Initial commit

.github/release-cluster/README.md

@@ -0,0 +1,75 @@
+# cymbal-shops.retail.cymbal.dev manifests
+
+This directory contains extra deploy manifests for configuring Online Boutique solution on GKE for cymbal-shops.retail.cymbal.dev.
+
+_Note: before moving forward, the Online Boutique apps should already be deployed [on the online-boutique-release GKE cluster](/docs/releasing#10-deploy-releasekubernetes-manifestsyaml-to-our-online-boutique-release-gke-cluster)._
+
+## Public static IP address
+
+Create the static public IP address:
+```
+STATIC_IP_NAME=online-boutique-ip # name hard-coded in: frontend-ingress.yaml
+gcloud compute addresses create $STATIC_IP_NAME --global
+```
+
+When ready to do so, you could grab this public IP address and update your DNS:
+```
+gcloud compute addresses describe $STATIC_IP_NAME \
+    --global \
+    --format "value(address)"
+```
+
+## Cloud Armor
+
+Set up Cloud Armor:
+```
+SECURITY_POLICY_NAME=online-boutique-security-policy # Name hard-coded in: backendconfig.yaml
+gcloud compute security-policies create $SECURITY_POLICY_NAME \
+    --description "Block various attacks"
+gcloud compute security-policies rules create 1000 \
+    --security-policy $SECURITY_POLICY_NAME \
+    --expression "evaluatePreconfiguredExpr('xss-stable')" \
+    --action "deny-403" \
+    --description "XSS attack filtering"
+gcloud compute security-policies rules create 12345 \
+    --security-policy $SECURITY_POLICY_NAME \
+    --expression "evaluatePreconfiguredExpr('cve-canary')" \
+    --action "deny-403" \
+    --description "CVE-2021-44228 and CVE-2021-45046"
+gcloud compute security-policies update $SECURITY_POLICY_NAME \
+    --enable-layer7-ddos-defense
+gcloud compute security-policies update $SECURITY_POLICY_NAME \
+    --log-level=VERBOSE
+```
+
+## SSL Policy
+
+Set up an SSL policy in order to later set up a redirect from HTTP to HTTPs:
+```
+SSL_POLICY_NAME=online-boutique-ssl-policy # Name hard-coded in: frontendconfig.yaml
+gcloud compute ssl-policies create $SSL_POLICY_NAME \
+    --profile COMPATIBLE  \
+    --min-tls-version 1.0
+```
+
+## Deploy Kubernetes manifests
+
+Deploy the Kubernetes manifests in this current folder:
+```
+kubectl apply -f .
+```
+
+Wait for the `ManagedCertificate` to be provisioned. This usually takes about 30 minutes.
+```
+kubectl get managedcertificates
+```
+
+Remove the default `LoadBalancer` `Service` not used at this point:
+```
+kubectl delete service frontend-external
+```
+
+Remove the `loadgenerator` `Deployment` not used at this point:
+```
+kubectl delete deployment loadgenerator
+```

.github/release-cluster/backend-config.yaml

@@ -0,0 +1,21 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: cloud.google.com/v1
+kind: BackendConfig
+metadata:
+  name: frontend-backend-config
+spec:
+  securityPolicy:
+    name: online-boutique-security-policy

.github/release-cluster/frontend-config.yaml

@@ -0,0 +1,23 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.gke.io/v1beta1
+kind: FrontendConfig
+metadata:
+  name: frontend-frontend-config
+spec:
+  sslPolicy: online-boutique-ssl-policy
+  redirectToHttps:
+    enabled: true
+    responseCodeName: MOVED_PERMANENTLY_DEFAULT

.github/release-cluster/frontend-ingress.yaml

@@ -0,0 +1,38 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: frontend-ingress
+  annotations:
+    kubernetes.io/ingress.global-static-ip-name: online-boutique-ip
+    networking.gke.io/managed-certificates: online-boutique-certificate
+    networking.gke.io/v1beta1.FrontendConfig: frontend-frontend-config
+spec:
+  defaultBackend:
+    service:
+      name: frontend
+      port:
+        number: 80
+  rules:
+  - http:
+      paths:
+      - path: /*
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: frontend
+            port:
+              number: 80

.github/release-cluster/frontend-service.yaml

@@ -0,0 +1,29 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend
+  annotations:
+    cloud.google.com/neg: '{"ingress": true}'
+    cloud.google.com/backend-config: '{"default": "frontend-backend-config"}'
+spec:
+  type: ClusterIP
+  selector:
+    app: frontend
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080

.github/release-cluster/managed-cert.yaml

@@ -0,0 +1,21 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: networking.gke.io/v1
+kind: ManagedCertificate
+metadata:
+  name: online-boutique-certificate
+spec:
+  domains:
+    - cymbal-shops.retail.cymbal.dev