mirror of
https://github.com/funkypenguin/geek-cookbook/
synced 2025-12-13 09:46:23 +00:00
Design / speed tweaks
* Test updating CTA, using insiders version of mkdocs-material
* Dark mode, baby!
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
* What will netlify do if I remove requirements.txt?
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
* What will netlify do if I remove requirements.txt?
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
* Only build the insiders version
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
* Remove some broken links
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
* Fix dead link
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
* Remove twitter embed
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
* Fix dead links
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
* Mooar dead links
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
* Final dead link
  Signed-off-by: David Young <davidy@funkypenguin.co.nz>
@@ -1,192 +0,0 @@
## Terraform

We _could_ describe the manual gcloud/ssh steps required to deploy a Kubernetes cluster to Google Kubernetes Engine, but using Terraform allows us to abstract ourself from the provider, and focus on just the infrastructure we need built.

The terraform config we produce is theoretically reusabel across AWS, Azure, OpenStack, as well as GCE.

Install terraform locally - on OSX, I used ```brew install terraform```

Confirm it's correctly installed by running ```terraform -v```. My output looks like this:

```
[davidy:~] % terraform -v
Terraform v0.11.8

[davidy:~] %
```

## Google Cloud SDK

I can't remember how I installed gcloud, but I don't think I used homebrew. Run ```curl https://sdk.cloud.google.com | bash``` for a standard install, followed by ```gcloud init``` for the first-time setup.

This works:

```
cat <<-"BREWFILE" > Brewfile
cask 'google-cloud-sdk'
brew 'kubectl'
brew 'terraform'
BREWFILE
brew bundle --verbose
```


### Prepare for terraform

I followed [this guide](https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform) to setup the following in the "best" way:

Run ```gcloud beta billing accounts list``` to get your billing account

```

export TF_ADMIN=tf-admin-funkypenguin
export TF_CREDS=serviceaccount.json
export TF_VAR_org_id=250566349101
export TF_VAR_billing_account=0156AE-7AE048-1DA888
export TF_VAR_region=australia-southeast1
export GOOGLE_APPLICATION_CREDENTIALS=${TF_CREDS}

gcloud projects create ${TF_ADMIN} --set-as-default
gcloud beta billing projects link ${TF_ADMIN} \
--billing-account ${TF_VAR_billing_account}

gcloud iam service-accounts create terraform \
--display-name "Terraform admin account"
Created service account [terraform].

gcloud iam service-accounts keys create ${TF_CREDS} \
--iam-account terraform@${TF_ADMIN}.iam.gserviceaccount.com
created key [c0a49832c94aa0e23278165e2d316ee3d5bad438] of type [json] as [serviceaccount.json] for [terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com]

gcloud projects add-iam-policy-binding ${TF_ADMIN} \
> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \
> --role roles/viewer
bindings:
- members:
- user:googlecloud2018@funkypenguin.co.nz
role: roles/owner
- members:
- serviceAccount:terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com
role: roles/viewer
etag: BwV0VGSzYSU=
version: 1gcloud projects add-iam-policy-binding ${TF_ADMIN} \
> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \
> --role roles/viewer
bindings:
- members:
- user:googlecloud2018@funkypenguin.co.nz
role: roles/owner
- members:
- serviceAccount:terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com
role: roles/viewer
etag: BwV0VGSzYSU=
version: 1

gcloud projects add-iam-policy-binding ${TF_ADMIN} \
> --member serviceAccount:terraform@${TF_ADMIN}.iam.gserviceaccount.com \
> --role roles/storage.admin
bindings:
- members:
- user:googlecloud2018@funkypenguin.co.nz
role: roles/owner
- members:
- serviceAccount:terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com
role: roles/storage.admin
- members:
- serviceAccount:terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com
role: roles/viewer
etag: BwV0VGZwXfM=
version: 1


gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudbilling.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable compute.googleapis.com

## FIXME
Enabled Kubernetes Engine API in the tf-admin project, so that terraform can actually compute versions of the engine available

## FIXME

I had to add compute admin, service admin, and kubernetes engine admin to my org-level account, in order to use gcloud get-cluster-credentilals



gsutil mb -p ${TF_ADMIN} gs://${TF_ADMIN}
Creating gs://funkypenguin-terraform-admin/...
[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ±
[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± cat > backend.tf <<EOF
heredoc> terraform {
heredoc> backend "gcs" {
heredoc> bucket = "${TF_ADMIN}"
heredoc> path = "/terraform.tfstate"
heredoc> project = "${TF_ADMIN}"
heredoc> }
heredoc> }
heredoc> EOF
[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± gsutil versioning set on gs://${TF_ADMIN}
Enabling versioning for gs://funkypenguin-terraform-admin/...
[davidy:~/Documents … remix/kubernetes/terraform] master(+1/-0)* ± export GOOGLE_APPLICATION_CREDENTIALS=${TF_CREDS}
export GOOGLE_PROJECT=${TF_ADMIN}


```

### Create Service Account

Since it's probably not a great idea to associate your own, master Google Cloud account with your automation process (after all, you can't easily revoke your own credentials if they leak), create a Service Account for terraform under GCE, and grant it the "Compute Admin" role.

Download the resulting JSON, and save it wherever you're saving your code. Remember to protect this .json file like a password, so add it to .gitignore if you're checking your code into git (_and if you're not checking your code into git, what's wrong with you, just do it now!_)

### Setup provider.tf

I setup my provider like this, noting that the project name (which must already be created) came from the output of ```gloud projects list```, and region/zone came from https://cloud.google.com/compute/docs/regions-zones/

```
# Specify the provider (GCP, AWS, Azure)
provider "google" {
credentials = "${file("serviceaccount.json")}"
project = "funkypenguin-mining-pools"
region = "australia-southeast1"
}
```

### Setup compute.tf

Just playing, I setup this:

```
# Create a new instance
resource "google_compute_instance" "ubuntu-xenial" {
name = "ubuntu-xenial"
machine_type = "f1-micro"
zone = "us-west1-a"
boot_disk {
initialize_params {
image = "ubuntu-1604-lts"
}
}
network_interface {
network = "default"
access_config {}
}
service_account {
scopes = ["userinfo-email", "compute-ro", "storage-ro"]
}
}
```

### Initialize and plan (it's free)

Run ```terraform init``` to initialize Terraform

Then run ```terrafor plan``` to check that the plan looks good.

### Apply (not necessarily free)

Once your plan (above) is good, run ```terraform apply``` to put it into motion. This is the point where you may start incurring costs.

### Setup kubectl

gcloud container clusters get-credentials $(terraform output cluster_name) --zone $(terraform output cluster_zone) --project $(terraform output project_id)
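Review bot: this hunk deletes the entire Terraform/GKE notes page, but the commit message ("Remove some broken links", "Fix dead links", "Remove twitter embed") never says the page is going or why; add a line explaining whether it was superseded or merely unfinished (it still carries two "## FIXME" headings). The deleted page also contains account-specific identifiers that remain in git history after this removal: the org id `250566349101`, the billing account `0156AE-7AE048-1DA888`, the project and state bucket `funkypenguin-terraform-admin` / `gs://funkypenguin-terraform-admin`, and the service-account key id `c0a49832c94aa0e23278165e2d316ee3d5bad438` for `terraform@funkypenguin-terraform-admin.iam.gserviceaccount.com`. Deleting the file neither revokes that key nor scrubs those values, so if the key is still live it should be rotated (`gcloud iam service-accounts keys delete`) instead of relying on the page being gone. Minor, and moot once the page is removed: the `roles/viewer` binding transcript appears twice, the second copy fused onto `version: 1`, which is part of why the page read so badly.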
@@ -9,10 +9,8 @@ In order to avoid IP addressing conflicts as we bring swarm networks up/down, we
| [Mail Server](https://geek-cookbook.funkypenguin.co.nz/recipes/mail/) | 172.16.1.0/24 |
| [Gitlab](https://geek-cookbook.funkypenguin.co.nz/recipes/gitlab/) | 172.16.2.0/24 |
| [Wekan](https://geek-cookbook.funkypenguin.co.nz/recipes/wekan/) | 172.16.3.0/24 |
| [Piwik](https://geek-cookbook.funkypenguin.co.nz/recipes/piwik/) | 172.16.4.0/24 |
| [Tiny Tiny RSS](https://geek-cookbook.funkypenguin.co.nz/recipes/tiny-tiny-rss/) | 172.16.5.0/24 |
| [Huginn](https://geek-cookbook.funkypenguin.co.nz/recipes/huginn/) | 172.16.6.0/24 |
| [Unifi](https://geek-cookbook.funkypenguin.co.nz/recipes/unifi/) | 172.16.7.0/24 |
| [Kanboard](https://geek-cookbook.funkypenguin.co.nz/recipes/kanboard/) | 172.16.8.0/24 |
| [Gollum](https://geek-cookbook.funkypenguin.co.nz/recipes/gollum/) | 172.16.9.0/24 |
| [Duplicity](https://geek-cookbook.funkypenguin.co.nz/recipes/duplicity/) | 172.16.10.0/24 |
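Review bot: the header says this region shrinks from 10 rows to 8, but the rendered copy has lost the `-` markers, so a reviewer cannot tell which two of the Mail Server … Duplicity rows lose their /24. The context line states the table exists "to avoid IP addressing conflicts as we bring swarm networks up/down", and deleting a row hands its subnet back for reuse while a still-deployed stack may hold it; keep the row and mark the allocation retired (or drop only the dead link text) rather than removing the subnet entry.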
@@ -26,7 +24,6 @@ In order to avoid IP addressing conflicts as we bring swarm networks up/down, we
| [Calibre-Web](https://geek-cookbook.funkypenguin.co.nz/recipes/calibre-web/) | 172.16.18.0/24 |
| [Wallabag](https://geek-cookbook.funkypenguin.co.nz/recipes/wallabag/) | 172.16.19.0/24 |
| [InstaPy](https://geek-cookbook.funkypenguin.co.nz/recipes/instapy/) | 172.16.20.0/24 |
| [Turtle Pool](https://geek-cookbook.funkypenguin.co.nz/recipes/turtle-pool/) | 172.16.21.0/24 |
| [MiniFlux](https://geek-cookbook.funkypenguin.co.nz/recipes/miniflux/) | 172.16.22.0/24 |
| [Gitlab Runner](https://geek-cookbook.funkypenguin.co.nz/recipes/gitlab-runner/) | 172.16.23.0/24 |
| [Munin](https://geek-cookbook.funkypenguin.co.nz/recipes/munin/) | 172.16.24.0/24 |
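Review bot: one row is removed here (7 → 6 among Calibre-Web … Munin) and, as in the previous hunk, the lost markers make it impossible to see which one; since every link in this block resolves to a plausibly named recipe path, the removal is presumably for a retired recipe, in which case the freed 172.16.x.0/24 should stay listed as reserved until the stack is confirmed gone, so the allocation table keeps doing its job.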
@@ -34,24 +31,11 @@ In order to avoid IP addressing conflicts as we bring swarm networks up/down, we
| [Swarmprom](https://geek-cookbook.funkypenguin.co.nz/recipes/swarmprom/) | 172.16.34.0/24 |
| [Realms](https://geek-cookbook.funkypenguin.co.nz/recipes/realms/) | 172.16.35.0/24 |
| [ElkarBackup](https://geek-cookbook.funkypenguin.co.nz/recipes/elkarbackup/) | 172.16.36.0/24 |
| [Mayan EDMS](https://geek-cookbook.funkypenguin.co.nz/recipes/realms/) | 172.16.37.0/24 |
| [Shaarli](https://geek-cookbook.funkypenguin.co.nz/recipes/shaarli/) | 172.16.38.0/24 |
| [OpenLDAP](https://geek-cookbook.funkypenguin.co.nz/recipes/openldap/) | 172.16.39.0/24 |
| [MatterMost](https://geek-cookbook.funkypenguin.co.nz/recipes/mattermost/) | 172.16.40.0/24 |
| [PrivateBin](https://geek-cookbook.funkypenguin.co.nz/recipes/privatebin/) | 172.16.41.0/24 |
| [Mayan EDMS](https://geek-cookbook.funkypenguin.co.nz/recipes/mayan-edms/) | 172.16.42.0/24 |
| [Hack MD](https://geek-cookbook.funkypenguin.co.nz/recipes/hackmd/) | 172.16.43.0/24 |
| [FlightAirMap](https://geek-cookbook.funkypenguin.co.nz/recipes/flightairmap/) | 172.16.44.0/24 |
| [Wetty](https://geek-cookbook.funkypenguin.co.nz/recipes/wetty/) | 172.16.45.0/24 |
| [FileBrowser](https://geek-cookbook.funkypenguin.co.nz/recipes/filebrowser/) | 172.16.46.0/24 |
| [phpIPAM](https://geek-cookbook.funkypenguin.co.nz/recipes/phpipam/) | 172.16.47.0/24 |
| [Dozzle](https://geek-cookbook.funkypenguin.co.nz/recipes/dozzle/) | 172.16.48.0/24 |
| [KeyCloak](https://geek-cookbook.funkypenguin.co.nz/recipes/keycloak/) | 172.16.49.0/24 |
| [Sensu](https://geek-cookbook.funkypenguin.co.nz/recipes/sensu/) | 172.16.50.0/24 |
| [Magento](https://geek-cookbook.funkypenguin.co.nz/recipes/magento/) | 172.16.51.0/24 |
| [Graylog](https://geek-cookbook.funkypenguin.co.nz/recipes/graylog/) | 172.16.52.0/24 |
| [Harbor](https://geek-cookbook.funkypenguin.co.nz/recipes/graylog/) | 172.16.53.0/24 |
| [Harbor-Clair](https://geek-cookbook.funkypenguin.co.nz/recipes/graylog/) | 172.16.54.0/24 |
| [Duplicati](https://geek-cookbook.funkypenguin.co.nz/recipes/duplicati/) | 172.16.55.0/24 |
| [Restic](https://geek-cookbook.funkypenguin.co.nz/recipes/restic/) | 172.16.56.0/24 |
| [Jellyfin](https://geek-cookbook.funkypenguin.co.nz/recipes/jellyfin/) | 172.16.57.0/24 |
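Review bot: 13 rows go in this hunk (24 → 11) and the markers are lost, so check the survivors against the commit's stated purpose ("Fix dead links"): `[Mayan EDMS](https://geek-cookbook.funkypenguin.co.nz/recipes/realms/)` at 172.16.37.0/24 points at the Realms recipe while a second Mayan EDMS row at 172.16.42.0/24 links `/recipes/mayan-edms/`, and both `[Harbor]` and `[Harbor-Clair]` link `/recipes/graylog/`. If any of those three rows remain after this hunk, link text and target disagree, and the duplicated Mayan EDMS entry leaves two /24s claimed for one recipe; either remove the mislinked rows or point each at its own recipe, and release the duplicate subnet explicitly.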