERRAFORM_BUCKET_NAME</span><span class="k">}</span> gsutil versioning <span class="nb">set </span>on gs://<span class="k">${</span><span class="nv">TERRAFORM_BUCKET_NAME</span><span class="k">}</span> </code></pre> </div> <p>Create a <code>infra/plan/terraform.tfvars</code> and deploy the infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>authorized_source_ranges <span class="o">=</span> <span class="o">[</span><span class="s2">"&lt;AUTHORIZED_NETWORK&gt;"</span><span class="o">]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>infra/plan <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s,&lt;AUTHORIZED_NETWORK&gt;,</span><span class="nv">$AUTHORIZED_NETWORK</span><span class="s2">,g"</span> terraform.tfvars terraform init <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"bucket=</span><span class="k">${</span><span class="nv">TERRAFORM_BUCKET_NAME</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"prefix=state"</span> terraform apply </code></pre> </div> <p>Let's check if all the resources have been created and are working correctly</p> <p>VPC &amp; Subnets</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdssddjvca0chr9ch6lvm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdssddjvca0chr9ch6lvm.png" alt="VPC &amp; Subnets" width="800" height="484"></a></p> <p>Cloud NAT</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F439grkh3b2kpg4ein5vy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F439grkh3b2kpg4ein5vy.png" alt="Cloud NAT" width="800" height="919"></a></p> <p>Firewalls</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6esgcjxqflsiixhaytxl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6esgcjxqflsiixhaytxl.png" alt="Firewall rules" width="800" height="99"></a></p> <h1> Conclusion </h1> <p>Our network is now ready to host our GCP resources. In the <a href="https://dev.to/stack-labs/creating-a-google-kubernetes-engine-autopilot-cluster-using-terraform-1l22">next part</a>, we will focus on setting up GKE Autopilot.</p> googlecloud terraform networking Chabane R. Tue, 15 Jun 2021 14:57:28 +0000 https://forem.com/stack-labs/designing-a-defense-in-depth-network-security-model-between-gke-autopilot-and-cloud-sql-187d https://forem.com/stack-labs/designing-a-defense-in-depth-network-security-model-between-gke-autopilot-and-cloud-sql-187d <p>It is very easy today to establish a connection between a container in Kubernetes and a relational database server, just create a SQL user and open a TCP connection. In cloud computing, in the case of Google Cloud Platform, the equivalent is connecting a container in a Google Kubernetes Engineer cluster to a Cloud SQL instance.</p> <p>Important points should be taken into account in setting up this connectivity.</p> <p>Which network topology to choose? How to authenticate and authorize the connection to the Cloud SQL instance? Can I publicly expose a private Cloud SQL instance?</p> <p>Which architecture could be the most efficient, maintainable and scalable?</p> <h1> Scenarios </h1> <p>Cloud SQL supports the following scenarios for accessing a DB instance in a VPC:</p> <ul> <li>A Compute Engine instance in the same VPC</li> <li>A Compute Engine in a different VPC</li> <li>A client application through the internet</li> <li>A private network</li> </ul> <p>The scenarios that concern us are the first two:</p> <ul> <li>GKE and Cloud SQL in the same VPC.</li> <li>GKE and Cloud SQL in different VPCs.</li> </ul> <p>In the first one, there is a direct communication between Kubernetes workloads and Cloud SQL instances.</p> <p>In the second scenario, if private communication is required, a VPN connection between the two VPCs must be established.</p> <p>Let's discover the possible architectures that could be used to implement each scenario.</p> <h2> Direct communication with public IP and authorized networks </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffyvq4o5j1wywm4nlc162.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffyvq4o5j1wywm4nlc162.png" alt="GKE and Cloud SQL Direction communication with public IP and authorized networks" width="800" height="490"></a></p> <p>In this architecture [2], our Cloud SQL instance is isolated on its own subnet and accessible through public IP address to only GKE Autopilot that requires access to it. Pods have access to Cloud SQL using Cloud SQL Proxy.</p> <h2> Direct communication with private IP </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft0m48ps5dkky49g4rmrj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft0m48ps5dkky49g4rmrj.png" alt="GKE and Cloud SQL Direction communication with private IP" width="800" height="410"></a></p> <p>In this architecture [3], our Cloud SQL instance is isolated on its own subnet and accessible with a private IP to only GKE Autopilot that requires access to it. Pods have access to Cloud SQL using Cloud SQL Proxy.</p> <h2> Communication using VPN </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnaa9h524xhhdryj2monk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnaa9h524xhhdryj2monk.png" alt="GKE and Cloud SQL Communication using VPN" width="800" height="415"></a></p> <p>In this architecture, our Cloud SQL instance is isolated on its own VPC. The two VPCs communicate using Cloud VPN. Pods have access to Cloud SQL using Cloud SQL Proxy.</p> <p>Each architecture has its own advantages and disadvantages but all apply network isolation best practices for securing sensitive data in Cloud SQL.</p> <p>Let's explore scenario 2.</p> <h1> Scenario 2 in detail </h1> <p>In the scenario 2 architecture, the network isolation is achieved using <a href="https://cloud.google.com/vpc/docs/private-services-access" rel="noopener noreferrer">Private services access</a>. We can go more deeply using <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity" rel="noopener noreferrer">GKE Workload Identity</a> add-on to provide a pod level defense in depth security strategy at both the networking and authentication layers.</p> <ul> <li>We associate a Google Service Account with a Kubernetes service account. This service account can then provide IAM permissions to the containers in any pod that uses that service account. </li> <li>Network policies to define rules that allow inbound and outbound network traffic to and from pods.</li> </ul> <p>We could implement the same security pattern with the scenario of Cloud VPN.</p> <p>Now that we have a clear idea of the concepts, let's implement this architecture.</p> <h1> Prerequisites </h1> <ul> <li>Download, install, and configure the <a href="https://cloud.google.com/sdk" rel="noopener noreferrer">Google Cloud SDK</a>.</li> <li><a href="https://www.terraform.io/downloads.html" rel="noopener noreferrer">Terraform</a></li> <li><a href="https://kubernetes.io/docs/tasks/tools/" rel="noopener noreferrer">Kubectl</a></li> </ul> <h1> Architecture </h1> <p>The overall architecture that we will implement during this series of articles is as follows:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbzoq93d85vdlxc7jb578.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbzoq93d85vdlxc7jb578.png" alt="Alt Text" width="800" height="417"></a></p> <h1> Objectives </h1> <p>During this section of the workshop:</p> <p>With Terraform</p> <ul> <li>We will create a VPC with 2 subnets <ul> <li>web subnet for GKE Autopilot.</li> <li>data subnet for the Cloud SQL instance.</li> </ul> </li> <li>NAT gateway attached to web subnet, but not on data subnet as Cloud SQL doesn't need to access the public internet.</li> <li>GKE Autopilot.</li> <li>A highly available Cloud SQL MySQL Instance.</li> </ul> <p>With Kubectl</p> <ul> <li>We will create an annotated Kubernetes service account with Google Service Account that has the necessary permission to connect to the Cloud SQL instance.</li> <li> <a href="https://cloud.google.com/sql/docs/mysql/sql-proxy" rel="noopener noreferrer">Cloud SQL proxy</a>.</li> <li>A Web application. A Kubernetes deployment to connect with our MySQL database with: <ul> <li>A <a href="https://cloud.google.com/kubernetes-engine/docs/concepts/ingress" rel="noopener noreferrer">GKE ingress</a>, to create an external HTTPS Load balancer</li> <li>A <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs" rel="noopener noreferrer">managed SSL certificate</a>.</li> <li>A backend config with <a href="https://cloud.google.com/iap/docs/enabling-kubernetes-howto" rel="noopener noreferrer">IAP</a> and Cloud Armor <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#cloud_armor" rel="noopener noreferrer">security policy</a> enabled.</li> <li>A <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#https_redirect" rel="noopener noreferrer">frontend config</a> to redirect http requests to https.</li> </ul> </li> </ul> <p>The series is divided into five parts:</p> <ul> <li>Configuring an isolated network in Google Cloud</li> <li>Creating a GKE Autopilot cluster using Terraform</li> <li>Securing sensitive data in Cloud SQL</li> <li>Securing the connectivity between a GKE application and a Cloud SQL database</li> </ul> <h1> Conclusion </h1> <p>In this first part, we discussed possible scenarios for securing communication between GKE workloads and Cloud SQL databases. In the <a href="https://dev.to/stack-labs/configuring-an-isolated-network-in-google-cloud-5cib">next section</a>, we'll implement our network stack using Terraform.</p> <h1> Documentation </h1> <p>[1] <a href="https://medium.com/google-cloud/cloud-sql-with-private-ip-only-the-good-the-bad-and-the-ugly-de4ac23ce98a" rel="noopener noreferrer">https://medium.com/google-cloud/cloud-sql-with-private-ip-only-the-good-the-bad-and-the-ugly-de4ac23ce98a</a><br> [2] <a href="https://cloud.google.com/sql/docs/mysql/configure-ip" rel="noopener noreferrer">https://cloud.google.com/sql/docs/mysql/configure-ip</a><br> [3] <a href="https://cloud.google.com/sql/docs/mysql/private-ip" rel="noopener noreferrer">https://cloud.google.com/sql/docs/mysql/private-ip</a></p> googlecloud kubernetes terraform Chabane R. Mon, 03 May 2021 08:50:40 +0000 https://forem.com/stack-labs/deploying-production-ready-gitlab-on-amazon-eks-with-terraform-3coh https://forem.com/stack-labs/deploying-production-ready-gitlab-on-amazon-eks-with-terraform-3coh <p><a href="https://about.gitlab.com/" rel="noopener noreferrer">Gitlab</a> is an open DevOps platform. You can use the SaaS version where there is no technical setup required or you can download, install and maintain your own GitLab self-managed, on your own infrastructure or in the public cloud environment. <a href="https://about.gitlab.com/handbook/marketing/strategic-marketing/dot-com-vs-self-managed/" rel="noopener noreferrer">See the key differences between GitLab SaaS &amp; self-managed</a></p> <p>In this blog post we will choose the GitLab self-managed version and deploy the instance using <a href="https://docs.gitlab.com/charts/" rel="noopener noreferrer">the official Helm chart</a>. This chart is the recommended, and supported method to install GitLab on a cloud native environment.</p> <blockquote> <p>The <code>gitlab/gitlab</code> chart is the best way to operate GitLab on Kubernetes. This chart contains all the required components to get started, and can scale to large deployments.</p> </blockquote> <p>By default, the helm chart deploys all components on Kubernetes. In a cloud native environment, to be production ready, we need to use cloud provided solution to outsource the dependencies.</p> <ul> <li>PostgreSQL on Amazon RDS,</li> <li>Redis on Amazon Elasticache,</li> <li>Object storages with Amazon S3,</li> <li>Use an external volume for Gitaly.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbfoes12ivkz4tzhtbqt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbfoes12ivkz4tzhtbqt.png" alt="Alt Text" width="800" height="437"></a></p> <h1> Prerequisites </h1> <ul> <li> <a href="https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html" rel="noopener noreferrer">Installing</a> and <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html" rel="noopener noreferrer">configuring</a> AWS CLI</li> <li><a href="https://www.terraform.io/downloads.html" rel="noopener noreferrer">Terraform</a></li> <li><a href="https://kubernetes.io/docs/tasks/tools/" rel="noopener noreferrer">Kubectl</a></li> <li><a href="https://helm.sh/docs/intro/install/" rel="noopener noreferrer">Helm cli</a></li> <li>Create a public hosted zone in Route 53. <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html" rel="noopener noreferrer">See tutorial</a> </li> <li>Request a public certificate with AWS Certificate Manager. <a href="https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html" rel="noopener noreferrer">See tutorial</a> </li> </ul> <h1> Network </h1> <p>In this section, we create a VPC, 2 private and public subnets, 2 NAT Gateways and an internet gateway.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcwfdp5onxz4um6i6ix0g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcwfdp5onxz4um6i6ix0g.png" alt="Alt Text" width="800" height="652"></a></p> <p>plan/vpc.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"devops"</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">vpc_cidr_block</span> <span class="nx">instance_tenancy</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="nx">enable_dns_support</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">enable_dns_hostnames</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"devops"</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">tags</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_default_security_group"</span> <span class="s2">"defaul"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>plan/subnet.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">private_nested_config</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">subnet</span> <span class="p">}</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_block</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">az</span><span class="p">[</span><span class="nx">index</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">private_nested_config</span><span class="p">,</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">)]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"devops"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">tags</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_subnet"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">public_nested_config</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">subnet</span> <span class="p">}</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">cidr_block</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">az</span><span class="p">[</span><span class="nx">index</span><span class="p">(</span><span class="kd">local</span><span class="p">.</span><span class="nx">public_nested_config</span><span class="p">,</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">)]</span> <span class="nx">map_public_ip_on_launch</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"devops"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span> <span class="s2">"kubernetes.io/role/elb"</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">tags</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>plan/nat.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eip"</span> <span class="s2">"nat"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">public_nested_config</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">subnet</span> <span class="p">}</span> <span class="nx">vpc</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"eip-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_nat_gateway"</span> <span class="s2">"nat-gw"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">public_nested_config</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">subnet</span> <span class="p">}</span> <span class="nx">allocation_id</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="p">].</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="p">].</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"nat-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">public_nested_config</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">subnet</span> <span class="p">}</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">nat_gateway_id</span> <span class="p">=</span> <span class="nx">aws_nat_gateway</span><span class="p">.</span><span class="nx">nat-gw</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"rt-</span><span class="k">${</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">private_nested_config</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">subnet</span> <span class="p">}</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">private</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">associated_public_subnet</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>plan/igw.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_internet_gateway"</span> <span class="s2">"igw"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"igw-security"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">route</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="nx">gateway_id</span> <span class="p">=</span> <span class="nx">aws_internet_gateway</span><span class="p">.</span><span class="nx">igw</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"rt-public-security"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route_table_association"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">subnet</span> <span class="nx">in</span> <span class="kd">local</span><span class="p">.</span><span class="nx">public_nested_config</span> <span class="err">:</span> <span class="nx">subnet</span><span class="p">.</span><span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">subnet</span> <span class="p">}</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">name</span><span class="p">].</span><span class="nx">id</span> <span class="nx">route_table_id</span> <span class="p">=</span> <span class="nx">aws_route_table</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h1> Amazon EKS </h1> <p>In this section we create our Kubernetes cluster with the following settings:</p> <ul> <li>restrict access to a specific IP (it could be your office range IPs) and to the NAT gateways IPs (to use gitlab runners)</li> <li>enable all logs</li> <li>enable <a href="https://docs.aws.amazon.com/fr_fr/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-enable-IAM.html" rel="noopener noreferrer">IAM roles for service accounts</a> </li> <li>security groups for the cluster</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglrh0k1ladwmtfjf1fjv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fglrh0k1ladwmtfjf1fjv.png" alt="Alt Text" width="800" height="659"></a></p> <p>plan/eks-cluster.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eks_cluster"</span> <span class="s2">"devops"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">eks_cluster_name</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.18"</span> <span class="nx">vpc_config</span> <span class="p">{</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_cluster</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">endpoint_private_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">endpoint_public_access</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">public_access_cidrs</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">([</span><span class="kd">var</span><span class="p">.</span><span class="nx">authorized_source_ranges</span><span class="p">],</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">n</span> <span class="nx">in</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat</span> <span class="err">:</span> <span class="s2">"</span><span class="k">${</span><span class="nx">n</span><span class="p">.</span><span class="nx">public_ip</span><span class="k">}</span><span class="s2">/32"</span><span class="p">])</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">([</span><span class="nx">for</span> <span class="nx">s</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span> <span class="err">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">id</span><span class="p">],</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">s</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span> <span class="err">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">id</span><span class="p">])</span> <span class="p">}</span> <span class="nx">enabled_cluster_log_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"api"</span><span class="p">,</span> <span class="s2">"audit"</span><span class="p">,</span> <span class="s2">"authenticator"</span><span class="p">,</span> <span class="s2">"controllerManager"</span><span class="p">,</span> <span class="s2">"scheduler"</span><span class="p">]</span> <span class="c1"># Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.</span> <span class="c1"># Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">eks-AmazonEKSClusterPolicy</span><span class="p">,</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">eks-AmazonEKSVPCResourceController</span><span class="p">,</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">eks-AmazonEKSServicePolicy</span> <span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">eks_cluster_name</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "eks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } </span><span class="no"> EOF </span><span class="p">}</span> <span class="k">data</span> <span class="s2">"tls_certificate"</span> <span class="s2">"cert"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"openid"</span> <span class="p">{</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts.amazonaws.com"</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="k">data</span><span class="p">.</span><span class="nx">tls_certificate</span><span class="p">.</span><span class="nx">cert</span><span class="p">.</span><span class="nx">certificates</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">sha1_fingerprint</span><span class="p">]</span> <span class="nx">url</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">identity</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">oidc</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">issuer</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks-AmazonEKSClusterPolicy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks-AmazonEKSServicePolicy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSServicePolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1"># Enable Security Groups for Pods</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"eks-AmazonEKSVPCResourceController"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"eks_cluster"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">eks_cluster_name</span><span class="k">}</span><span class="s2">/ControlPlaneSecurityGroup"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Communication between the control plane and worker nodegroups"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">eks_cluster_name</span><span class="k">}</span><span class="s2">/ControlPlaneSecurityGroup"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"cluster_inbound"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow unmanaged nodes to communicate with control plane (all ports)"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">vpc_config</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cluster_security_group_id</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">eks_nodes</span><span class="p">.</span><span class="nx">id</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="p">}</span> </code></pre> </div> <p>Here we create two nodegroups, one private and one public.</p> <p>plan/eks-nodegroup.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eks_node_group"</span> <span class="s2">"private"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">name</span> <span class="nx">node_group_name</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">node_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node-group</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">s</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span> <span class="err">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"type"</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="p">}</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"m5.xlarge"</span><span class="p">]</span> <span class="nx">scaling_config</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="p">}</span> <span class="c1"># Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.</span> <span class="c1"># Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">node-group-AmazonEKSWorkerNodePolicy</span><span class="p">,</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">node-group-AmazonEKS_CNI_Policy</span><span class="p">,</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">node-group-AmazonEC2ContainerRegistryReadOnly</span> <span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_eks_node_group"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">name</span> <span class="nx">node_group_name</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="nx">node_role_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node-group</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">s</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">public</span> <span class="err">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"type"</span> <span class="p">=</span> <span class="s2">"public"</span> <span class="p">}</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.medium"</span><span class="p">]</span> <span class="nx">scaling_config</span> <span class="p">{</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">node-group-AmazonEKSWorkerNodePolicy</span><span class="p">,</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">node-group-AmazonEKS_CNI_Policy</span><span class="p">,</span> <span class="nx">aws_iam_role_policy_attachment</span><span class="p">.</span><span class="nx">node-group-AmazonEC2ContainerRegistryReadOnly</span><span class="p">,</span> <span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"node-group"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"eks-node-group-role-devops"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"sts:AssumeRole"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Principal</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Service</span> <span class="p">=</span> <span class="s2">"ec2.amazonaws.com"</span> <span class="p">}</span> <span class="p">}]</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"node-group-AmazonEKSWorkerNodePolicy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node-group</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"node-group-AmazonEKS_CNI_Policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node-group</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"node-group-AmazonEC2ContainerRegistryReadOnly"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node-group</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"node-group-ClusterAutoscalerPolicy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"eks-cluster-auto-scaler"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node-group</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"autoscaling:DescribeAutoScalingGroups"</span><span class="p">,</span> <span class="s2">"autoscaling:DescribeAutoScalingInstances"</span><span class="p">,</span> <span class="s2">"autoscaling:DescribeLaunchConfigurations"</span><span class="p">,</span> <span class="s2">"autoscaling:DescribeTags"</span><span class="p">,</span> <span class="s2">"autoscaling:SetDesiredCapacity"</span><span class="p">,</span> <span class="s2">"autoscaling:TerminateInstanceInAutoScalingGroup"</span> <span class="p">]</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"node-group-AmazonEKS_EBS_CSI_DriverPolicy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AmazonEKS_EBS_CSI_Driver_Policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">node-group</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:AttachVolume"</span><span class="p">,</span> <span class="s2">"ec2:CreateSnapshot"</span><span class="p">,</span> <span class="s2">"ec2:CreateTags"</span><span class="p">,</span> <span class="s2">"ec2:CreateVolume"</span><span class="p">,</span> <span class="s2">"ec2:DeleteSnapshot"</span><span class="p">,</span> <span class="s2">"ec2:DeleteTags"</span><span class="p">,</span> <span class="s2">"ec2:DeleteVolume"</span><span class="p">,</span> <span class="s2">"ec2:DescribeAvailabilityZones"</span><span class="p">,</span> <span class="s2">"ec2:DescribeInstances"</span><span class="p">,</span> <span class="s2">"ec2:DescribeSnapshots"</span><span class="p">,</span> <span class="s2">"ec2:DescribeTags"</span><span class="p">,</span> <span class="s2">"ec2:DescribeVolumes"</span><span class="p">,</span> <span class="s2">"ec2:DescribeVolumesModifications"</span><span class="p">,</span> <span class="s2">"ec2:DetachVolume"</span><span class="p">,</span> <span class="s2">"ec2:ModifyVolume"</span> <span class="p">]</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"ebs-csi-controller"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AmazonEKS_EBS_CSI_DriverRole"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="s2">"Version"</span><span class="err">:</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="s2">"Statement"</span><span class="err">:</span> <span class="p">[</span> <span class="p">{</span> <span class="s2">"Effect"</span><span class="err">:</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="s2">"Principal"</span><span class="err">:</span> <span class="p">{</span> <span class="s2">"Federated"</span><span class="err">:</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">openid</span><span class="p">.</span><span class="nx">arn</span> <span class="p">},</span> <span class="s2">"Action"</span><span class="err">:</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span> <span class="s2">"Condition"</span><span class="err">:</span> <span class="p">{</span> <span class="s2">"StringEquals"</span><span class="err">:</span> <span class="p">{</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">openid</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">:sub"</span><span class="err">:</span> <span class="s2">"system:serviceaccount:kube-system:ebs-csi-controller-sa"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"eks_nodes"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">eks_cluster_name</span><span class="k">}</span><span class="s2">/ClusterSharedNodeSecurityGroup"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Communication between all nodes in the cluster"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">self</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">vpc_config</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cluster_security_group_id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">eks_cluster_name</span><span class="k">}</span><span class="s2">/ClusterSharedNodeSecurityGroup"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h1> Gitlab </h1> <p>Let's start by outsourcing object storages.</p> <h2> External object storage </h2> <p>GitLab relies on object storage for highly-available persistent data in Kubernetes. For production quality deployments, Gitlab recommends using a hosted object storage like Amazon S3. [1]</p> <p>In the following terraform we outsource:</p> <ul> <li>Docker registry images,</li> <li>Long file storage, artifacts, uploads, packages, external pseudonymizer,</li> <li>Backups.</li> </ul> <p>plan/s3.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"gitlab"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab.</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_dns_name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="s2">"300"</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="k">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">gitlab-webservice</span><span class="p">.</span><span class="nx">status</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">ingress</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">hostname</span><span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">helm_release</span><span class="p">.</span><span class="nx">gitlab</span><span class="p">,</span> <span class="k">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">gitlab-webservice</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"gitlab-registry"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">-gitlab-registry"</span> <span class="nx">acl</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">server_side_encryption_configuration</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Gitlab Registry"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"gitlab-runner-cache"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">-runner-cache"</span> <span class="nx">acl</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">server_side_encryption_configuration</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Gitlab Runner Cache"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"gitlab-backups"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">-gitlab-backups"</span> <span class="nx">acl</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">server_side_encryption_configuration</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Gitlab Backups"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"gitlab-pseudo"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">-gitlab-pseudo"</span> <span class="nx">acl</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">server_side_encryption_configuration</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Gitlab Pseudo"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"git-lfs"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">-git-lfs"</span> <span class="nx">acl</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">server_side_encryption_configuration</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Git Large File Storage"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"gitlab-artifacts"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">-gitlab-artifacts"</span> <span class="nx">acl</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">server_side_encryption_configuration</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Gitlab Artifacts"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"gitlab-uploads"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">-gitlab-uploads"</span> <span class="nx">acl</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">server_side_encryption_configuration</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Gitlab Uploads"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"gitlab-packages"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${data</span><span class="p">.</span><span class="nx">aws_caller_identity</span><span class="p">.</span><span class="nx">current</span><span class="p">.</span><span class="nx">account_id</span><span class="k">}</span><span class="s2">-</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">region</span><span class="k">}</span><span class="s2">-gitlab-packages"</span> <span class="nx">acl</span> <span class="p">=</span> <span class="s2">"private"</span> <span class="nx">server_side_encryption_configuration</span> <span class="p">{</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">apply_server_side_encryption_by_default</span> <span class="p">{</span> <span class="nx">sse_algorithm</span> <span class="p">=</span> <span class="s2">"AES256"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"Gitlab Packages"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>We used <code>Server-Side Encryption</code> with <code>Amazon S3-Managed Keys (SSE-S3)</code>. You can easily replace this encryption by <code>Server-Side Encryption</code> with <code>Customer Master Keys (CMKs)</code> Stored in <code>AWS Key Management Service (SSE-KMS)</code> [2]</p> </blockquote> <h3> IAM permissions </h3> <p>To authorize Gitlab to access the object storages, we need to create an IAM role.</p> <p>plan/iam.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"gitlab-access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab-access"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="s2">"Version"</span><span class="err">:</span> <span class="s2">"2012-10-17"</span><span class="p">,</span> <span class="s2">"Statement"</span><span class="err">:</span> <span class="p">[</span> <span class="p">{</span> <span class="s2">"Effect"</span><span class="err">:</span> <span class="s2">"Allow"</span><span class="p">,</span> <span class="s2">"Principal"</span><span class="err">:</span> <span class="p">{</span> <span class="s2">"Federated"</span><span class="err">:</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">openid</span><span class="p">.</span><span class="nx">arn</span> <span class="p">},</span> <span class="s2">"Action"</span><span class="err">:</span> <span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span> <span class="s2">"Condition"</span><span class="err">:</span> <span class="p">{</span> <span class="s2">"StringEquals"</span><span class="err">:</span> <span class="p">{</span> <span class="s2">"</span><span class="k">${</span><span class="nx">replace</span><span class="p">(</span><span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">openid</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="s2">"https://"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span><span class="k">}</span><span class="s2">:sub"</span><span class="err">:</span> <span class="s2">"system:serviceaccount:gitlab:aws-access"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"gitlab-access"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab-access"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">gitlab-access</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:ListBucket"</span><span class="p">,</span> <span class="s2">"s3:GetBucketLocation"</span><span class="p">,</span> <span class="s2">"s3:ListBucketMultipartUploads"</span> <span class="p">]</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-backups</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-registry</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-runner-cache</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-pseudo</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">git-lfs</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-artifacts</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-uploads</span><span class="p">.</span><span class="nx">arn</span><span class="p">,</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-packages</span><span class="p">.</span><span class="nx">arn</span> <span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"s3:PutObject"</span><span class="p">,</span> <span class="s2">"s3:GetObject"</span><span class="p">,</span> <span class="s2">"s3:DeleteObject"</span><span class="p">,</span> <span class="s2">"s3:ListMultipartUploadParts"</span><span class="p">,</span> <span class="s2">"s3:AbortMultipartUpload"</span> <span class="p">]</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-backups</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span><span class="p">,</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-registry</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span><span class="p">,</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-runner-cache</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span><span class="p">,</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-pseudo</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span><span class="p">,</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">git-lfs</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span><span class="p">,</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-artifacts</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span><span class="p">,</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-uploads</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span><span class="p">,</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">gitlab-packages</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">/*"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> External PostgreSQL database </h2> <p>PostgreSQL persists the GitLab database data. We create the RDS instance with two read replicas to load balance the traffic. We restrict incoming network traffic only from private subnets.</p> <p>plan/rds.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"random_string"</span> <span class="s2">"db_suffix"</span> <span class="p">{</span> <span class="nx">length</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">special</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">upper</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"random_password"</span> <span class="s2">"db_password"</span> <span class="p">{</span> <span class="nx">length</span> <span class="p">=</span> <span class="mi">12</span> <span class="nx">special</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">upper</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"gitlab-primary"</span> <span class="p">{</span> <span class="c1"># Engine options</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="s2">"12.5"</span> <span class="c1"># Settings</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlabhq_production"</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"gitlab-primary"</span> <span class="c1"># Credentials Settings</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="nx">password</span> <span class="p">=</span> <span class="s2">"p</span><span class="k">${</span><span class="nx">random_password</span><span class="p">.</span><span class="nx">db_password</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="c1"># DB instance size</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.m5.xlarge"</span> <span class="c1"># Storage</span> <span class="nx">storage_type</span> <span class="p">=</span> <span class="s2">"gp2"</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">max_allocated_storage</span> <span class="p">=</span> <span class="mi">2000</span> <span class="c1"># Availability &amp; durability</span> <span class="nx">multi_az</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Connectivity</span> <span class="nx">db_subnet_group_name</span> <span class="p">=</span> <span class="nx">aws_db_subnet_group</span><span class="p">.</span><span class="nx">sg</span><span class="p">.</span><span class="nx">id</span> <span class="nx">publicly_accessible</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rds_port</span> <span class="c1"># Database authentication</span> <span class="nx">iam_database_authentication_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Additional configuration</span> <span class="nx">parameter_group_name</span> <span class="p">=</span> <span class="s2">"default.postgres12"</span> <span class="c1"># Backup</span> <span class="nx">backup_retention_period</span> <span class="p">=</span> <span class="mi">14</span> <span class="nx">backup_window</span> <span class="p">=</span> <span class="s2">"03:00-04:00"</span> <span class="nx">final_snapshot_identifier</span> <span class="p">=</span> <span class="s2">"gitlab-postgresql-final-snapshot-</span><span class="k">${</span><span class="nx">random_string</span><span class="p">.</span><span class="nx">db_suffix</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="nx">delete_automated_backups</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Encryption</span> <span class="nx">storage_encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Maintenance</span> <span class="nx">auto_minor_version_upgrade</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">maintenance_window</span> <span class="p">=</span> <span class="s2">"Sat:00:00-Sat:02:00"</span> <span class="c1"># Deletion protection</span> <span class="nx">deletion_protection</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"gitlab-replica"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">2</span> <span class="c1"># Engine options</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"postgres"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="s2">"12.5"</span> <span class="c1"># Settings</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlabhq_production"</span> <span class="nx">identifier</span> <span class="p">=</span> <span class="s2">"gitlab-replica-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">"</span> <span class="nx">replicate_source_db</span> <span class="p">=</span> <span class="s2">"gitlab-primary"</span> <span class="nx">skip_final_snapshot</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">final_snapshot_identifier</span> <span class="p">=</span> <span class="kc">null</span> <span class="c1"># DB instance size</span> <span class="nx">instance_class</span> <span class="p">=</span> <span class="s2">"db.m5.xlarge"</span> <span class="c1"># Storage</span> <span class="nx">storage_type</span> <span class="p">=</span> <span class="s2">"gp2"</span> <span class="nx">allocated_storage</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">max_allocated_storage</span> <span class="p">=</span> <span class="mi">2000</span> <span class="nx">publicly_accessible</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">vpc_security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">sg</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rds_port</span> <span class="c1"># Database authentication</span> <span class="nx">iam_database_authentication_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="c1"># Additional configuration</span> <span class="nx">parameter_group_name</span> <span class="p">=</span> <span class="s2">"default.postgres12"</span> <span class="c1"># Encryption</span> <span class="nx">storage_encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Deletion protection</span> <span class="nx">deletion_protection</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_db_instance</span><span class="p">.</span><span class="nx">gitlab-primary</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_db_subnet_group"</span> <span class="s2">"sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">s</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span> <span class="err">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"sg"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow inbound/outbound traffic"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rds_port</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">rds_port</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">s</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span> <span class="err">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">]</span> <span class="p">}</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">65535</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">s</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span> <span class="err">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">cidr_block</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="s2">"core"</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Also here, you can encrypt the RDS instance with Amazon KMS [3]</p> </blockquote> <h2> External Redis </h2> <p>Redis persists GitLab job data. We use Amazon Elasticache to create the redis cluster. Only EKS worker nodegroups are authorized to access the redis nodes.</p> <p>plan/elasticache.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_elasticache_cluster"</span> <span class="s2">"gitlab"</span> <span class="p">{</span> <span class="nx">cluster_id</span> <span class="p">=</span> <span class="s2">"cluster-gitlab"</span> <span class="nx">engine</span> <span class="p">=</span> <span class="s2">"redis"</span> <span class="nx">node_type</span> <span class="p">=</span> <span class="s2">"cache.m4.xlarge"</span> <span class="nx">num_cache_nodes</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">parameter_group_name</span> <span class="p">=</span> <span class="s2">"default.redis3.2"</span> <span class="nx">engine_version</span> <span class="p">=</span> <span class="s2">"3.2.10"</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">6379</span> <span class="nx">subnet_group_name</span> <span class="p">=</span> <span class="nx">aws_elasticache_subnet_group</span><span class="p">.</span><span class="nx">gitlab</span><span class="p">.</span><span class="nx">name</span> <span class="nx">security_group_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">redis</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_elasticache_subnet_group"</span> <span class="s2">"gitlab"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab-cache-subnet"</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">s</span> <span class="nx">in</span> <span class="nx">aws_subnet</span><span class="p">.</span><span class="nx">private</span> <span class="err">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"redis"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ElasticacheRedisSecurityGroup"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Communication between the redis and eks worker nodegroups"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">id</span> <span class="nx">egress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"-1"</span> <span class="nx">cidr_blocks</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"0.0.0.0/0"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"ElasticacheRedisSecurityGroup"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"redis_inbound"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Allow eks nodes to communicate with Redis"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">6379</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">redis</span><span class="p">.</span><span class="nx">id</span> <span class="nx">source_security_group_id</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">vpc_config</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">cluster_security_group_id</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">6379</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="p">}</span> </code></pre> </div> <h2> External persistent volume </h2> <p><a href="https://docs.gitlab.com/ee/administration/gitaly/" rel="noopener noreferrer">Gitaly</a> persists the Git repositories and requires persistent storage, configured through persistent volumes that specify which disks the cluster has access to. </p> <blockquote> <p>Gitlab currently recommends using manual provisioning of persistent volumes. Amazon EKS clusters default to spanning multiple zones. Dynamic provisioning, if not configured to use a storage class locked to a particular zone leads to a scenario where pods may exist in a different zone from storage volumes and be unable to access data. [5]</p> </blockquote> <p>plan/ebs.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_ebs_volume"</span> <span class="s2">"gitaly"</span> <span class="p">{</span> <span class="nx">availability_zone</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">az</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="nx">size</span> <span class="p">=</span> <span class="mi">200</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"gp2"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"gitaly"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Also here, you can encrypt the EBS resource with Amazon KMS [4]</p> </blockquote> <p>We have completed creating the necessary AWS resources for Gitlab. We are now starting to create the Kubernetes resources.</p> <h2> Kubernetes resources </h2> <p>In this section we create:</p> <ul> <li> <code>gitlab</code> namespace,</li> <li> <code>aws-access</code> service account needed to access the S3 object storages,</li> <li> <code>gitlab-postgres</code> secret to store the db password,</li> <li> <code>s3-storage-credentials</code> and <code>s3-registry-storage-credentials</code> secrets to access the S3 object storages,</li> <li> <code>shell-secret</code> for gitlab shell,</li> <li>The storage class, persistent volume and the persistent volume claim used by gitaly.</li> </ul> <p>plan/k8s.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">esource</span> <span class="s2">"kubernetes_namespace"</span> <span class="s2">"gitlab"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_service_account"</span> <span class="s2">"gitlab"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"aws-access"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"app.kubernetes.io/name"</span> <span class="p">=</span> <span class="s2">"aws-access"</span> <span class="p">}</span> <span class="nx">annotations</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"eks.amazonaws.com/role-arn"</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">gitlab-access</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"gitlab-postgres"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab-postgres"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="p">}</span> <span class="k">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">psql-password</span> <span class="p">=</span> <span class="s2">"p</span><span class="k">${</span><span class="nx">random_password</span><span class="p">.</span><span class="nx">db_password</span><span class="p">.</span><span class="nx">result</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"s3-storage-credentials"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"s3-storage-credentials"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="p">}</span> <span class="k">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">connection</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">template_file</span><span class="p">.</span><span class="nx">rails-s3-yaml</span><span class="p">.</span><span class="nx">rendered</span> <span class="p">}</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"template_file"</span> <span class="s2">"rails-s3-yaml"</span> <span class="p">{</span> <span class="nx">template</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> provider: AWS region: ${var.region} </span><span class="no"> EOF </span><span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"s3-registry-storage-credentials"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"s3-registry-storage-credentials"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="p">}</span> <span class="k">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">config</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">template_file</span><span class="p">.</span><span class="nx">registry-s3-yaml</span><span class="p">.</span><span class="nx">rendered</span> <span class="p">}</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"template_file"</span> <span class="s2">"registry-s3-yaml"</span> <span class="p">{</span> <span class="nx">template</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> s3: bucket: ${aws_s3_bucket.gitlab-registry.id} region: ${var.region} v4auth: true </span><span class="no">EOF </span><span class="p">}</span> <span class="k">resource</span> <span class="s2">"random_password"</span> <span class="s2">"shell-secret"</span> <span class="p">{</span> <span class="nx">length</span> <span class="p">=</span> <span class="mi">12</span> <span class="nx">special</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">upper</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_secret"</span> <span class="s2">"shell-secret"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"shell-secret"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="p">}</span> <span class="k">data</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">random_password</span><span class="p">.</span><span class="nx">shell-secret</span><span class="p">.</span><span class="nx">result</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_persistent_volume"</span> <span class="s2">"gitaly"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitaly-pv"</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">capacity</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">storage</span> <span class="p">=</span> <span class="s2">"200Gi"</span> <span class="p">}</span> <span class="nx">access_modes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ReadWriteOnce"</span><span class="p">]</span> <span class="nx">storage_class_name</span> <span class="p">=</span> <span class="s2">"ebs-gp2"</span> <span class="nx">persistent_volume_source</span> <span class="p">{</span> <span class="nx">aws_elastic_block_store</span> <span class="p">{</span> <span class="nx">fs_type</span> <span class="p">=</span> <span class="s2">"ext4"</span> <span class="nx">volume_id</span> <span class="p">=</span> <span class="nx">aws_ebs_volume</span><span class="p">.</span><span class="nx">gitaly</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_persistent_volume_claim"</span> <span class="s2">"gitaly"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"repo-data-gitlab-gitaly-0"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">access_modes</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"ReadWriteOnce"</span><span class="p">]</span> <span class="nx">storage_class_name</span> <span class="p">=</span> <span class="s2">"ebs-gp2"</span> <span class="nx">resources</span> <span class="p">{</span> <span class="nx">requests</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">storage</span> <span class="p">=</span> <span class="s2">"200Gi"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">volume_name</span> <span class="p">=</span> <span class="nx">kubernetes_persistent_volume</span><span class="p">.</span><span class="nx">gitaly</span><span class="p">.</span><span class="nx">metadata</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"kubernetes_storage_class"</span> <span class="s2">"gitaly"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ebs-gp2"</span> <span class="p">}</span> <span class="nx">storage_provisioner</span> <span class="p">=</span> <span class="s2">"kubernetes.io/aws-ebs"</span> <span class="nx">reclaim_policy</span> <span class="p">=</span> <span class="s2">"Retain"</span> <span class="nx">parameters</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"gp2"</span> <span class="p">}</span> <span class="nx">allowed_topologies</span> <span class="p">{</span> <span class="nx">match_label_expressions</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"failure-domain.beta.kubernetes.io/zone"</span> <span class="nx">values</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">az</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Helm </h2> <p>We finish by configuring the helm chart.</p> <p>plan/gitlab.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"template_file"</span> <span class="s2">"gitlab-values"</span> <span class="p">{</span> <span class="nx">template</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> # Values for gitlab/gitlab chart on EKS global: serviceAccount: enabled: true create: false name: aws-access platform: eksRoleArn: ${aws_iam_role.gitlab-access.arn} nodeSelector: eks.amazonaws.com/nodegroup: private shell: authToken: secret: ${kubernetes_secret.shell-secret.metadata.0.name} key: password edition: ce hosts: domain: ${var.public_dns_name} https: true gitlab: name: gitlab.${var.public_dns_name} https: true ssh: ~ ## doc/charts/globals.md#configure-ingress-settings ingress: tls: enabled: false ## doc/charts/globals.md#configure-postgresql-settings psql: password: secret: ${kubernetes_secret.gitlab-postgres.metadata.0.name} key: psql-password host: ${aws_db_instance.gitlab-primary.address} port: ${var.rds_port} username: gitlab database: gitlabhq_production load_balancing: hosts: - ${aws_db_instance.gitlab-replica[0].address} - ${aws_db_instance.gitlab-replica[1].address} redis: password: enabled: false host: ${aws_elasticache_cluster.gitlab.cache_nodes[0].address} ## doc/charts/globals.md#configure-minio-settings minio: enabled: false ## doc/charts/globals.md#configure-appconfig-settings ## Rails based portions of this chart share many settings appConfig: ## doc/charts/globals.md#general-application-settings enableUsagePing: false ## doc/charts/globals.md#lfs-artifacts-uploads-packages backups: bucket: ${aws_s3_bucket.gitlab-backups.id} lfs: bucket: ${aws_s3_bucket.git-lfs.id} connection: secret: ${kubernetes_secret.s3-storage-credentials.metadata.0.name} key: connection artifacts: bucket: ${aws_s3_bucket.gitlab-artifacts.id} connection: secret: ${kubernetes_secret.s3-storage-credentials.metadata.0.name} key: connection uploads: bucket: ${aws_s3_bucket.gitlab-uploads.id} connection: secret: ${kubernetes_secret.s3-storage-credentials.metadata.0.name} key: connection packages: bucket: ${aws_s3_bucket.gitlab-packages.id} connection: secret: ${kubernetes_secret.s3-storage-credentials.metadata.0.name} key: connection ## doc/charts/globals.md#pseudonymizer-settings pseudonymizer: bucket: ${aws_s3_bucket.gitlab-pseudo.id} connection: secret: ${kubernetes_secret.s3-storage-credentials.metadata.0.name} key: connection nginx-ingress: controller: config: use-forwarded-headers: "true" service: annotations: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600" service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${var.acm_gitlab_arn} service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https targetPorts: https: http # the ELB will send HTTP to 443 certmanager-issuer: email: ${var.certmanager_issuer_email} prometheus: install: false redis: install: false # https://docs.gitlab.com/ee/ci/runners/#configuring-runners-in-gitlab gitlab-runner: install: false gitlab: gitaly: persistence: volumeName: ${kubernetes_persistent_volume_claim.gitaly.metadata.0.name} nodeSelector: topology.kubernetes.io/zone: ${var.az[0]} task-runner: backups: objectStorage: backend: s3 config: secret: ${kubernetes_secret.s3-storage-credentials.metadata.0.name} key: connection annotations: eks.amazonaws.com/role-arn: ${aws_iam_role.gitlab-access.arn} webservice: annotations: eks.amazonaws.com/role-arn: ${aws_iam_role.gitlab-access.arn} sidekiq: annotations: eks.amazonaws.com/role-arn: ${aws_iam_role.gitlab-access.arn} migrations: # Migrations pod must point directly to PostgreSQL primary psql: password: secret: ${kubernetes_secret.gitlab-postgres.metadata.0.name} key: psql-password host: ${aws_db_instance.gitlab-primary.address} port: ${var.rds_port} postgresql: install: false gitlab-runner: install: true rbac: create: true runners: locked: false registry: enabled: true annotations: eks.amazonaws.com/role-arn: aws_iam_role.gitlab-access.arn storage: secret: ${kubernetes_secret.s3-registry-storage-credentials.metadata.0.name} key: config </span><span class="no"> EOF </span><span class="p">}</span> <span class="k">resource</span> <span class="s2">"helm_release"</span> <span class="s2">"gitlab"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="nx">timeout</span> <span class="p">=</span> <span class="mi">600</span> <span class="nx">chart</span> <span class="p">=</span> <span class="s2">"gitlab/gitlab"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"4.11.3"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="k">data</span><span class="p">.</span><span class="nx">template_file</span><span class="p">.</span><span class="nx">gitlab-values</span><span class="p">.</span><span class="nx">rendered</span><span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">aws_eks_node_group</span><span class="p">.</span><span class="nx">private</span><span class="p">,</span> <span class="nx">aws_eks_node_group</span><span class="p">.</span><span class="nx">public</span><span class="p">,</span> <span class="nx">aws_db_instance</span><span class="p">.</span><span class="nx">gitlab-primary</span><span class="p">,</span> <span class="nx">aws_db_instance</span><span class="p">.</span><span class="nx">gitlab-replica</span><span class="p">,</span> <span class="nx">aws_elasticache_cluster</span><span class="p">.</span><span class="nx">gitlab</span><span class="p">,</span> <span class="nx">aws_iam_role_policy</span><span class="p">.</span><span class="nx">gitlab-access</span><span class="p">,</span> <span class="nx">kubernetes_namespace</span><span class="p">.</span><span class="nx">gitlab</span><span class="p">,</span> <span class="nx">kubernetes_secret</span><span class="p">.</span><span class="nx">gitlab-postgres</span><span class="p">,</span> <span class="nx">kubernetes_secret</span><span class="p">.</span><span class="nx">s3-storage-credentials</span><span class="p">,</span> <span class="nx">kubernetes_secret</span><span class="p">.</span><span class="nx">s3-registry-storage-credentials</span><span class="p">,</span> <span class="nx">kubernetes_persistent_volume_claim</span><span class="p">.</span><span class="nx">gitaly</span> <span class="p">]</span> <span class="p">}</span> <span class="k">data</span> <span class="s2">"kubernetes_service"</span> <span class="s2">"gitlab-webservice"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab-nginx-ingress-controller"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"gitlab"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">helm_release</span><span class="p">.</span><span class="nx">gitlab</span> <span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_route53_record"</span> <span class="s2">"gitlab"</span> <span class="p">{</span> <span class="nx">zone_id</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_route53_zone</span><span class="p">.</span><span class="nx">public</span><span class="p">.</span><span class="nx">zone_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"gitlab.</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_dns_name</span><span class="k">}</span><span class="s2">"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"CNAME"</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="s2">"300"</span> <span class="nx">records</span> <span class="p">=</span> <span class="p">[</span><span class="k">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">gitlab-webservice</span><span class="p">.</span><span class="nx">status</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">load_balancer</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">ingress</span><span class="p">.</span><span class="mi">0</span><span class="p">.</span><span class="nx">hostname</span><span class="p">]</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">helm_release</span><span class="p">.</span><span class="nx">gitlab</span><span class="p">,</span> <span class="k">data</span><span class="p">.</span><span class="nx">kubernetes_service</span><span class="p">.</span><span class="nx">gitlab-webservice</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h1> Deployment </h1> <p>We've finished creating our terraform files, let's get ready for deployment!</p> <p>plan/main.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="k">data</span> <span class="s2">"aws_route53_zone"</span> <span class="s2">"public"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">public_dns_name</span><span class="k">}</span><span class="s2">."</span> <span class="p">}</span> </code></pre> </div> <p>plan/output.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">output</span> <span class="s2">"eks-endpoint"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">endpoint</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"kubeconfig-certificate-authority-data"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">certificate_authority</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="k">data</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"eks_issuer_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">openid</span><span class="p">.</span><span class="nx">url</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"nat1_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat</span><span class="p">[</span><span class="s2">"public-devops-1"</span><span class="p">].</span><span class="nx">public_ip</span> <span class="p">}</span> <span class="k">output</span> <span class="s2">"nat2_ip"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_eip</span><span class="p">.</span><span class="nx">nat</span><span class="p">[</span><span class="s2">"public-devops-2"</span><span class="p">].</span><span class="nx">public_ip</span> <span class="p">}</span> </code></pre> </div> <p>plan/variables.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"region"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"az"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eu-west-1a"</span><span class="p">,</span> <span class="s2">"eu-west-1b"</span><span class="p">]</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"certmanager_issuer_email"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"vpc_cidr_block"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"eks_cluster_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"devops"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"rds_port"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">5432</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"acm_gitlab_arn"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"private_network_config"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">associated_public_subnet</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"private-devops-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/23"</span> <span class="nx">associated_public_subnet</span> <span class="p">=</span> <span class="s2">"public-devops-1"</span> <span class="p">},</span> <span class="s2">"private-devops-2"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.2.0/23"</span> <span class="nx">associated_public_subnet</span> <span class="p">=</span> <span class="s2">"public-devops-2"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">private_nested_config</span> <span class="p">=</span> <span class="nx">flatten</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">config</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">private_network_config</span> <span class="err">:</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">name</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">config</span><span class="p">.</span><span class="nx">cidr_block</span> <span class="nx">associated_public_subnet</span> <span class="p">=</span> <span class="nx">config</span><span class="p">.</span><span class="nx">associated_public_subnet</span> <span class="p">}</span> <span class="p">]</span> <span class="p">])</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"public_network_config"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"public-devops-1"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.8.0/23"</span> <span class="p">},</span> <span class="s2">"public-devops-2"</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.10.0/23"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">public_nested_config</span> <span class="p">=</span> <span class="nx">flatten</span><span class="p">([</span> <span class="nx">for</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">config</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">public_network_config</span> <span class="err">:</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">name</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="nx">config</span><span class="p">.</span><span class="nx">cidr_block</span> <span class="p">}</span> <span class="p">]</span> <span class="p">])</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"public_dns_name"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"authorized_source_ranges"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Addresses or CIDR blocks which are allowed to connect to the Gitlab IP address. The default behavior is to allow anyone (0.0.0.0/0) access. You should restrict access to external IPs that need to access the Gitlab cluster."</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"0.0.0.0/0"</span> <span class="p">}</span> </code></pre> </div> <p>plan/backend.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>plan/versions.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 0.13"</span> <span class="p">}</span> </code></pre> </div> <p>plan/provider.tf<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">region</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">certificate_authority</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="k">data</span> <span class="p">)</span> <span class="nx">exec</span> <span class="p">{</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"client.authentication.k8s.io/v1alpha1"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks"</span><span class="p">,</span> <span class="s2">"get-token"</span><span class="p">,</span> <span class="s2">"--cluster-name"</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">eks_cluster_name</span><span class="p">]</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="p">}</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"helm"</span> <span class="p">{</span> <span class="nx">kubernetes</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span> <span class="nx">aws_eks_cluster</span><span class="p">.</span><span class="nx">devops</span><span class="p">.</span><span class="nx">certificate_authority</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="k">data</span> <span class="p">)</span> <span class="nx">exec</span> <span class="p">{</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"client.authentication.k8s.io/v1alpha1"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks"</span><span class="p">,</span> <span class="s2">"get-token"</span><span class="p">,</span> <span class="s2">"--cluster-name"</span><span class="p">,</span> <span class="kd">var</span><span class="p">.</span><span class="nx">eks_cluster_name</span><span class="p">]</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>plan/terraform.tfvars<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">az</span> <span class="err">=</span> <span class="p">[</span><span class="s2">"&lt;AWS_REGION&gt;a"</span><span class="p">,</span> <span class="s2">"&lt;AWS_REGION&gt;b"</span><span class="p">,</span> <span class="s2">"&lt;AWS_REGION&gt;c"</span><span class="p">]</span> <span class="nx">region</span> <span class="err">=</span> <span class="s2">"&lt;AWS_REGION&gt;"</span> <span class="nx">acm_gitlab_arn</span> <span class="err">=</span> <span class="s2">"&lt;ACM_GITLAB_ARN&gt;"</span> <span class="nx">vpc_cidr_block</span> <span class="err">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">public_dns_name</span> <span class="err">=</span> <span class="s2">"&lt;PUBLIC_DNS_NAME&gt;"</span> <span class="nx">authorized_source_ranges</span> <span class="err">=</span> <span class="s2">"&lt;LOCAL_IP_RANGES&gt;"</span> <span class="nx">certmanager_issuer_email</span> <span class="err">=</span> <span class="s2">"&lt;CERTMANAGER_ISSUER_EMAIL&gt;"</span> </code></pre> </div> <p>Initialize AWS devops infrastructure. The states will be saved in AWS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">AWS_PROFILE</span><span class="o">=</span>&lt;MY_PROFILE&gt; <span class="nb">export </span><span class="nv">AWS_ACCOUNT_ID</span><span class="o">=</span><span class="si">$(</span>aws sts get-caller-identity <span class="nt">--query</span> Account <span class="nt">--output</span> text<span class="si">)</span> <span class="nb">export </span><span class="nv">AWS_REGION</span><span class="o">=</span>eu-west-1 <span class="nb">export </span><span class="nv">EKS_CLUSTER_NAME</span><span class="o">=</span><span class="s2">"devops"</span> <span class="nb">export </span><span class="nv">R53_HOSTED_ZONE_ID</span><span class="o">=</span>&lt;R53_HOSTED_ZONE_ID&gt; <span class="nb">export </span><span class="nv">ACM_GITLAB_ARN</span><span class="o">=</span>&lt;ACM_GITLAB_ARN&gt; <span class="nb">export </span><span class="nv">CERTMANAGER_ISSUER_EMAIL</span><span class="o">=</span>&lt;CERTMANAGER_ISSUER_EMAIL&gt; <span class="nb">export </span><span class="nv">PUBLIC_DNS_NAME</span><span class="o">=</span>&lt;PUBLIC_DNS_NAME&gt; <span class="nb">export </span><span class="nv">TERRAFORM_BUCKET_NAME</span><span class="o">=</span>bucket-<span class="k">${</span><span class="nv">AWS_ACCOUNT_ID</span><span class="k">}</span>-<span class="k">${</span><span class="nv">AWS_REGION</span><span class="k">}</span><span class="nt">-terraform-backend</span> <span class="c"># Create bucket</span> aws s3api create-bucket <span class="se">\</span> <span class="nt">--bucket</span> <span class="nv">$TERRAFORM_BUCKET_NAME</span> <span class="se">\</span> <span class="nt">--region</span> <span class="nv">$AWS_REGION</span> <span class="se">\</span> <span class="nt">--create-bucket-configuration</span> <span class="nv">LocationConstraint</span><span class="o">=</span><span class="nv">$AWS_REGION</span> <span class="c"># Make it not public </span> aws s3api put-public-access-block <span class="se">\</span> <span class="nt">--bucket</span> <span class="nv">$TERRAFORM_BUCKET_NAME</span> <span class="se">\</span> <span class="nt">--public-access-block-configuration</span> <span class="s2">"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"</span> <span class="c"># Enable versioning</span> aws s3api put-bucket-versioning <span class="se">\</span> <span class="nt">--bucket</span> <span class="nv">$TERRAFORM_BUCKET_NAME</span> <span class="se">\</span> <span class="nt">--versioning-configuration</span> <span class="nv">Status</span><span class="o">=</span>Enabled <span class="nb">cd </span>plan terraform init <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"bucket=</span><span class="nv">$TERRAFORM_BUCKET_NAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"key=devops/gitlab/terraform-state"</span> <span class="se">\</span> <span class="nt">-backend-config</span><span class="o">=</span><span class="s2">"region=</span><span class="nv">$AWS_REGION</span><span class="s2">"</span> </code></pre> </div> <p>Complete <code>plan/terraform.tfvars</code> and run<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/&lt;LOCAL_IP_RANGES&gt;/</span><span class="si">$(</span>curl <span class="nt">-s</span> http://checkip.amazonaws.com/<span class="si">)</span><span class="se">\/</span><span class="s2">32/g; s/&lt;PUBLIC_DNS_NAME&gt;/</span><span class="k">${</span><span class="nv">PUBLIC_DNS_NAME</span><span class="k">}</span><span class="s2">/g; s/&lt;AWS_ACCOUNT_ID&gt;/</span><span class="k">${</span><span class="nv">AWS_ACCOUNT_ID</span><span class="k">}</span><span class="s2">/g; s/&lt;AWS_REGION&gt;/</span><span class="k">${</span><span class="nv">AWS_REGION</span><span class="k">}</span><span class="s2">/g; s/&lt;EKS_CLUSTER_NAME&gt;/</span><span class="k">${</span><span class="nv">EKS_CLUSTER_NAME</span><span class="k">}</span><span class="s2">/g; s,&lt;ACM_GITLAB_ARN&gt;,</span><span class="k">${</span><span class="nv">ACM_GITLAB_ARN</span><span class="k">}</span><span class="s2">,g; s/&lt;CERTMANAGER_ISSUER_EMAIL&gt;/</span><span class="k">${</span><span class="nv">CERTMANAGER_ISSUER_EMAIL</span><span class="k">}</span><span class="s2">/g;"</span> terraform.tfvars terraform apply </code></pre> </div> <p>Access the EKS Cluster using<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws eks <span class="nt">--region</span> <span class="nv">$AWS_REGION</span> update-kubeconfig <span class="nt">--name</span> <span class="nv">$EKS_CLUSTER_NAME</span> </code></pre> </div> <p>To deploy the Amazon EBS CSI driver, run one of the following commands based on your AWS Region:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-k</span> <span class="s2">"github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=master"</span> </code></pre> </div> <p>Annotate the ebs-csi-controller-sa Kubernetes service account with the ARN of the IAM role that you created in terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl annotate serviceaccount ebs-csi-controller-sa <span class="se">\</span> <span class="nt">-n</span> kube-system <span class="se">\</span> eks.amazonaws.com/role-arn<span class="o">=</span>arn:aws:iam::<span class="nv">$AWS_ACCOUNT_ID</span>:role/AmazonEKS_EBS_CSI_DriverRole </code></pre> </div> <p>Delete the driver pods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete pods <span class="se">\</span> <span class="nt">-n</span> kube-system <span class="se">\</span> <span class="nt">-l</span><span class="o">=</span><span class="nv">app</span><span class="o">=</span>ebs-csi-controller </code></pre> </div> <blockquote> <p>Note: The driver pods are automatically redeployed with the IAM permissions from the IAM policy assigned to the role. For more information, see <a href="https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html" rel="noopener noreferrer">Amazon EBS CSI driver</a>.</p> </blockquote> <p>Check if all resources have been created properly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl config set-context <span class="nt">--current</span> <span class="nt">--namespace</span><span class="o">=</span>gitlab <span class="nv">$ </span>kubectl get all NAME READY STATUS RESTARTS AGE pod/gitlab-cainjector-67dbdcc896-trv82 1/1 Running 0 12m pod/gitlab-cert-manager-69bd6d746f-gllsw 1/1 Running 0 12m pod/gitlab-gitaly-0 1/1 Running 0 12m pod/gitlab-gitlab-exporter-7f84659548-pdgg7 1/1 Running 0 12m pod/gitlab-gitlab-runner-78f9779cc5-ln8jv 1/1 Running 3 12m pod/gitlab-gitlab-shell-79587877cf-k9cms 1/1 Running 0 12m pod/gitlab-gitlab-shell-79587877cf-sp7qd 1/1 Running 0 12m pod/gitlab-issuer-1-kmmlf 0/1 Completed 0 12m pod/gitlab-migrations-1-kzwbw 0/1 Completed 0 12m pod/gitlab-nginx-ingress-controller-d6cfd66cb-pwqw9 1/1 Running 0 12m pod/gitlab-nginx-ingress-controller-d6cfd66cb-q2vqs 1/1 Running 0 12m pod/gitlab-nginx-ingress-default-backend-658cc89589-tbn4f 1/1 Running 0 12m pod/gitlab-registry-86d9c8f9cd-m6f9b 1/1 Running 0 12m pod/gitlab-registry-86d9c8f9cd-t99dn 1/1 Running 0 12m pod/gitlab-sidekiq-all-in-1-v1-5c5dcd6dbb-k9mpr 1/1 Running 0 12m pod/gitlab-task-runner-5dff588987-z59k8 1/1 Running 0 12m pod/gitlab-webservice-default-79dc48bcd4-8zc7t 2/2 Running 0 12m pod/gitlab-webservice-default-79dc48bcd4-lq2j9 2/2 Running 0 12m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT<span class="o">(</span>S<span class="o">)</span> AGE service/gitlab-cert-manager ClusterIP 172.20.21.34 &lt;none&gt; 9402/TCP 12m service/gitlab-gitaly ClusterIP None &lt;none&gt; 8075/TCP,9236/TCP 12m service/gitlab-gitlab-exporter ClusterIP 172.20.183.92 &lt;none&gt; 9168/TCP 12m service/gitlab-gitlab-shell ClusterIP 172.20.207.85 &lt;none&gt; 22/TCP 12m service/gitlab-nginx-ingress-controller LoadBalancer 172.20.113.153 ae030366025b247398e8230174fbc4d3-1830148250.eu-west-1.elb.amazonaws.com 80:30698/TCP,443:31788/TCP,22:32155/TCP 12m service/gitlab-nginx-ingress-controller-metrics ClusterIP 172.20.82.7 &lt;none&gt; 9913/TCP 12m service/gitlab-nginx-ingress-default-backend ClusterIP 172.20.166.82 &lt;none&gt; 80/TCP 12m service/gitlab-registry ClusterIP 172.20.47.110 &lt;none&gt; 5000/TCP 12m service/gitlab-webservice-default ClusterIP 172.20.70.7 &lt;none&gt; 8080/TCP,8181/TCP 12m NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/gitlab-cainjector 1/1 1 1 13m deployment.apps/gitlab-cert-manager 1/1 1 1 13m deployment.apps/gitlab-gitlab-exporter 1/1 1 1 13m deployment.apps/gitlab-gitlab-runner 1/1 1 1 13m deployment.apps/gitlab-gitlab-shell 2/2 2 2 13m deployment.apps/gitlab-nginx-ingress-controller 2/2 2 2 13m deployment.apps/gitlab-nginx-ingress-default-backend 1/1 1 1 13m deployment.apps/gitlab-registry 2/2 2 2 13m deployment.apps/gitlab-sidekiq-all-in-1-v1 1/1 1 1 13m deployment.apps/gitlab-task-runner 1/1 1 1 13m deployment.apps/gitlab-webservice-default 2/2 2 2 13m NAME DESIRED CURRENT READY AGE replicaset.apps/gitlab-cainjector-67dbdcc896 1 1 1 13m replicaset.apps/gitlab-cert-manager-69bd6d746f 1 1 1 13m replicaset.apps/gitlab-gitlab-exporter-7f84659548 1 1 1 13m replicaset.apps/gitlab-gitlab-runner-78f9779cc5 1 1 1 13m replicaset.apps/gitlab-gitlab-shell-79587877cf 2 2 2 13m replicaset.apps/gitlab-nginx-ingress-controller-d6cfd66cb 2 2 2 13m replicaset.apps/gitlab-nginx-ingress-default-backend-658cc89589 1 1 1 13m replicaset.apps/gitlab-registry-86d9c8f9cd 2 2 2 13m replicaset.apps/gitlab-sidekiq-all-in-1-v1-5c5dcd6dbb 1 1 1 13m replicaset.apps/gitlab-task-runner-5dff588987 1 1 1 13m replicaset.apps/gitlab-webservice-default-79dc48bcd4 2 2 2 13m NAME READY AGE statefulset.apps/gitlab-gitaly 1/1 13m NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE horizontalpodautoscaler.autoscaling/gitlab-gitlab-shell Deployment/gitlab-gitlab-shell &lt;unknown&gt;/100m 2 10 2 13m horizontalpodautoscaler.autoscaling/gitlab-registry Deployment/gitlab-registry &lt;unknown&gt;/75% 2 10 2 13m horizontalpodautoscaler.autoscaling/gitlab-sidekiq-all-in-1-v1 Deployment/gitlab-sidekiq-all-in-1-v1 &lt;unknown&gt;/350m 1 10 1 13m horizontalpodautoscaler.autoscaling/gitlab-webservice-default Deployment/gitlab-webservice-default &lt;unknown&gt;/1 2 10 2 13m NAME COMPLETIONS DURATION AGE job.batch/gitlab-issuer-1 1/1 10s 13m job.batch/gitlab-migrations-1 1/1 3m1s 13m </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hharntquufeiyfpjzam.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hharntquufeiyfpjzam.png" alt="Alt Text" width="800" height="337"></a></p> <p>Connect to the Gitlab Web application with the <code>root</code> user and the initial root password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get secret gitlab-gitlab-initial-root-password <span class="se">\</span> <span class="nt">-o</span> go-template<span class="o">=</span><span class="s1">'{{.data.password}}'</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8mvzkb8w5cam6hducugv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8mvzkb8w5cam6hducugv.png" alt="Alt Text" width="800" height="304"></a></p> <p>That's it!</p> <p><a href="https://gitlab.com/Chabane87/article-gitlab-eks" rel="noopener noreferrer">The source code is available on Gitlab</a>.</p> <h1> Conclusion </h1> <p>We discovered in this article how to configure and deploy a production ready Gitlab on Amazon EKS.</p> <p>Hope you enjoyed reading this blog post.</p> <p>If you have any questions or feedback, please feel free to leave a comment.</p> <p>Thanks for reading!</p> <h1> Documentation </h1> <p>[1] <a href="https://docs.gitlab.com/charts/advanced/external-object-storage/#docker-registry-images" rel="noopener noreferrer">https://docs.gitlab.com/charts/advanced/external-object-storage/#docker-registry-images</a><br> [2] <a href="https://docs.gitlab.com/charts/advanced/external-object-storage/#s3-encryption" rel="noopener noreferrer">https://docs.gitlab.com/charts/advanced/external-object-storage/#s3-encryption</a><br> [3] <br> <a href="https://docs.aws.amazon.com/kms/latest/developerguide/services-rds.html" rel="noopener noreferrer">https://docs.aws.amazon.com/kms/latest/developerguide/services-rds.html</a><br> [4] <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html" rel="noopener noreferrer">https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html</a><br> [5] <a href="https://docs.gitlab.com/charts/installation/cloud/eks.html#persistent-volume-management" rel="noopener noreferrer">https://docs.gitlab.com/charts/installation/cloud/eks.html#persistent-volume-management</a></p> aws kubernetes gitlab terraform