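├── .gitignore ├── 01-clusters ├── gke.tf └── main.tf ├── 02-apps ├── hello-app.yaml └── zone-printer.yaml ├── 03-glb ├── glb.tf ├── main.tf ├── negs.tf └── terraform.tfvars.template ├── LICENSE └── README.md
/.gitignore:
--------------------------------------------------------------------------------
# Ignore Terraform state, plan, and variable files.
# State is the most sensitive artefact in this repo: 03-glb/glb.tf reads
# example.key into google_compute_ssl_certificate, so the TLS private key is
# stored in *.tfstate in plain text.
**/.terraform
*.tfstate
*.tfstate.*
*tfplan*
*tfvars
# Backup left behind by the `sed -i.bak` step in the README; not matched by *tfvars.
*.tfvars.bak

# Ignore GCP account keys
keys.json
account.json

# Ignore SSL keys, CSRs and certs
*.key
*.csr
*.crt
--------------------------------------------------------------------------------
/01-clusters/gke.tf:
--------------------------------------------------------------------------------
# Two regional GKE clusters, one per region, fronted by the load balancer in
# 03-glb. Both are VPC-native (ip_allocation_policy) so that the Services in
# 02-apps can be exposed through network endpoint groups (NEGs).
#
# NOTE(review): this is demo-grade hardening only. The control plane endpoint
# is public (no private_cluster_config / master_authorized_networks_config) and
# node_config sets no service_account, so the nodes run as the project's
# default Compute Engine service account; the narrow oauth_scopes below are the
# only thing limiting that identity. Use a dedicated least-privilege node SA
# for anything longer-lived than this demo.

resource "google_container_cluster" "glb-demo-us" {
  name     = "glb-demo-us"
  location = "us-central1"

  # Pin the zones so that 03-glb/negs.tf, which looks NEGs up by zone, matches
  # where GKE actually places nodes. Without this GKE chooses the zones itself
  # and the hard-coded zone list in negs.tf may not line up.
  node_locations = [
    "us-central1-a",
    "us-central1-b",
    "us-central1-f",
  ]

  # Regional cluster: this count is per zone, so 3 zones x 3 = 9 nodes, which
  # is what the 9 host-anti-affine replicas in 02-apps need to schedule.
  initial_node_count = 3

  node_config {
    # Least-privilege legacy scopes: nodes may only write logs and metrics.
    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]

    metadata = {
      # Disables the legacy (v0.1/v1beta1) metadata server endpoints that
      # expose node credentials without the newer header requirement. Keep on.
      disable-legacy-endpoints = "true"
    }
  }

  # Secondary ranges for pods and services; distinct from the EU cluster's so
  # the two clusters could share a VPC without overlap.
  ip_allocation_policy {
    cluster_ipv4_cidr_block  = "10.1.0.0/16"
    services_ipv4_cidr_block = "10.2.0.0/16"
  }

  timeouts {
    create = "30m"
    update = "40m"
  }
}

resource "google_container_cluster" "glb-demo-eu" {
  name     = "glb-demo-eu"
  location = "europe-west2"

  # Must match the zones used for the EU NEG lookups in 03-glb/negs.tf.
  node_locations = [
    "europe-west2-a",
    "europe-west2-b",
    "europe-west2-c",
  ]

  # Per-zone node count (see glb-demo-us above).
  initial_node_count = 3

  node_config {
    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]

    metadata = {
      disable-legacy-endpoints = "true"
    }
  }

  ip_allocation_policy {
    cluster_ipv4_cidr_block  = "10.3.0.0/16"
    services_ipv4_cidr_block = "10.4.0.0/16"
  }

  timeouts {
    create = "30m"
    update = "40m"
  }
}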
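--------------------------------------------------------------------------------
/01-clusters/main.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = "~> 0.12"
}

# NOTE(review): `project` is hard-coded to the author's own project. Anyone
# else running this demo must change it (or make it a variable) before
# `terraform apply`, or they will plan against a project they do not own.
# `region = "global"` is not a Compute Engine region name; it appears harmless
# only because every resource in this repo sets its own location explicitly.
provider "google" {
  version = "3.1"
  project = "jetstack-wil"
  region  = "global"
}
--------------------------------------------------------------------------------
/02-apps/hello-app.yaml:
--------------------------------------------------------------------------------
---
# Deployment of google-samples/hello-app. The required pod anti-affinity on
# kubernetes.io/hostname forces the 9 replicas onto 9 distinct nodes, so every
# zone of the regional cluster has endpoints for the load balancer demo.
# NOTE(review): the image is referenced by mutable tag; pin by digest
# (image@sha256:...) for anything that outlives a demo.
apiVersion: apps/v1 # apps/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: hello-app
  labels:
    app: hello-app
spec:
  replicas: 9
  selector:
    matchLabels:
      app: hello-app
  template:
    metadata:
      labels:
        app: hello-app
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - hello-app
              topologyKey: "kubernetes.io/hostname"
      containers:
        - name: frontend
          image: gcr.io/google-samples/hello-app:2.0
          ports:
            - containerPort: 80
          env:
            # The app is told to listen on 80 so the NEG port, the Service port
            # and the TCP health check in 03-glb all agree. NOTE(review): a
            # port below 1024 generally needs root or CAP_NET_BIND_SERVICE, so
            # a runAsNonRoot securityContext cannot simply be added here
            # without moving this port as well.
            - name: PORT
              value: "80"
---
apiVersion: v1
kind: Service
metadata:
  name: hello-app
  labels:
    app: hello-app
  annotations:
    # Asks the GKE NEG controller to create a standalone zonal NEG per zone for
    # port 80. The controller writes the resulting NEG name back into the
    # cloud.google.com/neg-status annotation, which the README extracts with jq.
    cloud.google.com/neg: '{"exposed_ports": {"80":{}}}'
spec:
  type: NodePort
  selector:
    app: hello-app
  ports:
    - name: hello-app
      port: 80
---
--------------------------------------------------------------------------------
/02-apps/zone-printer.yaml:
--------------------------------------------------------------------------------
---
# Deployment of google-samples/zone-printer, the default backend of the load
# balancer; it reports which GCP zone served the request. Same 9-replica,
# one-per-node layout as hello-app. NOTE(review): image pinned by tag only.
apiVersion: apps/v1 # apps/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: zone-printer
  labels:
    app: zone-printer
spec:
  replicas: 9
  selector:
    matchLabels:
      app: zone-printer
  template:
    metadata:
      labels:
        app: zone-printer
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - zone-printer
              topologyKey: "kubernetes.io/hostname"
      containers:
        - name: frontend
          image: gcr.io/google-samples/zone-printer:0.1
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: zone-printer
  labels:
    app: zone-printer
  annotations:
    # Standalone zonal NEGs for port 80; see hello-app.yaml.
    cloud.google.com/neg: '{"exposed_ports": {"80":{}}}'
spec:
  type: NodePort
  selector:
    app: zone-printer
  ports:
    - name: zone-printer
      port: 80
---
--------------------------------------------------------------------------------
/03-glb/glb.tf:
--------------------------------------------------------------------------------
# Global external HTTP(S) load balancer with container-native (NEG) backends in
# two regions, a Cloud Armor policy, and the firewall rule the health checks
# need.

resource "google_compute_global_address" "glb_demo" {
  name = "glb-demo"
}

# Plain HTTP listener. NOTE(review): traffic on :80 is unencrypted end to end;
# there is no HTTP->HTTPS redirect here (url_map default_url_redirect is not
# available in provider 3.1), so drop this rule for anything non-demo.
resource "google_compute_global_forwarding_rule" "glb_demo_http" {
  name                  = "glb-demo-http"
  ip_address            = google_compute_global_address.glb_demo.address
  port_range            = "80"
  target                = google_compute_target_http_proxy.glb_demo.self_link
  load_balancing_scheme = "EXTERNAL"
}

resource "google_compute_target_http_proxy" "glb_demo" {
  name    = "glb-demo"
  url_map = google_compute_url_map.glb_demo.self_link
}

resource "google_compute_global_forwarding_rule" "glb_demo_https" {
  name                  = "glb-demo-https"
  ip_address            = google_compute_global_address.glb_demo.address
  port_range            = "443"
  target                = google_compute_target_https_proxy.glb_demo.self_link
  load_balancing_scheme = "EXTERNAL"
}

# Self-signed certificate generated by the README's openssl steps.
# NOTE(review): file("example.key") puts the private key into Terraform state
# in plain text; protect the state file accordingly.
resource "google_compute_ssl_certificate" "glb_demo" {
  name_prefix = "glb-demo-"
  private_key = file("example.key")
  certificate = file("example.crt")

  # name_prefix exists so a new certificate can be created under a fresh name
  # before the old one is detached from the proxy; this makes rotation an
  # in-place swap instead of a failed destroy of an in-use certificate.
  lifecycle {
    create_before_destroy = true
  }
}

# Restrict negotiable TLS versions/ciphers. Without an ssl_policy the proxy
# falls back to the default policy, which still permits TLS 1.0/1.1.
resource "google_compute_ssl_policy" "glb_demo" {
  name            = "glb-demo"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}

resource "google_compute_target_https_proxy" "glb_demo" {
  name             = "glb-demo"
  ssl_certificates = [google_compute_ssl_certificate.glb_demo.self_link]
  ssl_policy       = google_compute_ssl_policy.glb_demo.self_link
  url_map          = google_compute_url_map.glb_demo.self_link
}

resource "google_compute_url_map" "glb_demo" {
  name            = "glb-demo"
  default_service = google_compute_backend_service.glb_demo_zone_printer.self_link

  # Match every Host header; the demo is reached by bare IP address.
  host_rule {
    hosts        = ["*"]
    path_matcher = "glb-demo"
  }

  path_matcher {
    name            = "glb-demo"
    default_service = google_compute_backend_service.glb_demo_zone_printer.self_link

    # Only the exact path "/hello-app" goes to hello-app; anything else,
    # including sub-paths (no "/hello-app/*" entry), falls back to zone-printer.
    path_rule {
      paths   = ["/hello-app"]
      service = google_compute_backend_service.glb_demo_hello_app.self_link
    }
  }
}

# The max_rate for these backends is set to the minimum so that simply by
# aggressively refreshing the page traffic will be sent to different instances
# in different zones to demonstrate the load balancer in operation.
#
# Both backend services attach the Cloud Armor policy below. port_name is kept
# for parity with instance-group backends; for NEG backends the NEG's own port
# is what is used, so it appears to have no effect here.

resource "google_compute_backend_service" "glb_demo_zone_printer" {
  name                  = "glb-demo-zone-printer"
  health_checks         = [google_compute_health_check.glb_demo.self_link]
  load_balancing_scheme = "EXTERNAL"
  protocol              = "HTTP"
  port_name             = "http"
  security_policy       = google_compute_security_policy.glb_demo.self_link

  backend {
    group          = data.google_compute_network_endpoint_group.zone_printer_neg_eu_1.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.zone_printer_neg_eu_2.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.zone_printer_neg_eu_3.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.zone_printer_neg_us_1.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.zone_printer_neg_us_2.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.zone_printer_neg_us_3.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }
}

resource "google_compute_backend_service" "glb_demo_hello_app" {
  name                  = "glb-demo-hello-app"
  health_checks         = [google_compute_health_check.glb_demo.self_link]
  load_balancing_scheme = "EXTERNAL"
  protocol              = "HTTP"
  port_name             = "http"
  security_policy       = google_compute_security_policy.glb_demo.self_link

  backend {
    group          = data.google_compute_network_endpoint_group.hello_app_neg_eu_1.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.hello_app_neg_eu_2.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.hello_app_neg_eu_3.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.hello_app_neg_us_1.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.hello_app_neg_us_2.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }

  backend {
    group          = data.google_compute_network_endpoint_group.hello_app_neg_us_3.self_link
    balancing_mode = "RATE"
    max_rate       = 1
  }
}

# A TCP check only proves the pod accepts connections on 80; a hung HTTP
# handler would still pass. An http_health_check with a request_path would be
# stronger, but the TCP check is kept to preserve the demo's behaviour. The
# slow interval and high unhealthy_threshold favour stability over fast
# failover.
resource "google_compute_health_check" "glb_demo" {
  name                = "glb-demo"
  healthy_threshold   = 1
  check_interval_sec  = 60
  unhealthy_threshold = 10
  timeout_sec         = 60

  tcp_health_check {
    port = "80"
  }
}

# Firewall rule allowing Google's load-balancer proxies and health checkers to
# reach port 80. NOTE(review): there are no target_tags or
# target_service_accounts, so this applies to every instance in the `default`
# network, not just the GKE nodes; scope it to the node network tags if the
# network is shared with anything else.
resource "google_compute_firewall" "glb_demo" {
  name      = "glb-demo"
  network   = "default"
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  # These are the source ranges for Google's network for traffic coming in from
  # the load balancer (proxies and health checks).
  source_ranges = [
    "130.211.0.0/22",
    "35.191.0.0/16",
  ]
}

# Cloud Armor policy: allow by default, with one example deny rule.
resource "google_compute_security_policy" "glb_demo" {
  name = "glb-demo"

  # Default rule (lowest possible priority): allow anything not matched above.
  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }

  # Example deny rule. Lower value means higher priority, so this is evaluated
  # before the default. The range is RFC 5737 TEST-NET-2, reserved for
  # documentation, so the example can never block real users; the previous
  # 9.9.9.0/24 is not a reserved documentation range.
  rule {
    action   = "deny(403)"
    priority = "1000"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["198.51.100.0/24"]
      }
    }
    description = "Deny access to IPs in 198.51.100.0/24 (TEST-NET-2 example range)"
  }

}
--------------------------------------------------------------------------------
/03-glb/main.tf:
--------------------------------------------------------------------------------
terraform {
  # No backend block, so state is a local terraform.tfstate in this directory.
  # NOTE(review): that state contains the TLS private key read by
  # google_compute_ssl_certificate in glb.tf. It is git-ignored, but treat it
  # as a secret; share it only via an access-controlled, encrypted remote
  # backend.
  required_version = "~> 0.12"
}

# NOTE(review): hard-coded to the author's project; change before applying.
provider "google" {
  version = "3.1"
  project = "jetstack-wil"
  region  = "global"
}

# Reserved global IP the README tells you to open in a browser / curl.
output "glb_demo_address" {
  value = google_compute_global_address.glb_demo.address
}

# NEG names are generated by the GKE NEG controller and read off the Service's
# cloud.google.com/neg-status annotation; the README feeds them in through
# terraform.tfvars (see terraform.tfvars.template).

variable "zone_printer_neg_eu" {
  description = "Name of the zone-printer NEG in the EU cluster (same name in every zone)."
  type        = string
}

variable "zone_printer_neg_us" {
  description = "Name of the zone-printer NEG in the US cluster (same name in every zone)."
  type        = string
}

variable "hello_app_neg_eu" {
  description = "Name of the hello-app NEG in the EU cluster (same name in every zone)."
  type        = string
}

variable "hello_app_neg_us" {
  description = "Name of the hello-app NEG in the US cluster (same name in every zone)."
  type        = string
}
--------------------------------------------------------------------------------
/03-glb/negs.tf: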
--------------------------------------------------------------------------------
# Looks up the zonal NEGs created by the GKE NEG controller for each Service,
# one data source per zone, so glb.tf can attach them as backends.
#
# The zone list below is hard-coded and must match the zones the clusters in
# 01-clusters actually place nodes in; if GKE picked different zones for a
# regional cluster, these lookups fail at plan time. The NEG name is the same
# in every zone of a cluster, which is why one variable per cluster suffices.

data "google_compute_network_endpoint_group" "zone_printer_neg_eu_1" {
  name = var.zone_printer_neg_eu
  zone = "europe-west2-a"
}

data "google_compute_network_endpoint_group" "zone_printer_neg_eu_2" {
  name = var.zone_printer_neg_eu
  zone = "europe-west2-b"
}

data "google_compute_network_endpoint_group" "zone_printer_neg_eu_3" {
  name = var.zone_printer_neg_eu
  zone = "europe-west2-c"
}

data "google_compute_network_endpoint_group" "zone_printer_neg_us_1" {
  name = var.zone_printer_neg_us
  zone = "us-central1-a"
}

data "google_compute_network_endpoint_group" "zone_printer_neg_us_2" {
  name = var.zone_printer_neg_us
  zone = "us-central1-b"
}

# Note: us-central1-f rather than -c; keep in step with the cluster's zones.
data "google_compute_network_endpoint_group" "zone_printer_neg_us_3" {
  name = var.zone_printer_neg_us
  zone = "us-central1-f"
}

data "google_compute_network_endpoint_group" "hello_app_neg_eu_1" {
  name = var.hello_app_neg_eu
  zone = "europe-west2-a"
}

data "google_compute_network_endpoint_group" "hello_app_neg_eu_2" {
  name = var.hello_app_neg_eu
  zone = "europe-west2-b"
}

data "google_compute_network_endpoint_group" "hello_app_neg_eu_3" {
  name = var.hello_app_neg_eu
  zone = "europe-west2-c"
}

data "google_compute_network_endpoint_group" "hello_app_neg_us_1" {
  name = var.hello_app_neg_us
  zone = "us-central1-a"
}

data "google_compute_network_endpoint_group" "hello_app_neg_us_2" {
  name = var.hello_app_neg_us
  zone = "us-central1-b"
}

data "google_compute_network_endpoint_group" "hello_app_neg_us_3" {
  name = var.hello_app_neg_us
  zone = "us-central1-f"
}
--------------------------------------------------------------------------------
/03-glb/terraform.tfvars.template:
-------------------------------------------------------------------------------- 1 | zone_printer_neg_eu = ZONE_PRINTER_NEG_EU 2 | zone_printer_neg_us = ZONE_PRINTER_NEG_US 3 | hello_app_neg_eu = HELLO_APP_NEG_EU 4 | hello_app_neg_us = HELLO_APP_NEG_US 5 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # glb-demo 2 | 3 | This is a demo of a container-native multi-cluster global load balancer, with Cloud Armor polices, for Google Cloud Platform (GCP) using Terraform. 4 | 5 | It is designed to accompany a post on Jetstack's blog (coming soon). 6 | 7 | **This is a demo only.** 8 | It should not be used 'as is' in production, or any other shared, long lived, environments. 9 | It is just designed to quickly show off and test what a global load balancer can do. 10 | Many of the configurations and procedures used are not secure or robust. 11 | 12 | ## Requirements 13 | 14 | * The Google Cloud SDK (`gcloud` command) 15 | * `kubectl` command 16 | * `terraform` command, version `0.12.x` 17 | 18 | ## Step 00 - Auth 19 | 20 | Ensure the `gcloud` command is up to date and logged in using the correct Google account and project. 21 | Then generate credentials for Terraform. 22 | This method will set Terraform to use your account. 
This is generally bad practice: `gcloud auth application-default login` stores a refresh token for your own Google account, so Terraform runs with every permission you hold. For anything beyond a throwaway demo, have Terraform use a dedicated, least-privilege service account instead, and keep that credentials file out of this repository (`.gitignore` only covers `keys.json` and `account.json`).

```
gcloud auth application-default login
```

Complete the web login in the browser; the command output will tell you the location of the credentials file with the message `Credentials saved to file:`.
Then set the `GOOGLE_CLOUD_KEYFILE_JSON` environment variable to point to the credentials file that was created, for example:

```
export GOOGLE_CLOUD_KEYFILE_JSON="/Users/wwwil/.config/gcloud/application_default_credentials.json"
```

## Step 01 - Create the Clusters

Before applying, change `project` in `01-clusters/main.tf` (and in `03-glb/main.tf`) from the author's `jetstack-wil` to your own project ID.

Enter the `01-clusters/` directory, initialise Terraform, and apply the project files.

```
terraform init
terraform apply
```

Ensure the plan looks correct and then enter `yes`.

## Step 02 - Deploy The Apps

Enter the `02-apps/` directory.

Get credentials for the first cluster and apply the manifests for `zone-printer` and `hello-app`.

```
gcloud container clusters get-credentials glb-demo-eu --region europe-west2
kubectl apply -f zone-printer.yaml
kubectl apply -f hello-app.yaml
```

Repeat this for the second cluster.

```
gcloud container clusters get-credentials glb-demo-us --region us-central1
kubectl apply -f zone-printer.yaml
kubectl apply -f hello-app.yaml
```

Ensure the Pods are running in both clusters.

```
kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
hello-app-858d49df47-88cd7      1/1     Running   0          21s
hello-app-858d49df47-gcnnz      1/1     Running   0          21s
hello-app-858d49df47-gcz4c      1/1     Running   0          21s
hello-app-858d49df47-gfgqr      1/1     Running   0          21s
hello-app-858d49df47-j64w2      1/1     Running   0          21s
hello-app-858d49df47-qrg69      1/1     Running   0          21s
hello-app-858d49df47-smrk6      1/1     Running   0          21s
hello-app-858d49df47-srt24      1/1     Running   0          21s
hello-app-858d49df47-xdp2w      1/1     Running   0          21s
zone-printer-7c9568c559-6klrj   1/1     Running   0          23s
zone-printer-7c9568c559-8mf4w   1/1     Running   0          23s
zone-printer-7c9568c559-8pw4p   1/1     Running   0          23s
zone-printer-7c9568c559-csbvk   1/1     Running   0          23s
zone-printer-7c9568c559-drktf   1/1     Running   0          23s
zone-printer-7c9568c559-fmzmq   1/1     Running   0          23s
zone-printer-7c9568c559-rxsth   1/1     Running   0          23s
zone-printer-7c9568c559-vp7dr   1/1     Running   0          23s
zone-printer-7c9568c559-zdpkk   1/1     Running   0          23s
zoneprinter-546c64f489-lm5vd    1/1     Running   0          21h
```

## Step 03 - Create the GLB

Enter the `03-glb/` directory.

For each cluster, get the names of the network endpoint groups (NEGs) that GKE created for the Services you deployed.
The names and zones of these NEGs are written back onto each Service as the `cloud.google.com/neg-status` annotation.
The NEG names need to be supplied to Terraform for use in the load balancer.
This is achieved here using input variables and a template `.tfvars` file.

The extraction below requires `jq` in addition to the tools listed under Requirements.

```
gcloud container clusters get-credentials glb-demo-eu --region europe-west2
ZONE_PRINTER_NEG_EU=$(kubectl get service zone-printer -o json | jq '.metadata.annotations["cloud.google.com/neg-status"] | fromjson | .network_endpoint_groups["80"]')
HELLO_APP_NEG_EU=$(kubectl get service hello-app -o json | jq '.metadata.annotations["cloud.google.com/neg-status"] | fromjson | .network_endpoint_groups["80"]')
gcloud container clusters get-credentials glb-demo-us --region us-central1
ZONE_PRINTER_NEG_US=$(kubectl get service zone-printer -o json | jq '.metadata.annotations["cloud.google.com/neg-status"] | fromjson | .network_endpoint_groups["80"]')
HELLO_APP_NEG_US=$(kubectl get service hello-app -o json | jq '.metadata.annotations["cloud.google.com/neg-status"] | fromjson | .network_endpoint_groups["80"]')
cp terraform.tfvars.template terraform.tfvars
sed -i.bak "s|ZONE_PRINTER_NEG_EU|$ZONE_PRINTER_NEG_EU|g" terraform.tfvars
sed -i.bak "s|ZONE_PRINTER_NEG_US|$ZONE_PRINTER_NEG_US|g" terraform.tfvars
sed -i.bak "s|HELLO_APP_NEG_EU|$HELLO_APP_NEG_EU|g" terraform.tfvars
sed -i.bak "s|HELLO_APP_NEG_US|$HELLO_APP_NEG_US|g" terraform.tfvars
rm -f terraform.tfvars.bak
```

To support HTTPS the load balancer needs a TLS certificate.
This is provided to the load balancer's HTTPS proxy using a GCP SSL certificate resource, which Terraform creates from a certificate and key file.
Generate a key and a self-signed certificate to use.
Both files are git-ignored, but be aware that Terraform reads `example.key` and stores it in plain text in the local `terraform.tfstate`, so treat the state file as a secret too.

```
openssl genrsa -out example.key 2048
openssl req -new -key example.key -out example.csr \
  -subj "/CN=example.com"
openssl x509 -req -days 365 -in example.csr -signkey example.key \
  -out example.crt
```

Now initialise Terraform, and apply the project files.

```
terraform init
terraform apply
```

Ensure the plan looks correct and then enter `yes`.

## Step 04 - Test the GLB

Once Terraform has finished it will output the global IP address it reserved.
Enter this IP into a browser and you should see the `zone-printer` app, which shows the GCP zone of the instance you are connected to.
If this does not work you may need to wait a little longer while the load balancer configuration is propagated through Google's network.

The maximum request rate per backend is set very low in the load balancer.
This should mean that by aggressively refreshing the connection to the IP in the browser you will see the zone you are connected to change.
This demonstrates the load balancing in effect.

To verify that HTTPS is working, prefix the IP address with `https://`.
The browser will warn that the certificate is not trusted, because it is the self-signed `example.crt` you generated above and the `CN=example.com` name does not match the IP.
It is acceptable to proceed past the warning here only because you control both ends of this demo and know exactly which certificate to expect; never click through such a warning on a real endpoint. The page should then show the `zone-printer` app.

The region shown by `zone-printer` should not change, and should always be the region closest to where you connect from.
To verify that the global load balancing is directing traffic correctly we can run `curl` from a remote machine in the other region.

Connect to the cluster in the region you are not currently being served from.
For example, if you're in Europe connect to the US cluster.

```
gcloud container clusters get-credentials glb-demo-us --region us-central1
```

Or if you're in the US connect to the Europe cluster.

```
gcloud container clusters get-credentials glb-demo-eu --region europe-west2
```

Then run `curl` against the global IP address from one of the Nodes over an `ssh` connection.

Note that `gcloud compute ssh` will typically generate an SSH key pair and add the public key to your project's instance metadata the first time it runs (unless OS Login is enabled), which grants that key access to every VM in the project; remove it afterwards if you do not want that to persist.

```
ADDRESS=$(terraform output glb_demo_address)
INSTANCE=$(kubectl get nodes -o json | jq -r '.items[0].metadata.name')
ZONE=$(kubectl get nodes -o json | jq -r '.items[0].metadata.labels["failure-domain.beta.kubernetes.io/zone"]')
gcloud compute ssh $INSTANCE --zone $ZONE --command "curl $ADDRESS"
```

This should show one of the zones in the other region.
Running `curl` repeatedly should cause the zone to change.

The `zone-printer` app is shown when visiting the global IP address directly because it is set as the default backend.
Because of the URL map we can also reach the `hello-app` app by appending `/hello-app` to the address in the browser.
This should show the `Hello, world!` message.

## Step 05 - Clean Up

Once you've finished testing the load balancer you can clean up the resources.

Enter the `03-glb` directory and run `terraform destroy` to remove the load balancer resources.

```
terraform destroy
```

Verify the plan looks correct and enter `yes` to proceed.

Destroying the cloud resources does not remove `example.key`, `example.crt`, or the local `terraform.tfstate` (which contains the private key); delete those files as well once you are done.

Then enter the `01-clusters` directory and destroy the clusters with Terraform.

```
terraform destroy
```

Check the plan again and enter `yes` to proceed.

## Apps

The apps deployed in this demo are [Zone Printer](https://github.com/GoogleCloudPlatform/k8s-multicluster-ingress/tree/master/examples/zone-printer) and [Hello App](https://github.com/GoogleCloudPlatform/kubernetes-engine-samples/tree/master/hello-app).
--------------------------------------------------------------------------------