From 012defac5839b76bceee33190ac3a9f04922b53a Mon Sep 17 00:00:00 2001
From: Siddharth Rawat
Date: Thu, 23 Nov 2023 09:32:19 -0500
Subject: [PATCH] fix: update startup script to install packages successfully

Added IAM role binding to add the role "container admin" to the service account created and attached the cluster node pool. Fixes issue #30
---
 modules/bastion/startup.sh | 71 +++++++++----------------------------
 modules/k8s/main.tf | 31 +++++++++++------
 root/variables.tf | 7 ++--
 3 files changed, 41 insertions(+), 68 deletions(-)

diff --git a/modules/bastion/startup.sh b/modules/bastion/startup.sh
index 2277829..b741919 100644
--- a/modules/bastion/startup.sh
+++ b/modules/bastion/startup.sh
@@ -1,56 +1,19 @@
 #!/bin/bash
-# Kubectl Setup: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-using-native-package-management
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-echo "| |"
-echo "| INSTALL KUBECTL |"
-echo "| |"
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-
-sudo apt-get update
-curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key |
- sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
-# This overwrites any existing configuration in /etc/apt/sources.list.d/kubernetes.list
-echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /' |
- sudo tee /etc/apt/sources.list.d/kubernetes.list
-sudo apt-get update && sudo apt-get install kubectl -y
-
-# Helm Setup: https://helm.sh/docs/intro/install/#from-apt-debianubuntu
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-echo "| |"
-echo "| INSTALL HELM |"
-echo "| |"
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-
-sudo apt-get update
-curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg >/dev/null
-sudo apt-get install apt-transport-https -y
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" |
- sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
-sudo apt-get update && sudo apt-get install helm -y
-
-# GCloud Setup: https://cloud.google.com/sdk/docs/install#deb
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-echo "| |"
-echo "| INSTALL GCLOUD PLUGINS |"
-echo "| |"
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-
-sudo apt-get update
-sudo apt-get install apt-transport-https ca-certificates gnupg curl sudo -y
-curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
-echo \
- "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" |
- sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
-sudo apt-get update
-sudo apt-get install google-cloud-cli -y
-sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin -y
-
-# Install tinyproxy for tunneling
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-echo "| |"
-echo "| INSTALL TINYPROXY |"
-echo "| |"
-echo "+-----------------------------------------------------------------------------------------------------------------------------------------+"
-
-sudo apt-get update && sudo apt-get install tinyproxy -y
+sudo apt-get update -y
+curl -LO https://dl.k8s.io/release/v1.28.3/bin/linux/amd64/kubectl
+echo "$(cat kubectl.sha256) kubectl" | sha256sum --check
+
+sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+chmod +x kubectl
+mkdir -p ~/.local/bin
+mv ./kubectl ~/.local/bin/kubectl
+kubectl version --client
+
+curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
+chmod 700 get_helm.sh
+./get_helm.sh
+helm version
+
+sudo apt-get update -y
+sudo apt-get install tinyproxy -y
diff --git a/modules/k8s/main.tf b/modules/k8s/main.tf
index 7c1a8bc..8d857ed 100644
--- a/modules/k8s/main.tf
+++ b/modules/k8s/main.tf
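Review bot: The checksum step on the new kubectl lines never gates the install: `kubectl.sha256` is never downloaded, so `cat kubectl.sha256` fails, `sha256sum --check` rejects the empty digest, and with no `set -e` the script goes on to `sudo install` the unverified binary anyway. Fetch the published digest next to the binary (`curl -fsSLO "https://dl.k8s.io/release/v1.28.3/bin/linux/amd64/kubectl.sha256"`) and start the script with `set -euo pipefail` so a mismatch aborts before anything is installed; `-f` also stops `curl -LO` from saving an HTTP error page under the name `kubectl`. The second copy to `~/.local/bin` after `sudo install` is redundant, and since a GCE startup script runs as root it presumably lands in `/root/.local/bin` where no other user sees it, so one install location is enough. The helm installer is fetched from the unpinned `main` branch and executed; pinning the script URL to a release tag and setting `DESIRED_VERSION` keeps the bastion build reproducible. The hunk also drops the `google-cloud-sdk-gke-gcloud-auth-plugin` install, so if the bastion relies on `gcloud container clusters get-credentials`, kubectl will need that plugin from somewhere else.
```shell
#!/bin/bash
set -euo pipefail

KUBECTL_VERSION="v1.28.3"
KUBECTL_URL="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64"

sudo apt-get update -y
# -f: fail on HTTP errors instead of saving the error page as "kubectl".
curl -fsSLO "${KUBECTL_URL}/kubectl"
curl -fsSLO "${KUBECTL_URL}/kubectl.sha256"
# set -e aborts here, before anything is installed, if the digest does not match.
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
rm -f kubectl kubectl.sha256
kubectl version --client

# … unchanged: helm installer and tinyproxy install …
```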
@@ -1,11 +1,20 @@
 # Service account
-resource "google_service_account" "kubernetes" {
- account_id = var.account_id_kubernetes
+resource "google_service_account" "gke_sa" {
+ account_id = var.account_id_kubernetes
+ display_name = "GKE Admin Service Account"
+}
+
+resource "google_project_iam_binding" "gke_sa_admin" {
+ project = var.project_id
+ role = "roles/container.admin"
+ members = [
+ "serviceAccount:${google_service_account.gke_sa.email}"
+ ]
 }
 # GKE cluster
-resource "google_container_cluster" "my_gke" {
- name = "primary"
+resource "google_container_cluster" "pwncorp_cluster" {
+ name = "pwncorp-cluster"
 location = var.region
 deletion_protection = false
 # We can't create a cluster with no node pool defined, but we want to only use
@@ -61,15 +70,15 @@ resource "google_container_cluster" "my_gke" {
 # Node pool for Cluster
 resource "google_container_node_pool" "gke_linux_node_pool" {
- name = "${google_container_cluster.my_gke.name}--linux-node-pool"
- location = google_container_cluster.my_gke.location
+ name = "${google_container_cluster.pwncorp_cluster.name}--linux-node-pool"
+ location = google_container_cluster.pwncorp_cluster.location
 node_locations = var.node_zones
- cluster = google_container_cluster.my_gke.name
+ cluster = google_container_cluster.pwncorp_cluster.name
 node_count = 1
 autoscaling {
- max_node_count = 2
- min_node_count = 1
+ max_node_count = 2 # change to 6
+ min_node_count = 1 # change to 3
 }
 management {
@@ -84,10 +93,10 @@ resource "google_container_node_pool" "gke_linux_node_pool" {
 labels = {
 role = "general"
- cluster = google_container_cluster.my_gke.name
+ cluster = google_container_cluster.pwncorp_cluster.name
 }
- service_account = google_service_account.kubernetes.email
+ service_account = google_service_account.gke_sa.email
 oauth_scopes = [
 "https://www.googleapis.com/auth/devstorage.read_only",
 "https://www.googleapis.com/auth/logging.write",
diff --git a/root/variables.tf b/root/variables.tf
index a96fe50..9b6d9fc 100644
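Review bot: The new `google_project_iam_binding` grants `roles/container.admin` on the whole project to `gke_sa`, and the third hunk (`service_account = google_service_account.gke_sa.email`) attaches that same account to the node pool, so any workload that can reach the node metadata server runs as a cluster-admin identity. The node pool should run as a least-privilege account (for example `roles/container.nodeServiceAccount`), with the admin role bound to a separate identity used by the bastion rather than by the nodes. `google_project_iam_binding` is also authoritative for the role: applying it removes every other member that holds `roles/container.admin` in the project, whereas `google_project_iam_member` with `member = "serviceAccount:${google_service_account.gke_sa.email}"` adds the grant without evicting others. Whether a node-issued token can actually exercise the admin role depends on the rest of the `oauth_scopes` list, which continues outside the hunk; the visible scopes are narrower than `cloud-platform`, so confirm before relying on that as the only barrier.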
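Review bot: The `# change to 6` and `# change to 3` comments on the autoscaling lines of the second hunk read as unfinished work committed into the module; a reader cannot tell whether 2/1 or 6/3 is the intended configuration. Making the limits module inputs, `max_node_count = var.max_node_count` and `min_node_count = var.min_node_count` with defaults of 2 and 1, lets the larger sizing be selected per environment without editing the resource. The `google_container_node_pool` block continues past the hunk.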
--- a/root/variables.tf
+++ b/root/variables.tf
@@ -7,7 +7,7 @@ variable "region" {
 variable "dev_folder_id" {
 default = "135331753386"
 type = string
- description = "Dev folder ID in organization"
+ description = "Dev/Prod folder ID in organization. Default is dev folder ID"
 }
 variable "folder_name" {
@@ -66,7 +66,8 @@ variable "vm_name" {
 variable "machine_type" {
 type = string
- description = "VM name"
+ description = "The compute instance machine type. Default machine has 8 vCPU and 32GiB vRAM"
+ default = "e2-standard-8"
 }
 variable "zone" {
@@ -89,7 +90,7 @@ variable "nat_ip_allocate_strategy" {
 }
 variable "account_id_kubernetes" {
 type = string
- description = "account id for workload identity"
+ description = "service account id for workload identity with access to GKE cluster node pools"
 }
 variable "initial_node_count" {
 type = number
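Review bot: The new `machine_type` description says the default has "32GiB vRAM", but `e2-standard-8` is a general-purpose shape with 32 GB of system memory and no GPU, and "vRAM" conventionally means video memory, so the text will mislead anyone picking a type. Suggest `description = "Compute instance machine type. The default e2-standard-8 has 8 vCPU and 32 GB memory"`. In the first hunk the `dev_folder_id` description now says the variable may hold the prod folder while the name and the hard-coded default still say dev; a neutral name such as `folder_id` would match the new meaning, though renaming touches callers outside this diff.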