This document provides steps for deploying a scalable instance of InsightCloudSec on GCP using GKE and Cloud SQL. If you have questions or issues, reach out to [email protected].
Value Names (DivvyCloud vs. InsightCloudSec)
Some components use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.
Before you get started with this setup, ensure that you have the following:
- A GCP account with the appropriate admin permissions
- Permission to create/modify resources in CloudSQL, MemoryStore, and Kubernetes
Note: The content on this page applies to self-hosted customers. For hosted customers we recommend that you contact your CSM or [email protected] with any questions or concerns.
1. To ensure that the CloudSQL API is enabled, go to “APIs” in the GCP console. Then:
- Click on “Library” on the left
- Search for and select “Cloud SQL Admin API” and ensure it is enabled.
2. Create a Cloud SQL database instance and complete its configuration using the recommended specs:
- Engine: MySQL 5.7
- Instance type: db-n1-standard-4
- 100 GB volume (Enable automatic storage increases)
- Private IP
- Availability: High availability (regional)
Complete the settings as outlined in the example below
3. Once the instance comes up, click on your database to view the details.
Save your Instance details
Copy the instance connection name; you’ll need it later to complete the configuration.
4. Click on the "Users" tab and create a new user:
- Username = divvy
- Password = [your choice]
5. Go to Overview and click on "Connect using cloud shell".
6. Once the shell comes up, in the mysql> prompt, paste in the following, line by line:
CREATE DATABASE divvy;
CREATE DATABASE divvykeys;
GRANT ALL PRIVILEGES on divvy.* to 'divvy'@'%';
GRANT ALL PRIVILEGES on divvykeys.* to 'divvy'@'%';
GRANT RELOAD ON *.* TO 'divvy'@'%';
Next you will need to create a Memorystore (Redis) instance in the GCP Console.
1. Open the GCP Console and locate the "Memorystore" option under "Storage".
2. Click "Create Instance" and complete the form as follows:
- Instance ID - your instance ID
- Display Name - your display name
- Version - 4.0
- Instance tier - Standard (recommended for inclusion of failover)
- Location - ensure that Region and Zone match the Cloud SQL database you specified
- Instance capacity - 3GB (recommended)
3. Click "Create" and wait for the instance to build. Note the associated IP address.
1. To create a static IP, go to VPC network
- From the left menu bar, choose External IP addresses
- Click Reserve Static Address
- Name: divvy
- Ensure static address is in the same region as GKE cluster, CloudSQL, and MemoryStore instances
- Click Reserve
Ensure GKE cluster, CloudSQL, and MemoryStore instances are in the same region and VPC network.
2. Copy the Static IP and save this information.
1. To create a cluster, close the cloud shell window, and go to IAM & Admin.
- From the left menu bar, choose Service Accounts
- Create a GCP service account by choosing "Create Service Account" from the top menu bar, then use the following:
- Name: GKEtoCloudSQL
- Role: Cloud SQL Client (Cloud SQL / Cloud SQL Client)
- Leave the “Grant users access to this service account” blank
2. Create a key (JSON) and download/save the JSON.
3. Go to Kubernetes Engine, and select "create cluster", using the following:
- Name: divvycloud-gke
- In the box for the default-pool, update the machine type to n1-standard-2 (2 vCPUs)
4. Click on More options and select "Enable AutoScaling":
- Minimum number of nodes: 2
- Max number of nodes: 6
5. In the Networking section, ensure the "Enable VPC-native traffic routing (uses alias IP)" box is checked.
6. Once the cluster is created, click on "Connect" and then "Run in Cloud Shell" to connect to the cluster.
7. Paste these commands, one by one, into the terminal:
curl -O https://s3.amazonaws.com/get.divvycloud.com/prodserv/gcp/gke/divvycloud-gke-nginx-lb.zip
8. Update the InsightCloudSec version on line 4 of the
values.yaml file to the latest version. You can see the latest version here.
9. Paste this command into the terminal:
kubectl create namespace divvycloud
1. To create a CloudSQLProxy secret:
- In the terminal, create a file called service_account.json
- Paste in the JSON from the service account and save the file
2. Run the following command
kubectl create secret generic -n divvycloud cloudsql-instance-credentials --from-file=credentials.json=service_account.json
1. To create a TLS Certificate Secret:
- Create a certificate and key file
- Upload those into the cluster, into the same divvycloud namespace as the Cloud SQL secret (an Ingress can only reference a TLS secret in its own namespace):
kubectl create secret tls -n divvycloud divvycloud --key hostname.key --cert hostname.crt
1. Open the file called "values.yaml" and enter your required parameters.
The standard parameters are:
cloudSQLInstanceName: [Cloud SQL instance connection name (saved from database creation)]
databaseUser: [divvy user created (default is divvy)]
databasePassword: [divvy password created]
redisHost: [IP address of the Memorystore instance created above]
loadBalancerIP: [the static IP address reserved above]
hosts: [hostname record pointed at your static IP; it must match the TLS certificate]
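Before running the install, it is worth checking the filled-in values.yaml against the constraints this page sets: the Cloud SQL connection name must have the project:region:instance form and sit in the same region as the rest of the deployment, redisHost and loadBalancerIP must be IP addresses, hosts must be a DNS name (the page notes that connecting by bare IP is ignored), and no [...] template placeholder may be left behind. The preflight script below is an added example, not part of the InsightCloudSec chart; it assumes a flat key: value layout (the chart may nest these keys), a made-up sample file, and that you pass in your GCP region.

```python
# Added example, not part of the InsightCloudSec chart. Assumes a flat
# `key: value` values.yaml (the chart may nest keys) and a caller-supplied region.
import ipaddress
import re
# Cloud SQL instance connection names have the form project:region:instance.
CONN_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*:[a-z0-9-]+:[a-z][a-z0-9-]*$")
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
REQUIRED = ("cloudSQLInstanceName", "databaseUser", "databasePassword", "redisHost", "loadBalancerIP", "hosts")
# Constructed sample of a filled-in values.yaml (every value is made up).
SAMPLE_VALUES = """\
cloudSQLInstanceName: my-project:us-central1:divvy-db
databaseUser: divvy
databasePassword: "example-only-password"
redisHost: 10.0.0.3
loadBalancerIP: 34.1.2.3
hosts: ics.example.com
"""

def parse_flat_yaml(text):
    # Minimal `key: value` parser; skips blank/comment lines and strips quotes.
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        key, _, val = line.partition(":")
        values[key.strip()] = val.strip().strip("'\"")
    return values

def is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False

def check_values(text, expected_region):
    # Returns a list of problems; an empty list means the file looks deployable.
    v = parse_flat_yaml(text)
    problems = [f"missing or empty: {k}" for k in REQUIRED if not v.get(k)]
    problems += [f"template placeholder left in: {k}" for k in REQUIRED
                 if v.get(k, "").startswith("[") and v[k].endswith("]")]
    conn = v.get("cloudSQLInstanceName", "")
    if conn and not CONN_NAME_RE.match(conn):
        problems.append("cloudSQLInstanceName must be project:region:instance")
    elif conn and conn.split(":")[1] != expected_region:
        problems.append(f"Cloud SQL region {conn.split(':')[1]} != {expected_region}")
    problems += [f"{k} must be an IP address" for k in ("redisHost", "loadBalancerIP")
                 if v.get(k) and not is_ip(v[k])]
    host = v.get("hosts", "")
    if host and (is_ip(host) or not HOSTNAME_RE.match(host)):
        problems.append("hosts must be a DNS name, not an IP (IP-only access is ignored)")
    return problems
```

Run check_values(open("values.yaml").read(), "<your-region>") and fix every reported problem before the install command; the Memorystore region itself cannot be verified offline and still needs a glance in the console.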
2. In the terminal window, run these commands:
2a. To upgrade, update the InsightCloudSec version in
values.yaml and re-run the install command:
3. Connect to your InsightCloudSec/DivvyCloud instance by doing the following:
- Close the cloud shell window
- In the Kubernetes engine, go to the Services & Ingress tab
- Once the interface server is up, the endpoint displayed there will be the hostname you connect to for your InsightCloudSec instance. You will need to create a DNS record to point to the static IP you created earlier. A connection directly to the IP address without a hostname will be ignored.
Reaching the Site
If the site can’t be reached, please wait a few minutes and try again. During a clean installation, there are a large number of MySQL schema updates that must be executed.
4. When all is ready, you will see the following: