
Setting up the baseline – Implementing Traffic Management, Security, and Observability with Istio
To ensure continuity with the previous chapters, let’s start by creating a service account for Terraform so that we can interact with our GCP project:
$ gcloud iam service-accounts create terraform \
  --description="Service Account for terraform" --display-name="Terraform"
$ gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:terraform@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/editor"
$ gcloud iam service-accounts keys create key-file \
  --iam-account=terraform@$PROJECT_ID.iam.gserviceaccount.com
You will see that a file called key-file has been created within your working directory. Now, create a new repository called mdo-environments with a README.md file on GitHub, rename the main branch to prod, and create a new branch called dev using GitHub. Navigate to https://github.com/<your_github_user>/mdo-environments/settings/secrets/actions/new and create a secret named GCP_CREDENTIALS. For the value, print the key-file file, copy its contents, and paste it into the value field of the GitHub secret.
Next, create another secret, PROJECT_ID, and specify your GCP project ID within the values field.
Next, we need to create a GCS bucket for Terraform to use as a remote backend. To do this, run the following command:
$ gsutil mb gs://tf-state-mdo-terraform-${PROJECT_ID}
The next thing we need to do is set up Secret Manager. Let's create a secret called external-secrets, where we will pass the MongoDB credentials in JSON format. The payload is kept on a single line because a backslash-newline inside the single-quoted string would otherwise end up in the JSON and make it invalid. To do so, run the following command:
$ echo -ne '{"MONGO_INITDB_ROOT_USERNAME": "root", "MONGO_INITDB_ROOT_PASSWORD": "itsasecret"}' | \
  gcloud secrets create external-secrets --locations=us-central1 \
  --replication-policy=user-managed --data-file=-
Created version [1] of the secret [external-secrets].
We need to create the Secret resource, which will interact with GCP to fetch the stored secret. First, we need to create a GCP service account to interact with Secret Manager using the following commands:
$ cd ~
$ gcloud iam service-accounts create external-secrets
As we're following the principle of least privilege, we will add a role binding on the secret itself rather than on the project, so that the service account can read only the external-secrets secret:
$ gcloud secrets add-iam-policy-binding external-secrets \
  --member "serviceAccount:external-secrets@$PROJECT_ID.iam.gserviceaccount.com" \
  --role "roles/secretmanager.secretAccessor"
Now, let’s generate the service account key file using the following command:
$ gcloud iam service-accounts keys create key.json \
  --iam-account=external-secrets@$PROJECT_ID.iam.gserviceaccount.com
Next, copy the contents of the key.json file into a new GitHub Actions secret called GCP_SM_CREDENTIALS.
We also need to create the following GitHub Actions secrets for binary authorization to work:
ATTESTOR_NAME=quality-assurance-attestor
KMS_KEY_LOCATION=us-central1
KMS_KEYRING_NAME=qa-attestor-keyring
KMS_KEY_NAME=quality-assurance-attestor-key
KMS_KEY_VERSION=1
As the workflow automatically raises pull requests at the end, we need to define a GitHub token. This token allows the workflow to act on behalf of the current user when creating the pull request. Here are the steps:
- Go to https://github.com/settings/personal-access-tokens/new.
- Create a new token with “Repository” access for the mdo-environments repository, granting it read-write pull request permissions. This approach aligns with the principle of least privilege, offering more granular control.
- Once the token is created, copy it.
- Now, create a GitHub Actions secret named GH_TOKEN and paste the copied token as the value.
Now that all the prerequisites have been met, we can clone our repository and copy the baseline code.
Run the following commands to do this:
$ cd ~ && git clone git@github.com:<your_github_user>/mdo-environments.git
$ cd mdo-environments/
$ git checkout dev
$ cp -r ~/modern-devops/ch15/baseline/* .
$ cp -r ~/modern-devops/ch15/baseline/.github .
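Two service account key files (key-file and key.json) now sit in home and working directories next to a repository that the workflow will push to. The following script is an added example, not code from the book or the mdo-environments repository: it checks that a downloaded key really is a service account key for the account you expect before you paste it into a GitHub Actions secret, and adds the file name to the clone's .gitignore so the key cannot be committed by accident. It uses only grep, sed and head (jq is often absent on runners); the sample key.json it creates contains placeholder values and is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the book): validate a service account key file and
# make sure its local copy is ignored by git in the mdo-environments clone.

# Read one string field out of a flat JSON key file with grep/sed only.
json_field() {
  # $1 = path to JSON file, $2 = field name
  grep -o "\"$2\" *: *\"[^\"]*\"" "$1" | head -n 1 | sed 's/^.*: *"\(.*\)"$/\1/'
}

# Exit status 0 only if FILE is a service_account key for EXPECTED_EMAIL.
check_sa_key() {
  file="$1"; expected_email="$2"
  if [ ! -f "$file" ]; then
    echo "check_sa_key: no such file: $file" >&2; return 1
  fi
  if [ "$(json_field "$file" type)" != "service_account" ]; then
    echo "check_sa_key: $file is not a service account key" >&2; return 1
  fi
  if [ "$(json_field "$file" client_email)" != "$expected_email" ]; then
    echo "check_sa_key: key is for $(json_field "$file" client_email), expected $expected_email" >&2
    return 1
  fi
  return 0
}

# Append NAME to REPO/.gitignore unless an identical line is already there.
ensure_ignored() {
  repo="$1"; name="$2"
  if ! grep -qxF "$name" "$repo/.gitignore" 2>/dev/null; then
    echo "$name" >> "$repo/.gitignore"
  fi
}

# Demo on a constructed key file: placeholder project and private key, not real.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/key.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "placeholder",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "external-secrets@example-project.iam.gserviceaccount.com"
}
EOF
if check_sa_key "$demo_dir/key.json" "external-secrets@example-project.iam.gserviceaccount.com"; then
  echo "key.json belongs to the expected account; safe to copy into GCP_SM_CREDENTIALS"
fi
ensure_ignored "$demo_dir" key.json
ensure_ignored "$demo_dir" key-file
cat "$demo_dir/.gitignore"
```

In the real setup you would call check_sa_key ~/key.json external-secrets@$PROJECT_ID.iam.gserviceaccount.com (and the same for key-file with the terraform account) and then ensure_ignored ~/mdo-environments key.json before the first commit on the dev branch. The check catches the common slip of pasting an OAuth user credential or the wrong account's key into a secret, which would otherwise only surface as a confusing permission error in the workflow.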
As we’re now on the baseline, let’s proceed further and understand the sample Blog App that we will deploy and manage in this chapter.