docs: add operator manual for GCP

[Ajarmar]

Added operator manual for setting up Compliant Kubernetes on GCP using compliantkubernetes-kubespray and compliantkubernetes-apps, using the GCP Persistent Disk Driver for block storage.

Fixes elastisys/compliantkubernetes-kubespray#14 and #58

[cristiklein]

Nice! Please fix:

• the minor issues I suggested
• double-check the formatting with mkdocs serve
• fix the pipeline errors

[cristiklein]

Please capitalize SSH throughout.

[cristiklein]

Also, somewhat orthogonal to the present PR, please note that for Exoscale we opted to include the SSH key inline to facilitate operators sharing operation of a cluster. See full discussion here.

[Xartos]

Since this is a variable name I think we should stick to the naming convention of terraform
EDIT: nvm. I didn't see the ssh word in the end of the sentence

[cristiklein]

A few questions for myself:

1. Do we use GCP load-balancers?
2. Do we have an issue to iron this out?

[cristiklein]

This repo is internal. Can you write what DNS entries to create in the following format:

echo "
*.$BASE_DOMAIN     60s A 203.0.113.123
*.ops.$BASE_DOMAIN 60s A 203.0.113.123
"

[llarsson]

Very nice! Some comments/questions, and then I am really looking forward to learning what @ph4n666's run through of this stuff shows. :)

[llarsson]

Please add a line about why it will not work. What alternative should they go with instead?

[Pavan-Gunda]

Don't we need a for loop for every bash script mentioned in this commit?

[Xartos]

Great tutorial! just some minor comments

[Xartos]

I would go with something more generic, like

Suggested change

	5. Set up the nodes by performing the following steps, replacing `<prefix>` with `sc`/`wc`:
	5. Set up the nodes by performing the following steps, replacing `<prefix>` with `my-sc-cluster`/`my-wc-cluster`:

To make it feel like you want to change this and not that it's a requirement to use sc/wc

[Ajarmar]

The compliantkubernetes-kubespray readme still says:

For now you need to set this to wc or sc if you want to install compliantkubernetes apps on top afterwards, this restriction will be removed later.

Is this no longer true? I'm also a bit unsure in general how much this documentation should accommodate for multitenancy setups since there still are some issues on the apps side, like the DNS problem

[cristiklein]

I think that is no longer true. Otherwise, how did I set up two WCs on AWS? 😄

Can you clarify "DNS problem"? I am aware of a few sharp corners, but not blockers.

[Ajarmar]

I'm not sure about the specifics but @lentzi90 and @pettersv ran into some DNS issues when setting up a MT cluster. Not really "blockers" because it was still possible to set it up, but there were some limitations as a consequence. You'd have to ask them for the details

[lentzi90]

For compliantkubernetes-kubespray it will work fine with different names now. In apps it is a bit rough around the edges since you will need to use each prefix as a separate CK8S_CONFIG_PATH and the kubeconfigs for the workload clusters must all be named kube_config_wc.yaml. See elastisys/compliantkubernetes-apps#85.

The DNS issue is that the service cluster cannot measure uptime or alert correctly for WC API servers. It will think that they (actually "it", as it only knows about one) are down and send out alerts accordingly. This is because all clusters in one environment must have the same ops and base domains pointing to the SC for this to work. This means that the health check for the WC API server ends up targeting SC instead of one of the WCs and of course fails. So expect constant alerts. 😉 🚨

[cristiklein]

@lentzi90 Do we have an issue for the uptime alert?

Regarding the former, this does the trick for me:

for CLUSTER in $WORKLOAD_CLUSTERS; do
    ln -sf $CK8S_CONFIG_PATH/.state/kube_config_${CLUSTER}.yaml $CK8S_CONFIG_PATH/.state/kube_config_wc.yaml
    ./bin/ck8s apply wc  # Respond "n" if you get a WARN
done

[lentzi90]

Created an issue now for the DNS/alerting: elastisys/compliantkubernetes-apps#253

I bet your snippet works great Cristian. Could you add it somewhere so that it is impossible to miss it when setting up a cluster?

[cristiklein]

The program PC Pitstop included a clause in their end-user license agreement stating that anybody who read the clause and contacted the company would receive a monetary reward, but it took four months and over 3,000 software downloads before anybody collected it.

Should I include something similar around my snippet? 😂

[cristiklein]

One more:

Please don't contact me before you've read all the relevant parts of this page. I will know if you haven't and I'll ignore your message.
[2 screen scrolls later]
Write me a letter that indicates that you've read this page by including the phrase “parens rock”,

[Xartos]

Would we want to have the for loop as we have in the AWS and Exoscale tutorials here? To make them more inline with each other?

[cristiklein]

Yes, please we support multiple workload clusters. 😄

[Xartos]

Since you use this for other snippets as well. Should you use pushd/popd so that you don't need to run cd ../../../../ between each snippet?

[Ajarmar]

Yeah, that's a bit nicer if you want the commands to just be copy-pastable - my idea with writing it the way I did was just to make it clear which folder the commands should be executed in, not necessarily that the user should cd ../../../../ after each snippet

[Xartos]

Yea, I totally understand. That's why I like the pushd/popd because then it's clear where the commands are running AND you can still copy/paste it and it will automagically work. Best of both worlds 😉

[Xartos]

You should be able to just mv $CLUSTER-inventory.ini inventory.ini right?
Or is there some things missing?

[Ajarmar]

Yeah, that should work fine.

[Xartos]

I'm guessing this isn't possible to do in kubespray?

[Ajarmar]

I'm not sure about this, haven't really looked into it.

[Pavan-Gunda]

Don't we need a for loop for every bash script mentioned in this commit?

[cristiklein]

LGTM.