ksemele
/
tf-gke-test
mirror of https://github.com/ksemele/tf-gke-test.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
tf-gke-test/private-cluster-module
History
Aleksei Krugliak 24642950f7 comment backend.tf for default 2024-09-01 15:25:36 +04:00
..
README.md add bucket and private-cluster-module 2024-09-01 15:19:36 +04:00
backend.tf comment backend.tf for default 2024-09-01 15:25:36 +04:00
demo-namespace.tf add bucket and private-cluster-module 2024-09-01 15:19:36 +04:00
get-credentials.sh add bucket and private-cluster-module 2024-09-01 15:19:36 +04:00
gke.tf add bucket and private-cluster-module 2024-09-01 15:19:36 +04:00
outputs.tf add bucket and private-cluster-module 2024-09-01 15:19:36 +04:00
providers.tf add bucket and private-cluster-module 2024-09-01 15:19:36 +04:00
variables.tf add bucket and private-cluster-module 2024-09-01 15:19:36 +04:00
versions.tf add bucket and private-cluster-module 2024-09-01 15:19:36 +04:00
vpc.tf add bucket and private-cluster-module 2024-09-01 15:19:36 +04:00

README.md

private-cluster-module

What is created ty thah template

This example is using remote bucket state. You can modify this manually or not.

  1. VPC network with one subnet
  2. GKE cluster with external endpoint and only authorized networks access.
  3. Workload nodepool with one node
  4. Namespace this-is-demo-cluster

How to use the code

Optional bucket usage.

If you would try to use bucket state, you need to uncomment code block in backend.tf.

Then go to ../bucket directory and create the bucket by following the instructions at README.

Then return to this directory.

  1. Create terraform.tfvars file with a few variables
project          = "your-gcp-project"
host_project     = "your-gcp-project"

master_authorized_networks = [
  { cidr_block = "0.0.0.1/32", display_name = "your current IP" }
]

region, zone and environment_name are optional

Your current IP you can get via this command for example:

curl -s ifconfig.me
  1. Create cluster All commands will be applied via Terraform 1.8.0 or via OpenTofu, the same version. I use alias t for the commands.
t init
t apply
  1. Get the credentials for the new cluster (configure kubeconfig)

You can see all useful commands and links in the output:

t output

There is a manual command:

gcloud container clusters get-credentials $(t output -raw kubernetes_cluster_name) --region $(t output -raw zone) --project $(t output -raw project)

Or just use ./get-credentials.sh

  1. Destroy all resources
t destroy

Additional info

Some manual tests.

terraform

create cluster
./get-credentials.sh
try access from different networks
manual cred command
output gcloud_gke_get_creds command
output links
create simple nginx pod kubectl run nginx --image=nginx:latest -n default && kubectl get po -w
flux install && kubectl get po -n flux-system -w
destroy cluster
test bucket backend

opentofu

create cluster
./get-credentials.sh
try access from different networks
manual cred command
output gcloud_gke_get_creds command
output links
create simple nginx pod kubectl run nginx --image=nginx:latest -n default && kubectl get po -w
flux install && kubectl get po -n flux-system -w
destroy cluster
test bucket backend

Requirements

Name Version
terraform ~>1.8.0
google ~>5.41.0
google-beta ~> 5.41
kubernetes ~>2.32.0

Providers

Name Version
google 5.41.0
kubernetes 2.32.0

Modules

Name Source Version
gke terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant 32.0.0

Resources

Name Type
google_compute_network.vpc resource
google_compute_subnetwork.subnet resource
google_project_service.service_networking resource
kubernetes_namespace.this-is-demo-cluster resource
google_client_config.default data source

Inputs

Name Description Type Default Required
bucket_credentials_json Default path to your gcloud credentials json file string "~/.config/gcloud/application_default_credentials.json" no
bucket_name Bucket name string "your-project-bucket" no
bucket_prefix Path to store your state in bucket string "terraform/state/demo" no
environment_name Environment name string "demo" no
host_project The GCP project housing the VPC network to host the cluster in string "demo" no
master_authorized_networks List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). list(object({ cidr_block = string, display_name = string })) 
[
  {
    "cidr_block": "1.1.1.1/32",
    "display_name": "Use your IP/VPN IP here"
  }
]
 no
project Google Project to create resources in string "demo" no
region The region to host the cluster in string "europe-west1" no
vpc_network The GCP network to apply firewall rules in string "demo-vpc" no
zone The region to host the cluster in string "europe-west1-b" no

Outputs

Name Description
gcloud_gke_get_creds Command to get GKE credentials
gcloud_gke_link GKE web ui link
gcloud_vpc_link VPC web ui link
kubernetes_cluster_host GKE Cluster Host
kubernetes_cluster_name GKE Cluster Name
master_authorized_networks_config Here are networks that are allowed to reach your k8s API
project GCloud Project ID
region GCloud Region
zone GCloud Project ID