vendor-gcs.md

File metadata and controls

124 lines (94 loc) · 4.04 KB

Google Cloud compatibility

Silta is fully GKE compatible, since GKE is the platform it is primarily used on.

Cluster requirements

Requirements are listed on the silta-cluster chart page; they are common to all silta-cluster installations.

Deployment specifics

No extra configuration is required for basic deployments. The only change would be cluster.type, but that is normally overridden in the CI pipeline.

Drupal, frontend and simple charts:

cluster:
  type: gke

Google Cloud features

VPC native cluster

GKE clusters are VPC-native by default now, but for compatibility reasons Silta deployments are set to route-based mode by default. This is normally overridden in CI according to the cluster.

cluster:
  type: gke
  vpcNative: true

GKE Ingress for HTTP(S) Load Balancing

Projects can define exposeDomains hosts and use the GKE ingress class:

exposeDomains:
  example-gce-ingress:
    hostname: example.com
    # See the ingress.gce definition below. This can also be a custom ingress.
    ingress: gce

ingress:
  gce:
    # Request a global static IP from the cluster administrator first
    staticIpAddressName: custom-ip-name

nginx:
  # Reverse proxy IPs to trust with the contents of the X-Forwarded-For header
  realipfrom:
    # Load balancer IP (the static IP you were given)
    gce-lb-ip: 1.2.3.4/32
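As an added illustration (not part of the Silta documentation or chart) of why nginx.realipfrom should list only the load balancer IP: the function below models how nginx's realip module derives the client address from X-Forwarded-For, assuming the chart maps realipfrom to set_real_ip_from with real_ip_recursive on. All addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample: only the static GCE load balancer IP from the
# nginx.realipfrom example above is trusted.
TRUSTED = ["1.2.3.4/32"]


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def resolve_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                      trusted_cidrs: Iterable[str]) -> str:
    """Derive the client IP the way nginx's realip module does with
    real_ip_recursive on: the header is only honoured when the TCP peer is a
    trusted proxy; the chain is then walked right to left and the first
    address outside the trusted ranges is taken as the client."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    peer = _parse_ip(remote_addr)
    if peer is None or not any(peer in net for net in trusted):
        return remote_addr  # peer is not a trusted proxy: ignore the header
    client = remote_addr
    hops = [h for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed hop: stop and keep the last good address
        client = str(ip)
        if not any(ip in net for net in trusted):
            break  # first untrusted address is the real client
    return client


def demo() -> dict:
    lb = "1.2.3.4"  # the load balancer forwards requests to nginx
    chain = "10.0.0.1, 203.0.113.9"  # client forged 10.0.0.1, LB appended real IP
    return {
        "via_lb": resolve_client_ip(lb, "203.0.113.9", TRUSTED),
        "forged_header": resolve_client_ip(lb, chain, TRUSTED),
        "direct_to_node": resolve_client_ip("198.51.100.7", chain, TRUSTED),
        # over-broad trust lets the client pick its own logged address
        "overbroad_trust": resolve_client_ip(lb, chain, ["0.0.0.0/0"]),
    }
```

With the narrow trust list the forged hop is discarded; with 0.0.0.0/0 the client-supplied address wins, which is what breaks IP-based logging, rate limiting and access rules.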

Cloud Armor

Cloud Armor can only be used with GKE Ingress. Once enabled, you can define a security policy (Cloud Armor policy) for your service's backendConfig.

Silta uses the "silta-ingress" security policy name by default; it can be adjusted:

backendConfig:
  securityPolicy:
    name: "silta-ingress"

Filestore

Filestore adds an alternate storage class backed by a shared Filestore volume.
Public and private files can be stored on Google Filestore via an NFS mount, providing higher I/O performance than the default storage. This option is useful for projects that serve a lot of files.
The Filestore instance must have an exported share named /main_share.

Example configuration for new deployments:

mounts:
  public-files:
    enabled: true
    storage: 1G
    mountPath: /app/web/sites/default/files
    storageClassName: nfs-shared
  private-files:
    enabled: true
    storage: 1G
    mountPath: /app/private
    storageClassName: nfs-shared

Add a USER directive to silta/php.Dockerfile right after the COPY line so that files are created with the correct permissions and can be modified via the shell (e.g. drush cr).

USER www-data

Dockerfile example of a project:

FROM wunderio/silta-php-fpm:8.2-fpm-v1
COPY --chown=www-data:www-data . /app
USER www-data

A full example of using the provisioned storage class in new and existing projects can be found here.

ingress-nginx load balancer on GKE private cluster

When using a GKE private cluster, ingress-nginx requires an additional firewall rule that allows the control plane to connect to the nodes on port 8443. The example and solution are borrowed from kubernetes/ingress-nginx#5401.

# Control plane range (normally 172.16.0.0/28), obtainable with:
# gcloud container clusters describe [CLUSTER_NAME] --region europe-north1 --format json | jq -r '.privateClusterConfig.masterIpv4CidrBlock'
CONTROL_PLANE_RANGE=172.16.0.0/28

# Get cluster tag
NETWORK_TAGS=$(gcloud compute instances describe \
    $(kubectl get nodes -o jsonpath='{.items[0].metadata.name}') \
    --format="value(tags.items[0])")

# Print firewall rule command
echo gcloud compute firewall-rules create silta-nginx-lb-ingress \
    --action ALLOW \
    --direction INGRESS \
    --source-ranges ${CONTROL_PLANE_RANGE} \
    --rules tcp:8443 \
    --target-tags ${NETWORK_TAGS}

Review and execute the command printed above.