Improve deployment procedure

[pieterlange]

I'm currently not happy with the scripts used for deployment but i'm not sure what to do about it yet.

• One option is to write helm charts.
• Another is something like spread

[cemo]

helm charts please :) there is already a chart currently. I believe that your approach is superior. It would be better to change it.

[pieterlange]

For the record, i'm probably going for helm charts but i'd like to support multiple deployment strategies with regards to CA management; right now it's done outside of the cluster. That assumes a lot about proper CA management but at least enables people who know what they're doing to do it correctly :).

What chart did you find?

[cemo]

Here it is: https://github.com/kubernetes/charts/tree/master/stable/openvpn

[zambien]

I'm using terraform for infrastructure as code and have recently created a personal VPN project using some of your code and some terraform code all deploying to GCP/GKE:

https://github.com/zambien/terraform-gcp-gke-openvpn

Please feel free to use any of this if you like. I'd welcome any feedback, issues, or PRs.

[pieterlange]

That looks like a fair amount of work! I haven't (seriously) worked with terraform yet but i'll make an honest effort to review what you've done here in the next week.

[zambien]

Cool, thanks. High level, it does the following:

• Create a network in google cloud
• Create a subnet in that network
• Provision google API access for services
• Create a GKE cluster with 1 n1-standard-1 node
• A custom module to deploy/delete the image and service
• A custom module for pki
• Create a kubernetes secret for pki

Looking back at it you are right.. it was more work than I intended! :)

I've been using Terraform for a few months now and really like it. My team has been creating immutable stacks for various technologies mostly around AWS. We have templates for ECS, EC2 clusters, security groups, etc. Unfortunately I can't share most of that because it was done for the company I work for on an internal repo.

This was my first foray into GCP and Kubernetes so the end result is a little rough.. more of a learning/prototyping exercise than anything else. Since the motivation was to create a personal VPN with very low cloud cost (I failed) I'm going to try again with just a plain old GCE f1-micro instance and a docker machine deployment. That repo is a WIP and here:

https://github.com/zambien/terraform-gcp-gce-openvpn

[pieterlange]

Trying to get the ticket back on topic:
The hardest problem at the root of this ticket is still secret management (especially the CA root key).

I will need to define a clear strategy for dealing with this problem before i'll cut a 1.0 release. I'd like to implement a full-fledged kubernetes Operator function that will do automatic key rotation & management all server(cluster)-side out of UX concerns and not being able to trust human operators to do regular key rotation, but at the same time leave the option of managing your own PKI. That last part shouldn't be too hard as it is what we have now.

That first option leaves a huge amount of trust to the cluster and considering the deployment scenarios that trust is not always warranted and should be explicitly kept out of the cluster.

[zambien]

That sounds like a separate project possibly but I may not be understanding the scope of what needs to be solved.

I've written infrastructure as code similar to what I linked earlier for HashiCorp's Vault. I use that for my internal PKI among other things. Am I on the right track here or off base?