Initial GCP deployment notes

create_gcp_env.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+# Create the Kubernetes cluster
+gcloud container clusters create invoicer --scopes "cloud-platform" --num-nodes 2 --zone us-east1
+
+# Create the database instance
+gcloud sql instances create invoicerdb --tier db-f1-micro --region us-east1 --database-version=POSTGRES_9_6
+gcloud sql databases create invoicer --instance=invoicerdb
+
+# Create a database user on the instance
+gcloud sql users create invoicerapp --instance=invoicerdb --password=cariboumaurice
+
+# Upload database user to kubernetes secret
+kubectl create secret generic cloudsql-db-credentials --from-literal=username=invoicerapp --from-literal=password=cariboumaurice
+
+# Create a service account
+gcloud iam service-accounts create invoicer
+
+# Grant editor role to service account
+gcloud projects add-iam-policy-binding ulfr-test20180906 --member serviceAccount:invoicer@ulfr-test20180906.iam.gserviceaccount.com --role roles/editor
+
+# Download service account key
+gcloud iam service-accounts keys create /tmp/invoicer-sa.json --iam-account invoicer@ulfr-test20180906.iam.gserviceaccount.com
+
+# Upload service account key to kubernetes secret
+kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=/tmp/invoicer-sa.json
+
+# Create the Kubernetes Workload
+kubectl create -f invoicer-gcp-kube.yaml
+
+# Expose the service
+kubectl apply -f invoicer-https-service.yaml
+
+# Get a cert from LE
+GANDIV5_API_KEY=************* lego -a --email="julien@securing-devops.com" --domains="invoicer-gcp.securing-devops.com" --dns="gandiv5" --key-type ec256 run
+
+# Upload letsencrypt certs to kubernetes secret
+kubectl create secret tls invoicer-tls --key .lego/certificates/invoicer-gcp.securing-devops.com.key --cert invoicer-gcp.securing-devops.com.crt
+
+# Create the HTTPS ingress
+kubectl apply -f invoicer-https-ingress.yaml

invoicer-gcp-kube.yaml

@@ -0,0 +1,60 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: invoicer
+  labels:
+    app: invoicer
+    tier: frontend
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: invoicer
+        tier: frontend
+    spec:
+      containers:
+      - name: invoicer-app
+        image: securingdevops/invoicer:latest
+        command: ["/app/invoicer"]
+        imagePullPolicy: Always
+        ports:
+        - name: http-server
+          containerPort: 8080
+        env:
+          - name: INVOICER_USE_POSTGRES
+            value: "true"
+          - name: INVOICER_POSTGRES_HOST
+            value: "127.0.0.1:5432"
+          - name: INVOICER_POSTGRES_DB
+            value: "invoicer"
+          - name: INVOICER_POSTGRES_SSLMODE
+            value: "disable"
+          - name: INVOICER_POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: cloudsql-db-credentials
+                key: username
+          - name: INVOICER_POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: cloudsql-db-credentials
+                key: password
+
+      # cloudsql to access the postgres database
+      - image: b.gcr.io/cloudsql-docker/gce-proxy:1.11
+        name: cloudsql-proxy
+        command: ["/cloud_sql_proxy",
+                  "-instances=ulfr-test20180906:us-east1:invoicerdb=tcp:5432",
+                  "-credential_file=/secrets/cloudsql/credentials.json"]
+        volumeMounts:
+          - name: cloudsql-instance-credentials
+            mountPath: /secrets/cloudsql
+            readOnly: true
+        securityContext:
+            runAsUser: 2  # non-root user
+            allowPrivilegeEscalation: false
+      volumes:
+        - name: cloudsql-instance-credentials
+          secret:
+            secretName: cloudsql-instance-credentials

invoicer-https-ingress.yaml

@@ -0,0 +1,10 @@
+kind: Ingress
+apiVersion: extensions/v1beta1
+metadata:
+  name: invoicer-https-ingress
+spec:
+  tls:
+  - secretName: invoicer-tls
+  backend:
+    serviceName: invoicer
+    servicePort: 8080

invoicer-https-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: invoicer
+spec:
+  selector:
+    app: invoicer
+    tier: frontend
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8080
+      targetPort: 8080
+  type: NodePort