Set up networking for a basic production cluster


This tutorial is for cloud architects and operations administrators who want to deploy a web application to a Google Kubernetes Engine (GKE) cluster and expose it through an HTTPS load balancer.

Objectives

In this tutorial, you learn how to:

  • Create a GKE cluster.
  • Create a global IP address and a Cloud DNS zone with Terraform.
  • Set up HTTPS load balancing.
  • Deploy a sample web application.

Costs

In this document, you use the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the Pricing Calculator.

New Google Cloud users might be eligible for a free trial.

When you finish the tasks described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.

Before you begin

Set up your project

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, click Create project to begin creating a new Google Cloud project.

     To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission.

  3. Verify that billing is enabled for your Google Cloud project.
  4. Enable the Google Kubernetes Engine and Cloud DNS APIs.

     To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission.


  • You must own a domain name that is no longer than 63 characters. You can use Google Domains or another registrar.

Set up your environment

    In this tutorial, you use Cloud Shell to manage resources hosted on Google Cloud. Cloud Shell comes preinstalled with the software you need for this tutorial, including Terraform, kubectl, and the gcloud CLI.

    1. Set environment variables:

      PROJECT_ID=$(gcloud config get-value project)
      gcloud config set project $PROJECT_ID
      gcloud config set compute/region us-central1
      
    2. Clone the code repository:

      git clone https://github.com/GoogleCloudPlatform/kubernetes-engine-samples.git
      
    3. Change to the working directory:

      cd kubernetes-engine-samples/autopilot/networking-tutorial
      

Create a GKE cluster

    The following Terraform file creates a GKE cluster:

    
    terraform {
      required_version = "~> 1.3"
    }
    
    provider "google" {}
    
    variable "region" {
      type        = string
      description = "Region where the cluster will be created."
      default     = "us-central1"
    }
    
    variable "cluster_name" {
      type        = string
      description = "Name of the cluster"
      default     = "networking-cluster"
    }
    
    resource "google_container_cluster" "default" {
      name             = var.cluster_name
      description      = "Cluster for sample web application"
      location         = var.region
      enable_autopilot = true
    
      ip_allocation_policy {}
    }
    
    output "region" {
      value       = var.region
      description = "Compute region"
    }
    
    output "cluster_name" {
      value       = google_container_cluster.default.name
      description = "Cluster name"
    }
    

    The following Terraform file creates a global IP address and a Cloud DNS zone:

    
    terraform {
      required_version = "~> 1.3"
    }
    
    variable "base_domain" {
      type        = string
      description = "Your base domain"
    }
    
    variable "name" {
      type        = string
      description = "Name of resources"
      default     = "networking-tutorial"
    }
    
    data "google_client_config" "current" {}
    
    resource "google_compute_global_address" "default" {
      name = var.name
    }
    
    resource "google_dns_managed_zone" "default" {
      name        = var.name
      dns_name    = "${var.name}.${var.base_domain}."
      description = "DNS Zone for web application"
    }
    
    resource "google_dns_record_set" "a" {
      name         = google_dns_managed_zone.default.dns_name
      type         = "A"
      ttl          = 300
      managed_zone = google_dns_managed_zone.default.name
    
      rrdatas = [google_compute_global_address.default.address]
    }
    
    resource "google_dns_record_set" "cname" {
      name         = join(".", compact(["www", google_dns_record_set.a.name]))
      type         = "CNAME"
      ttl          = 300
      managed_zone = google_dns_managed_zone.default.name
    
      rrdatas = [google_dns_record_set.a.name]
    }
    
    output "dns_zone_name_servers" {
      value       = google_dns_managed_zone.default.name_servers
      description = "Write these virtual name servers in your base domain."
    }
    
    output "domain" {
      value = trim(google_dns_record_set.a.name, ".")
    }
    
    1. Initialize Terraform:

      terraform init
      
    2. Review the infrastructure changes:

      terraform plan
      

      When prompted, enter your domain, for example my-domain.net.

    3. Apply the Terraform configuration:

      terraform apply --auto-approve
      

      When prompted, enter your domain, for example my-domain.net.

      The output is similar to the following:

      Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
      
      Outputs:
      
      cluster_name = "networking-cluster"
      region = "us-central1"
      

Create an external Application Load Balancer

    1. The following manifest describes a ManagedCertificate, a FrontendConfig, a Deployment, a Service, and an Ingress:

      ---
      apiVersion: networking.gke.io/v1
      kind: ManagedCertificate
      metadata:
        name: networking-managed-cert
      spec:
        domains:
          - DOMAIN_NAME
          - www.DOMAIN_NAME
      ---
      apiVersion: networking.gke.io/v1beta1
      kind: FrontendConfig
      metadata:
        name: networking-fc
      spec:
        redirectToHttps:
          enabled: true
          responseCodeName: MOVED_PERMANENTLY_DEFAULT
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: frontend
      spec:
        selector:
          matchLabels:
            app: frontend
        replicas: 2
        template:
          metadata:
            labels:
              app: frontend
          spec:
            containers:
            - name: echo-amd64
              image: us-docker.pkg.dev/google-samples/containers/gke/hello-app-cdn:1.0
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: frontend
      spec:
        type: LoadBalancer
        selector:
          app: frontend
        ports:
        - name: http
          port: 80
          targetPort: 8080
      ---
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: frontend
        annotations:
          networking.gke.io/managed-certificates: networking-managed-cert
          networking.gke.io/v1beta1.FrontendConfig: networking-fc
          kubernetes.io/ingress.global-static-ip-name: networking-tutorial
          kubernetes.io/ingress.class: gce
        labels:
          app: frontend
      spec:
        defaultBackend:
          service:
            name: frontend
            port:
              number: 80

      Replace DOMAIN_NAME with your domain name, for example my-domain.net.

      This manifest has the following properties:

      • networking.gke.io/managed-certificates: the name of the ManagedCertificate.
      • networking.gke.io/v1beta1.FrontendConfig: the name of the FrontendConfig resource.
      • kubernetes.io/ingress.global-static-ip-name: the name of the IP address.
      • kubernetes.io/ingress.class: instructs the GKE Ingress controller to create an external Application Load Balancer.
    2. Apply the manifest to the cluster:

      kubectl apply -f kubernetes-manifests.yaml
      
    3. Verify that the Ingress was created:

      kubectl describe ingress frontend
      

      The output is similar to the following:

      ...
        Events:
          Type    Reason  Age   From                     Message
          ----    ------  ----  ----                     -------
          Normal  ADD     2m    loadbalancer-controller  default/frontend
          Normal  CREATE  1m    loadbalancer-controller  ip: 203.0.113.2
      ...
      

      The Ingress can take a few minutes to finish provisioning.

Test the application

    1. Check the status of the SSL certificate:

      kubectl get managedcertificates.networking.gke.io networking-managed-cert
      

      Provisioning the SSL certificate can take up to 30 minutes. The following output indicates that the SSL certificate is ready:

      NAME                      AGE   STATUS
      networking-managed-cert   28m   Active
      
    2. Run a curl command:

      curl -Lv https://DOMAIN_NAME
      

      The output is similar to the following:

      *   Trying 34.160.115.33:443...
      * Connected to DOMAIN_NAME (34.160.115.33) port 443 (#0)
      ...
      * TLSv1.3 (IN), TLS handshake, Certificate (11):
      ...
      * Server certificate:
      *  subject: CN=DOMAIN_NAME
      ...
      > Host: DOMAIN_NAME
      
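    As an added check that is not part of the tutorial, the following script verifies the two results the manifest and the test steps above aim for: the ManagedCertificate reports Active, and a plain-HTTP request is answered with the 301 redirect to https:// that the FrontendConfig (responseCodeName: MOVED_PERMANENTLY_DEFAULT) configures. The check_live function assumes kubectl and curl are set up for the tutorial cluster; the SAMPLE_ variables are constructed from the outputs shown above so the parsers can be exercised offline.

```bash
#!/usr/bin/env bash
# Added verification helpers, not part of the tutorial. They check the two
# security-relevant outcomes of the setup above: the ManagedCertificate is
# Active, and plain-HTTP requests get the 301 to https:// that the
# FrontendConfig (responseCodeName: MOVED_PERMANENTLY_DEFAULT) configures.

# $1: output of `kubectl get managedcertificates.networking.gke.io <name>`
cert_is_active() {
  printf '%s\n' "$1" | awk 'NR > 1 && $3 == "Active" { found = 1 } END { exit (found ? 0 : 1) }'
}

# $1: response headers from `curl -sI http://<domain>`; $2: the domain
redirects_to_https() {
  local hdrs domain_re
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')               # curl headers end in CRLF
  domain_re=$(printf '%s' "$2" | sed 's/\./\\./g')      # escape dots for grep -E
  printf '%s\n' "$hdrs" | grep -qE '^HTTP/[0-9.]+ 301( |$)' || return 1
  printf '%s\n' "$hdrs" | grep -qiE "^Location: https://${domain_re}(/|$)" || return 1
}

# Live check against a deployed tutorial cluster (assumes kubectl and curl
# are configured for it); $1 is the DOMAIN_NAME used in the manifest.
check_live() {
  local domain="$1" status hdrs
  status=$(kubectl get managedcertificates.networking.gke.io networking-managed-cert)
  cert_is_active "$status" || { echo "certificate is not Active yet"; return 1; }
  hdrs=$(curl -sI --max-time 10 "http://${domain}")
  redirects_to_https "$hdrs" "$domain" || { echo "no HTTP->HTTPS 301 redirect"; return 1; }
  echo "ok: certificate Active and HTTP redirects to HTTPS"
}

# Constructed samples modelled on the outputs shown in the tutorial.
SAMPLE_CERT_ACTIVE='NAME                      AGE   STATUS
networking-managed-cert   28m   Active'
SAMPLE_CERT_PENDING='NAME                      AGE   STATUS
networking-managed-cert   3m    Provisioning'
SAMPLE_REDIRECT=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://my-domain.net/\r\nContent-Length: 0\r\n')
SAMPLE_NO_REDIRECT=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n')
```

    Source the file in Cloud Shell and run check_live DOMAIN_NAME once the certificate step above has completed.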

Clean up

    To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

    1. In the Google Cloud console, go to the Manage resources page.


    2. In the project list, select the project that you want to delete, and then click Delete.
    3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete individual resources

    1. Delete the Kubernetes resources:

      kubectl delete -f kubernetes-manifests.yaml
      
    2. Delete the Terraform resources:

      terraform destroy --auto-approve
      

      When prompted, enter your domain, for example my-domain.net.

What's next