github.com/mre-fog/trillianxx@v1.1.2-0.20180615153820-ae375a99d36a/examples/deployment/kubernetes/README.md

Deploying onto Kubernetes in Google Cloud
=========================================

This document guides you through the process of spinning up an example Trillian
deployment on Google Cloud using Kubernetes and Cloud Spanner.

Prerequisites
-------------

1. You should have this repo checked out :)
1. A recent [Debian](https://debian.org) based distribution (other platforms
   may work, but YMMV)
1. You must have the [`jq` binary](https://packages.debian.org/stretch/jq)
   installed (for command-line manipulation of JSON)
1. You have `gcloud`/`kubectl`/`go`/`Docker` etc. installed (see the
   [Cloud quickstart](https://cloud.google.com/kubernetes-engine/docs/quickstart)
   docs)
1. You have a Google account with billing configured
1. You will need to request additional quota for Compute Engine "in-use IP
   addresses" (need: 11; default: 8)
   [link](https://console.cloud.google.com/iam-admin/quotas?service=compute.googleapis.com&metric=In-use%20IP%20addresses)

Process
-------

1. Go to the [Google Cloud Console](https://console.cloud.google.com)
1. Create a new project
1. Edit the [config.sh](config.sh) file and set `PROJECT_NAME` to the name of
   your project
1. Run: `./create.sh`.
   This script will create the Kubernetes cluster, node pools, Spanner
   database, service account and etcd cluster.
   It should take about 5 to 10 minutes to finish and must complete without
   error.
1. Now you can deploy the Trillian services.
   Run: `./deploy.sh`
   This will build the Trillian Docker images, tag them, and create/update the
   Kubernetes deployment.
1. To update a running deployment, simply re-run `./deploy.sh` at any time.

Next steps
----------

You should now have a working Trillian Log deployment in Kubernetes.
To do something useful with it, you'll need to provision one or more trees into
the Trillian log and run a "personality" layer.

To provision a tree into Trillian, you can use the Trillian admin API, like so:

```bash
# Create a LOG tree. The response is JSON carrying the new tree's id, e.g.
# {... "tree_id": <large number here> ...}; jq extracts it into $tree_id.
tree_id=$(curl -s -X POST "${LOG_URL}/v1beta1/trees" \
  -d '{ "tree": { "tree_state": "ACTIVE", "tree_type": "LOG", "hash_strategy": "RFC6962_SHA256", "signature_algorithm": "ECDSA", "max_root_duration": "0", "hash_algorithm": "SHA256" }, "key_spec": { "ecdsa_params": { "curve": "P256" } } }' \
  | jq -r .tree_id)

# Initialise the newly created log so it can accept leaves.
curl -X POST "${LOG_URL}/v1beta1/logs/${tree_id}:init"
```

The easiest way to do this is probably to use
`kubectl exec <name of one of the logserver pods> -ti -- /bin/bash` to get a
shell on a logserver Pod, and use curl from there.

(Use `kubectl get pods` to retrieve a list of all the Pods.)

**NOTE: none of the Trillian APIs are exposed to the internet with this config.
This is intentional, since the only access to Trillian should be via a
personality layer.**

Next, you may wish to deploy the [Certificate Transparency personality](https://github.com/google/certificate-transparency-go/tree/master/trillian).
Example Kubernetes deployment configs for that can be found [here](https://github.com/google/certificate-transparency-go/tree/master/trillian/examples/deployment/kubernetes).
You can probably use the [deploy_gce_ci.sh](https://github.com/google/certificate-transparency-go/blob/master/scripts/deploy_gce_ci.sh)
script with a small tweak to the environment variables it contains at the top
to set the project ID and zone.

TODO(al): Provide a complete end-to-end script/walk through of this.

Known Issues
------------

- This deployment is quite tightly coupled to Google Cloud Kubernetes
- Only CloudSpanner is supported currently
- There is no Trillian Map support currently (because there is no map support
  in the current CloudSpanner storage implementation).
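The two-step provisioning exchange from the "Next steps" section (create the tree, read back its `tree_id`, then call `:init` on that id) is easy to get wrong when scripted, typically by initialising with an empty or mis-parsed id. The following Go program is an added example, not part of this README or of the Trillian code base; it performs the same two HTTP calls against the admin API's REST gateway with the same request body as the curl command above, and refuses to proceed to `:init` unless a non-zero `tree_id` came back. The function name `ProvisionLog`, the acceptance of `tree_id` as either a JSON string or a number, and the use of `LOG_URL` from the environment are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
)

// createTreeRequest is the same body the README's curl command posts to
// /v1beta1/trees: an ACTIVE LOG tree hashed per RFC 6962 with an ECDSA P-256 key.
var createTreeRequest = map[string]interface{}{
	"tree": map[string]interface{}{
		"tree_state":          "ACTIVE",
		"tree_type":           "LOG",
		"hash_strategy":       "RFC6962_SHA256",
		"signature_algorithm": "ECDSA",
		"max_root_duration":   "0",
		"hash_algorithm":      "SHA256",
	},
	"key_spec": map[string]interface{}{
		"ecdsa_params": map[string]interface{}{"curve": "P256"},
	},
}

// postJSON sends body to url and returns an error for any non-200 status.
func postJSON(client *http.Client, url string, body []byte) (*http.Response, error) {
	resp, err := client.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		resp.Body.Close()
		return nil, fmt.Errorf("POST %s: HTTP %d", url, resp.StatusCode)
	}
	return resp, nil
}

// ProvisionLog (assumed name; not a Trillian library function) creates a tree,
// extracts tree_id from the response and initialises the log, mirroring the
// README's two curl calls. It returns the new tree_id and never calls :init
// without a usable id.
func ProvisionLog(client *http.Client, logURL string) (int64, error) {
	base := strings.TrimRight(logURL, "/")

	body, err := json.Marshal(createTreeRequest)
	if err != nil {
		return 0, err
	}
	resp, err := postJSON(client, base+"/v1beta1/trees", body)
	if err != nil {
		return 0, fmt.Errorf("create tree: %w", err)
	}
	defer resp.Body.Close()

	// Assumption: int64 fields may arrive as JSON strings (the usual gateway
	// encoding for 64-bit integers) or as bare numbers; json.Number takes both.
	var created struct {
		TreeID json.Number `json:"tree_id"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&created); err != nil {
		return 0, fmt.Errorf("decode create-tree response: %w", err)
	}
	id, err := created.TreeID.Int64()
	if err != nil || id == 0 {
		return 0, fmt.Errorf("create-tree response carried no usable tree_id (%q)", created.TreeID)
	}

	initResp, err := postJSON(client, fmt.Sprintf("%s/v1beta1/logs/%d:init", base, id), []byte("{}"))
	if err != nil {
		return 0, fmt.Errorf("init log %d: %w", id, err)
	}
	initResp.Body.Close()
	return id, nil
}

func main() {
	// LOG_URL is the same variable the README's curl commands use, e.g. the
	// logserver's HTTP address reached from inside a logserver Pod.
	logURL := os.Getenv("LOG_URL")
	if logURL == "" {
		log.Fatal("set LOG_URL to the Trillian log server HTTP endpoint")
	}
	id, err := ProvisionLog(http.DefaultClient, logURL)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("provisioned and initialised tree", id)
}
```

Run it from a logserver Pod with `LOG_URL` set, exactly as you would run the curl commands; the program stops before `:init` if the create call fails or returns no id, which is the failure the unquoted `${tree_id}` in a hand-typed session would silently pass through as an empty path segment.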