chmoder
diff --git a/‎README.md‎
Lines changed: 41 additions & 1 deletion b/‎README.md‎
Lines changed: 41 additions & 1 deletion
diff --git a/‎apis.tf‎
Lines changed: 28 additions & 0 deletions b/‎apis.tf‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎clusters.tf‎
Lines changed: 43 additions & 0 deletions b/‎clusters.tf‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎deployments.tf‎
Lines changed: 209 additions & 0 deletions b/‎deployments.tf‎
Lines changed: 209 additions & 0 deletions
diff --git a/‎iam.tf‎
Lines changed: 29 additions & 0 deletions b/‎iam.tf‎
Lines changed: 29 additions & 0 deletions
@@ -1 +1,41 @@
-# ftp
+# Kubernetes Bootstrap
+
+### Features
+
+- Dynamic name for the product
+- Dynamic domain names for ingress and certificates
+- Automatic SSL Cert generation
+- NodePort LoadBalancer service for deployments
+- GCE Ingress tls setup
+- Frontend LB HTTP -> HTTPS redirect
+
+### TODO
+
+- Automatic dns record (set A record to new static IP)
+
+### Notes
+
+- You have to update your `ingress_hosts` A records in order to get traffic to your site. And to generate the SSL certificate.
+
+### Usage
+
+- set variables (`terraform.tfvars` for example)
+- terraform init
+- terraform apply
+
+### Variables
+
+```SHELL
+project_id                             = "project-id"
+project_region                         = "us-central1"
+credentials_file_path                  = "/path/to/sa/creds.json"
+sa_email                               = "terraform-admin@project-id.iam.gserviceaccount.com"
+cluster_issuer_private_key_secret_name = "cert-manager-private-key"
+ingress_hosts = {
+  ftp_svc = "some-svc.example.com"
+}
+cluster_issuer_email = "your.email@gmail.com"
+cloudflare_email     = "your.email@gmail.com"
+name_prefix_kebab    = "some-svc"
+cloudflare_api_key   = "XXX"
+```
@@ -0,0 +1,28 @@
+resource "google_project_service" "serviceusage_api" {
+  project = var.project_id
+  service = "serviceusage.googleapis.com"
+
+  disable_on_destroy = false
+}
+
+resource "google_project_service" "certificatemanager" {
+  project = var.project_id
+  service = "certificatemanager.googleapis.com"
+
+  disable_on_destroy = false
+
+  depends_on = [
+    google_project_service.serviceusage_api
+  ]
+}
+
+resource "google_project_service" "servicenetworking_api" {
+  project = var.project_id
+  service = "servicenetworking.googleapis.com"
+
+  disable_on_destroy = false
+
+  depends_on = [
+    google_project_service.serviceusage_api
+  ]
+}
@@ -0,0 +1,43 @@
+# Cluster
+resource "google_container_cluster" "primary" {
+  name           = "${var.name_prefix_kebab}-gke-cluster"
+  location       = var.project_region
+  node_locations = ["${var.project_region}-f"]
+
+  network = google_compute_network.example.id
+
+
+  remove_default_node_pool = true
+  initial_node_count       = 1
+  deletion_protection      = false
+
+  depends_on = [google_project_iam_binding.cluster_admin]
+}
+
+# Node Pool
+resource "google_container_node_pool" "primary_nodes" {
+  name           = "${var.name_prefix_kebab}-node-pool"
+  location       = google_container_cluster.primary.location
+  cluster        = google_container_cluster.primary.name
+  node_count     = 1
+  node_locations = ["${var.project_region}-f"]
+
+  node_config {
+    preemptible  = false
+    machine_type = "e2-standard-2"
+
+    tags = [var.firewall_allow_http, var.firewall_allow_https]
+
+    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+    service_account = var.sa_email
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/cloud-platform"
+    ]
+  }
+
+  lifecycle {
+    ignore_changes = [node_config]
+  }
+
+  depends_on = [google_project_iam_binding.cluster_admin]
+}
@@ -0,0 +1,209 @@
+# hello world deployment
+resource "kubernetes_deployment_v1" "example" {
+  metadata {
+    name = "${var.name_prefix_kebab}-deployment"
+  }
+
+  spec {
+    selector {
+      match_labels = {
+        app = "${var.name_prefix_kebab}-deployment"
+      }
+    }
+
+    template {
+      metadata {
+        labels = {
+          app = "${var.name_prefix_kebab}-deployment"
+        }
+      }
+
+      spec {
+        container {
+          image = "us-docker.pkg.dev/google-samples/containers/gke/hello-app:2.0"
+          name  = "${var.name_prefix_kebab}-container"
+
+          port {
+            container_port = 8080
+            name           = "${var.name_prefix_kebab}-port"
+          }
+
+          liveness_probe {
+            http_get {
+              path = "/"
+              port = "${var.name_prefix_kebab}-port"
+            }
+
+            initial_delay_seconds = 3
+            period_seconds        = 3
+          }
+        }
+      }
+    }
+  }
+
+  timeouts {
+    create = "3m"
+    update = "3m"
+  }
+
+  depends_on = [google_container_node_pool.primary_nodes]
+}
+
+
+# Service - NodePort to pod
+resource "kubernetes_service_v1" "example" {
+  metadata {
+    name = "${var.name_prefix_kebab}-loadbalancer"
+  }
+
+  spec {
+    selector = {
+      app = kubernetes_deployment_v1.example.spec[0].selector[0].match_labels.app
+    }
+
+    # load_balancer_ip = google_compute_address.ftp_svc.address
+
+    port {
+      port        = 8443
+      target_port = kubernetes_deployment_v1.example.spec[0].template[0].spec[0].container[0].port[0].name
+      protocol    = "TCP"
+    }
+
+    type = "NodePort"
+  }
+
+  timeouts {
+    create = "3m"
+  }
+
+  depends_on = [google_compute_global_address.ingress, module.cert_manager]
+}
+
+# GCE ingress with SSL
+# Configure your routes here
+resource "kubernetes_ingress_v1" "example" {
+  wait_for_load_balancer = true
+  metadata {
+    name = "${var.name_prefix_kebab}-ingress"
+
+
+    annotations = {
+      "kubernetes.io/ingress.class"                 = "gce"
+      "kubernetes.io/ingress.global-static-ip-name" = google_compute_global_address.ingress.name
+      "cert-manager.io/cluster-issuer"              = module.cert_manager.cluster_issuer_name
+      "networking.gke.io/v1beta1.FrontendConfig"    = kubectl_manifest.app_frontend_config.name
+    }
+  }
+
+  spec {
+    ingress_class_name = "gce"
+    tls {
+      # hosts       = [var.ingress_hosts.ftp_svc]
+      hosts       = values(var.ingress_hosts)
+      secret_name = var.cluster_issuer_private_key_secret_name
+    }
+
+    default_backend {
+      service {
+        name = kubernetes_service_v1.example.metadata.0.name
+        port {
+          number = kubernetes_service_v1.example.spec[0].port[0].port
+        }
+      }
+
+    }
+
+    rule {
+      host = var.ingress_hosts.ftp_svc
+      http {
+        path {
+          path = "/*"
+          backend {
+            service {
+              name = kubernetes_service_v1.example.metadata.0.name
+              port {
+                number = kubernetes_service_v1.example.spec[0].port[0].port
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+
+  depends_on = [kubernetes_service_v1.example, module.cert_manager]
+
+  timeouts {
+    create = "2m"
+  }
+}
+
+# namespcae for cert manager
+resource "kubernetes_namespace_v1" "cert_manager_namespace" {
+  metadata {
+    name = "cert-manager"
+  }
+
+  depends_on = [google_container_node_pool.primary_nodes]
+}
+
+# cert-manager dns01 secret
+resource "kubernetes_secret_v1" "cloudflare_api_token" {
+  metadata {
+    name      = "cloudflare-token"
+    namespace = "cert-manager"
+  }
+
+  data = {
+    api_key = var.cloudflare_api_key
+  }
+
+  depends_on = [kubernetes_namespace_v1.cert_manager_namespace]
+}
+
+# cert manager module
+# you may need to edit this for your particular needs http01 / dns01 / ...
+module "cert_manager" {
+  source = "terraform-iaac/cert-manager/kubernetes"
+
+  cluster_issuer_email                   = var.cluster_issuer_email
+  cluster_issuer_private_key_secret_name = var.cluster_issuer_private_key_secret_name
+  namespace_name                         = "cert-manager"
+  create_namespace                       = "false"
+
+  solvers = [
+    {
+      dns01 = {
+        cloudflare = {
+          email = var.cloudflare_email
+          apiKeySecretRef = {
+            name = "cloudflare-token"
+            key  = "api_key"
+          }
+        },
+      },
+      selector = {
+        dnsZones = [
+          var.ingress_hosts.ftp_svc
+        ]
+      }
+    },
+    {
+      http01 = {
+        ingress = {
+          class = "nginx"
+        }
+      }
+    }
+  ]
+
+  certificates = {
+    #  "${replace(var.ingress_hosts.ftp_svc, ".", "_")}" = {
+    "${var.ingress_hosts.ftp_svc}" = {
+      dns_names = [var.ingress_hosts.ftp_svc]
+    }
+  }
+
+  depends_on = [google_container_node_pool.primary_nodes, kubernetes_secret_v1.cloudflare_api_token]
+}
@@ -0,0 +1,29 @@
+# add roles to the terraform admin service account
+
+resource "google_project_iam_binding" "cluster_admin" {
+  project = var.project_id
+  role    = "roles/container.clusterAdmin"
+
+  members = [
+    "serviceAccount:terraform-admin@chmoder.iam.gserviceaccount.com",
+  ]
+}
+
+resource "google_project_iam_binding" "container-admin" {
+  project = var.project_id
+  role    = "roles/container.admin"
+
+  members = [
+    "serviceAccount:terraform-admin@chmoder.iam.gserviceaccount.com",
+  ]
+}
+
+# could also use k8 RBAC
+resource "google_project_iam_binding" "sa" {
+  project = var.project_id
+  role    = "roles/iam.serviceAccountUser"
+
+  members = [
+    "serviceAccount:terraform-admin@chmoder.iam.gserviceaccount.com",
+  ]
+}