Skip to content

geantrevisan/gcp-gke

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
.github/workflows
.github/workflows
 
 
app
app
 
 
screenshots
screenshots
 
 
terraform
terraform
 
 
README.md
README.md
 
 

Repository files navigation

Caso Google Cloud - Monks.

O que usamos? :

  • Nginx base para hello world
  • Nginx Ingress helm
  • Docker
  • Kubernetes
  • Helm
  • Terraform
  • GitHub Actions
  • GKE (Google Kubernetes Engine)
  • GCR (Google Container Registry)

Sobre caso

Utilizamos codigo terraform para codar toda arquitetura, abaixo está cada ingrediente utiliza. Rs

  • Criado IAM´s para utilizarmos CI/CD e permissoes de dono para testes de deploys.
  • Criado bucket para terraform via github action.
  • Criado uma VPC com Subnet.
  • Criado rota com NAT para saidas de subnets VPC.
  • Criado uma Instancia para utiliza IAP para fazer um tunel de acesso caso necessite. (OBS: Pois não criamos uma VPN.)
  • Criado um Cluster GKE com Nodes com rede privada.
  • Deploy via terraform, kubernetes, helm.
  • Criado modulo para fazer deploy com helm do nginx ingress e do app que criamos. (Voce pode encontrar na pasta terraform/modules/).

Passo a Passo

  • Iniciar gcloud.
gcloud init
  • Criando IAM
gcloud iam service-accounts create servicemonks
  • GCP Project
gcloud projects describe project-monks

name: monks projectId: project-monks projectNumber: '534232678406'

  • Criando bucket
gcloud storage buckets create gs://monks-gk
  • Adicionando police
gcloud projects add-iam-policy-binding 534232678406 --member="serviceAccount:servicemonks@project-monks.iam.gserviceaccount.com" --role="roles/owner"

Acima criamos iam com permissões de dono. (OBS: intuito aqui é uma breve demonstração então não focaremos em segurança com IAM.)

  • Criando credencials para utilizar localmente.
gcloud iam service-accounts keys create cred.json --iam-account=servicemonks@project-monks.iam.gserviceaccount.com
O comando abaixo iremos adicionar export com as credencias para poder utilizar em nosso terminal.
export GOOGLE_APPLICATION_CREDENTIALS="cred.json"

Abaixo iremo criar IAM para utilizar CI/CD do github action.

Source

  • Ativa iam
gcloud services enable iamcredentials.googleapis.com --project "project-monks"
  • Criar um workload identity pools
gcloud iam workload-identity-pools create "k8s-git" --project="project-monks" --location="global" --display-name="k8s"
gcloud iam workload-identity-pools create "k8s-git" --project="project-monks" --location="global" --display-name="k8s"
  • Obter Workload Identity Pool
gcloud iam workload-identity-pools describe "k8s-git" --project="project-monks" --location="global" --format="value(name)"
  • Criar IAM k8s-git para pools
gcloud iam workload-identity-pools providers create-oidc "k8s-provider" --project="project-monks" --location="global" --workload-identity-pool="k8s-git" --display-name="k8s provider" --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" --issuer-uri="https://token.actions.githubusercontent.com"
  • Relação com IAM servicemonks e k8s IAM.
gcloud iam service-accounts add-iam-policy-binding "servicemonks@project-monks.iam.gserviceaccount.com" --project="project-monks" --role="roles/iam.workloadIdentityUser" --member="principalSet://iam.googleapis.com/projects/534232678406/locations/global/workloadIdentityPools/k8s-git/attribute.repository/geantrevisan/gcp-gke"
  • Adicionar permisssão token
gcloud iam service-accounts add-iam-policy-binding "servicemonks@project-monks.iam.gserviceaccount.com" --project="project-monks" --role="roles/iam.serviceAccountTokenCreator" --member=serviceAccount:servicemonks@project-monks.iam.gserviceaccount.com

  • Acessar repositorio e crie sua secrets. Repo > Settings > Secrets and variables > Action. Iremo clicar no botão New repository secret Primeiro iremos colocar o nome de GCP_PROJECT_ID e no campo Secret o id do projeto da GCP. O mesmo para GCP_TF_STATE_BUCKET so que no campo secret colocaremos o bucket criado anteriormente.

  • Workflows

name: Deploy to kubernetes
on:
  push:
    branches:
      - "main"

env:
  GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
  TF_STATE_BUCKET_NAME: ${{ secrets.GCP_TF_STATE_BUCKET }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      IMAGE_TAG: ${{ github.sha }}

    permissions:
      contents: 'read'
      id-token: 'write'
    
    steps:
    - uses: 'actions/checkout@v3'

    # Login com GCP.
    - id: 'auth'
      name: 'Login na Google Cloud'
      uses: 'google-github-actions/auth@v1'
      with:
        token_format: 'access_token'
        workload_identity_provider: 'projects/534232678406/locations/global/workloadIdentityPools/k8s-git/providers/k8s-provider'
        service_account: 'servicemonks@project-monks.iam.gserviceaccount.com'
        
    # Instalar gcloud SDK
    - name: 'Intalling GCloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'

    # Login GCP para enviar docker image.
    - name: docker auth
      run: gcloud auth configure-docker
    
    # Mostra conta autenticada.
    - run: gcloud auth list

    # Build image e envia.
    - name: Build e push docker image
      run: |
        docker build -t us.gcr.io/$GCP_PROJECT_ID/appimage:$IMAGE_TAG .
        docker push us.gcr.io/$GCP_PROJECT_ID/appimage:$IMAGE_TAG
      working-directory: ./app

      # Configura Terraform
    - name: Setup Terraform
      uses: hashicorp/setup-terraform@v2

      # Terraform Init
    - name: Terraform init
      run: terraform init -backend-config="bucket=$TF_STATE_BUCKET_NAME" -backend-config="prefix=test"
      working-directory: ./terraform

      # Terraform Plan
    - name: Terraform Plan
      run: |
        terraform plan \
        -var="region=us-central1" \
        -var="project=$GCP_PROJECT_ID" \
        -var="container_image=us.gcr.io/$GCP_PROJECT_ID/appimage:$IMAGE_TAG" \
        -out=PLAN
      working-directory: ./terraform

      # Terraform Apply
    - name: Terraform Apply
      run: terraform apply PLAN
      working-directory: ./terraform
  • Após rodar o workflow Podemos ver que deu erro conforme a print abaixo.

Iremos acessar via IAP a maquina que criamos, para podermos finalizar o terraform apply. La iremos rodar um novo apply na maquina, basta acessar.

  • Install terraform (OPS: Esqueci de colocar no script para instalar no apply.)
git clone https://github.com/tfutils/tfenv.git ~/.tfenv;echo 'export PATH="$HOME/.tfenv/bin:$PATH"' >> ~/.bash_profile;sudo ln -s ~/.tfenv/bin/* /usr/local/bin;sudo tfenv install 1.5.3;sudo tfenv use 1.5.3
  • Install Rodar gcloud init

gcloud auth application-default login

git clone https://github.com/geantrevisan/gcp-gke.git

cd gcp-gke/terraform/ terraform init

terraform plan -var="region=us-central1" -var="project=project-monks" -var="container_image=gean22/appimage:latest"

terraform apply -var="region=us-central1" -var="project=project-monks" -var="container_image=gean22/appimage:latest"

Segundo

Para acessar o app https://monks.tigkf.tech/

FIM

Terraform

Criei todo codigo do terraforma com comentarios nos .tf. creio que ficou claro para entendimento.

Links de referencias.

Criar IAM para repo github Terraform node Terraform script instancia Terraform instancia Terraform modules Terraform provider Terraform vpc Terraform subnet Terraform GKE Terraform anddress Terraform nat/firewall Terraform nat route Terraform nat gateway

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages