This example shows what inputs to the individual modules could look like when bringing up a production-ready infrastructure.
It is not intended to be used as is, but it does document the sequence in which an initial rollout (and teardown) should take place.

Every change to one of the [modules](../../modules) in this repository is tested in our CI pipeline via the code in this example.
On a successful run the examples are updated to point to the latest known good version of the modules.
This means that when cloning the repository the example should work as is, without modification.

To execute this example end-to-end you must first clone the repository and cd into this folder:

```
$ git clone https://github.com/GaloyMoney/galoy-infra.git
$ cd galoy-infra/examples/gcp
```
The `bootstrap` phase is intended to be executed against a blank GCP project.
It will create the `inception` service account and the GCS bucket that stores the terraform state files for the other phases.
Some variables must be set first:

```
$ cat <<EOF > bootstrap/terraform.tfvars
name_prefix = "<short-name-prefix>"
gcp_project = "<your-gcp-project>"
EOF
$ cat <<EOF > inception/users.auto.tfvars
users = [
  {
    id        = "user:<your-user-email>"
    inception = true
    platform  = true
    logs      = true
  }
]
EOF
$ make bootstrap
```
Executing `make bootstrap` will run `terraform apply` in the `bootstrap` folder and also import the relevant resources into the `inception` phase, which will subsequently own the lifecycle of those resources.

Once bootstrap has been executed the `inception` phase can provision the VPC network, bastion, roles and service accounts needed to install the complete galoy stack.
Execute it via:

```
$ make inception
```

Once complete you should see outputs that include the `bastion_ip`:

```
bastion_ip = "<ip-address>"
```
The `platform` phase in this example will bring up the actual kubernetes platform. Once `inception` is complete you can execute:

```
bin/prep-platform.sh
make platform
```

The result should be (among other things) a k8s cluster running in your gcp project.
Since the next phase must be executed from the bastion, let's first make sure you are able to ssh there. Access to the bastion is enabled via OS Login with 2-factor authentication activated. That means in order to ssh to the bastion you must first upload your public key via the gcloud cli:

```
gcloud compute os-login ssh-keys add --key-file=~/.ssh/id_rsa.pub
```

and activate a 2FA method in your google account.

Your bastion username is your email address with underscores (`_`) instead of `.` and `@`:

```
export BASTION_USER="$(echo <your-email> | sed 's/[.@]/_/g')"
```

See if you can ssh via:

```
$ ssh ${BASTION_USER}@${bastion_ip}
<select 2fa method>
$ <bastion-user>@<bastion-name>
```
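As an added helper (not part of the galoy-infra repository), the following POSIX shell functions cover three of the manual steps above: rendering `inception/users.auto.tfvars` from a list of users and their phase flags, checking that no `<placeholder>` values are left in a tfvars file before `make bootstrap`, and deriving the OS Login username with the `.`/`@` rule quoted above. Writing `false` for flags a user was not given assumes the module's user object accepts explicit booleans for `inception`, `platform` and `logs`.

```shell
#!/usr/bin/env sh
# Added preflight helpers for the galoy-infra gcp example; not project code.

# OS Login username rule from the README: '.' and '@' become '_'.
oslogin_username() {
    printf '%s' "$1" | sed 's/[.@]/_/g'
}

# Return success if the tfvars file still contains an unreplaced "<placeholder>",
# so the caller can refuse to run `make bootstrap` with template values.
tfvars_has_placeholders() {
    grep -q '<[^>]*>' "$1"
}

# Render inception/users.auto.tfvars from entries of the form
# "email:flag,flag" where flags are any of inception, platform, logs.
# Flags not listed are written as false (assumes the module accepts
# explicit booleans for these attributes).
render_users_tfvars() {
    printf 'users = [\n'
    for entry in "$@"; do
        email=${entry%%:*}
        flags=${entry#*:}
        printf '  {\n    id        = "user:%s"\n' "$email"
        for f in inception platform logs; do
            case ",$flags," in
                *",$f,"*) printf '    %-9s = true\n' "$f" ;;
                *)        printf '    %-9s = false\n' "$f" ;;
            esac
        done
        printf '  }\n'
    done
    printf ']\n'
}

# Usage: render_users_tfvars "alice@example.com:inception,platform,logs" \
#            "bob@example.com:logs" > inception/users.auto.tfvars
```

Run `tfvars_has_placeholders bootstrap/terraform.tfvars && echo "fill in terraform.tfvars first"` before `make bootstrap`; the same check applies to the rendered users file.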
The `services` phase will bring up a few global dependencies that are prerequisites for the galoy helm charts to function.
To bring them up you must first sync the local code to the bastion via:

```
bin/prep-services.sh
```

Once the code has been uploaded you should ssh onto the bastion and login to gcloud from there:

```
$ ssh ${BASTION_USER}@${bastion_ip}
$ gcloud auth login
(...)
$ kauth
$ gcloud auth application-default login
```

Once you have completed the authentication you should be able to talk to k8s and execute the rollout of the services phase:

```
$ k get ns
$ cd repo/examples/gcp
$ make initial-services
$ make services
```