Meiro SafiBank GCP

Kube Status

The project to migrate the Meiro apps from Docker Compose to Kubernetes has been discontinued because of its complexity and maintainability cost. The detailed issues are documented in (Deprecated) - Meiro to Kubernetes.

Agreed Solution

Management agreed to solve the problem with an "internal SaaS" approach: the Meiro apps move to their own isolated GCP project, the Meiro engineers install, support and maintain the application, and the Safi engineers provide the underlying cloud infrastructure.

Layout of Environments and Access

90% of Meiro clients only have a Production environment, 10% have at least a Stage environment (mostly with MI only installed) and 0% have a Dev environment. With that in mind, it is both efficient and cost effective to follow a similar approach: tf-env-meiro-infra is the working directory shared by the dev/stage/prod workspaces, but only a few of those environments will actually be applied.

Access

For the Meiro engineers, SSH with sudo on the VMs gives them the flexibility they need to operate the application. In addition, they get limited GCP access to the Meiro project so they can restart VMs, check health and view resource consumption for troubleshooting.

Meiro GCP Users Roles

  • roles/compute.viewer

  • roles/monitoring.viewer

  • can act on behalf of the safi-dev-meiro-os-admin@safi-env-dev-meiro.iam.gserviceaccount.com or safi-dev-meiro-os-user@safi-env-dev-meiro.iam.gserviceaccount.com service accounts.

SSH

SSH is only possible through IAP (Identity-Aware Proxy) TCP tunnelling; the VMs have no directly reachable SSH port.

gcloud compute ssh {VM NAME} \
    --project={PROJECT} \
    --zone={ZONE} \
    --tunnel-through-iap \
    --impersonate-service-account=safi-dev-meiro-os-admin@safi-env-dev-meiro.iam.gserviceaccount.com

Example (sudo users, impersonating the os-admin service account):
gcloud compute ssh safi-meiro-cdp --project=safi-env-dev-meiro --zone=asia-southeast1-a --tunnel-through-iap --impersonate-service-account=safi-dev-meiro-os-admin@safi-env-dev-meiro.iam.gserviceaccount.com

Example (regular users, impersonating the os-user service account):
gcloud compute ssh safi-meiro-cdp --project=safi-env-dev-meiro --zone=asia-southeast1-a --tunnel-through-iap --impersonate-service-account=safi-dev-meiro-os-user@safi-env-dev-meiro.iam.gserviceaccount.com

PORT FORWARD

You can also do port-forwarding (like in Kubernetes) through IAP. The remote port is only exposed on localhost of the machine running the tunnel:

gcloud compute start-iap-tunnel INSTANCE_NAME INSTANCE_PORT \
    --local-host-port=localhost:LOCAL_PORT \
    --zone=ZONE \
    --project=PROJECT \
    --impersonate-service-account=SERVICE_ACCOUNT

Example (forwards port 80 of the OpenSearch VM to localhost:8080):
gcloud compute start-iap-tunnel safi-meiro-opensearch 80 --local-host-port=localhost:8080 --zone=asia-southeast1-a --project=safi-env-dev-meiro --impersonate-service-account=safi-dev-meiro-os-admin@safi-env-dev-meiro.iam.gserviceaccount.com

SUDO

To give a user sudo access, set os_admin to true; set it to false to give them a regular Linux user. The entries live in SafiMono/devops/terraform/_files/users_meiro.yaml:

users:
  - name: "John Doe"
    gcp_email: johndoe@gmail.com
    projects_iam:
      os_admin: true
      roles:
        - roles/compute.viewer
        - roles/monitoring.viewer
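The following is an added example, not part of this page or the SafiMono repository. It checks users_meiro.yaml entries against the access model above (only the two viewer roles, os_admin strictly boolean, a valid gcp_email) and derives the IAP-tunnelled gcloud ssh command with the service account that matches os_admin. The os-admin/os-user account names for stage and prod are an assumption generalised from the dev accounts shown above; the sample entries are constructed.

```python
import re

# The only roles the page grants to Meiro engineers in the GCP project.
ALLOWED_ROLES = {"roles/compute.viewer", "roles/monitoring.viewer"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def os_service_account(os_admin: bool, env: str = "dev") -> str:
    """os_admin true -> os-admin SA (sudo), false -> os-user SA.
    Assumption: stage/prod follow the dev naming shown on the page."""
    kind = "os-admin" if os_admin else "os-user"
    return f"safi-{env}-meiro-{kind}@safi-env-{env}-meiro.iam.gserviceaccount.com"

def validate_user(user: dict) -> list:
    """Policy findings for one users_meiro.yaml entry (empty list = compliant)."""
    name, iam, findings = user.get("name"), user.get("projects_iam", {}), []
    if not EMAIL_RE.match(str(user.get("gcp_email", ""))):
        findings.append(f"{name}: gcp_email is not a valid address")
    if not isinstance(iam.get("os_admin"), bool):  # "yes"/"true" strings are truthy, reject them
        findings.append(f"{name}: os_admin must be true or false")
    for role in iam.get("roles", []):
        if role not in ALLOWED_ROLES:
            findings.append(f"{name}: role {role} exceeds the viewer baseline")
    return findings

def ssh_argv(user: dict, vm: str, env: str = "dev", zone: str = "asia-southeast1-a") -> list:
    """argv for the IAP-tunnelled gcloud ssh shown above, SA chosen from os_admin."""
    sa = os_service_account(bool(user["projects_iam"].get("os_admin")), env)
    return ["gcloud", "compute", "ssh", vm, f"--project=safi-env-{env}-meiro",
            f"--zone={zone}", "--tunnel-through-iap",
            f"--impersonate-service-account={sa}"]

# Constructed sample: one compliant entry and one that asks for a role the
# page does not grant and has a non-boolean os_admin.
SAMPLE_USERS = [
    {"name": "John Doe", "gcp_email": "johndoe@gmail.com",
     "projects_iam": {"os_admin": True,
                      "roles": ["roles/compute.viewer", "roles/monitoring.viewer"]}},
    {"name": "Jane Roe", "gcp_email": "janeroe@gmail.com",
     "projects_iam": {"os_admin": "yes",
                      "roles": ["roles/compute.viewer", "roles/compute.admin"]}},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["name"], validate_user(u) or "OK")
    print(" ".join(ssh_argv(SAMPLE_USERS[0], "safi-meiro-cdp")))
```

To run it against the real file, load the entries with PyYAML's yaml.safe_load(...)["users"] and pass each one to validate_user before applying the Terraform change.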

Okta

Okta Group | Description | Role Purpose
Meiro | Groups here can reach the Meiro URLs via VPN | For VPN
meiro-viewer | Groups here can log in to ALL Meiro apps via Okta | Read Only ALL Meiro Apps
meiro-cdp-editor | Groups here can log in to the CDP URLs via Okta | Read Write CDP App
meiro-integration-editor | Groups here can log in to the Integration app via Okta | Read Write Integration App
meiro-events-editor | Groups here can log in to the Events app via Okta | Read Write Events App
meiro-editor | Groups here can log in to ALL Meiro apps via Okta | Read Write ALL Meiro Apps

DNS Names

Domain | Description
cdp.meiro.{env}.safibank.online | Meiro Business Explorer
events.meiro.{env}.safibank.online | Meiro Events
integration.meiro.{env}.safibank.online | Meiro Integration
opensearch.meiro.{env}.safibank.online | OpenSearch
cockroachdb.meiro.{env}.safibank.online | CockroachDB

Configuration files

File | Location | Description
vms.yaml | tf-env-meiro-infra/_files | VM specs and configuration
firewall_ip.yaml | tf-env-meiro-infra/_files | Create and modify firewall ports and IPs
users_meiro.yaml | terraform/_files | Create and modify user access
meiro_reccords.tf | tf-dsn-safibankonline | Create and modify Meiro DNS records

Network

The Meiro project VM range is 172.31.0.0/20, shared across the three environment projects (dev, stage, prod).

Name | IP Range | Region/GKE | VPC | Private GKE Master IP range
google-managed-services (for Cloud SQL: MySQL, PostgreSQL etc.; Memorystore: Redis) | 172.31.0.0/24 | asia-southeast1 | safi-dev-meiro-vpc |
google-managed-services (for Cloud SQL: MySQL, PostgreSQL etc.; Memorystore: Redis) | 172.31.3.5/24 | asia-southeast1 | safi-stage-meiro-vpc |
google-managed-services (for Cloud SQL: MySQL, PostgreSQL etc.; Memorystore: Redis) | 172.31.10.0/24 | asia-southeast1 | safi-prod-meiro-vpc |
safi-meiro-public-subnets | 172.31.1.0/24 | asia-southeast1 | safi-dev-meiro-vpc |
safi-meiro-public-subnets | 172.31.6.0/24 | asia-southeast1 | safi-stage-meiro-vpc |
safi-meiro-public-subnets | 172.31.11.0/24 | asia-southeast1 | safi-prod-meiro-vpc |
safi-meiro-private-subnets | 172.31.2.0/24 | asia-southeast1 | safi-dev-meiro-vpc |
safi-meiro-private-subnets | 172.31.7.0/24 | asia-southeast1 | safi-stage-meiro-vpc |
safi-meiro-private-subnets | 172.31.12.0/24 | asia-southeast1 | safi-prod-meiro-vpc |
reserve-subnet1 | 172.31.13.0/24 | asia-southeast1 | safi-prod-meiro-vpc |
reserve-subnet2 | 172.31.14.0/24 | asia-southeast1 | safi-prod-meiro-vpc |
reserve-subnet3 | 172.31.15.0/24 | asia-southeast1 | safi-prod-meiro-vpc |