Opinionated infrastructure and supporting materials to host a website from a GCS Bucket on GKE
GCP does not allow us to put IAP on a backend bucket, and I run several GKE clusters so this seems like a pretty simple solution
See the full example repository, where minimal input is required from you to get up and running.
For any issues, check the Troubleshooting page.
- Terraform installed locally
- Helm installed locally
See the Resources section
Q: Why are we creating a secret?
A: The secrets are created so that if you need to allow other team members to upgrade the helm chart, they are able to pull the secrets from your central secret manager
You will need to create a DNS record pointing to the IP address created by the module.
Q: What values can I set in the helm chart?
A: see helmcharts/gcs-web-server/values.yaml
- GKE Cluster with Workload Identity enabled
- GKE Project with IAP Oauth Consent screen created
- service project where the buckets and service accounts can be created
- Secrets project
These requirements will be explained in detail below
See Allow Pods to authenticate to Google Cloud APIs using Workload Identity on how to enable Workload Identity on your cluster.
This is required for IAP.
Navigate to APIs & Services > OAuth consent screen
A service project is required to store the below items in
- Service accounts
- GCS Buckets
- Workload Identity Bindings
We do not create these in the GKE project, as it's best practice to keep a deployment per project.
You should create the project with a name in the format `<company-name>-<name-of-site>`.
Do not prepend `{env}` to this, as the module will create buckets and service accounts for all environments (if you chose to create multiple) in the same project.
A secrets project is required, as the module creates secrets holding the IAP OAuth credentials (if enabled).
You can set this to any project that has the secrets API enabled.
Upload whatever static site you want into the root of the bucket. It will render HTML, CSS and JavaScript, and all pages are rendered when you hit the link.
The server supports sub-pages, so if you upload everything under gs://gcs-website/site/ (for example gs://gcs-website/site/index.html), your page will be available at http://<>/site/index.html.
Name of endpoint | Response code | Example response |
---|---|---|
/healthz | http/200 | {"status":"UP"} |
/health | http/200 | {"status":"UP"} |
Note: these endpoints do not generate logs, to save costs.
To use your own custom 404 page, place a 404.html file in the root of the bucket.
This page will be served for the below errors:
Currently not supported. If this is required, please open an issue.
IP Stack version | IP address | Port |
---|---|---|
v6 | [::] | 80 |
v4 | 0.0.0.0 | 80 |
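As an added illustration (not the project's own server code), a minimal Go handler with the behaviour documented above: the two unlogged JSON health endpoints, sub-page resolution, a bucket-root 404.html for missing objects, and a listener on port 80 for both IP stacks. It assumes a local directory named by a SITE_ROOT environment variable standing in for the bucket root; the real server reads objects from GCS.

```go
package main

import (
	"log"
	"mime"
	"net/http"
	"os"
	"path/filepath"
)

type siteServer struct{ root string } // root: a local directory standing in for the GCS bucket root

func (s siteServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	switch r.URL.Path {
	case "/healthz", "/health": // probes answer directly and are deliberately not logged
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"status":"UP"}`))
		return
	}
	log.Printf("%s %s", r.Method, r.URL.Path)
	// Clean the request path as an absolute path first so ".." cannot escape root.
	full := filepath.Join(s.root, filepath.Clean("/"+filepath.FromSlash(r.URL.Path)))
	if info, err := os.Stat(full); err == nil && info.IsDir() {
		full = filepath.Join(full, "index.html") // sub-pages: a directory resolves to its index.html, never a listing
	}
	body, err := os.ReadFile(full) // missing file (or a directory without index.html) -> 404
	if err != nil {
		s.notFound(w)
		return
	}
	if ct := mime.TypeByExtension(filepath.Ext(full)); ct != "" {
		w.Header().Set("Content-Type", ct) // html, css and js each get their own MIME type
	}
	w.Write(body)
}

// notFound serves 404.html from the bucket root when present, else a plain fallback.
func (s siteServer) notFound(w http.ResponseWriter) {
	body, err := os.ReadFile(filepath.Join(s.root, "404.html"))
	if err != nil {
		body = []byte("<h1>404 Not Found</h1>") // fallback when the bucket has no 404.html
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusNotFound)
	w.Write(body)
}

func main() {
	log.Fatal(http.ListenAndServe(":80", siteServer{root: os.Getenv("SITE_ROOT")})) // ":80" binds [::] and 0.0.0.0
}
```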
- Helm
- Terraform
Optionally: skaffold
A secret is created by default (i.e. you can't turn it off) so that if other members of the team need access to upgrade the Helm chart, they have the secrets locally.
See how to print the latest secret.
To create multiple environments, simply copy and paste the entire module and change `env` to one of `dev`, `test`, or `prod`.
This is a limitation in the Helm chart that I have not fixed yet.