Challenge
The customer, a large financial media company, operates a hybrid cloud environment composed of
on-premise data centers and multiple cloud providers. Rearc worked with the customer's internal cloud team,
which strives to empower its application developer teams to rapidly deploy both containerized and
VM-based workloads in any cloud provider by providing a simple menu of foundational compute
capabilities and platforms they can choose from. This insulates developer teams from having to
deal with the idiosyncrasies of individual cloud compute platforms. These foundational capabilities
include platforms like managed Kubernetes and cloud VMs for non-containerized workloads.
The objective was to present those options as easy-to-consume Infrastructure-as-Code (IaC)
modules to encourage proper, fast and secure adoption. To achieve this state, it was also
necessary to provision the proper underlying networking and machine image primitives. This
was also done using modular IaC.
Solution
Rearc partnered with the customer to identify use cases for compute workloads. Rearc then
used Terraform in a "module library pattern" to implement and document the various flavors
of GCP compute platform options that satisfied those use cases. As a preliminary step, similar
modules were created and executed for components like the VPC and GCP machine images to
provide the primitives needed for the higher-level objective. The modules are
consumed by Jenkins, the CI/CD platform, to deploy compute infrastructure in GCP for
Internet-facing as well as internal applications.
Outcome
With Rearc's assistance, the customer has enriched their IaC module registry with multiple
modular components that are used to create compute platforms like VMs, instance groups and
Kubernetes clusters in GCP projects. Application developer teams use these platforms to
deploy their applications in GCP. These components include:
- Virtual Network Module for deploying purpose-built global VPCs in GCP projects. The
same module can be used to restrict a VPC to regional routing mode if required, and it
provides the option to share the VPC across multiple GCP projects. The module also
provides submodules to manage subnets, routes, NAT and Internet gateways as
well as firewalling.
- Machine Image Module to create gold machine images from approved marketplace
images. These gold images are then used by internal customers to deploy
VMs or instance groups for their workloads, or as Kubernetes worker nodes. They also
serve as a base for customized application machine images built by some internal
customers. The module takes customer-provided Packer templates as input to the image
creation process, and can also copy the same image across multiple
regions and share it with other customer projects, thus adopting the "central builder
pattern" for enforcing policy compliance.
- Kubernetes Module for deploying GKE clusters and associated components. This
module deploys regional GKE clusters with multiple redundant zonal node instance
groups as the node pool. The Kubernetes API endpoint is private and is exposed to
the customer's internal networks via an Nginx reverse proxy instance group, front-ended by a
cloud load balancer and an ACL. As is common with managed Kubernetes, the customer
VPC is peered with the Google-managed VPC that contains the control plane, while the
node pool is deployed in the customer VPC. The module deploys the entire solution
end-to-end and contains multiple optional sub-modules, such as an ingress controller,
kube-state-metrics, t-shirt sizing and HPA, to account for specific use cases.
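As an added illustration, not Rearc's or the customer's module code, the following Terraform root module sketches the two patterns the Virtual Network and Kubernetes modules describe: a custom-mode VPC whose routing mode can be switched between global and regional, and a regional GKE cluster whose control plane has only a private endpoint, reachable solely from listed internal ranges over the peered control-plane network. All resource names, variable names, project ids and CIDR ranges are assumptions; the Nginx reverse proxy, load balancer, ACL and optional sub-modules are left out.

```hcl
# Added example (not the project's code). Names, ids and CIDRs are assumptions.
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1" # assumed region
}

# Opt-in equivalent of the "regional routing mode" restriction described above.
variable "regional_routing" {
  type    = bool
  default = false
}

# Internal ranges allowed to reach the private control-plane endpoint (assumed).
variable "internal_cidrs" {
  type    = list(string)
  default = ["10.0.0.0/8"]
}

# Custom-mode VPC: no auto-created subnets, routing mode chosen by the caller.
resource "google_compute_network" "vpc" {
  project                 = var.project_id
  name                    = "platform-vpc"
  auto_create_subnetworks = false
  routing_mode            = var.regional_routing ? "REGIONAL" : "GLOBAL"
}

# Node subnet with secondary ranges for pods and services (VPC-native cluster).
resource "google_compute_subnetwork" "nodes" {
  project                  = var.project_id
  name                     = "gke-nodes"
  region                   = var.region
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true # nodes reach Google APIs without public IPs

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.20.0.0/16"
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.30.0.0/20"
  }
}

# Regional cluster (location is a region, not a zone) with a private API endpoint.
resource "google_container_cluster" "regional" {
  project    = var.project_id
  name       = "platform-gke"
  location   = var.region
  network    = google_compute_network.vpc.id
  subnetwork = google_compute_subnetwork.nodes.id

  remove_default_node_pool = true
  initial_node_count       = 1
  networking_mode          = "VPC_NATIVE"

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  private_cluster_config {
    enable_private_nodes    = true            # worker nodes get no external IPs
    enable_private_endpoint = true            # no public control-plane address
    master_ipv4_cidr_block  = "172.16.0.0/28" # Google-side range, peered to the VPC
  }

  # Even the private endpoint only answers listed internal ranges.
  master_authorized_networks_config {
    dynamic "cidr_blocks" {
      for_each = var.internal_cidrs
      content {
        cidr_block   = cidr_blocks.value
        display_name = "internal-${cidr_blocks.key}"
      }
    }
  }
}

# A regional node pool is replicated across the region's zones, giving the
# redundant zonal node groups described above.
resource "google_container_node_pool" "workers" {
  project    = var.project_id
  name       = "workers"
  location   = var.region
  cluster    = google_container_cluster.regional.name
  node_count = 1 # per zone

  node_config {
    machine_type = "e2-standard-4"
    image_type   = "COS_CONTAINERD"
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}
```

The setting that carries the security property described in the text is `enable_private_endpoint = true`: with it the cluster has no public control-plane address at all, so the only route to the Kubernetes API is through the peered control-plane range, which in the customer's design sits behind the Nginx proxy, load balancer and ACL. `master_authorized_networks_config` then narrows even that path to the listed internal ranges. Before publishing such a module to a registry, a reviewer would confirm in the `terraform plan` output, or with `gcloud container clusters describe`, that the private endpoint is enabled and the authorized-network list contains only internal ranges.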