k8s-si-phosphore stands for Kubernetes IS (information system, SI in French) for PHOSPHORE.
It deploys Kubernetes cluster(s) as infrastructure as code.
This project deploys:
- k8s cluster
- Helm
The purpose of this cluster is to host the PHOSPHORE.si SI applications (GitLab, AWX, Prometheus, ...).
Currently the cluster is deployed on:
- Google Cloud Platform
- Helm v
The main tools used are Terraform and Ansible AWX.
K8s is deployed in GCP (Google Cloud Platform).
We need to create manually:
- For k8s:
  - a project for the Test env
  - a project for the Prod env
  - a compute service account for the Test project
  - a compute service account for the Prod project
- For the Terraform backend:
  - a bucket for Test in the Test project
  - a bucket for Prod in the Prod project
  - a storage service account for Test
  - a storage service account for Prod
You need to manually create a GCP project for each of the Test and Prod environments. You can set this up in the Google Cloud Console.
Then set the GitLab variables GKE_PROJECT_* and GKE_REGION_* accordingly.
We need to set up a few things to have access via the API. First, enable the GKE API in the Google Developer's Console. Then we need service account credentials to use the API: create a new key for the service account in the Google Cloud Console. You should then be asked to select which account to use. If GKE API access is set up correctly, you will see "Compute Engine default service account". That will do for our requirements, so select it and "JSON" as the key type. Keep in mind that this default account is also the identity of every Compute Engine VM in the project that is not given another one, so a key for it is a key for those machines too; a dedicated deployer service account is the cleaner option.
Next we need to add the roles to manage the k8s cluster and the Terraform bucket.
In the IAM menu your service account must have the roles:
- Editor
- Kubernetes Engine Admin
Editor is a basic role covering nearly every resource in the project, so a key carrying it is effectively a project-wide admin credential and must be guarded as one.
Copy the content of the key file into the GitLab project variable GOOGLE_CREDENTIALS_TEST or GOOGLE_CREDENTIALS_PROD. Mark the variable as protected so it is only exposed to pipelines on protected branches; note that GitLab cannot mask a multi-line value such as a JSON key, so it will show up in the job log if anything prints it.
We use a GCS bucket as the Terraform backend so that Terraform stores its state there.
Create the buckets and grant the GCS service account the Storage Object Admin role on them.
The state file records everything Terraform created and can contain secrets, so keep the buckets private and enable object versioning so that a corrupted or deleted state can be recovered.
Put the bucket details in GCS_TERRAFORM_BUCKET_*.
We need to update OVH DNS, so we need to create manually:
- credentials to connect to the OVH API
We want to restrict the token to the domain we will update.
In LastPass there are already tokens to update the phosphoresi.net and phosphore.si domains.
Put the details in the OVH_DNS_* variables.
If the token does not exist yet, connect to https://api.ovh.com/createToken/index.cgi?GET=/*&POST=/*&PUT=/*&DELETE=/* to create it. Note that as written this link requests all four methods on every API path (/*); to honour the restriction above, narrow the rights in the form to the zone you will update before generating the token.
TODO: Token creation needs to be documented separately. Screenshot [OVH_API_createtoken.png]
The variables below need to be defined for CI/CD.
Normally they should be defined in the GitLab infrascode/si group.
- DOMAIN_PROD: DNS domain used for Prod (phosphore.si)
- DOMAIN_TEST: DNS domain used for Test (phosphoresi.net)
- OVH_DNS_KEY_TEST: Key to update the Test domain
- OVH_DNS_SECRET_TEST: Secret to update the Test domain
- OVH_DNS_CONSUMER_KEY_TEST: Consumer key to update the Test domain
- OVH_DNS_CONSUMER_KEY_PROD: Consumer key to update the Prod domain
- OVH_DNS_KEY_PROD: Key to update the Prod domain
- OVH_DNS_SECRET_PROD: Secret to update the Prod domain
- GKE_PROJECT_TEST: GKE project where k8s Test is deployed
- GKE_PROJECT_PROD: GKE project where k8s Prod is deployed
- GKE_REGION_TEST: GKE region where k8s Test is deployed
- GKE_REGION_PROD: GKE region where k8s Prod is deployed
- GKE_CREDENTIALS_TEST: Service account JSON private key downloaded from Google Cloud for Test
- GKE_CREDENTIALS_PROD: Service account JSON private key downloaded from Google Cloud for Prod
- GOOGLE_CREDENTIALS_TEST: Service account JSON private key downloaded from Google Cloud for Test
- GOOGLE_CREDENTIALS_PROD: Service account JSON private key downloaded from Google Cloud for Prod
- GCS_TERRAFORM_BUCKET_TEST: Bucket for the Terraform backend, Test
- GCS_TERRAFORM_BUCKET_PROD: Bucket for the Terraform backend, Prod
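As an added example (not code from the k8s-si-phosphore project), the preflight script below checks these variables the way a pipeline job would before running Terraform: every variable above is set, each GOOGLE_CREDENTIALS_* value is a service-account key whose project_id matches GKE_PROJECT_*, and Test and Prod do not share a project, key, bucket or OVH consumer key. It also builds an OVH createToken link scoped to one DNS zone, under the assumption (not stated in this README) that the DNS updates only need the /domain/zone/<zone>/ endpoints. The sample_env() values, project names, region and dummy key material are constructed for the demo, and GKE_CREDENTIALS_* is left out of the required set because the text above only uses GOOGLE_CREDENTIALS_*.

```python
"""Preflight check for the CI/CD variables listed above: added example for
this README, not code from the k8s-si-phosphore project. Call preflight()
with os.environ in a pipeline job; an empty result means nothing is wrong."""
import json
from urllib.parse import urlencode

# Variables the README requires per environment ({e} is TEST or PROD).
# GKE_CREDENTIALS_* is listed in the README too; add it here if a job reads it.
REQUIRED_PER_ENV = (
    "DOMAIN_{e}", "OVH_DNS_KEY_{e}", "OVH_DNS_SECRET_{e}", "OVH_DNS_CONSUMER_KEY_{e}",
    "GKE_PROJECT_{e}", "GKE_REGION_{e}", "GOOGLE_CREDENTIALS_{e}", "GCS_TERRAFORM_BUCKET_{e}",
)
# Values that must differ between Test and Prod, or the separation is only nominal.
MUST_DIFFER = ("GKE_PROJECT", "GOOGLE_CREDENTIALS", "OVH_DNS_CONSUMER_KEY", "GCS_TERRAFORM_BUCKET")


def check_google_credentials(raw: str, expected_project: str) -> list[str]:
    """Validate one pasted GOOGLE_CREDENTIALS_* value.

    It must parse, be a service-account key (not a user or OAuth client file),
    and carry the project_id named in GKE_PROJECT_*, so the Test job can never
    run with the Prod key or vice versa.
    """
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON ({exc.msg})"]
    findings = []
    if key.get("type") != "service_account":
        findings.append(f"type is {key.get('type')!r}, expected 'service_account'")
    findings += [f"missing field {f!r}" for f in ("project_id", "client_email", "private_key") if not key.get(f)]
    project = key.get("project_id")
    if project and project != expected_project:
        findings.append(f"key belongs to project {project!r}, not {expected_project!r}")
    return findings


def preflight(env) -> list[str]:
    """Return every problem found in the CI variables for Test and Prod."""
    findings = []
    for e in ("TEST", "PROD"):
        missing = [n.format(e=e) for n in REQUIRED_PER_ENV if not env.get(n.format(e=e))]
        findings += [f"{n} is not set" for n in missing]
        creds, project = f"GOOGLE_CREDENTIALS_{e}", f"GKE_PROJECT_{e}"
        if creds not in missing and project not in missing:
            findings += [f"{creds}: {f}" for f in check_google_credentials(env[creds], env[project])]
    for prefix in MUST_DIFFER:
        if env.get(f"{prefix}_TEST") and env.get(f"{prefix}_TEST") == env.get(f"{prefix}_PROD"):
            findings.append(f"{prefix}_TEST and {prefix}_PROD are identical")
    return findings


def ovh_create_token_url(zone: str) -> str:
    """OVH createToken URL whose rights cover one DNS zone instead of /*.

    Assumption (not stated in the README): the zone updates only need the
    /domain/zone/<zone>/ endpoints, so nothing else is requested.
    """
    scope = f"/domain/zone/{zone}/*"
    rights = [(method, scope) for method in ("GET", "POST", "PUT", "DELETE")]
    return "https://api.ovh.com/createToken/index.cgi?" + urlencode(rights, safe="/*")


def sample_env() -> dict:
    """Constructed variable set mirroring the README. Project names, region and
    the dummy key material are made up for the demo; nothing here is a real secret."""
    env = {"DOMAIN_PROD": "phosphore.si", "DOMAIN_TEST": "phosphoresi.net"}
    for e, project in (("TEST", "phosphore-test"), ("PROD", "phosphore-prod")):
        key = {"type": "service_account", "project_id": project,
               "client_email": f"deployer@{project}.iam.gserviceaccount.com",
               "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMY\n-----END PRIVATE KEY-----\n"}
        env.update({
            f"OVH_DNS_KEY_{e}": f"ak-{e.lower()}", f"OVH_DNS_SECRET_{e}": f"as-{e.lower()}",
            f"OVH_DNS_CONSUMER_KEY_{e}": f"ck-{e.lower()}", f"GKE_PROJECT_{e}": project,
            f"GKE_REGION_{e}": "europe-west1", f"GOOGLE_CREDENTIALS_{e}": json.dumps(key),
            f"GCS_TERRAFORM_BUCKET_{e}": f"{project}-tfstate",
        })
    return env


if __name__ == "__main__":
    import os
    print("\n".join(preflight(os.environ)) or "preflight OK")
    print(ovh_create_token_url("phosphore.si"))
```

In a GitLab job, run preflight(os.environ) as the first script step and fail the job on a non-empty result; the multi-line JSON key survives in the environment exactly as pasted, so json.loads sees the same file the Console produced.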