為基本正式環境叢集設定網路

本教學課程適用於有興趣將網頁應用程式部署至 Google Kubernetes Engine (GKE) 叢集,並透過 HTTPS 負載平衡器公開該應用程式的雲端架構師和作業管理員。

目標

您在本教學課程中將學習以下內容:

  • 建立 GKE 叢集。
  • 使用 Terraform 建立全域 IP 位址和 Cloud DNS 區域。
  • 設定 HTTPS 負載平衡。
  • 部署範例網頁應用程式。

費用

在本文件中,您會使用下列 Google Cloud的計費元件:

如要根據預測用量估算費用,請使用 Pricing Calculator

初次使用 Google Cloud 的使用者可能符合免費試用期資格。

完成本文所述工作後,您可以刪除建立的資源,避免繼續計費,詳情請參閱「清除所用資源」。

事前準備

設定專案

  1. 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。

  2. In the Google Cloud console, on the project selector page, click Create project to begin creating a new Google Cloud project.

    Roles required to create a project

    To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Google Kubernetes Engine, Cloud DNS APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

  5. In the Google Cloud console, on the project selector page, click Create project to begin creating a new Google Cloud project.

    Roles required to create a project

    To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Google Kubernetes Engine, Cloud DNS APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

    8.

  • 您必須擁有網域名稱,網域名稱的長度不得超過 63 個字元。您可以使用 Google Domains 或其他註冊商。

設定環境

在本教學課程中,您將使用 Cloud Shell 管理Google Cloud上託管的資源。Cloud Shell 已預先安裝本教學課程所需的軟體,包括 Terraformkubectlgcloud CLI

  1. 設定環境變數:

    PROJECT_ID=$(gcloud config get-value project)
gcloud config set project $PROJECT_ID
gcloud config set compute/region us-central1

  2. 複製程式碼存放區:

    git clone https://github.com/GoogleCloudPlatform/kubernetes-engine-samples.git

  3. 變更為工作目錄:

    cd kubernetes-engine-samples/autopilot/networking-tutorial

建立 GKE 叢集

下列 Terraform 檔案會建立 GKE 叢集:


terraform {
  required_version = "~> 1.3"
}

provider "google" {}

variable "region" {
  type        = string
  description = "Region where the cluster will be created."
  default     = "us-central1"
}

variable "cluster_name" {
  type        = string
  description = "Name of the cluster"
  default     = "networking-cluster"
}

resource "google_container_cluster" "default" {
  name             = var.cluster_name
  description      = "Cluster for sample web application"
  location         = var.region
  enable_autopilot = true

  ip_allocation_policy {}
}

output "region" {
  value       = var.region
  description = "Compute region"
}

output "cluster_name" {
  value       = google_container_cluster.default.name
  description = "Cluster name"
}

下列 Terraform 檔案會建立全域 IP 位址和 Cloud DNS 區域:


terraform {
  required_version = "~> 1.3"
}

variable "base_domain" {
  type        = string
  description = "Your base domain"
}

variable "name" {
  type        = string
  description = "Name of resources"
  default     = "networking-tutorial"
}

data "google_client_config" "current" {}

resource "google_compute_global_address" "default" {
  name = var.name
}

resource "google_dns_managed_zone" "default" {
  name        = var.name
  dns_name    = "${var.name}.${var.base_domain}."
  description = "DNS Zone for web application"
}

resource "google_dns_record_set" "a" {
  name         = google_dns_managed_zone.default.dns_name
  type         = "A"
  ttl          = 300
  managed_zone = google_dns_managed_zone.default.name

  rrdatas = [google_compute_global_address.default.address]
}

resource "google_dns_record_set" "cname" {
  name         = join(".", compact(["www", google_dns_record_set.a.name]))
  type         = "CNAME"
  ttl          = 300
  managed_zone = google_dns_managed_zone.default.name

  rrdatas = [google_dns_record_set.a.name]
}

output "dns_zone_name_servers" {
  value       = google_dns_managed_zone.default.name_servers
  description = "Write these virtual name servers in your base domain."
}

output "domain" {
  value = trim(google_dns_record_set.a.name, ".")
}

  1. 初始化 Terraform:

    terraform init

  2. 查看基礎架構變更:

    terraform plan

    系統顯示提示時,請輸入網域,例如 my-domain.net

  3. 套用 Terraform 設定:

    terraform apply --auto-approve

    系統顯示提示時,請輸入網域,例如 my-domain.net

    輸出結果會與下列內容相似:

    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

cluster_name = "networking-cluster"
region = "us-central1"

建立外部應用程式負載平衡器

  1. 下列資訊清單說明 ManagedCertificate、FrontendConfig、Deployment、Service 和 Ingress:

    ---
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: networking-managed-cert
spec:
  domains:
    - DOMAIN_NAME
    - www.DOMAIN_NAME
---
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: networking-fc
spec:
  redirectToHttps:
    enabled: true
    responseCodeName: MOVED_PERMANENTLY_DEFAULT
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  selector:
    matchLabels:
      app: frontend
  replicas: 2
  template:
    metadata:
      labels:
        app: frontend
    spec:
      containers:
      - name: echo-amd64
        image: us-docker.pkg.dev/google-samples/containers/gke/hello-app-cdn:1.0
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
spec:
  type: LoadBalancer
  selector:
    app: frontend
  ports:
  - name: http
    port: 80
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend
  annotations:
    networking.gke.io/managed-certificates: networking-managed-cert
    networking.gke.io/v1beta1.FrontendConfig: networking-fc
    kubernetes.io/ingress.global-static-ip-name: networking-tutorial
    kubernetes.io/ingress.class: gce
  labels:
    app: frontend
spec:
  defaultBackend:
    service:
      name: frontend
      port:
        number: 80

    DOMAIN_NAME 替換為您的網域名稱,例如 my-domain.net

    這個資訊清單具有下列屬性:

    • networking.gke.io/managed-certificates:ManagedCertificate 的名稱。 這項資源會佈建 Google 代管的 SSL 憑證 (傳統版)。
    • networking.gke.io/v1beta1.FrontendConfig:FrontendConfig 資源的名稱。
    • kubernetes.io/ingress.global-static-ip-name:IP 位址的名稱。
    • kubernetes.io/ingress.class:指示 GKE Ingress 控制器建立外部應用程式負載平衡器。

  2. 將資訊清單套用至叢集:

    kubectl apply -f kubernetes-manifests.yaml

  3. 確認 Ingress 是否已建立:

    kubectl describe ingress frontend

    輸出結果會與下列內容相似:

    ...
  Events:
    Type    Reason  Age   From                     Message
    ----    ------  ----  ----                     -------
    Normal  ADD     2m    loadbalancer-controller  default/frontend
    Normal  CREATE  1m    loadbalancer-controller  ip: 203.0.113.2
...

    Ingress 可能需要幾分鐘才能完成佈建。

測試應用程式

  1. 檢查 SSL 憑證的狀態:

    kubectl get managedcertificates.networking.gke.io networking-managed-cert

    安全資料傳輸層 (SSL) 憑證的佈建作業最多可能需要 30 分鐘。下列輸出內容表示 SSL 憑證已準備就緒:

    NAME                      AGE   STATUS
networking-managed-cert   28m   Active

  2. 執行 curl 指令:

    curl -Lv https://DOMAIN_NAME

    輸出結果會與下列內容相似:

    *   Trying 34.160.115.33:443...
* Connected to DOMAIN_NAME (34.160.115.33) port 443 (#0)
...
* TLSv1.3 (IN), TLS handshake, Certificate (11):
...
* Server certificate:
*  subject: CN=DOMAIN_NAME
...
> Host: DOMAIN_NAME

清除所用資源

為避免因為本教學課程所用資源,導致系統向 Google Cloud 收取費用,請刪除含有相關資源的專案,或者保留專案但刪除個別資源。

刪除專案

    刪除 Google Cloud 專案:

    gcloud projects delete PROJECT_ID

刪除個別資源

  1. 刪除 Kubernetes 資源:

    kubectl delete -f kubernetes-manifests.yaml

  2. 刪除 Terraform 資源:

    terraform destroy --auto-approve

    系統顯示提示時,請輸入網域,例如 my-domain.net

後續步驟