checkpoint-kai-1700574655

coilysiren · coilysiren · commit 59fae72d064e · 2023-11-21T08:50:55.000-05:00
diff --git a/README.md b/README.md
@@ -86,9 +86,44 @@ $ make upgrade
 
 ## Deployment
 
-This deployment command assumes you are locally authenticated to both gcloud and kubectl. Directions on how to do so are out of scope for this documentation. Please consult your team's local deployment tooling and instructions!
+This deployment command assumes you are locally authenticated to gcloud and kubectl, and have performed all of the above installations.
+
+### 1. Create a new project
+
+Create a new project via https://console.cloud.google.com/, then set its name in `config.yml`
+
+```yaml
+# config.yml
+project: dotted-hope-405813
+```
+
+### 2. Create a terraform state bucket
+
+Create a terraform state bucket via https://console.cloud.google.com/, then set its name in `config.yml`
+
+```yaml
+# config.yml
+bucket: coilysiren-k8s-gpc-tfstate-3
+```
+
+Then import it into terraform.
+
+```bash
+# $SHELL
+cd infrastructure/foundation/
+terraform import google_storage_bucket.default coilysiren-k8s-gpc-tfstate-3
+```
+
+Note that, when you deploy in the next step, you might have to modify the state bucket's region. The goal is to avoid replacing the state bucket.
+
+### 3. Deploy
+
+Run the deploy script
 
 ```bash
+# $SHELL
 source ./venv/bin/activate
 invoke deploy # see tasks.py for source code
 ```
+
+Note that, during the deploy process, you will likely need to enable several google APIs. Do so when prompted, then run the deploy again.
diff --git a/config.yml b/config.yml
@@ -1,10 +1,12 @@
 # Personal configuration
 name: gke-test-2
 domain: gke-test-2.coilysiren.me
+zone: coilysiren.me
 email: coilysiren@gmail.com
 
 # Google Cloud Platform configuration
-project: root-territory-384205
+project: dotted-hope-405813
+statebucket: coilysiren-k8s-gpc-tfstate-3
 region: us-central1
 
 # https://github.com/cert-manager/cert-manager/releases
diff --git a/infrastructure/application/main.tf b/infrastructure/application/main.tf
@@ -1,5 +1,6 @@
 locals {
-  name = yamldecode(file("../../config.yml")).name
+  zone   = yamldecode(file("../../config.yml")).zone
+  domain = yamldecode(file("../../config.yml")).domain
 }
 
 # https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config
@@ -11,17 +12,46 @@ data "kubernetes_service" "service" {
   }
 }
 
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/certificate_manager_dns_authorization
+resource "google_certificate_manager_dns_authorization" "default" {
+  name   = "dns-auth"
+  domain = local.domain
+}
+
 # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone
 data "aws_route53_zone" "zone" {
-  name         = "coilysiren.me."
+  name         = "${local.zone}."
   private_zone = false
 }
 
 # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record
 resource "aws_route53_record" "record" {
   zone_id = data.aws_route53_zone.zone.zone_id
-  name    = "${local.name}.coilysiren.me."
+  name    = "${local.domain}."
   type    = "A"
   ttl     = "300"
   records = [data.kubernetes_service.service.status.0.load_balancer.0.ingress.0.ip]
 }
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record
+resource "aws_route53_record" "cert" {
+  zone_id = data.aws_route53_zone.zone.zone_id
+  name    = google_certificate_manager_dns_authorization.default.dns_resource_record.0.name
+  type    = google_certificate_manager_dns_authorization.default.dns_resource_record.0.type
+  ttl     = "300"
+  records = [google_certificate_manager_dns_authorization.default.dns_resource_record.0.data]
+}
+
+# https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/certificate_manager_certificate
+resource "google_certificate_manager_certificate" "default" {
+  name  = "dns-cert"
+  scope = "ALL_REGIONS"
+  managed {
+    domains = [
+      google_certificate_manager_dns_authorization.default.domain,
+    ]
+    dns_authorizations = [
+      google_certificate_manager_dns_authorization.default.id,
+    ]
+  }
+}
diff --git a/infrastructure/application/state.tf b/infrastructure/application/state.tf
@@ -1,3 +1,7 @@
+locals {
+  statebucket = yamldecode(file("../../config.yml")).statebucket
+}
+
 terraform {
   backend "gcs" {
     bucket = "coilysiren-k8s-gpc-tfstate-0"
diff --git a/infrastructure/foundation/state.tf b/infrastructure/foundation/state.tf
@@ -1,6 +1,10 @@
+locals {
+  statebucket = yamldecode(file("../../config.yml")).statebucket
+}
+
 terraform {
   backend "gcs" {
-    bucket = "coilysiren-k8s-gpc-tfstate-0"
+    bucket = local.statebucket
     prefix = "terraform/state"
   }
 }
@@ -20,7 +24,7 @@ data "google_project" "default" {}
 #
 # https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket
 resource "google_storage_bucket" "default" {
-  name          = "coilysiren-k8s-gpc-tfstate-0"
+  name          = statebucket
   location      = "US"
   force_destroy = true
   project       = data.google_project.default.project_id
diff --git a/infrastructure/kubconfig.yml b/infrastructure/kubconfig.yml
@@ -4,9 +4,9 @@ items:
     kind: Ingress
     metadata:
       annotations:
-        cert-manager.io/issuer: letsencrypt-staging
-        kubernetes.io/ingress.allow-http: 'true'
+        kubernetes.io/ingress.allow-http: "true"
         kubernetes.io/ingress.class: gce
+        networking.gke.io/managed-certificates: dns-cert
       name: application
     spec:
       defaultBackend:
@@ -18,21 +18,6 @@ items:
       tls:
         - hosts:
             - gke-test-2.coilysiren.me
-          secretName: tls-secret
-  - apiVersion: cert-manager.io/v1
-    kind: Issuer
-    metadata:
-      name: letsencrypt-staging
-    spec:
-      acme:
-        email: coilysiren@gmail.com
-        privateKeySecretRef:
-          name: letsencrypt-staging
-        server: https://acme-staging-v02.api.letsencrypt.org/directory
-        solvers:
-          - http01:
-              ingress:
-                name: application
   - apiVersion: v1
     kind: Service
     metadata:
@@ -70,10 +55,10 @@ items:
             app: application
         spec:
           containers:
-            - image: us-central1-docker.pkg.dev/root-territory-384205/repository/gke-test-2:certs-8ac23d2-kai
+            - image: us-central1-docker.pkg.dev/root-territory-384205/repository/gke-test-2:certs-6bbf26e-kai
               name: application
               ports:
                 - containerPort: 8080
 kind: List
 metadata:
-  resourceVersion: ''
+  resourceVersion: ""
diff --git a/infrastructure/tls-secret.yml b/infrastructure/tls-secret.yml
diff --git a/tasks.py b/tasks.py
@@ -71,14 +71,6 @@ def domain(self) -> str:
         """get the domain"""
         return self.config["domain"]
 
-    @property
-    def cert_manager(self) -> str:
-        """Format a full URL to a remote cert-manager.yaml file"""
-        return (
-            f"https://github.com/cert-manager/cert-manager/releases/download/"
-            f'{self.config["cert-manager-version"]}/cert-manager.yaml'
-        )
-
     @property
     def project(self) -> str:
         """get the project id"""
@@ -197,7 +189,6 @@ def deploy(ctx: [invoke.Context, Context]):
     kubeconfig = ctx.update_domain(kubeconfig, ctx.domain)
     ctx.write_kubeconfig("infrastructure/kubconfig.yml", kubeconfig)
     ctx.run("kubectl apply -f infrastructure/kubconfig.yml")
-    ctx.run(f"kubectl apply -f {ctx.cert_manager}")
 
     # deploy application infrastructure
     ctx.run("cd infrastructure/application && terraform init")
