Create GLB demo

wwwil · Dec 11, 2019 · 2f2996e · 2f2996e
commit 2f2996e
Show file tree

Hide file tree

Showing 11 changed files with 830 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,10 @@
+# Ignore Terraform state, plan, and variable files
+**/.terraform
+*.tfstate
+*.tfstate.*
+*tfplan*
+*tfvars
+
+# Ignore GCP account keys
+keys.json
+account.json
diff --git a/01-clusters/gke.tf b/01-clusters/gke.tf
@@ -0,0 +1,53 @@
+resource "google_container_cluster" "glb-demo-us" {
+  name               = "glb-demo-us"
+  location           = "us-central1"
+  initial_node_count = 3
+
+  node_config {
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+    ]
+
+    metadata = {
+      disable-legacy-endpoints = "true"
+    }
+  }
+
+  ip_allocation_policy {
+    cluster_ipv4_cidr_block  = "10.1.0.0/16"
+    services_ipv4_cidr_block = "10.2.0.0/16"
+  }
+
+  timeouts {
+    create = "30m"
+    update = "40m"
+  }
+}
+
+resource "google_container_cluster" "glb-demo-eu" {
+  name               = "glb-demo-eu"
+  location           = "europe-west2"
+  initial_node_count = 3
+
+  node_config {
+    oauth_scopes = [
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+    ]
+
+    metadata = {
+      disable-legacy-endpoints = "true"
+    }
+  }
+
+  ip_allocation_policy {
+    cluster_ipv4_cidr_block  = "10.3.0.0/16"
+    services_ipv4_cidr_block = "10.4.0.0/16"
+  }
+
+  timeouts {
+    create = "30m"
+    update = "40m"
+  }
+}
diff --git a/01-clusters/main.tf b/01-clusters/main.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = "~> 0.12"
+}
+
+provider "google" {
+  version = 3.1
+  project = "jetstack-wil"
+  region  = "global"
+}
diff --git a/02-apps/hello-app.yaml b/02-apps/hello-app.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: hello-app
+  labels:
+    app: hello-app
+spec:
+  replicas: 9
+  selector:
+    matchLabels:
+      app: hello-app
+  template:
+    metadata:
+      labels:
+        app: hello-app
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - hello-app
+            topologyKey: "kubernetes.io/hostname"
+      containers:
+      - name: frontend
+        image: gcr.io/google-samples/hello-app:2.0
+        ports:
+          - containerPort: 80
+        env:
+          - name: PORT
+            value: "80"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello-app
+  labels:
+    app: hello-app
+  annotations:
+    cloud.google.com/neg: '{"exposed_ports": {"80":{}}}'
+spec:
+  type: NodePort
+  selector:
+    app: hello-app
+  ports:
+  - name: hello-app
+    port: 80
+---
diff --git a/02-apps/zone-printer.yaml b/02-apps/zone-printer.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: zone-printer
+  labels:
+    app: zone-printer
+spec:
+  replicas: 9
+  selector:
+    matchLabels:
+      app: zone-printer
+  template:
+    metadata:
+      labels:
+        app: zone-printer
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - zone-printer
+            topologyKey: "kubernetes.io/hostname"
+      containers:
+      - name: frontend
+        image: gcr.io/google-samples/zone-printer:0.1
+        ports:
+          - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: zone-printer
+  labels:
+    app: zone-printer
+  annotations:
+    cloud.google.com/neg: '{"exposed_ports": {"80":{}}}'
+spec:
+  type: NodePort
+  selector:
+    app: zone-printer
+  ports:
+  - name: zone-printer
+    port: 80
+---
diff --git a/03-glb/glb.tf b/03-glb/glb.tf
@@ -0,0 +1,196 @@
+resource "google_compute_global_address" "glb_demo" {
+  name = "glb-demo"
+}
+
+resource "google_compute_global_forwarding_rule" "glb_demo" {
+  name                  = "glb-demo"
+  ip_address            = google_compute_global_address.glb_demo.address
+  port_range            = "80"
+  target                = google_compute_target_http_proxy.glb_demo.self_link
+  load_balancing_scheme = "EXTERNAL"
+}
+
+resource "google_compute_target_http_proxy" "glb_demo" {
+  name = "glb-demo"
+
+  url_map = google_compute_url_map.glb_demo.self_link
+}
+
+resource "google_compute_url_map" "glb_demo" {
+  name            = "glb-demo"
+  default_service = google_compute_backend_service.glb_demo_zone_printer.self_link
+
+  host_rule {
+    hosts        = ["*"]
+    path_matcher = "glb-demo"
+  }
+
+  path_matcher {
+    name            = "glb-demo"
+    default_service = google_compute_backend_service.glb_demo_zone_printer.self_link
+
+    path_rule {
+      paths   = ["/hello-app"]
+      service = google_compute_backend_service.glb_demo_hello_app.self_link
+    }
+  }
+}
+
+# The max_rate for these backends is set to the minimum so that simply by
+# aggressively refreshing the page traffic will be sent to different instances
+# in different zones to demonstrate the load balancer in operation.
+
+resource "google_compute_backend_service" "glb_demo_zone_printer" {
+  name                  = "glb-demo-zone-printer"
+  health_checks         = [google_compute_health_check.glb_demo.self_link]
+  load_balancing_scheme = "EXTERNAL"
+  protocol              = "HTTP"
+  port_name             = "http"
+  security_policy       = google_compute_security_policy.glb_demo.self_link
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.zone_printer_neg_eu_1.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.zone_printer_neg_eu_2.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.zone_printer_neg_eu_3.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.zone_printer_neg_us_1.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.zone_printer_neg_us_2.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.zone_printer_neg_us_3.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+}
+
+resource "google_compute_backend_service" "glb_demo_hello_app" {
+  name                  = "glb-demo-hello-app"
+  health_checks         = [google_compute_health_check.glb_demo.self_link]
+  load_balancing_scheme = "EXTERNAL"
+  protocol              = "HTTP"
+  port_name             = "http"
+  security_policy       = google_compute_security_policy.glb_demo.self_link
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.hello_app_neg_eu_1.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.hello_app_neg_eu_2.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.hello_app_neg_eu_3.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.hello_app_neg_us_1.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.hello_app_neg_us_2.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+
+  backend {
+    group          = data.google_compute_network_endpoint_group.hello_app_neg_us_3.self_link
+    balancing_mode = "RATE"
+    max_rate       = 1
+  }
+}
+
+resource "google_compute_health_check" "glb_demo" {
+  name                = "glb-demo"
+  healthy_threshold   = 1
+  check_interval_sec  = 60
+  unhealthy_threshold = 10
+  timeout_sec         = 60
+
+  tcp_health_check {
+    port = "80"
+  }
+}
+
+# This is a firewall rule to allow incoming traffic on port 80
+resource "google_compute_firewall" "glb_demo" {
+  name      = "glb-demo"
+  network   = "default"
+  direction = "INGRESS"
+  priority  = 1000
+
+  allow {
+    protocol = "tcp"
+    ports    = ["80"]
+  }
+
+  # These are the source ranges for Google's network for traffic coming in from
+  # the load balancer
+  source_ranges = [
+    "130.211.0.0/22",
+    "35.191.0.0/16",
+  ]
+}
+
+# This is a Cloud Armor policy
+resource "google_compute_security_policy" "glb_demo" {
+  name = "glb_demo"
+
+  # Default rule, allow all traffic
+  rule {
+    action   = "allow"
+    priority = "2147483647"
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["*"]
+      }
+    }
+    description = "default rule"
+  }
+
+  # Deny traffic from some IPs
+  rule {
+    action = "deny(403)"
+    # Lower value means higher priority
+    priority = "1000"
+    match {
+      versioned_expr = "SRC_IPS_V1"
+      config {
+        src_ip_ranges = ["9.9.9.0/24"]
+      }
+    }
+    description = "Deny access to IPs in 9.9.9.0/24"
+  }
+
+}