Cloud-Native Journey - 4) Infrastructure as Code: Creating Kubernetes with Terraform

Introduction: the previous post gave a basic introduction to Terraform. This post shows how to use Terraform to create Kubernetes resources on GCP and AWS.
The importance of Kubernetes in the cloud-native era goes without saying; it is effectively the operating system of this era. In most cases you only need to create this one resource and the vast majority of applications can run on top of it, databases included, and many teams even run their big-data processing, such as Spark and Flink, on Kubernetes.

  • GCP Kubernetes = GKE
  • AWS Kubernetes = EKS
  • Azure Kubernetes = AKS
This post mainly covers the Terraform implementation for the first two. Using the official modules is far more convenient than it used to be; even a beginner can get the resources up quickly, though understanding them in depth still takes time and effort.
Keywords: IaC, Infrastructure as Code, Terraform, creating GKE with Terraform, creating EKS with Terraform
Environment:
* Terraform 1.2.9
* Google Cloud SDK 397.0.0
* aws-cli 2.7.7

Creating GKE with Terraform

Prepare a GCS bucket:

# valid LOCATION values are `asia`, `eu` or `us`
gsutil mb -l $LOCATION gs://$BUCKET_NAME
gsutil versioning set on gs://$BUCKET_NAME

Prepare the following tf files.
backend.tf

terraform {
  backend "gcs" {
    bucket = "sre-dev-terraform-test"
    prefix = "demo/state"
  }
}

providers.tf

terraform {
  required_version = ">= 1.2.9"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 4.0"
    }
  }
}

provider "google" {
  project = local.project.project_id
  region  = local.project.region
}

provider "google-beta" {
  project = local.project.project_id
  region  = local.project.region
}
Using the Terraform Google module gets you twice the result for half the effort. The code is as follows:

gke-cluster.tf

data "google_compute_zones" "available" {
  region = "us-central1"
  status = "UP"
}

resource "google_compute_network" "default" {
  project                 = local.project.project_id
  name                    = local.project.network_name
  auto_create_subnetworks = false
  routing_mode            = "GLOBAL"
}

resource "google_compute_subnetwork" "wade-gke" {
  project       = local.project.project_id
  network       = google_compute_network.default.name
  name          = local.wade_cluster.subnet_name
  ip_cidr_range = local.wade_cluster.subnet_range
  region        = local.wade_cluster.region

  secondary_ip_range {
    range_name    = format("%s-secondary1", local.wade_cluster.cluster_name)
    ip_cidr_range = local.wade_cluster.secondary_ip_range_pods
  }

  secondary_ip_range {
    range_name    = format("%s-secondary2", local.wade_cluster.cluster_name)
    ip_cidr_range = local.wade_cluster.secondary_ip_range_services
  }

  private_ip_google_access = true
}

resource "google_service_account" "sa-wade-test" {
  account_id   = "sa-wade-test"
  display_name = "sa-wade-test"
}

module "wade-gke" {
  source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
  version = "23.1.0"

  project_id         = local.project.project_id
  name               = local.wade_cluster.cluster_name
  kubernetes_version = local.wade_cluster.cluster_version
  region             = local.wade_cluster.region
  network            = google_compute_network.default.name
  subnetwork         = google_compute_subnetwork.wade-gke.name

  master_ipv4_cidr_block = "10.1.0.0/28"
  ip_range_pods          = google_compute_subnetwork.wade-gke.secondary_ip_range.0.range_name
  ip_range_services      = google_compute_subnetwork.wade-gke.secondary_ip_range.1.range_name
  service_account        = google_service_account.sa-wade-test.email

  master_authorized_networks      = local.wade_cluster.master_authorized_networks
  master_global_access_enabled    = false
  istio                           = false
  issue_client_certificate        = false
  enable_private_endpoint         = false
  enable_private_nodes            = true
  remove_default_node_pool        = true
  enable_shielded_nodes           = false
  identity_namespace              = "enabled"
  node_metadata                   = "GKE_METADATA"
  horizontal_pod_autoscaling      = true
  enable_vertical_pod_autoscaling = false

  node_pools              = local.wade_cluster.node_pools
  node_pools_oauth_scopes = local.wade_cluster.oauth_scopes
  node_pools_labels       = local.wade_cluster.node_pools_labels
  node_pools_metadata     = local.wade_cluster.node_pools_metadata
  node_pools_taints       = local.wade_cluster.node_pools_taints
  node_pools_tags         = local.wade_cluster.node_pools_tags
}
Variables: locals.tf

master_authorized_networks must be changed to your own allowlist; only IPs on the allowlist can reach the cluster API endpoint. For security, do not use 0.0.0.0/0.

locals {
  # project details
  project = {
    project_id   = "sre-eng-cn-dev"
    region       = "us-central1"
    network_name = "wade-test-network"
  }

  # cluster details
  wade_cluster = {
    cluster_name                = "wade-gke"
    cluster_version             = "1.22.12-gke.500"
    subnet_name                 = "wade-gke"
    subnet_range                = "10.254.71.0/24"
    secondary_ip_range_pods     = "172.20.72.0/21"
    secondary_ip_range_services = "10.127.8.0/24"
    region                      = "us-central1"

    node_pools = [
      {
        name               = "app-pool"
        machine_type       = "n1-standard-2"
        node_locations     = join(",", slice(data.google_compute_zones.available.names, 0, 3))
        initial_node_count = 1
        min_count          = 1
        max_count          = 10
        max_pods_per_node  = 64
        disk_size_gb       = 100
        disk_type          = "pd-standard"
        image_type         = "COS"
        auto_repair        = true
        auto_upgrade       = false
        preemptible        = false
        max_surge          = 1
        max_unavailable    = 0
      }
    ]

    node_pools_labels = {
      all = {}
    }

    node_pools_tags = {
      all = ["k8s-nodes"]
    }

    node_pools_metadata = {
      all = {
        disable-legacy-endpoints = "true"
      }
    }

    node_pools_taints = {
      all = []
    }

    oauth_scopes = {
      all = [
        "https://www.googleapis.com/auth/monitoring",
        "https://www.googleapis.com/auth/compute",
        "https://www.googleapis.com/auth/devstorage.full_control",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/service.management",
        "https://www.googleapis.com/auth/servicecontrol",
      ]
    }

    master_authorized_networks = [
      {
        display_name = "Whitelist 1"
        cidr_block   = "4.14.xxx.xx/32"
      },
      {
        display_name = "Whitelist 2"
        cidr_block   = "64.124.xxx.xx/32"
      },
    ]
  }
}
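As an added example (not part of the original post), the allowlist rule above can be enforced by Terraform itself: an input variable for the authorized networks with validation blocks that reject 0.0.0.0/0 and malformed CIDRs, so a bad edit fails at plan time instead of opening the control-plane endpoint. The variable name, the tfvars values and the idea of passing `var.master_authorized_networks` to the module instead of the local are assumptions.

```hcl
# Assumed variable name; the post keeps this list in locals.tf instead.
variable "master_authorized_networks" {
  description = "CIDR blocks allowed to reach the GKE control-plane endpoint."
  type = list(object({
    display_name = string
    cidr_block   = string
  }))

  # Reject the wide-open range the post warns against.
  validation {
    condition = alltrue([
      for n in var.master_authorized_networks : n.cidr_block != "0.0.0.0/0"
    ])
    error_message = "master_authorized_networks must not contain 0.0.0.0/0; list only the specific CIDRs that need API access."
  }

  # Every entry must parse as an IPv4 CIDR (cidrnetmask fails on anything else).
  validation {
    condition = alltrue([
      for n in var.master_authorized_networks : can(cidrnetmask(n.cidr_block))
    ])
    error_message = "Each cidr_block must be a valid IPv4 CIDR such as 203.0.113.10/32."
  }

  # Require a prefix of at least /24 so a typo cannot allow a whole /8.
  validation {
    condition = alltrue([
      for n in var.master_authorized_networks :
      can(tonumber(split("/", n.cidr_block)[1])) && tonumber(split("/", n.cidr_block)[1]) >= 24
    ])
    error_message = "Each cidr_block must be /24 or narrower."
  }
}

# terraform.tfvars (constructed sample values using RFC 5737 documentation addresses):
# master_authorized_networks = [
#   { display_name = "office-egress", cidr_block = "203.0.113.10/32" },
#   { display_name = "ci-runner",     cidr_block = "198.51.100.0/24" },
# ]
```

With this in place, `terraform plan` stops with the error_message if anyone sets 0.0.0.0/0 or a too-wide prefix; the module call would then read `master_authorized_networks = var.master_authorized_networks`.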
