Skip to content

Latest commit



133 lines (90 loc) · 4.19 KB

File metadata and controls

133 lines (90 loc) · 4.19 KB


Create production ready Development Platform for Kubernetes. It contains tools for:

  • Monitoring, Alerting, Logging
  • Ingress based adding of DNS entries and TLS Certificates
  • Oauth based authentication
  • CI/CD tool

In detail - installed tools are:

  • Ingress Controller
  • Prometheus mit node-exporter, Grafana, Alert Manager, kube-state-metrics etc.
  • EFK Stack
  • External DNS
  • cert-manager
  • oauth2-proxy
  • keycloak
  • argo Workflow, argo-events


  • Installed kustomize 2.0.1
  • Running GKE Kubernetes Cluster with at least n1-standard-2 machines


What you need to know now:

  • An Email Adress for HTTPS-Certificate issues
  • Your new DNS zone name (e.g.
  • A GCP project ID (e.g. my-google-project-223304)

Own OAUTH provider

KubePlatform comes with a preconfigured KeyCloak used for user management and oauth2 authentication. If you plan to use your own oauth provider, collect these parameters:

  • An Issuer URL for OpenID Connect
  • Client ID and its client secret
  • Cookie Secret

Add these paramteres to:

  • patches/oauth2-proxy-patch.yaml


The installation consists basically of these parts

  1. GCE configuration
  2. Overlay Configuration
  3. Installing yamls on Kubernetes

GCE configuration

GCE Preparation and DNS Configuration

  1. Create a new DNS Zone and a ServiceAccount to be used by external-dns to add hosts to:
export PROJECT_ID=my-google-project-223304

gcloud dns managed-zones create "${DOMAIN//./-}" \
    --dns-name "$DOMAIN." \
    --description "Automatically managed zone by"

gcloud iam service-accounts create ${DOMAIN//./-} \
    --display-name "${DOMAIN//./-} service account for external-dns"

gcloud iam service-accounts keys create ./google-credentials.json \
  --iam-account ${DOMAIN//./-}@$

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:${DOMAIN//./-}@$ --role roles/dns.admin
  1. Ensure that the downloaded credential file google-credentails.json is the google-overlay folder
  2. Make a note of the nameservers that were assigned to your new DNS zone (and enter them as NS entries in your providers DNS):
gcloud dns record-sets list \
    --zone "${DOMAIN//./-}" \
    --name "$DOMAIN." \
    --type NS

Overlay Configuration

Configuration is made in these three files:

    • Enter the desired domain (e.g.
    • Enter the GCE project (e.g. PROJECT=my-google-project-223304)
  • cluster-issuer-patch.yaml
    • Enter two email adresses for Letsencrypt certificate. One for staging and one (or the same) for prod.
  • kustomization.yaml
    • Choose namePrefix, nameSuffix and namespace
    • If you plan to use letencrypt prod environment instead of staging, change var CLUSTER_ISSUER_NAME accordingly

Installing yamls

  1. create Kubernetes cluster and retrieve kubectl credentials
  2. kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin
  3. create namespace you have chosen above
  4. execute kustomize build google-overlay | kubectl apply -f -


Wait until your PODs are running

Setup a User in Keycloak:

  1. A call to https://keycloak.$(DOMAIN)/auth/admin/ should point you to your Keycloak instance (usename is keycloak password refer to your kustomization.yaml)
  2. Add a user of your choice in Manage/Users (must have an email adress). Please refer to the respective keycloak documentation

You should then be able to use this user to go to:

using ARGO

For running basic workflows refer to the demos page.

For using it for CI refer to this example