• Terraform to create all

Ensure you're the correct cluster using:

kubectl config current-context

To change the cluster you're pointing to:

kubectl config get-contexts

Set one of the clusters, such as gke_gcp-project_europe-west2-c_cluster-name:

kubectl config use-context gke_gcp-project_europe-west2-c_cluster-name

Helm is used to install tooling such as cert-manager.

kubectl create -f kubernetes/manifests/auth/tiller-rbac-config.yaml

helm init --service-account tiller

There is currently no environment-specific config, although they would live at: kubernetes/manifests/environment/(production|stage)/configmap-environment.yaml

There is currently no all-environment-specific secrets, although they would live at: kubernetes/manifests/environment/all/secrets-environment.yaml

There are currently no environment-specific secrets, although they would live at: kubernetes/manifests/environment/(production|stage)/secrets-environment.yaml

There are currently no environment-specific secrets, although they would live at: kubernetes/manifests/environment/all/secrets-environment.yaml

Config specific to the component, for example wiring such as other services like API_HOST: "foo:50051".

NOTE: services should not use environment naming such as foo-stage but naming such as foo. This is because an environment is defined by the cluster the manifest are applied to rather than the service names.

The following commands should be run for all component_names in components:

kubectl apply -f kubernetes/manifests/components/(component_name)/configmap-(component_name).yaml

Create Kubernetes deployment which maps the container image to container ports, configmaps, and health-checks etc.

kubectl apply -f kubernetes/manifests/components/(component_name)/deployment-(component_name).yaml

Create Horizontal Pod Autoscaler which encapsulates the autoscaling rules for this service.

kubectl apply -f kubernetes/manifests/components/(component_name)/hpa-(component_name).yaml

Create Kubernetes service which exposes the component pod to traffic. Services should not have external access directly but instead run through an ingress controller.

kubectl apply -f kubernetes/manifests/components/(component_name)/service-(component_name).yaml

The ingress controller is the entry point into the Kubernetes cluster over port 80 (HTTP) and 443 (HTTPS), the latter using the certificate created by the cert-manager which is installed later. To use the certificate you need the annotation:

certmanager.k8s.io/cluster-issuer: letsencrypt-issuer

ACTION: Initially (for a brand new cluster) you will need to create the ingress controller without the references to the certificates. This is because you need to create the ingress controller, to get the IP address, to create the DNS A-record (see later), to get the certificate.

So comment out the lines such as:

# annotations:
#  certmanager.k8s.io/cluster-issuer: letsencrypt-issuer

...and:

# tls:
# - secretName: andr-tls

...then run:

kubectl apply -f kubernetes/manifests/ingress/ingress.yaml

Obtain the external IP address of the ingress (this will some time):

kubectl get ing andr-ingress

When the external IP is available, visit GCP Cloud DNS and update andr.io. A record with the new IP (NB: you should probably only do this when you are sure that you want to receive traffic on this cluster).

Visiting andr.io will, for some time, either point to the previous address or return a Google 404. It will take some time to update the load-balancers and is normal.

NOTE: The cert-manager won't be able to create the certificate until you're actually accepting traffic to the cluster so if you're migrating from an old cluster you may need to create the andr-tls secret manually or accept an amount of outage as you update DNS records and receive a new certificate on your new cluster.

cert-manager is used to manage certificates.

helm install --name cert-manager --namespace kube-system stable/cert-manager

kubectl apply -f kubernetes/manifests/ingress/acme-issuer.yaml

kubectl apply -f kubernetes/manifests/ingress/certificate.yaml

ACTION: At this point you should set the ingress controller back to using TLS so uncomment the lines in kubernetes/manifests/ingress/ingress.yaml and re-run the apply command.