
How to deploy a new region

The following steps are needed to provision a new region/cluster.

Steps needed before terraform can run

deepdesk-gcp

If Grafana is required, add the hostname of the new Grafana instance to the existing OAuth credentials in the "deepdesk-cloud" project, named "Deepdesk SSO" and "Deepdesk SSO Staging".

  • Create the new project in onboarding.deepdesk.com
  • Remove the 'Editor' role from the default compute service account in the new project
  • Add a new unique subnet number to the hash in deepdesk-gcp/modules/vpc/subnetworks.tf
  • Add the project to Vanta's "scope" (in integrations → google cloud)

    gcloud projects create --organization=467147383583 --set-as-default --name=deepdesk-sg-staging deepdesk-sg-staging
    gcloud beta billing projects link deepdesk-sg-staging --billing-account=012DAF-614773-4E8BB1
    gcloud compute project-info add-metadata --metadata google-compute-default-region=asia-southeast1
    gcloud services enable compute.googleapis.com
    gcloud services enable cloudbuild.googleapis.com
    gcloud services enable secretmanager.googleapis.com
    gcloud services enable servicenetworking.googleapis.com
    gcloud config set compute/region asia-southeast1

    terraform init
    terraform workspace new deepdesk-sg-staging
    terraform import module.logging.google_logging_project_sink.default-logging-sink projects/deepdesk-sg-staging/sinks/_Default

  • Manually create a Cloud Build private worker pool:

    • Go to: https://console.cloud.google.com/cloud-build/settings/worker-pool
    • Click 'Create', and fill out the form as follows:
      • Name: e2-medium
      • Region: europe-west4 (yes, this is fixed for every project)
      • Machine type: e2-medium
      • Disk size: 100G
      • Project: <id of the newly created project>
      • Network: "default"
      • Assign external IPs: enabled
  • Create a secret 'vpn_private_key' that will be used for the VPN gateway:

    wg genkey | tee privatekey | wg pubkey > publickey
    • Store the contents of 'privatekey' in the vpn_private_key secret
    • Publish the public key in the VPN setup guide (document not migrated)
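As an added pre-flight check (example code, not part of this runbook or the deepdesk-gcp repo), the script below verifies two of the steps above before terraform is run: that the default compute service account no longer holds the Editor role, and that the four APIs enabled with gcloud services enable are active. It assumes the JSON shapes that gcloud ... --format=json emits for projects describe, projects get-iam-policy and services list; the function names and the sample policy (project number 123456) are constructed for the example.

```python
import json
import subprocess

# The four APIs the runbook enables with `gcloud services enable`.
REQUIRED_SERVICES = {"compute.googleapis.com", "cloudbuild.googleapis.com",
                     "secretmanager.googleapis.com", "servicenetworking.googleapis.com"}


def default_compute_sa(project_number: str) -> str:
    # GCP derives the default compute service account name from the project number.
    return f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"


def editor_bindings_for_default_sa(policy: dict, project_number: str) -> list:
    """roles/editor bindings that still include the default compute SA (empty = step done)."""
    member = default_compute_sa(project_number)
    return [b for b in policy.get("bindings", [])
            if b.get("role") == "roles/editor" and member in b.get("members", [])]


def missing_services(enabled: list) -> set:
    """Required APIs absent from `gcloud services list --enabled --format=json` output."""
    return REQUIRED_SERVICES - {s.get("config", {}).get("name") for s in enabled}


def gcloud_json(*args: str):
    # Thin wrapper: run one gcloud command and parse its JSON output.
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def preflight(project_id: str) -> list:
    """Run both checks against a live project and return human-readable findings."""
    number = gcloud_json("projects", "describe", project_id)["projectNumber"]
    policy = gcloud_json("projects", "get-iam-policy", project_id)
    enabled = gcloud_json("services", "list", "--enabled", "--project", project_id)
    findings = [f"{svc} is not enabled" for svc in sorted(missing_services(enabled))]
    if editor_bindings_for_default_sa(policy, number):
        findings.append("default compute service account still holds roles/editor")
    return findings


# Constructed sample: Editor not yet removed, and servicenetworking not yet enabled.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]}]}
SAMPLE_ENABLED = [{"config": {"name": n}, "state": "ENABLED"} for n in
                  ("compute.googleapis.com", "cloudbuild.googleapis.com",
                   "secretmanager.googleapis.com")]
```

Call preflight("<project>") with gcloud authenticated against the new project; an empty list means both steps are done.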

deepdesk-gcp

  • Create a Slack notification channel #alerting (requires an OAuth flow with Slack). The display name must be "Slack Alerting Channel".
  • After creation of the Cloud SQL instance, set the postgres user password (Console -> DB Instance -> Users -> postgres -> Change password) to the password stored in the "postgres_db_password" secret.
  • Create an Elasticsearch App Search admin key at https://kibana.<region_subdomain>.deepdesk.com/. Create a new Google Secret Manager secret called 'appsearch_admin_key' and set its value to the admin token.
  • Run the following commands in this order in the deepdesk-gcp repo (Terraform doesn't handle CRD dependencies properly, so each operator's helm_release target is applied before the rest of its module so that the CRDs exist first):

    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.apis
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.vpc
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.cmek
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.gke_private_cluster
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.prometheus
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.cert-manager.helm_release.cert-manager
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.cert-manager
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.external-dns
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.istio.helm_release.istio-operator
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.istio
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.external-secrets.helm_release.external-secrets
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.external-secrets
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.flux
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.rabbitmq.helm_release.rabbitmq_cluster_operator
    DEBUG=1 ./terraform/projects/per-project/run.sh <project> apply -target=module.rabbitmq

Further Onboarding

  • Manually trigger all Cloud Build triggers in the new project to deploy cloud functions, Kubeflow pipelines, etc.
  • Register a GitHub webhook pointing at the Flux webhook URL (kubectl get receivers.notification.toolkit.fluxcd.io) on the deepdesk-config and deepdesk-helmcharts repos. The webhook secret is stored in the flux/github-webhook-token Kubernetes secret.
  • Add the outbound NAT IP to the Gmail SMTP relay whitelist
  • Add the cluster public IP to the Tailscale ACL/grant configuration