Brandfolder's Infrastructure running on Google Cloud Platform.
- Copy example.tfvars to terraform.tfvars and populate it with the desired values.
  cp example.tfvars terraform.tfvars
  $EDITOR terraform.tfvars
- Run a Terraform plan and inspect the proposed changes before anything is created.
  Note: If you use Atlas, skip this step and see the 'Atlas setup' section below.
  terraform plan
- If the plan looks correct, apply it.
  Note: If you use Atlas, skip this step and see the 'Atlas setup' section below.
  terraform apply
- SSH into your bastion host. (If you specified a prefix, replace bastion with {prefix}bastion.)
  gcloud compute ssh bastion
- You should be able to list the machines in the cluster. If so, you are ready for the next step.
  sudo fleetctl list-machines
- A vault server unit should be loaded on every machine in the cluster. To confirm, run the following while SSH'd into the bastion host and check that a vault unit is listed for each machine:
  fleetctl list-units | grep vault
- You should now be able to initialize Vault. Copy the output to a secure location: it contains the unseal keys and the initial root token, which are needed to unseal and administer the vault. Do not leave it in terminal scrollback, shell history, or a shared document, and hand each unseal key to a different custodian rather than storing them together.
  Note: The most secure location is a physical safe or a safety deposit box.
  vault init
- You now need to unseal Vault. Follow the prompts; you will need 3 of the unseal keys from the vault init output. Repeat this against each server you want unsealed.
  Note: At least one vault server must be unsealed at all times for new kubelets to boot properly. We suggest unsealing at least 2 servers so that one can take over if the other fails.
  vault unseal
- Now that Vault is set up, generate the certificates. Follow the prompts; you will need the root token from the vault init output.
  vault-generate-certs
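The vault steps above (confirm the units are running, run `vault init`, keep its output somewhere safe, then unseal with 3 of the keys on at least 2 servers) are easy to get wrong by hand, mostly by leaving the whole init output in scrollback or a shared note. The script below is an added example and is not part of the Brandfolder repo. It assumes the legacy text output of `vault init` ("Unseal Key N: ..." / "Initial Root Token: ..." / "key threshold of N") and the table output of `fleetctl list-units`; the sample outputs, key values, machine IDs and the `RUN_VAULT_BOOTSTRAP` / `KEY_DIR` variables are constructed for the example. It splits the init output into one 0600 file per key so each can go to a separate custodian, checks that vault units are actually running before trying to unseal, and feeds the first `threshold` keys to `vault unseal` against one server address at a time.

```shell
#!/usr/bin/env bash
# Added example, not part of the Brandfolder repo. Assumes legacy `vault init`
# text output and `fleetctl list-units` table output. All sample values,
# hostnames and variable names below are constructed for the example.
set -euo pipefail

# Constructed sample of `vault init` output (keys and token are fake).
SAMPLE_INIT_OUTPUT='Unseal Key 1: key-one-aaaa
Unseal Key 2: key-two-bbbb
Unseal Key 3: key-three-cccc
Unseal Key 4: key-four-dddd
Unseal Key 5: key-five-eeee
Initial Root Token: 6f0c9e7e-fake-root-token

Vault initialized with 5 keys and a key threshold of 3. Please
securely distribute the above keys. When the Vault is re-sealed,
restarted, or stopped, you must provide at least 3 of these keys
to unseal it again.'

# Constructed sample of `fleetctl list-units` as seen from the bastion.
SAMPLE_UNITS='UNIT            MACHINE                  ACTIVE  SUB
vault.service   1a2b3c4d.../10.240.0.2   active  running
vault.service   5e6f7a8b.../10.240.0.3   active  running
vault.service   9c0d1e2f.../10.240.0.4   failed  failed
etcd.service    1a2b3c4d.../10.240.0.2   active  running'

# Each parser reads `vault init` output on stdin and prints just one field.
parse_unseal_keys() { sed -n 's/^Unseal Key [0-9][0-9]*: //p'; }
parse_root_token()  { sed -n 's/^Initial Root Token: //p'; }
parse_threshold()   { sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p'; }

# Split `vault init` output (stdin) into one 0600 file per unseal key plus
# the root token under $1, so each key can be handed to a separate custodian
# and the whole blob never sits in scrollback. Prints the number of files.
split_init_output() {
  local dir=$1 input
  input=$(cat)
  mkdir -p "$dir" && chmod 700 "$dir"
  (
    umask 077
    printf '%s\n' "$input" | parse_root_token > "$dir/root-token"
    n=0
    printf '%s\n' "$input" | parse_unseal_keys | while IFS= read -r key; do
      n=$((n + 1))
      printf '%s\n' "$key" > "$dir/unseal-key-$n"
    done
  )
  find "$dir" -type f | wc -l | tr -d ' '
}

# Count vault units that fleet reports as active/running; a unit that is not
# running cannot be unsealed, and the docs want at least one unsealed server.
count_running_vault_units() {   # $1: `fleetctl list-units` output
  printf '%s\n' "$1" |
    awk 'NR > 1 && $1 ~ /vault/ && $3 == "active" && $4 == "running" { n++ } END { print n + 0 }'
}

# Hypothetical wrapper around the page's `vault unseal`: feed the first
# <threshold> keys from the key dir to the server at $3. Run it once per
# server you want unsealed (the docs suggest at least 2).
unseal_server() {               # $1: key dir, $2: threshold, $3: vault address
  local dir=$1 threshold=$2 addr=$3 i=1
  while [ "$i" -le "$threshold" ]; do
    VAULT_ADDR=$addr vault unseal "$(cat "$dir/unseal-key-$i")"
    i=$((i + 1))
  done
}

# The real run only happens when explicitly requested, so the file can be
# sourced or exercised against the samples without touching a cluster.
if [ "${RUN_VAULT_BOOTSTRAP:-0}" = 1 ]; then
  units=$(fleetctl list-units)
  [ "$(count_running_vault_units "$units")" -ge 1 ] || { echo 'no running vault unit' >&2; exit 1; }
  keydir=${KEY_DIR:-$HOME/vault-init}
  init=$(vault init)
  printf '%s\n' "$init" | split_init_output "$keydir" >/dev/null
  threshold=$(printf '%s\n' "$init" | parse_threshold)
  unset init
  unseal_server "$keydir" "$threshold" "${VAULT_ADDR:-http://127.0.0.1:8200}"
  echo "keys written to $keydir; move them off this host and delete them here" >&2
fi
```

The key files are deliberately written with umask 077 and never echoed; the bootstrap branch unsets the in-memory copy of the init output as soon as the threshold has been read from it. With `RUN_VAULT_BOOTSTRAP` unset the script only defines the functions, which is how the constructed samples above can be checked without a cluster.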