
Improve deployment procedure #2

Open
pieterlange opened this issue Oct 10, 2016 · 8 comments

Comments

@pieterlange
Owner

pieterlange commented Oct 10, 2016

I'm currently not happy with the scripts used for deployment, but I'm not sure what to do about it yet.

pieterlange changed the title from "Write helm charts" to "Improve deployment procedure" on Oct 29, 2016
@cemo

cemo commented Feb 17, 2017

Helm charts please :) There is already a chart currently. I believe that your approach is superior. It would be better to change it.

@pieterlange
Owner Author

For the record, I'm probably going for helm charts, but I'd like to support multiple deployment strategies with regards to CA management; right now it's done outside of the cluster. That assumes a lot about proper CA management, but at least it enables people who know what they're doing to do it correctly :).

What chart did you find?

@cemo

cemo commented Feb 17, 2017

@zambien

zambien commented Jun 21, 2017

I'm using terraform for infrastructure as code and have recently created a personal VPN project using some of your code and some terraform code all deploying to GCP/GKE:

https://github.com/zambien/terraform-gcp-gke-openvpn

Please feel free to use any of this if you like. I'd welcome any feedback, issues, or PRs.

@pieterlange
Owner Author

That looks like a fair amount of work! I haven't (seriously) worked with terraform yet, but I'll make an honest effort to review what you've done here in the next week.

@zambien

zambien commented Jun 22, 2017

Cool, thanks. High level, it does the following:

  • Create a network in google cloud
  • Create a subnet in that network
  • Provision google API access for services
  • Create a GKE cluster with 1 n1-standard-1 node
  • A custom module to deploy/delete the image and service
  • A custom module for pki
  • Create a kubernetes secret for pki

Looking back at it, you are right... it was more work than I intended! :)

I've been using Terraform for a few months now and really like it. My team has been creating immutable stacks for various technologies mostly around AWS. We have templates for ECS, EC2 clusters, security groups, etc. Unfortunately I can't share most of that because it was done for the company I work for on an internal repo.

This was my first foray into GCP and Kubernetes so the end result is a little rough.. more of a learning/prototyping exercise than anything else. Since the motivation was to create a personal VPN with very low cloud cost (I failed) I'm going to try again with just a plain old GCE f1-micro instance and a docker machine deployment. That repo is a WIP and here:

https://github.com/zambien/terraform-gcp-gce-openvpn

@pieterlange
Owner Author

pieterlange commented Jun 22, 2017

Trying to get the ticket back on topic:
The hardest problem at the root of this ticket is still secret management (especially the CA root key).

I will need to define a clear strategy for dealing with this problem before I'll cut a 1.0 release. I'd like to implement a full-fledged kubernetes Operator function that will do automatic key rotation & management all server(cluster)-side, out of UX concerns and not being able to trust human operators to do regular key rotation, but at the same time leave the option of managing your own PKI. That last part shouldn't be too hard, as it is what we have now.

That first option leaves a huge amount of trust to the cluster and considering the deployment scenarios that trust is not always warranted and should be explicitly kept out of the cluster.
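Added example, not code from this issue or from the project it belongs to: the "manage your own PKI outside the cluster" option described in the two comments above, as a stdlib-only Python helper. It packages externally generated OpenVPN PKI material into a Kubernetes Secret manifest (JSON, which `kubectl apply -f` accepts) and refuses any bundle that would carry a CA private key, or any unexpected PEM block, into the cluster. The file names, the secret name and namespace, and the PEM contents are constructed assumptions for illustration, not real keys.

```python
"""Package off-cluster OpenVPN PKI material into a Kubernetes Secret.

Added example; not code from the issue or the project. The CA private key is
deliberately not part of the allowed material: it signs client certificates
and never needs to be inside the cluster.
"""
import base64
import json
import sys

# Allowed file names and the PEM block labels each is permitted to contain.
# (Assumed layout; adjust to the server configuration you actually use.)
ALLOWED = {
    "ca.crt": {"CERTIFICATE"},
    "server.crt": {"CERTIFICATE"},
    "server.key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "dh.pem": {"DH PARAMETERS"},
    "ta.key": {"OpenVPN Static key V1"},
}
REQUIRED = {"ca.crt", "server.crt", "server.key"}


def pem_block_types(text):
    """Return the label of every '-----BEGIN <label>-----' line in text."""
    labels = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            labels.append(line[len("-----BEGIN "):-len("-----")])
    return labels


def validate_pki_files(files):
    """Return a list of problems (empty when the bundle may enter the cluster)."""
    problems = []
    for name, text in files.items():
        if name not in ALLOWED:
            # Catches ca.key and anything else that was never meant to ship.
            problems.append(f"{name}: not part of the in-cluster material")
            continue
        labels = pem_block_types(text)
        if not labels:
            problems.append(f"{name}: no PEM block found")
            continue
        unexpected = [label for label in labels if label not in ALLOWED[name]]
        if unexpected:
            # e.g. a private key pasted into the ca.crt slot.
            problems.append(f"{name}: unexpected PEM block(s) {unexpected}")
    missing = sorted(REQUIRED - set(files))
    if missing:
        problems.append(f"missing required files: {missing}")
    return problems


def build_secret(name, namespace, files):
    """Return a Secret manifest (as a dict) or raise ValueError on a bad bundle."""
    problems = validate_pki_files(files)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in sorted(files.items())},
    }


def decode_secret(manifest):
    """Inverse of build_secret's data encoding, for round-trip checks."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}


# Constructed placeholder PEM bodies; only the BEGIN/END labels matter here.
SAMPLE_PKI = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
    "server.crt": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
    "server.key": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n",
}
CONSTRUCTED_CA_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    # Good bundle: emit the manifest for kubectl.
    print(json.dumps(build_secret("openvpn-pki", "vpn", SAMPLE_PKI), indent=2))
    # Bad bundle: the CA key slipped in alongside the server material.
    leaked = dict(SAMPLE_PKI, **{"ca.key": CONSTRUCTED_CA_KEY})
    for problem in validate_pki_files(leaked):
        print("refused:", problem, file=sys.stderr)
```

The validation deliberately collects every problem instead of stopping at the first, so a CI step that builds the secret from a PKI directory can report the whole list. It only inspects PEM labels; it does not prove the server key matches the certificate, so an `openssl verify` step against `ca.crt` before running this remains worthwhile.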

@zambien

zambien commented Jun 22, 2017

That sounds like a separate project possibly but I may not be understanding the scope of what needs to be solved.

I've written infrastructure as code similar to what I linked earlier for HashiCorp's Vault. I use that for my internal PKI among other things. Am I on the right track here or off base?


3 participants