bastion host - apigee/ahr GitHub Wiki
Bastion Host
CloudShell: Create Bastion VM
CloudShell is an interactive option that is not suitable for long-running operations: it times out after 20 minutes, losing your session settings in the process. Because Apigee hybrid provisioning is a long-running process, it makes sense to provision a bastion VM. The bastion VM is also useful for troubleshooting, as it can reach the private network addresses of your project.
We are going to:
- create a Service Account;
- add granular roles to it;
- provision a VM with a scope and service account that allow the provisioning script to run successfully;
- open an SSH session to the VM.
- In the GCP Console, activate Cloud Shell.
- Define the PROJECT variable. Click the Authorize button when asked.
NOTE: For QwikLabs, you can use the following command and skip the step:
```sh
export PROJECT=$(gcloud projects list --filter='project_id~qwiklabs-gcp' --format='value(project_id)')
echo $PROJECT
```
```sh
export PROJECT=<your-project-id>
gcloud config set project $PROJECT
```
- Create a service account for installation purposes. Click the Authorize button when asked.
```sh
export INSTALLER_SA_ID=installer-sa
gcloud iam service-accounts create $INSTALLER_SA_ID
```
- Add IAM policy bindings with the required roles.
The following snippet contains the list of roles required to successfully install the cluster, ASM, and Hybrid. The purpose is to explicitly grant only the required roles.
WARNING: For a false feeling of simplicity you might be tempted to bind the SA to the project owner role: roles='roles/owner'. It is still marginally better than using your own credentials on a shared VM.
TIP: Useful links:
https://cloud.google.com/iam/docs/understanding-roles
https://cloud.google.com/service-mesh/docs/installation-permissions
```sh
# roles/compute.securityAdmin -- create firewall
roles='roles/compute.networkAdmin
roles/compute.viewer
roles/compute.securityAdmin
roles/iam.securityAdmin
roles/container.admin
roles/resourcemanager.projectIamAdmin
roles/apigee.admin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountKeyAdmin
roles/iam.serviceAccountUser
roles/serviceusage.serviceUsageAdmin
roles/servicemanagement.admin
roles/gkehub.admin
roles/meshconfig.admin
roles/privateca.admin'
for r in $roles; do
  gcloud projects add-iam-policy-binding $PROJECT \
    --member=serviceAccount:$INSTALLER_SA_ID@$PROJECT.iam.gserviceaccount.com \
    --role=$r
done
```
- Configure some provisioning parameters of the bastion host as appropriate.
```sh
export BASTION_NETWORK=default
export BASTION_SUBNET=default
export BASTION_ZONE=europe-west1-b
export BASTION_MACHINE_TYPE=e2-standard-2 # frugal option: f1-micro
```
- Create a compute instance with the installer SA identity that will be used to execute the script.
```sh
gcloud compute instances create bastion \
  --network $BASTION_NETWORK \
  --subnet $BASTION_SUBNET \
  --zone=$BASTION_ZONE \
  --machine-type=$BASTION_MACHINE_TYPE \
  --service-account $INSTALLER_SA_ID@$PROJECT.iam.gserviceaccount.com \
  --scopes cloud-platform
```
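To verify afterwards that the installer SA holds exactly the roles listed above and nothing more (in particular not roles/owner), here is an added least-privilege audit script; it is not part of the ahr wiki. EXPECTED_ROLES mirrors the list above, the gcloud query that would feed it live is shown only in a comment, and the sample binding list at the bottom is constructed.

```sh
# Baseline: the roles the snippet above grants to the installer SA.
EXPECTED_ROLES='roles/compute.networkAdmin
roles/compute.viewer
roles/compute.securityAdmin
roles/iam.securityAdmin
roles/container.admin
roles/resourcemanager.projectIamAdmin
roles/apigee.admin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountKeyAdmin
roles/iam.serviceAccountUser
roles/serviceusage.serviceUsageAdmin
roles/servicemanagement.admin
roles/gkehub.admin
roles/meshconfig.admin
roles/privateca.admin'

# Print each line of $1 that does not occur as a whole line in $2.
list_diff() {
  printf '%s\n' "$1" | while IFS= read -r role; do
    [ -n "$role" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$role" || printf '%s\n' "$role"
  done
}

# Compare the roles actually bound to the SA ($1, one per line) with the
# baseline ($2). Exit status 0 = exact match, 1 = drift in either direction.
audit_installer_sa() {
  rc=0
  extra=$(list_diff "$1" "$2")
  missing=$(list_diff "$2" "$1")
  if [ -n "$extra" ]; then
    printf 'EXTRA (bound but not in baseline):\n%s\n' "$extra"; rc=1
    # roles/owner is the shortcut the text above warns against.
    printf '%s\n' "$extra" | grep -qxF 'roles/owner' && echo 'WARNING: roles/owner is bound'
  fi
  if [ -n "$missing" ]; then
    printf 'MISSING (in baseline but not bound):\n%s\n' "$missing"; rc=1
  fi
  return $rc
}

# Live use (not run here): let gcloud list the roles bound to the SA.
#   ACTUAL=$(gcloud projects get-iam-policy "$PROJECT" --flatten='bindings[].members' \
#     --filter="bindings.members:serviceAccount:$INSTALLER_SA_ID@$PROJECT.iam.gserviceaccount.com" \
#     --format='value(bindings.role)')
#   audit_installer_sa "$ACTUAL" "$EXPECTED_ROLES"

# Constructed sample: privateca.admin was never bound and roles/owner was added.
SAMPLE_ACTUAL=$(printf '%s\n' "$EXPECTED_ROLES" | grep -vxF 'roles/privateca.admin'; echo roles/owner)
```

Run the audit again after the installation finishes: the install scripts create further service accounts and keys, so this is also where an unexpected extra binding on the installer SA would show up.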
Bastion Host: Install Prerequisites
- In the GCP Console, open the Compute Engine / VM instances page using the hamburger menu.
- For the bastion host, click the SSH button to open an SSH session.
- Execute the following apt commands to make sure the required utilities are installed:
```sh
sudo apt-get update
sudo apt install -y mc dnsutils git jq kubectl
sudo apt install -y google-cloud-sdk-gke-gcloud-auth-plugin # check with: gke-gcloud-auth-plugin --version
```
- Turn on the kubectl plugin called "gke-gcloud-auth-plugin" [until v1.25 version]. See for details: https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
```sh
echo 'export USE_GKE_GCLOUD_AUTH_PLUGIN=true' >> ~/.bashrc
```
- You might not have the bash-completion package installed. If that's the case, you will see an error when trying to auto-complete custom completions:
```
bash: _get_comp_words_by_ref: command not found
```
To install it, execute:
```sh
sudo apt -y install bash-completion
source ~/.profile # to 'fix' the current session
```