Created
March 28, 2017 21:54
Create a Google Cloud HTTPS Load Balancer (with Cloud CDN) that fronts a Kubernetes service hosted in a GKE cluster exposed on a NodePort.
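#!/usr/bin/env bash
#
# Create a Google Cloud HTTPS Load Balancer (with Cloud CDN) that fronts a
# Kubernetes service hosted in a GKE cluster and exposed on a NodePort.
#
# Every resource is created only when it does not already exist, so the
# script can be re-run to converge a partially built setup. All gcloud calls
# operate on the currently active gcloud project and account.
#
# Required settings (edit the TODO section below or export them as env vars):
#   CLUSTER, CLUSTER_TARGET_TAG, CERTIFICATES_PATH, NODE_PORT
# Optional: HEALTH_CHECK_PATH (default /), ZONE (default us-central1-a)
set -euo pipefail

# TODO: Fill in these details for the cluster and project:
# The GKE cluster
CLUSTER=${CLUSTER:-}
# Assume the app is named the same as the working directory
APP=$(basename "$(pwd)")
# The GKE tag that identifies the cluster nodes
CLUSTER_TARGET_TAG=${CLUSTER_TARGET_TAG:-}
# Expects to have `tls.crt` and `tls.key` in this folder
CERTIFICATES_PATH=${CERTIFICATES_PATH:-}
# Node Port exposed in the kubernetes service
NODE_PORT=${NODE_PORT:-}
# The path to use for health checks on the nodes
HEALTH_CHECK_PATH=${HEALTH_CHECK_PATH:-/}
# The zone where the instances are located
ZONE=${ZONE:-us-central1-a}

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Test whether a compute resource with exactly the given name exists.
# Arguments: $1.. - gcloud compute resource kind, one word per argument
#                   (e.g. "addresses", "instance-groups managed")
#            last - resource name
# Returns:   0 if a resource of that exact name is listed, 1 otherwise
#######################################
resource_exists() {
  local name=${*: -1}
  local -a kind=("${@:1:$#-1}")
  # Exact-name match via --filter plus grep -x. The previous
  # `list -r NAME | grep NAME` also matched names that merely contain NAME
  # (app-ip-1 vs app-ip-10), which could skip a needed create.
  gcloud compute "${kind[@]}" list --filter="name=${name}" \
    --format='value(name)' 2>/dev/null | grep -qx -- "$name"
}

#######################################
# Ensure a managed instance group publishes PORT_NAME:NODE_PORT, keeping the
# named ports it already has (set-named-ports replaces the whole list).
# Globals:   ZONE, PORT_NAME, NODE_PORT (read)
# Arguments: $1 - managed instance group name
#######################################
ensure_named_port() {
  local group=$1
  local current named_ports line
  # One "name:port" per line. The previous `echo ${PORTS}` flattened the
  # list onto a single line, so only the first existing port survived.
  current=$(gcloud compute instance-groups managed get-named-ports "$group" \
    --zone "$ZONE" --format='value(name,port)' \
    | awk -F'\t' 'NF >= 2 { print $1 ":" $2 }')
  while IFS= read -r line; do
    [[ $line == "${PORT_NAME}:"* ]] && return 0
  done <<<"$current"
  if [[ -n $current ]]; then
    named_ports="$(paste -sd, - <<<"$current"),${PORT_NAME}:${NODE_PORT}"
  else
    # Avoid the leading comma the previous version produced for a group
    # with no named ports yet.
    named_ports="${PORT_NAME}:${NODE_PORT}"
  fi
  gcloud compute instance-groups managed set-named-ports "$group" \
    --zone "$ZONE" --named-ports "$named_ports"
}

#######################################
# Ensure a managed instance group is attached to the backend service.
# Globals:   BACKEND_SERVICE_NAME, ZONE (read)
# Arguments: $1 - managed instance group name
#######################################
ensure_backend() {
  local group=$1
  # backends[].group holds full resource URLs; match the group as the last
  # path component rather than as a substring of the list table.
  if gcloud compute backend-services describe "$BACKEND_SERVICE_NAME" --global \
      --format='value(backends[].group)' 2>/dev/null \
      | tr ';' '\n' | grep -q -- "/zones/${ZONE}/instanceGroups/${group}\$"; then
    return 0
  fi
  gcloud compute backend-services add-backend "$BACKEND_SERVICE_NAME" \
    --balancing-mode UTILIZATION --max-utilization 0.8 --capacity-scaler 1 \
    --instance-group "$group" --instance-group-zone "$ZONE" --global
}

# --- validate inputs before touching any cloud resource ---------------------
: "${CLUSTER:?CLUSTER must be set to the GKE cluster name}"
: "${CLUSTER_TARGET_TAG:?CLUSTER_TARGET_TAG must be set to the node network tag}"
: "${CERTIFICATES_PATH:?CERTIFICATES_PATH must be set}"
: "${NODE_PORT:?NODE_PORT must be set to the service NodePort}"
[[ $NODE_PORT =~ ^[0-9]+$ ]] || die "NODE_PORT must be numeric, got '${NODE_PORT}'"
[[ -r "${CERTIFICATES_PATH}/tls.crt" && -r "${CERTIFICATES_PATH}/tls.key" ]] \
  || die "tls.crt and tls.key must be readable in ${CERTIFICATES_PATH}"
command -v gcloud >/dev/null || die "gcloud is not installed"

# Create a load balancer static IP address
IP_NAME=${APP}-ip-1
if ! resource_exists addresses "$IP_NAME"; then
  gcloud compute addresses create "$IP_NAME" --global
fi

# Create firewall rule to allow load balancer and health checks to node port.
# The source ranges are Google's load balancer / health checker ranges, so
# the NodePort is opened only to them, not to the internet at large.
FW_RULE_NAME=${APP}-nodeport
if ! resource_exists firewall-rules "$FW_RULE_NAME"; then
  gcloud compute firewall-rules create "$FW_RULE_NAME" \
    --target-tags "$CLUSTER_TARGET_TAG" \
    --source-ranges 130.211.0.0/22,35.191.0.0/16 \
    --allow "tcp:${NODE_PORT}"
fi

# Get the managed instance groups that back the cluster's nodes in ZONE
mapfile -t MGROUPS < <(gcloud compute instance-groups managed list \
  --zones "$ZONE" --filter="name~^gke-${CLUSTER}-" \
  --format='value(name)' 2>/dev/null)

# Set up the Health Check. It is an HTTPS check and the backend protocol
# below is HTTPS, so the NodePort is expected to serve TLS itself.
HEALTH_CHECK_NAME=${APP}-health-check
if ! resource_exists health-checks "$HEALTH_CHECK_NAME"; then
  gcloud compute health-checks create https "$HEALTH_CHECK_NAME" \
    --port "$NODE_PORT" --request-path "$HEALTH_CHECK_PATH"
fi

# Create a backend service
PORT_NAME=${APP}-https
BACKEND_SERVICE_NAME="be-${APP}-${CLUSTER}"
if ! resource_exists backend-services "$BACKEND_SERVICE_NAME"; then
  gcloud compute backend-services create "$BACKEND_SERVICE_NAME" \
    --protocol HTTPS --health-checks "$HEALTH_CHECK_NAME" \
    --port-name "$PORT_NAME" --session-affinity NONE --global --enable-cdn
fi

# Publish the named port on each group and attach it to the backend service
if (( ${#MGROUPS[@]} )); then
  for GROUP in "${MGROUPS[@]}"; do
    ensure_named_port "$GROUP"
    ensure_backend "$GROUP"
  done
else
  printf 'warning: no managed instance groups matching gke-%s-* found in %s; backend service will have no backends\n' \
    "$CLUSTER" "$ZONE" >&2
fi

# Create a URL Map
URL_MAP_NAME=${APP}-url-map
if ! resource_exists url-maps "$URL_MAP_NAME"; then
  gcloud compute url-maps create "$URL_MAP_NAME" \
    --default-service "$BACKEND_SERVICE_NAME"
fi

# Create certificate resources (gcloud reads the key from the file; the key
# material itself never appears on the command line)
CERT_NAME=${APP}-cert
if ! resource_exists ssl-certificates "$CERT_NAME"; then
  gcloud compute ssl-certificates create "$CERT_NAME" \
    --certificate "${CERTIFICATES_PATH}/tls.crt" \
    --private-key "${CERTIFICATES_PATH}/tls.key"
fi

# Create HTTPS proxy
PROXY_NAME=${APP}-https-proxy
if ! resource_exists target-https-proxies "$PROXY_NAME"; then
  gcloud compute target-https-proxies create "$PROXY_NAME" \
    --url-map "$URL_MAP_NAME" --ssl-certificate "$CERT_NAME"
fi

# Create global forwarding rule
GRF_NAME=${APP}-gfr
if ! resource_exists forwarding-rules "$GRF_NAME"; then
  # Read the reserved address directly. The previous
  # `grep -Eo '(?:\d+\.){3}\d+'` is PCRE syntax that grep -E does not
  # portably support, so the lookup could come back empty.
  IP_ADDRESS=$(gcloud compute addresses describe "$IP_NAME" --global \
    --format='value(address)' 2>/dev/null || true)
  [[ -n $IP_ADDRESS ]] || die "Could not find an IP address for ${IP_NAME}"
  gcloud compute forwarding-rules create "$GRF_NAME" --address "$IP_ADDRESS" \
    --target-https-proxy "$PROXY_NAME" --global --ports 443
fi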