Provisioning Compute / Network Resources

Network Resources

We next need to create a network for our compute resources:

gcloud compute networks create sigstore-the-hard-way-proj --subnet-mode custom

📝 If you receive an error containing reason: UREQ_PROJECT_BILLING_NOT_FOUND, you need to enable billing on the API.

We can now create a subnet with an internal range:

gcloud compute networks subnets create sigstore \
    --network sigstore-the-hard-way-proj \
    --range 10.240.0.0/24

Create two firewall rules: an internal rule that allows all tcp, udp and icmp traffic between nodes on the 10.240.0.0/24 subnet, and an external rule that allows SSH (tcp:22), HTTP (tcp:80), HTTPS (tcp:443) and icmp from any source. Note that 0.0.0.0/0 exposes SSH on every node to the whole internet; if you only need to reach the nodes from a known address, narrow --source-ranges on the external rule accordingly.

gcloud compute firewall-rules create sigstore-the-hard-way-proj-allow-internal \
    --allow tcp,udp,icmp \
    --network sigstore-the-hard-way-proj \
    --source-ranges 10.240.0.0/24
gcloud compute firewall-rules create sigstore-the-hard-way-allow-external \
    --allow tcp:22,tcp:80,tcp:443,icmp \
    --network sigstore-the-hard-way-proj \
    --source-ranges 0.0.0.0/0

To verify the rules were created run the following command:

gcloud compute firewall-rules list --filter="network:sigstore-the-hard-way-proj"

You should see output similar to the following:

NAME                                       NETWORK                     DIRECTION  PRIORITY  ALLOW                       DENY  DISABLED
sigstore-the-hard-way-allow-external       sigstore-the-hard-way-proj  INGRESS    1000      tcp:22,tcp:80,tcp:443,icmp        False
sigstore-the-hard-way-proj-allow-internal  sigstore-the-hard-way-proj  INGRESS    1000      tcp,udp,icmp                      False

Compute Resources

Now we need to create four compute nodes, one for each service (rekor, fulcio, oauth2 and ctl), each with a fixed private IP on the sigstore subnet:

gcloud compute instances create sigstore-rekor \
    --async \
    --boot-disk-size 200GB \
    --image-family debian-11 \
    --image-project debian-cloud \
    --machine-type e2-small \
    --private-network-ip 10.240.0.10 \
    --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \
    --subnet sigstore \
    --tags sigstore-the-hard-way-proj,sigstore-rekor
gcloud compute instances create sigstore-fulcio \
    --async \
    --boot-disk-size 200GB \
    --image-family debian-11 \
    --image-project debian-cloud \
    --machine-type e2-small \
    --private-network-ip 10.240.0.11 \
    --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \
    --subnet sigstore \
    --tags sigstore-the-hard-way-proj,sigstore-fulcio
gcloud compute instances create sigstore-oauth2 \
    --async \
    --boot-disk-size 200GB \
    --image-family debian-11 \
    --image-project debian-cloud \
    --machine-type e2-small \
    --private-network-ip 10.240.0.12 \
    --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \
    --subnet sigstore \
    --tags sigstore-the-hard-way-proj,sigstore-oauth2
gcloud compute instances create sigstore-ctl \
    --async \
    --boot-disk-size 200GB \
    --image-family debian-11 \
    --image-project debian-cloud \
    --machine-type e2-small \
    --private-network-ip 10.240.0.13 \
    --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \
    --subnet sigstore \
    --tags sigstore-the-hard-way-proj,sigstore-ctl

Verify that all four compute instances are in a RUNNING state and received the private IPs assigned above:

gcloud compute instances list --filter="tags.items=sigstore-the-hard-way-proj"

The output should be as follows:

NAME             ZONE            MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP     STATUS
sigstore-ctl     europe-west1-c  e2-small                   10.240.0.13  35.241.198.188  RUNNING
sigstore-fulcio  europe-west1-c  e2-small                   10.240.0.11  35.241.201.91   RUNNING
sigstore-oauth2  europe-west1-c  e2-small                   10.240.0.12  35.240.60.139   RUNNING
sigstore-rekor   europe-west1-c  e2-small                   10.240.0.10  35.233.82.12    RUNNING
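The four create commands above differ only in the node name and private IP, and the final listing is checked by eye. As an added example (not part of the original tutorial or of the sigstore project), the POSIX shell script below drives the same gcloud flags from one name/IP table and verifies a listing mechanically. The DRY_RUN switch, the two constructed listings and the --format projection used to produce a "NAME STATUS INTERNAL_IP" listing are this example's own assumptions, not something the page states.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: create the four sigstore
# nodes from one name/IP table instead of four hand-copied commands, and verify
# the result from a parsed listing. Assumptions (not from the page): DRY_RUN is a
# switch introduced here (default on, so the script only prints the gcloud
# commands); the --format projection under verify_nodes is what this example
# expects gcloud to emit, so check it against `gcloud topic projections`.

DRY_RUN="${DRY_RUN:-1}"
NETWORK_TAG="sigstore-the-hard-way-proj"

# Node name and private IP, exactly as the tutorial assigns them.
NODES="sigstore-rekor 10.240.0.10
sigstore-fulcio 10.240.0.11
sigstore-oauth2 10.240.0.12
sigstore-ctl 10.240.0.13"

# create_node NAME IP: build the argument list once, then either print it
# (dry run) or hand it to gcloud. The flags are the tutorial's own.
create_node() {
    name="$1"; ip="$2"
    set -- compute instances create "$name" \
        --async \
        --boot-disk-size 200GB \
        --image-family debian-11 \
        --image-project debian-cloud \
        --machine-type e2-small \
        --private-network-ip "$ip" \
        --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \
        --subnet sigstore \
        --tags "$NETWORK_TAG,$name"
    if [ "$DRY_RUN" = 1 ]; then
        echo "gcloud $*"
    else
        gcloud "$@"
    fi
}

# Create every node in NODES (a here-document keeps the loop in this shell).
provision_nodes() {
    while read -r name ip; do
        create_node "$name" "$ip"
    done <<EOF
$NODES
EOF
}

# verify_nodes LISTING: LISTING holds "NAME STATUS INTERNAL_IP" lines, e.g. from
#   gcloud compute instances list --filter="tags.items=$NETWORK_TAG" \
#       --format="value(name,status,networkInterfaces[0].networkIP)"
# Every node in NODES must be present, RUNNING and on its assigned IP; a node
# that came up on another address would break the service configuration that
# follows. Returns 0 when everything matches, 1 otherwise (details on stderr).
verify_nodes() {
    listing="$1"
    rc=0
    while read -r name ip; do
        line=$(printf '%s\n' "$listing" | awk -v n="$name" '$1 == n')
        if [ -z "$line" ]; then
            echo "missing: $name" >&2; rc=1; continue
        fi
        set -- $line
        [ "$2" = RUNNING ] || { echo "$name is $2, not RUNNING" >&2; rc=1; }
        [ "$3" = "$ip" ] || { echo "$name is on $3, expected $ip" >&2; rc=1; }
    done <<EOF
$NODES
EOF
    return "$rc"
}

# Constructed sample listings for a stand-alone run (not real gcloud output).
GOOD_LISTING="sigstore-ctl RUNNING 10.240.0.13
sigstore-fulcio RUNNING 10.240.0.11
sigstore-oauth2 RUNNING 10.240.0.12
sigstore-rekor RUNNING 10.240.0.10"
BAD_LISTING="sigstore-fulcio STAGING 10.240.0.11
sigstore-oauth2 RUNNING 10.240.0.12
sigstore-rekor RUNNING 10.240.0.99"

provision_nodes
if verify_nodes "$GOOD_LISTING"; then echo "good listing: all nodes ok"; fi
if verify_nodes "$BAD_LISTING"; then echo "unexpected pass"; else echo "bad listing rejected"; fi
```

Run it as-is to see the four commands it would issue; set DRY_RUN=0 only once you are authenticated against the right project. The verify step deliberately checks the private IP as well as the status, because the later Fulcio, Rekor and CT log configuration in this guide refers to the nodes by those fixed addresses.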