BindPlane OP Management console on GKE

This Terraform module simplifies the deployment of the BindPlane OP Management Console within a Google Kubernetes Engine (GKE) environment. It's specifically engineered for organizations seeking a scalable and highly available solution, capitalizing on the strengths of containerization and managed platform services like Cloud SQL for PostgreSQL.

This module streamlines the deployment of BindPlane OP. By leveraging GKE, Pub/Sub and Cloud SQL, it provides:

  • Simplified Deployment: Deploy a production-ready BindPlane OP environment with minimal manual configuration.
  • Enhanced Scalability: Easily adapt to increasing demands and data volumes as your needs evolve.
  • Increased Resilience: Benefit from the high availability and fault tolerance offered by GKE and Cloud SQL.
  • Operational Efficiency: Reduce operational overhead by utilizing managed Kubernetes and database services.

This module encapsulates best practices for deploying BindPlane OP in a cloud-native environment, ensuring a robust and reliable foundation for your observability platform.

High level architecture

The following diagram illustrates the high-level design of created resources, which can be adapted to specific requirements via variables:

[Diagram: BindPlane OP Management console on GKE]

The BindPlane OP Management console is exposed via an Internal HTTPS Load Balancer; this module assumes a private connection to the GCP environment is in place so that the console can be reached over private IPs. If no private connection is available, it is straightforward to set up a proxy VM that forwards connections to the BindPlane console. Of course, such a deployment can only serve agents running on the same GCP infrastructure.

Deployment

Step 0: Cloning the repository

If you want to deploy from your Cloud Shell, click on the image below, sign in if required and when the prompt appears, click on “confirm”.

[Button: Open Cloudshell]

Otherwise, in your console of choice:

git clone https://github.com/GoogleCloudPlatform/cloud-foundation-fabric.git

Before you deploy the architecture, you will need at least the following information/configurations in place (for more precise configuration see the Variables section):

  • The project ID
  • The VPC host project
  • VPC and subnets should already exist
  • The subnet must be configured with pods and services secondary ranges (the default names for the secondary ranges are "pod" and "services")

Step 2: Prepare the variables

Once you have the required information, head back to your cloned repository. Make sure you are in the directory of this tutorial (the one containing this README).

Configure the Terraform variables in your terraform.tfvars file. Use the example test at the end of this README as a starting point: copy it to terraform.tfvars and edit that copy. See the Variables section below for details.

Warning

BindPlane secrets (such as license and admin password) specified as variables within this Terraform configuration will be stored in plain text within the Terraform state file.
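Because the warning above means the password, sessions secret and license end up in the state backend in clear text (Terraform's `sensitive` flag only hides values from CLI output, it does not encrypt them in state), it is worth auditing the state after `terraform apply`. The following added example, which is not part of the module or of cloud-foundation-fabric, walks a state-format-version-4 document such as `terraform state pull` returns and lists attributes under secret-looking keys; the state sample, resource names and the key regex are constructed assumptions.

```python
"""Audit a Terraform state document for secrets stored in plain text.

Added example, not code from the cloud-foundation-fabric module. It walks the
JSON that `terraform state pull` returns (state format version 4) and reports
every leaf attribute whose key looks secret-bearing and whose value is a
non-empty string. The sample state below is constructed for the demo; the
resource names in it are invented and do not describe the real module.
"""
import json
import re

# Key names that carry credentials in this deployment (the bindplane_secrets
# variable and Kubernetes Secret data). The pattern is an assumption; extend it.
SECRET_KEY_RE = re.compile(r"(password|sessions_secret|license|token)", re.I)


def _walk(obj, path=""):
    """Yield (dotted path, value) for every leaf of a nested JSON object."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk(val, f"{path}[{idx}]")
    else:
        yield path, obj


def find_plaintext_secrets(state: dict) -> list:
    """Return (resource address, attribute path, value) for each plaintext hit.

    Note that entries listed in an instance's "sensitive_attributes" are still
    stored in clear; Terraform only redacts them in plan and output display."""
    hits = []
    for res in state.get("resources", []):
        addr = f'{res.get("module", "root")}.{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            for path, value in _walk(inst.get("attributes", {})):
                if SECRET_KEY_RE.search(path) and isinstance(value, str) and value:
                    hits.append((addr, path, value))
    return hits


# Constructed sample state: one Kubernetes Secret holding BindPlane credentials
# and one resource without secrets, to show that only the former is reported.
SAMPLE_STATE = json.loads("""
{"version": 4, "resources": [
  {"module": "module.bindplane-gke", "type": "kubernetes_secret", "name": "bp",
   "instances": [{"attributes": {"metadata": [{"name": "bp", "namespace": "bindplane"}],
     "data": {"password": "thisisnotasecret", "license": "XXXXXXXXXXXXXXXXXXXXXX"}},
     "sensitive_attributes": []}]},
  {"module": "module.bindplane-gke", "type": "google_container_cluster", "name": "c",
   "instances": [{"attributes": {"name": "tmp-bindplane", "location": "europe-west8"}}]}
]}""")

if __name__ == "__main__":
    for addr, path, value in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{addr}: {path} = {value!r}")
```

Run it against a real deployment with `terraform state pull > state.json` and `json.load` on that file; a non-empty result is the concrete reason to restrict access to the state backend (for example the GCS bucket) and to rotate the bootstrapped admin password after first login.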

Step 3: Prepare the providers in the root module

Set up the Terraform providers in the root module so that Kubernetes resources can be managed, as follows:

data "google_client_config" "identity" {
  count = module.bindplane-gke.fleet_host != null ? 1 : 0
}

provider "kubernetes" {
  host  = module.bindplane-gke.fleet_host
  token = try(data.google_client_config.identity.0.access_token, null)
}

provider "kubectl" {
  host  = module.bindplane-gke.fleet_host
  token = try(data.google_client_config.identity.0.access_token, null)
}

Step 4: Deploy resources

Initialize your Terraform environment and deploy the resources:

terraform init
terraform apply

Get kubeconfig to connect to the cluster using the command below:

gcloud container fleet memberships get-credentials CLUSTER_NAME --project PROJECT

Then, running the command kubectl get pods, you should receive the following message:

"No resources found in default namespace."

If a private connection is available and the DNS configuration is in place, you should be able to reach the BindPlane OP Management console by navigating to its URL (e.g. https://bindplane.example.com/); the following login page should appear.

[Screenshot: BindPlane OP Management console login page]

Access the management console with the credentials bootstrapped via Terraform (user and password in the bindplane_secrets variable).

Variables

| name | description | type | required | default |
|---|---|---|:-:|:-:|
| bindplane_secrets | Bindplane secrets. | object({…}) | ✓ | |
| network_config | Shared VPC network configurations to use for GKE cluster. | object({…}) | ✓ | |
| prefix | Prefix used for resource names. | string | ✓ | |
| project_id | Project id, references existing project if project_create is null. | string | ✓ | |
| region | GCP region. | string | ✓ | |
| bindplane_config | Bindplane config. | object({…}) | | {} |
| cluster_config | GKE cluster configuration. | object({…}) | | {} |
| dns_config | DNS config. | object({…}) | | {} |
| postgresql_config | Cloud SQL postgresql config. | object({…}) | | {} |
| project_create | Provide values if project creation is needed, uses existing project if null. Parent is in 'folders/nnn' or 'organizations/nnn' format. | object({…}) | | null |

Outputs

| name | description | sensitive |
|---|---|:-:|
| bindplane_hostname | BindPlane OP Management console hostname. | |
| ca_cert | TLS CA certificate. | |
| cluster_ca_certificate | GKE CA Certificate. | |
| fleet_host | GKE Fleet host. | |
| lb_ip_address | Ingress LB address. | |

Test

module "bindplane-gke" {
  source     = "./fabric/blueprints/secops/bindplane-gke"
  project_id = "test"
  project_create = {
    billing_account_id = "12345-ABCDEF-12345"
    parent             = "folders/2345678901"
  }
  bindplane_secrets = {
    user            = "admin"
    password        = "thisisnotasecret"
    sessions_secret = "xxxxxx-xxxxxxx-xxxxxx"
    license         = "XXXXXXXXXXXXXXXXXXXXXX"
  }
  dns_config = {
    bootstrap_private_zone = true
    domain                 = "example.com"
    hostname               = "bindplane"
  }
  network_config = {
    network_self_link   = "https://www.googleapis.com/compute/v1/projects/prod-net-landing-0/global/networks/prod-landing-0"
    subnet_self_link    = "https://www.googleapis.com/compute/v1/projects/prod-net-landing-0/regions/europe-west1/subnetworks/gke"
    ip_range_gke_master = "192.168.0.0/28"
  }
  region = "europe-west8"
  prefix = "tmp"
}
# tftest modules=10 resources=45