diff --git a/.gitignore b/.gitignore index a2e906c..41e7a53 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,4 @@ credentials.json *.pfx terraform.tfvars +.certs diff --git a/docs/Cloudflare.md b/docs/Cloudflare.md new file mode 100644 index 0000000..1bc94eb --- /dev/null +++ b/docs/Cloudflare.md @@ -0,0 +1,18 @@ +# Free https with cloudflare + +CloudFlare can provide a forever free https certificate in front of your app. + +The requirements are: +- Create a free cloudflare account +- Buy a domain random dotcom is ~$8 (you can buy it directly from coudflare or you buy it externally and then configure dns with cloudflare) +- Create and Download a cloudflare generated and trusted certificate and key. If you have multiple domains all of them need to be managed in cloudflare and you need to list them all when creating the certificate. + + +- Use that certificate while setting up https with terraform +- Choose end-to end encryption in cloudflare + + +- Choose force everything to https + + +Enjoy free https \ No newline at end of file diff --git a/docs/cloudflare/first.png b/docs/cloudflare/first.png new file mode 100644 index 0000000..17d766f Binary files /dev/null and b/docs/cloudflare/first.png differ diff --git a/docs/cloudflare/second.png b/docs/cloudflare/second.png new file mode 100644 index 0000000..2e7c9c9 Binary files /dev/null and b/docs/cloudflare/second.png differ diff --git a/docs/cloudflare/third.png b/docs/cloudflare/third.png new file mode 100644 index 0000000..183177a Binary files /dev/null and b/docs/cloudflare/third.png differ diff --git a/terraform/gke.tf b/terraform/gke.tf index 55d5696..36482a8 100644 --- a/terraform/gke.tf +++ b/terraform/gke.tf 
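Review bot: The directory being ignored, `.certs`, does not match the directory this commit's own template documents for the key material, `ssl_cert_path = "certs"` in terraform/terraform.tfvars.template, so a `.key` file placed where the template says would still be tracked. The existing `*.pfx` and `terraform.tfvars` entries show the intent is to keep secrets out of the repository; adding `certs/` next to `.certs`, or aligning the template with the ignored path, closes the gap. A pattern such as `*.key` would additionally cover a private key regardless of which folder it lands in.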
@@ -19,18 +19,18 @@ resource "google_compute_subnetwork" "default" { ip_cidr_range = "10.0.0.0/24" } -resource "google_container_cluster" "default" { - provider = google-beta - project = var.project_id - name = var.gke_cluster_name - location = var.zone - initial_node_count = var.num_nodes - # More info on the VPC native cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/standalone-neg#create_a-native_cluster - networking_mode = "VPC_NATIVE" - network = google_compute_network.default.name - subnetwork = google_compute_subnetwork.default.name - # Disable the Google Cloud Logging service because you may overrun the Logging free tier allocation, and it may be expensive - logging_service = "none" +# Node pool configuration +resource "google_container_node_pool" "primary_pool" { + name = "primary-node-pool" + cluster = "${google_container_cluster.default.name}" + project = google_compute_network.default.project + location = var.zone + node_count = var.num_nodes + + autoscaling { + min_node_count = var.num_nodes + max_node_count = 10 + } node_config { # More info on Spot VMs with GKE https://cloud.google.com/kubernetes-engine/docs/how-to/spot-vms#create_a_cluster_with_enabled 
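Review bot: `node_count = var.num_nodes` is set on the same pool that carries an `autoscaling` block, and the provider documentation advises against combining the two because the autoscaler changes the node count outside Terraform and every later plan then shows drift on that attribute; `initial_node_count = var.num_nodes` is the attribute meant for an autoscaled pool's starting size (alternatively `lifecycle { ignore_changes = [node_count] }`). `cluster = "${google_container_cluster.default.name}"` uses the legacy interpolation-only form that Terraform 0.12+ warns about; `cluster = google_container_cluster.default.name` is equivalent. The pool's `project` comes from `google_compute_network.default.project` while the cluster in the next hunk uses `var.project_id`; if the two ever diverge the pool is created in a different project, so taking both from the same source is safer. The `node_config` block of `primary_pool` continues outside the hunk.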
@@ -47,7 +47,27 @@ resource "google_container_cluster" "default" {
 "https://www.googleapis.com/auth/servicecontrol",
 ]
 }
-
+ management {
+ auto_repair = true
+ auto_upgrade = true
+ }
+}
+
+resource "google_container_cluster" "default" {
+ provider = google-beta
+ project = var.project_id
+ name = var.gke_cluster_name
+ location = var.zone
+ # More info on the VPC native cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/standalone-neg#create_a-native_cluster
+ networking_mode = "VPC_NATIVE"
+ network = google_compute_network.default.name
+ subnetwork = google_compute_subnetwork.default.name
+ # Disable the Google Cloud Logging service because you may overrun the Logging free tier allocation, and it may be expensive
+ logging_service = "none"
+
+ remove_default_node_pool = "true"
+ # initial_node_count = 1
+
 addons_config {
 http_load_balancing {
 # This needs to be enabled for the NEG to be automatically created for the ingress gateway svc
diff --git a/terraform/https.tf b/terraform/https.tf
index ce9d43b..e5b63f8 100644
--- a/terraform/https.tf
+++ b/terraform/https.tf
@@ -1,3 +1,6 @@
+provider "random" {
+ # Configuration options
+}
 resource "google_compute_forwarding_rule" "redirect" {
 depends_on = [google_compute_subnetwork.proxy]
 count = var.https ? 1 : 0
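Review bot: `remove_default_node_pool = "true"` is paired with `# initial_node_count = 1` commented out, but the google provider expects `initial_node_count` (at least 1) on a cluster whose default pool is to be removed, so cluster creation is likely to fail validation; restore `initial_node_count = 1` alongside `remove_default_node_pool = true` (a bare boolean rather than the string `"true"`). The `management` block with `auto_repair`/`auto_upgrade` both `true` keeps nodes patched automatically, which is the defensible default; it belongs to the `primary_pool` resource whose opening lines are in the previous hunk. `logging_service = "none"` is moved rather than new, but with it the cluster ships no node or container logs to Cloud Logging, which limits detection and incident investigation; if cost is the driver, `logging_config { enable_components = ["SYSTEM_COMPONENTS"] }` is a cheaper middle ground worth a comment explaining the trade-off.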
@@ -47,17 +50,30 @@ resource "google_compute_region_url_map" "redirect" { } } +resource "random_string" "random_cert_suffix" { + length = 8 + special = false + lower = true + upper = false +} + resource "google_compute_region_ssl_certificate" "default" { + depends_on = [random_string.random_cert_suffix] project = google_compute_subnetwork.default.project region = google_compute_subnetwork.default.region - name = var.ssl_cert_name + name = "${var.ssl_cert_name}-${random_string.random_cert_suffix.result}" description = "SSL certificate for l7-xlb-proxy-https" - private_key = file(var.ssl_cert_key) - certificate = file(var.ssl_cert_crt) + private_key = file("${var.ssl_cert_path}/${var.ssl_cert_name}.key") + certificate = file("${var.ssl_cert_path}/${var.ssl_cert_name}.crt") + + lifecycle { + create_before_destroy = true + } } # https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/compute_ssl_certificate#example-usage---ssl-certificate-target-https-proxies resource "google_compute_region_target_https_proxy" "default" { + depends_on = [google_compute_region_ssl_certificate.default] project = google_compute_subnetwork.default.project region = google_compute_subnetwork.default.region name = "l7-xlb-proxy-https" diff --git a/terraform/main.tf b/terraform/main.tf index 3498fdf..1f721af 100644 --- a/terraform/main.tf +++ b/terraform/main.tf 
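Review bot: `random_string.random_cert_suffix` has no `keepers`, so the suffix is generated once and kept in state; when the .crt/.key files are later replaced, `name` does not change and the `create_before_destroy = true` replacement tries to create a second certificate under the same name, which the API rejects, so the rotation this hunk sets up cannot actually happen. Tie the suffix to the certificate contents so a new cert yields a new name: `keepers = { crt = filesha256("${var.ssl_cert_path}/${var.ssl_cert_name}.crt") }` inside the random_string block. Both added `depends_on` entries look redundant, since the suffix is already referenced via `random_string.random_cert_suffix.result` and the proxy presumably references the certificate in its `ssl_certificates` list outside the hunk; `depends_on` is only needed where no attribute reference exists. Also worth a comment next to `private_key = file(...)`: the key is written in plaintext into Terraform state, so the state backend must be protected as secret material. The `google_compute_region_target_https_proxy` resource continues outside the hunk.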
@@ -36,20 +36,16 @@ variable "ip_address_name" { description = "The name of the static IP Address for the load balancer" } -variable "ssl_cert_name" { - description = "The name of the SSL certificate for the load balancer" -} - variable "https" { description = "Whether to set up the load balancer with HTTPS or not" } -variable "ssl_cert_crt" { - description = "Path to the SSL certificate .crt" +variable "ssl_cert_name" { + description = "The name of the files .crt and .key files inside cert_path folder. This will be used as SSL certificate name for the load balancer" } -variable "ssl_cert_key" { - description = "Path to the SSL certificate private .key" +variable "ssl_cert_path" { + description = "Path to the SSL certificate folder where your .crt and .key files are" } resource "google_compute_network" "default" { diff --git a/terraform/scripts/install-gloo.sh b/terraform/scripts/install-gloo.sh index bf0ff03..8acf365 100755 --- a/terraform/scripts/install-gloo.sh +++ b/terraform/scripts/install-gloo.sh @@ -9,3 +9,5 @@ helm install gloo gloo/gloo \ --create-namespace \ --namespace gloo-system \ -f "$DIR/values.yaml" + +true \ No newline at end of file diff --git a/terraform/terraform.tfvars.template b/terraform/terraform.tfvars.template index 14f81e3..a77004a 100644 --- a/terraform/terraform.tfvars.template +++ b/terraform/terraform.tfvars.template @@ -41,4 +41,8 @@ ssl_cert_crt = "certs/self-signed.crt" ssl_cert_key = "certs/self-signed.key" # Change to true to enable HTTPS and HTTP redirect for the load balancer -https = false \ No newline at end of file +https = false +# You need to have the certificate and the key in the same folder. +# Example self-signed.crt and self-signed.key in certs directory +# ssl_cert_name = "self-signed" +# ssl_cert_path = "certs" \ No newline at end of file diff --git a/terraform/versions.tf b/terraform/versions.tf index 268bded..173cbc5 100644 --- a/terraform/versions.tf +++ b/terraform/versions.tf 
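Review bot: Neither new variable declares a `type`, and the `ssl_cert_name` description reads awkwardly ("The name of the files .crt and .key files"); since these two are now the only way the certificate is located, add `type = string` to each and tighten the wording to `description = "Base name shared by the .crt and .key files inside ssl_cert_path; also used as the load balancer SSL certificate name"` and `description = "Directory containing <ssl_cert_name>.crt and <ssl_cert_name>.key"`. Neither has a default, so Terraform prompts for both (or fails with -input=false) even in an HTTP-only deployment where `https = false`; whether a `default = ""` is safe depends on how the certificate resource in https.tf is counted, which is outside this hunk.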
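Review bot: The trailing `true` makes the script's exit status 0 regardless of whether `helm install` succeeded, unless a `set -e` earlier in the file (outside the hunk) already aborts on the failure; a caller such as a Terraform provisioner would then treat a failed Gloo install as success. If the goal is only to get rid of the missing-newline warning, drop the `true` and end the file with a newline after `-f "$DIR/values.yaml"`; if the install really is best-effort, say so with a comment such as `# helm failures are intentionally ignored`.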
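Review bot: The template still carries `ssl_cert_crt = "certs/self-signed.crt"` and `ssl_cert_key = "certs/self-signed.key"` (the context lines at the top of the hunk) although this commit removes those variables from main.tf, so Terraform will warn about values for undeclared variables, while the replacements `ssl_cert_name`/`ssl_cert_path` exist only as comments and therefore supply no value. Replace the two stale lines with the new pair uncommented, `ssl_cert_name = "self-signed"` and `ssl_cert_path = "certs"`, and keep the explanatory comment above them. Note that the `certs` directory named here differs from the `.certs` entry this commit adds to .gitignore, so a key placed where the template says would not be ignored.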
@@ -4,6 +4,11 @@ terraform { source = "hashicorp/google-beta" version = "4.5.0" } + + random = { + source = "hashicorp/random" + version = "3.1.0" + } } required_version = ">= 1.0"