
Pave for PAS

In this and subsequent labs, we build automation to provision a platform.

In this lab, we focus on these prerequisite steps:

  • generating a TLS certificate for the platform
  • paving GCP for PAS (and PKS)

TLS Certificate

Install certbot

Let's Encrypt is a free, automated certificate authority that issues TLS certificates.

certbot is the recommended client for Let's Encrypt.

  1. Install certbot on the jumpbox.

    Follow the documented instructions for Ubuntu.

  2. Install the certbot plugin certbot-dns-google.

    sudo apt install python3-certbot-dns-google
    
  3. Verify that both certbot and the plugin are installed.

    certbot plugins
    

    The list of plugins in the output should include dns-google.

Create a service account

For certbot to prove that we control the domain (the DNS-01 challenge, which publishes a TXT record), we must provide it a service account with permission to modify records in Cloud DNS.

From the GCP dashboard, navigate to the Service Accounts section under IAM.

  1. Click Create Service Account
  2. For the account name, enter certbot-service-account.
  3. Click Create.
  4. Give the account the role DNS Administrator (roles/dns.admin).
  5. Click the button Create Key (json).
  6. Click Done

Create a file on your jumpbox named certbot-service-account.json with the contents of the key that just downloaded.

  • Use chmod to set the permissions on the file to 600 (readable and writeable by the owner only).
  • Move the file to your ~/.ssh directory.

This key can rewrite every record in every Cloud DNS zone of the project, not only the TXT records certbot needs, so keep it out of version control and shared storage, and delete the key (or the account) if you will not be renewing certificates from this jumpbox.
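The same service account created with the gcloud CLI rather than the console, as an added example that is not part of the lab. The project id is passed in as a parameter, the key path defaults to the location used above, and GCLOUD can be set to "echo" to preview the commands without running them (all of these are assumptions of the example, not instructions from the lab).

```shell
#!/bin/sh
# Added example, not part of the lab: the same service account created with the
# gcloud CLI rather than the console. PROJECT_ID is passed in; GCLOUD can be set
# to "echo" to preview the commands without running them.

GCLOUD=${GCLOUD:-gcloud}
SA_NAME=certbot-service-account
KEY_FILE=${KEY_FILE:-$HOME/.ssh/certbot-service-account.json}

# sa_email PROJECT_ID: the address by which IAM refers to the account.
sa_email() {
    echo "$SA_NAME@$1.iam.gserviceaccount.com"
}

# create_certbot_sa PROJECT_ID: create the account, bind DNS Administrator
# (roles/dns.admin, as in the lab) and write a JSON key to KEY_FILE.
create_certbot_sa() {
    project=$1
    email=$(sa_email "$project")
    "$GCLOUD" iam service-accounts create "$SA_NAME" \
        --project="$project" --display-name="certbot DNS-01 challenges" || return 1
    # Project-wide binding: roles/dns.admin lets the key rewrite every zone in
    # the project, which is more than certbot needs (it only lists zones and
    # creates/deletes TXT challenge records); a custom role with just those
    # permissions is the least-privilege alternative.
    "$GCLOUD" projects add-iam-policy-binding "$project" \
        --member="serviceAccount:$email" --role="roles/dns.admin" || return 1
    # umask 077 in a subshell so the key file is created unreadable by others.
    ( umask 077; "$GCLOUD" iam service-accounts keys create "$KEY_FILE" \
        --iam-account="$email" ) || return 1
    if [ -f "$KEY_FILE" ]; then
        chmod 600 "$KEY_FILE"
    fi
}
```

Run it as `create_certbot_sa <your-project-id>` from a shell where gcloud is already authenticated; `GCLOUD=echo create_certbot_sa my-project` prints the three commands instead.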

Generate the certificate

The certificate required for PAS is a wildcard certificate: instead of a single hostname, each of its subject alternative names is a pattern such as *.sys.<subdomain>. A wildcard matches exactly one DNS label, so *.<subdomain> covers opsman.<subdomain> but not api.sys.<subdomain>; that is why the request below lists a separate wildcard for the system, apps, login and uaa domains. Let's Encrypt issues wildcards only through the DNS-01 challenge, which is what the dns-google plugin performs.

For more information, see here.

  1. define your environment name as an environment variable

    export ENV_NAME=replace-me-with-your-actual-environment-name
    
  2. define a subdomain environment variable as a function of the environment name

    export SUBDOMAIN="sandbox.${ENV_NAME}.pal4pe.com"
    
  3. Issue the certificate request.

    sudo certbot certonly --dns-google \
      --dns-google-credentials ~/.ssh/certbot-service-account.json \
      --dns-google-propagation-seconds 120 \
      --domains "*.${SUBDOMAIN},*.apps.${SUBDOMAIN},*.login.sys.${SUBDOMAIN},*.sys.${SUBDOMAIN},*.uaa.sys.${SUBDOMAIN}"
    

    This takes a couple of minutes: certbot requests the certificate from Let's Encrypt, publishes the TXT records it is challenged with in Cloud DNS using the service account, waits the propagation period, and Let's Encrypt then validates them. Passing the challenge proves that you control the subdomain in question.

  4. List your generated certificate.

    sudo certbot certificates
    

The certificate file is named fullchain.pem and its accompanying private key privkey.pem. Both reside in a subdirectory of /etc/letsencrypt/live named after the first domain requested (with the leading *. dropped), as root-owned symlinks into /etc/letsencrypt/archive. It might be simplest to become root (sudo su -) to grab their contents. privkey.pem is the key that will front every PAS endpoint, so copy it only where the next section needs it.
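A check a practitioner would run before handing the certificate to terraform: confirm that the wildcards actually cover the hostnames PAS serves. The following is an added example, not code from the lab or from certbot; the SUBDOMAIN default, the list of PAS endpoints it checks (api, login and uaa under sys, plus an app route under apps) and the helper names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the lab: check that a set of wildcard SANs covers
# the hostnames PAS will serve. A certificate wildcard matches exactly one DNS
# label, so "*.sandbox.example.com" covers "opsman.sandbox.example.com" but not
# "api.sys.sandbox.example.com"; that is why the certbot request above lists a
# separate wildcard per level. SUBDOMAIN below is a placeholder default.

SUBDOMAIN=${SUBDOMAIN:-sandbox.my-env.pal4pe.com}

# san_matches NAME PATTERN: succeed if PATTERN covers NAME. PATTERN is either an
# exact hostname or "*.suffix", where "*" stands for exactly one label.
san_matches() {
    name=$1
    pat=$2
    case $pat in
        '*.'*)
            suffix=${pat#\*.}      # everything after the leading "*."
            first=${name%%.*}      # leftmost label of NAME
            rest=${name#*.}        # NAME without its leftmost label
            [ "$rest" != "$name" ] && [ -n "$first" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$name" = "$pat" ]
            ;;
    esac
}

# covered NAME SAN...: succeed if any of the SANs covers NAME.
covered() {
    name=$1
    shift
    for san in "$@"; do
        if san_matches "$name" "$san"; then
            return 0
        fi
    done
    return 1
}

# check_pas_hostnames SAN...: report coverage of the standard PAS endpoints
# (API, login, UAA and an app route) and fail if any of them is not covered.
check_pas_hostnames() {
    status=0
    for host in "api.sys.$SUBDOMAIN" "login.sys.$SUBDOMAIN" \
                "uaa.sys.$SUBDOMAIN" "myapp.apps.$SUBDOMAIN"; do
        if covered "$host" "$@"; then
            echo "ok       $host"
        else
            echo "MISSING  $host"
            status=1
        fi
    done
    return $status
}

# sans_from_cert FILE: print the DNS SANs of a PEM certificate, one per line.
sans_from_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS://p'
}

# check_cert FILE: run the check against the SANs of an issued certificate,
# e.g. check_cert /etc/letsencrypt/live/<lineage>/fullchain.pem (as root).
# The subshell disables globbing so the "*" in each SAN is not expanded.
check_cert() {
    ( set -f; check_pas_hostnames $(sans_from_cert "$1") )
}

# The five wildcards from the certbot request above cover every endpoint;
# "*.$SUBDOMAIN" alone would leave the sys and apps hostnames uncovered.
check_pas_hostnames "*.$SUBDOMAIN" "*.apps.$SUBDOMAIN" "*.login.sys.$SUBDOMAIN" \
                    "*.sys.$SUBDOMAIN" "*.uaa.sys.$SUBDOMAIN"
```

Export SUBDOMAIN as in step 2 before running it, then call check_cert on the real fullchain.pem; any MISSING line means a hostname that will fail TLS validation once PAS is up.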

Pave

Use git to clone the paving repository into your workspace.

Be careful not to confuse this new paving directory with the one you previously used to pave Concourse.

Author terraform.tfvars

Navigate to ~/workspace/paving/gcp and copy the example tfvars file to a file named terraform.tfvars.

Edit the values of each field as follows:

  • environment_name: sandbox
  • project: enter your gcp project id
  • service_account_key: use the same service account key you used to pave Concourse
  • region: us-central1
  • availability_zones: ["us-central1-a", "us-central1-b", "us-central1-c"]
  • hosted_zone: enter the name of your hosted zone, the same one you created in the first lab
  • ssl_certificate: the contents of the TLS certificate, fullchain.pem (the full chain, not cert.pem alone)
  • ssl_private_key: the contents of the TLS private key, privkey.pem

terraform.tfvars now holds both the TLS private key and a service account key. Set its mode to 600 and never commit it; only the example file belongs in git.
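Rendering terraform.tfvars from the files on disk avoids pasting PEM blocks by hand and makes the file-permission step automatic. This is an added example and not code from the lab or from the paving repo; it uses the field names listed above, embeds the multi-line values with Terraform's heredoc syntax, and takes the file paths, project id and hosted zone as parameters (all placeholders).

```shell
#!/bin/sh
# Added example, not part of the lab or of the paving repo: render
# terraform.tfvars from the files certbot wrote and the service-account key,
# instead of pasting PEM blocks by hand. Multi-line values use Terraform's
# heredoc syntax. Field names are those listed above; file paths, project and
# hosted zone are placeholders passed in by the caller.

# render_tfvars CERT_FILE KEY_FILE SA_KEY_FILE PROJECT HOSTED_ZONE
# Prints the tfvars content on stdout; fails rather than embed the wrong file.
render_tfvars() {
    cert_file=$1; key_file=$2; sa_key_file=$3; project=$4; hosted_zone=$5
    for f in "$cert_file" "$key_file" "$sa_key_file"; do
        [ -r "$f" ] || { echo "render_tfvars: cannot read $f" >&2; return 1; }
    done
    grep -q 'BEGIN CERTIFICATE' "$cert_file" \
        || { echo "render_tfvars: $cert_file is not a PEM certificate" >&2; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$key_file" \
        || { echo "render_tfvars: $key_file is not a PEM private key" >&2; return 1; }
    cat <<EOF
environment_name    = "sandbox"
project             = "$project"
region              = "us-central1"
availability_zones  = ["us-central1-a", "us-central1-b", "us-central1-c"]
hosted_zone         = "$hosted_zone"

service_account_key = <<SAKEY
$(cat "$sa_key_file")
SAKEY

ssl_certificate = <<CERT
$(cat "$cert_file")
CERT

ssl_private_key = <<KEY
$(cat "$key_file")
KEY
EOF
}

# write_tfvars OUT_FILE CERT_FILE KEY_FILE SA_KEY_FILE PROJECT HOSTED_ZONE
# Writes the file with mode 0600: it carries the TLS private key and the
# service-account key, and must never be committed.
write_tfvars() {
    out=$1; shift
    ( umask 077; render_tfvars "$@" > "$out" ) || { rm -f "$out"; return 1; }
    chmod 600 "$out"
}
```

On the jumpbox this would be run as root (the live/ files are root-owned), for example `write_tfvars ~/workspace/paving/gcp/terraform.tfvars /etc/letsencrypt/live/<lineage>/fullchain.pem /etc/letsencrypt/live/<lineage>/privkey.pem <path-to-sa-key.json> <project-id> <hosted-zone>`, followed by chown to your user.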

Terraform

Make sure that your working directory is ~/workspace/paving/gcp, then:

terraform init
terraform plan -var-file terraform.tfvars
terraform apply -var-file terraform.tfvars
terraform output stable_config > ../pas-terraform-output.yml

yq helps produce a legible, pretty-printed summary of the resources that were created. The output file was written one directory up, in ~/workspace/paving:

yq read --colors --prettyPrint ../pas-terraform-output.yml

Inspect the generated infrastructure

Visit your GCP dashboard and navigate to the following areas of GCP to inspect the generated resources:

  • VPC Networks
  • Cloud DNS
  • Firewall rules
  • Load balancing
  • External IP Address
  • IAM

The terraform uses the environment name, sandbox, as the prefix for the name of each resource it creates, which makes the resources in question easy to identify from the dashboard.