Meiro SafiBank GCP
Kube Status
The project to migrate the Meiro apps from Docker Compose to Kubernetes has been discontinued because of complexity and maintainability concerns. The detailed issues are documented in (Deprecated) - Meiro to Kubernetes.
Agreed Solution
Management agreed to solve the problem with an "internal SaaS" approach: the Meiro apps move to their own isolated GCP project, the Meiro engineers install, support and maintain the application, and the Safi engineers provide the underlying cloud infrastructure.
Layout of Environments and Access
90% of Meiro clients have only a Production environment, 10% have at least a Stage environment (mostly with only MI installed), and none have a Dev environment. With that in mind, it is both efficient and cost effective to take a similar approach: tf-env-meiro-infra is the working directory shared by the dev/stage/prod workspaces, but only a few of those environments will actually be applied.
Access
For the Meiro engineers, SSH with sudo on the VMs gives them the flexibility they need to operate. Limited GCP access to the Meiro project is also appropriate: enough to restart VMs, check health and view resource consumption for troubleshooting, and no more.
Meiro GCP User Roles
roles/compute.viewer
roles/monitoring.viewer
plus the ability to act on behalf of (impersonate) one of the following service accounts:
safi-dev-meiro-os-admin@safi-env-dev-meiro.iam.gserviceaccount.com
or safi-dev-meiro-os-user@safi-env-dev-meiro.iam.gserviceaccount.com
SSH
SSH is done only through IAP TCP forwarding (--tunnel-through-iap), impersonating the service account the user is entitled to:
gcloud compute ssh {VM NAME} \
  --project={PROJECT} \
  --zone={ZONE} \
  --tunnel-through-iap \
  --impersonate-service-account=safi-dev-meiro-os-admin@safi-env-dev-meiro.iam.gserviceaccount.com
Example for sudo users:
gcloud compute ssh safi-meiro-cdp --project=safi-env-dev-meiro --zone=asia-southeast1-a --tunnel-through-iap --impersonate-service-account=safi-dev-meiro-os-admin@safi-env-dev-meiro.iam.gserviceaccount.com
Example for regular users:
gcloud compute ssh safi-meiro-cdp --project=safi-env-dev-meiro --zone=asia-southeast1-a --tunnel-through-iap --impersonate-service-account=safi-dev-meiro-os-user@safi-env-dev-meiro.iam.gserviceaccount.com
PORT FORWARD
You can also do port forwarding (as in Kubernetes) through an IAP tunnel:
gcloud compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT \
  --local-host-port=localhost:LOCAL_PORT \
  --zone=ZONE \
  --project=PROJECT \
  --impersonate-service-account=SERVICE_ACCOUNT
Example:
gcloud compute start-iap-tunnel safi-meiro-opensearch 80 --local-host-port=localhost:8080 --zone=asia-southeast1-a --project=safi-env-dev-meiro --impersonate-service-account=safi-dev-meiro-os-admin@safi-env-dev-meiro.iam.gserviceaccount.com
SUDO
To grant access with sudo, set os_admin to true; set it to false for a regular Linux user (see SafiMono/devops/terraform/_files/users_meiro.yaml):
users:
  - name: "John Doe"
    gcp_email: johndoe@gmail.com
    projects_iam:
      os_admin: true
      roles:
        - roles/compute.viewer
        - roles/monitoring.viewer
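The SSH, port-forward and SUDO sections above describe one access model: each user in users_meiro.yaml gets read-only project roles, and os_admin decides which of the two OS service accounts the user may impersonate (os-admin for sudo, os-user otherwise). The following is an added example, not the project's Terraform or any Meiro code, that makes that mapping explicit: it derives the IAM grants an entry implies, rejects any role outside the read-only set so a YAML edit cannot quietly escalate project access, and builds the matching gcloud argv for IAP SSH and IAP tunnels. The sample user records are constructed (parsed-YAML shape as Python dicts); the role name roles/iam.serviceAccountTokenCreator for impersonation, and the assumption that the two service accounts themselves already carry the OS Login and IAP tunnel roles, are my assumptions and not stated on the page.

```python
"""Derive IAM grants and gcloud argv from users_meiro.yaml-style entries.

Added example for this page; not the project's Terraform. The only facts taken
from the page are the two service accounts, the viewer roles and the os_admin flag.
"""
from typing import Dict, List

PROJECT = "safi-env-dev-meiro"
ZONE = "asia-southeast1-a"

# Service accounts from the page; os_admin selects which one a user may impersonate.
OS_ADMIN_SA = "safi-dev-meiro-os-admin@safi-env-dev-meiro.iam.gserviceaccount.com"
OS_USER_SA = "safi-dev-meiro-os-user@safi-env-dev-meiro.iam.gserviceaccount.com"

# Only read-only troubleshooting roles may be requested per user; anything else is
# rejected so a YAML change cannot grant write access to the project.
ALLOWED_PROJECT_ROLES = {"roles/compute.viewer", "roles/monitoring.viewer"}

# Assumption: impersonation via --impersonate-service-account needs this role,
# granted on the service account resource itself, not project-wide.
IMPERSONATION_ROLE = "roles/iam.serviceAccountTokenCreator"

# Constructed sample entries in the shape of users_meiro.yaml after YAML parsing.
SAMPLE_USERS: List[Dict] = [
    {"name": "John Doe", "gcp_email": "johndoe@gmail.com",
     "projects_iam": {"os_admin": True,
                      "roles": ["roles/compute.viewer", "roles/monitoring.viewer"]}},
    {"name": "Jane Roe", "gcp_email": "janeroe@gmail.com",
     "projects_iam": {"os_admin": False, "roles": ["roles/compute.viewer"]}},
]


def impersonation_target(user: Dict) -> str:
    """os_admin: true -> os-admin SA (sudo on the VM); anything else -> os-user SA."""
    return OS_ADMIN_SA if user["projects_iam"].get("os_admin") is True else OS_USER_SA


def iam_bindings(user: Dict) -> List[Dict[str, str]]:
    """Return the (resource, role, member) grants one user entry implies.

    Raises ValueError if the entry requests a role outside ALLOWED_PROJECT_ROLES.
    """
    requested = set(user["projects_iam"].get("roles", []))
    extra = requested - ALLOWED_PROJECT_ROLES
    if extra:
        raise ValueError(f"{user['gcp_email']}: roles not allowed for Meiro users: {sorted(extra)}")
    member = f"user:{user['gcp_email']}"
    bindings = [{"resource": f"projects/{PROJECT}", "role": role, "member": member}
                for role in sorted(requested)]
    bindings.append({"resource": f"serviceAccount:{impersonation_target(user)}",
                     "role": IMPERSONATION_ROLE, "member": member})
    return bindings


def is_rejected(user: Dict) -> bool:
    """True if the entry would be refused by iam_bindings (used for policy checks)."""
    try:
        iam_bindings(user)
    except ValueError:
        return True
    return False


def iap_ssh_argv(user: Dict, vm: str, project: str = PROJECT, zone: str = ZONE) -> List[str]:
    """gcloud argv for IAP-tunnelled SSH as the service account this user is entitled to."""
    return ["gcloud", "compute", "ssh", vm, f"--project={project}", f"--zone={zone}",
            "--tunnel-through-iap",
            f"--impersonate-service-account={impersonation_target(user)}"]


def iap_tunnel_argv(user: Dict, vm: str, remote_port: int, local_port: int,
                    project: str = PROJECT, zone: str = ZONE) -> List[str]:
    """gcloud argv for an IAP port-forward to one VM port (never a public listener)."""
    return ["gcloud", "compute", "start-iap-tunnel", vm, str(remote_port),
            f"--local-host-port=localhost:{local_port}", f"--zone={zone}",
            f"--project={project}",
            f"--impersonate-service-account={impersonation_target(user)}"]


if __name__ == "__main__":
    for entry in SAMPLE_USERS:
        for b in iam_bindings(entry):
            print(f"{b['member']:28} {b['role']:40} on {b['resource']}")
        print(" ".join(iap_ssh_argv(entry, "safi-meiro-cdp")))
        print(" ".join(iap_tunnel_argv(entry, "safi-meiro-opensearch", 80, 8080)))
```

The argv lists can be handed straight to subprocess.run on a workstation with gcloud installed; nothing here contacts GCP by itself. Binding the impersonation role on the service account rather than at project level is the point of the design: a user with os_admin: false never holds a grant that lets them mint a token for the os-admin account.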
Okta
Okta Group | Description | Role Purpose |
---|---|---|
| | Groups listed here can reach the Meiro URLs via VPN | VPN access |
| | Groups listed here can log in to ALL Meiro apps via Okta | Read only, ALL Meiro apps |
| | Groups listed here can log in to the CDP URLs via Okta | Read/write, CDP app |
| | Groups listed here can log in to the Integration app via Okta | Read/write, Integration app |
| | Groups listed here can log in to the Events app via Okta | Read/write, Events app |
| | Groups listed here can log in to ALL Meiro apps via Okta | Read/write, ALL Meiro apps |
DNS Names
Domain | Description |
---|---|
| | Meiro Business Explorer |
| | Meiro Events |
| | Meiro Integration |
| | OpenSearch |
| | CockroachDB |
Configuration files
File | Location | Description |
---|---|---|
| | tf-env-meiro-infra/_files | VM specs and configuration |
| | tf-env-meiro-infra/_files | Create and modify firewall ports and IPs |
| | terraform/_files | Create and modify user access |
| | tf-dsn-safibankonline | Create and modify Meiro DNS |
Network
The Meiro project VM range is 172.31.0.0/20; this is the CIDR for Meiro across the 3 env projects, carved into the subnets below.
Name | IP Range | Region/GKE | VPC | Private GKE Master IP range |
---|---|---|---|---|
google-managed-services (for Cloud SQL: MySQL, PostgreSQL etc.; Memorystore: Redis) | 172.31.0.0/24 | asia-southeast1 | safi-dev-meiro-vpc | |
google-managed-services (for Cloud SQL: MySQL, PostgreSQL etc.; Memorystore: Redis) | 172.31.3.5/24 | asia-southeast1 | safi-stage-meiro-vpc | |
google-managed-services (for Cloud SQL: MySQL, PostgreSQL etc.; Memorystore: Redis) | 172.31.10.0/24 | asia-southeast1 | safi-prod-meiro-vpc | |
safi-meiro-public-subnets | 172.31.1.0/24 | asia-southeast1 | safi-dev-meiro-vpc | |
safi-meiro-public-subnets | 172.31.6.0/24 | asia-southeast1 | safi-stage-meiro-vpc | |
safi-meiro-public-subnets | 172.31.11.0/24 | asia-southeast1 | safi-prod-meiro-vpc | |
safi-meiro-private-subnets | 172.31.2.0/24 | asia-southeast1 | safi-dev-meiro-vpc | |
safi-meiro-private-subnets | 172.31.7.0/24 | asia-southeast1 | safi-stage-meiro-vpc | |
safi-meiro-private-subnets | 172.31.12.0/24 | asia-southeast1 | safi-prod-meiro-vpc | |
reserve-subnet1 | 172.31.13.0/24 | asia-southeast1 | safi-prod-meiro-vpc | |
reserve-subnet2 | 172.31.14.0/24 | asia-southeast1 | safi-prod-meiro-vpc | |
reserve-subnet3 | 172.31.15.0/24 | asia-southeast1 | safi-prod-meiro-vpc | |
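Because one /20 is shared by three projects, every subnet in the table must be a proper network prefix, sit inside 172.31.0.0/20, and not overlap any other entry. The following is an added example, not part of the page or the Terraform, that checks the table as written with the standard library ipaddress module and lists the /24 blocks still free for new subnets. The plan data is copied from the table; the stage google-managed-services entry is listed as 172.31.3.5/24, which has host bits set and is not a valid network address, so the check reports it and suggests the prefix it normalises to (confirm the intended range before relying on that).

```python
"""Consistency check for the Meiro subnet plan (added example, not project code)."""
import ipaddress
from typing import List, Tuple

ALLOCATION = ipaddress.ip_network("172.31.0.0/20")

# (subnet name, IP range, VPC) copied from the Network table on the page.
SUBNET_PLAN: List[Tuple[str, str, str]] = [
    ("google-managed-services", "172.31.0.0/24", "safi-dev-meiro-vpc"),
    ("google-managed-services", "172.31.3.5/24", "safi-stage-meiro-vpc"),
    ("google-managed-services", "172.31.10.0/24", "safi-prod-meiro-vpc"),
    ("safi-meiro-public-subnets", "172.31.1.0/24", "safi-dev-meiro-vpc"),
    ("safi-meiro-public-subnets", "172.31.6.0/24", "safi-stage-meiro-vpc"),
    ("safi-meiro-public-subnets", "172.31.11.0/24", "safi-prod-meiro-vpc"),
    ("safi-meiro-private-subnets", "172.31.2.0/24", "safi-dev-meiro-vpc"),
    ("safi-meiro-private-subnets", "172.31.7.0/24", "safi-stage-meiro-vpc"),
    ("safi-meiro-private-subnets", "172.31.12.0/24", "safi-prod-meiro-vpc"),
    ("reserve-subnet1", "172.31.13.0/24", "safi-prod-meiro-vpc"),
    ("reserve-subnet2", "172.31.14.0/24", "safi-prod-meiro-vpc"),
    ("reserve-subnet3", "172.31.15.0/24", "safi-prod-meiro-vpc"),
]


def check_plan(plan: List[Tuple[str, str, str]],
               allocation: ipaddress.IPv4Network = ALLOCATION) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent.

    Checks: valid network prefix (no host bits), inside the allocation, and no
    overlap across the whole plan (the /20 is shared by all three projects).
    """
    findings: List[str] = []
    parsed: List[Tuple[str, str, ipaddress.IPv4Network]] = []
    for name, cidr, vpc in plan:
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits set raises ValueError
        except ValueError:
            loose = ipaddress.ip_network(cidr, strict=False)
            findings.append(f"{vpc}/{name}: {cidr} has host bits set; did you mean {loose}?")
            continue
        if not net.subnet_of(allocation):
            findings.append(f"{vpc}/{name}: {net} is outside the allocation {allocation}")
        parsed.append((vpc, name, net))
    for i, (vpc_a, name_a, a) in enumerate(parsed):
        for vpc_b, name_b, b in parsed[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{vpc_a}/{name_a} {a} overlaps {vpc_b}/{name_b} {b}")
    return findings


def free_blocks(plan: List[Tuple[str, str, str]],
                allocation: ipaddress.IPv4Network = ALLOCATION,
                prefix: int = 24) -> List[str]:
    """Blocks of the given prefix length inside the allocation not claimed by a
    well-formed entry; malformed entries are skipped, so fix findings first."""
    used = set()
    for _, cidr, _ in plan:
        try:
            used.add(ipaddress.ip_network(cidr))
        except ValueError:
            continue
    return [str(block) for block in allocation.subnets(new_prefix=prefix) if block not in used]


if __name__ == "__main__":
    for line in check_plan(SUBNET_PLAN) or ["plan is consistent"]:
        print(line)
    print("free /24s:", ", ".join(free_blocks(SUBNET_PLAN)))
```

Run it whenever a row is added to the table or to the tf-env-meiro-infra variables; a non-empty findings list should block the change.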