murphye · alexproca · Feb 15, 2022 · Feb 15, 2022 · Feb 15, 2022 · Feb 15, 2022
diff --git a/.gitignore b/.gitignore
@@ -17,3 +17,4 @@ credentials.json
 *.pfx
 
 terraform.tfvars
+.certs
diff --git a/docs/Cloudflare.md b/docs/Cloudflare.md
@@ -0,0 +1,18 @@
+# Free https with cloudflare
+
+CloudFlare can provide a forever free https certificate in front of your app.
+
+The requirements are: 
+- Create a free cloudflare account
+- Buy a domain random dotcom is ~$8 (you can buy it directly from coudflare or you buy it externally and then configure dns with cloudflare)
+- Create and Download a cloudflare generated and trusted certificate and key. If you have multiple domains all of them need to be managed in cloudflare and you need to list them all when creating the certificate.
+<img src="cloudflare/first.png">
+
+- Use that certificate while setting up https with terraform
+- Choose end-to end encryption in cloudflare
+<img src="cloudflare/second.png">
+
+- Choose force everything to https
+<img src="cloudflare/third.png">
+
+Enjoy free https 
diff --git a/docs/cloudflare/first.png b/docs/cloudflare/first.png
diff --git a/docs/cloudflare/second.png b/docs/cloudflare/second.png
diff --git a/docs/cloudflare/third.png b/docs/cloudflare/third.png
diff --git a/terraform/gke.tf b/terraform/gke.tf
@@ -19,18 +19,18 @@ resource "google_compute_subnetwork" "default" {
   ip_cidr_range = "10.0.0.0/24"
 }
 
-resource "google_container_cluster" "default" {
-  provider = google-beta
-  project  = var.project_id
-  name     = var.gke_cluster_name
-  location = var.zone
-  initial_node_count = var.num_nodes
-  # More info on the VPC native cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/standalone-neg#create_a-native_cluster
-  networking_mode = "VPC_NATIVE"
-  network    = google_compute_network.default.name
-  subnetwork = google_compute_subnetwork.default.name
-  # Disable the Google Cloud Logging service because you may overrun the Logging free tier allocation, and it may be expensive
-  logging_service = "none"
+# Node pool configuration
+resource "google_container_node_pool" "primary_pool" {
+  name       = "primary-node-pool"
+  cluster    = "${google_container_cluster.default.name}"
+  project    = google_compute_network.default.project
+  location   = var.zone
+  node_count = var.num_nodes
+
+  autoscaling {
+    min_node_count = var.num_nodes
+    max_node_count = 10
+  }
 
   node_config {
     # More info on Spot VMs with GKE https://cloud.google.com/kubernetes-engine/docs/how-to/spot-vms#create_a_cluster_with_enabled
@@ -47,7 +47,27 @@ resource "google_container_cluster" "default" {
       "https://www.googleapis.com/auth/servicecontrol",
     ]
   }
-
+  management {
+    auto_repair  = true
+    auto_upgrade = true
+  }
+}
+
+resource "google_container_cluster" "default" {
+  provider = google-beta
+  project  = var.project_id
+  name     = var.gke_cluster_name
+  location = var.zone
+  # More info on the VPC native cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/standalone-neg#create_a-native_cluster
+  networking_mode = "VPC_NATIVE"
+  network    = google_compute_network.default.name
+  subnetwork = google_compute_subnetwork.default.name
+  # Disable the Google Cloud Logging service because you may overrun the Logging free tier allocation, and it may be expensive
+  logging_service = "none"
+
+  remove_default_node_pool = "true"
+  # initial_node_count = 1
+
   addons_config {
     http_load_balancing {
       # This needs to be enabled for the NEG to be automatically created for the ingress gateway svc

diff --git a/terraform/https.tf b/terraform/https.tf
@@ -1,3 +1,6 @@
+provider "random" {
+  # Configuration options
+}
 resource "google_compute_forwarding_rule" "redirect" {
   depends_on = [google_compute_subnetwork.proxy]
   count      = var.https ? 1 : 0
@@ -47,17 +50,30 @@ resource "google_compute_region_url_map" "redirect" {
   }
 }
 
+resource "random_string" "random_cert_suffix" {
+  length           = 8
+  special          = false
+  lower            = true
+  upper            = false
+}
+
 resource "google_compute_region_ssl_certificate" "default" { 
+  depends_on = [random_string.random_cert_suffix]
   project = google_compute_subnetwork.default.project
   region  = google_compute_subnetwork.default.region
-  name        = var.ssl_cert_name
+  name        = "${var.ssl_cert_name}-${random_string.random_cert_suffix.result}"
   description = "SSL certificate for l7-xlb-proxy-https"
-  private_key = file(var.ssl_cert_key)
-  certificate = file(var.ssl_cert_crt)
+  private_key = file("${var.ssl_cert_path}/${var.ssl_cert_name}.key")
+  certificate = file("${var.ssl_cert_path}/${var.ssl_cert_name}.crt")
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 # https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/compute_ssl_certificate#example-usage---ssl-certificate-target-https-proxies
 resource "google_compute_region_target_https_proxy" "default" {
+  depends_on = [google_compute_region_ssl_certificate.default]
   project = google_compute_subnetwork.default.project
   region  = google_compute_subnetwork.default.region
   name    = "l7-xlb-proxy-https"

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -36,20 +36,16 @@ variable "ip_address_name" {
   description = "The name of the static IP Address for the load balancer"
 }
 
-variable "ssl_cert_name" {
-  description = "The name of the SSL certificate for the load balancer"
-}
-
 variable "https" {
   description = "Whether to set up the load balancer with HTTPS or not"
 }
 
-variable "ssl_cert_crt" {
-  description = "Path to the SSL certificate .crt"
+variable "ssl_cert_name" {
+  description = "The name of the files .crt and .key files inside cert_path folder. This will be used as SSL certificate name for the load balancer"
 }
 
-variable "ssl_cert_key" {
-  description = "Path to the SSL certificate private .key"
+variable "ssl_cert_path" {
+  description = "Path to the SSL certificate folder where your .crt and .key files are"
 }
 
 resource "google_compute_network" "default" {

diff --git a/terraform/scripts/install-gloo.sh b/terraform/scripts/install-gloo.sh
@@ -9,3 +9,5 @@ helm install gloo gloo/gloo \
   --create-namespace \
   --namespace gloo-system \
   -f "$DIR/values.yaml"
+
+true
diff --git a/terraform/terraform.tfvars.template b/terraform/terraform.tfvars.template
@@ -41,4 +41,8 @@ ssl_cert_crt     = "certs/self-signed.crt"
 ssl_cert_key     = "certs/self-signed.key"
 
 # Change to true to enable HTTPS and HTTP redirect for the load balancer
-https            = false
+https            = false
+# You need to have the certificate and the key in the same folder.
+# Example self-signed.crt and self-signed.key in certs directory
+# ssl_cert_name    = "self-signed"
+# ssl_cert_path    = "certs"
diff --git a/terraform/versions.tf b/terraform/versions.tf
@@ -4,6 +4,11 @@ terraform {
       source  = "hashicorp/google-beta"
       version = "4.5.0"
     }
+
+    random = {
+      source = "hashicorp/random"
+      version = "3.1.0"
+    }
   }
 
   required_version = ">= 1.0"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -17,3 +17,4 @@ credentials.json
		*.pfx

		terraform.tfvars
		.certs