mikesparr/anthos-service-mesh.sh

## anthos-service-mesh.sh
#!/usr/bin/env bash

export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export CLUSTER_NAME="central"
export CLUSTER_LOCATION="us-central1"
export MACHINE_TYPE="n1-standard-4"
export NODE_POOL_NAME="default-pool"

export NETWORK_NAME="anthos-demo"
export SUBNET_K8S_NODES="k8s-nodes"
export SUBNET_K8S_NODES_RANGE="10.12.0.0/22"
export SUBNET_K8S_PODS="k8s-pods"
export SUBNET_K8S_PODS_RANGE="10.82.0.0/18"
export SUBNET_K8S_SVCS="k8s-svcs"
export SUBNET_K8S_SVCS_RANGE="10.82.64.0/22"

export ENVIRON_PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
export IDNS=${PROJECT_ID}.svc.id.goog
export MESH_ID="proj-${ENVIRON_PROJECT_NUMBER}"

# enable apis
gcloud services enable \
    container.googleapis.com \
    compute.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com \
    cloudtrace.googleapis.com \
    meshca.googleapis.com \
    meshtelemetry.googleapis.com \
    meshconfig.googleapis.com \
    iamcredentials.googleapis.com \
    anthos.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    cloudresourcemanager.googleapis.com

# create VPC network
gcloud compute networks create $NETWORK_NAME \
    --subnet-mode="custom"

# create GKE subnet
gcloud compute networks subnets create $SUBNET_K8S_NODES \
    --network=$NETWORK_NAME \
    --region=$CLUSTER_LOCATION \
    --range=$SUBNET_K8S_NODES_RANGE \
    --enable-private-ip-google-access \
    --secondary-range=${SUBNET_K8S_PODS}=${SUBNET_K8S_PODS_RANGE} \
    --secondary-range=${SUBNET_K8S_SVCS}=${SUBNET_K8S_SVCS_RANGE}


############################################################
# TASK 1: Install cluster, Anthos Service Mesh, Hipster Shop
# region: us-central1
# nodes/zone: 1
# machine: n1-standard-4
# zones: 1a, 1b, 1c, 1f
# Istio on GKE = Enabled
# scope: cloud-platform
# Istio injection on 'default' ns
# labels: mesh_id=proj-${ENVIRON_PROJECT_NUMBER}
# https://cloud.google.com/istio/docs/istio-on-gke/installing
# https://cloud.google.com/kubernetes-engine/docs/how-to/creating-managing-labels
############################################################
gcloud beta container --project ${PROJECT_ID} clusters create ${CLUSTER_NAME} \
    --region ${CLUSTER_LOCATION} --no-enable-basic-auth \
    --node-locations "us-central1-a","us-central1-b","us-central1-c","us-central1-f" \
    --network "projects/${PROJECT_ID}/global/networks/${NETWORK_NAME}" \
    --subnetwork "projects/${PROJECT_ID}/regions/${CLUSTER_LOCATION}/subnetworks/${SUBNET_K8S_NODES}" \
    --cluster-secondary-range-name "${SUBNET_K8S_PODS}" \
    --services-secondary-range-name "${SUBNET_K8S_SVCS}" \
    --release-channel "regular" \
    --machine-type ${MACHINE_TYPE} \
    --image-type "UBUNTU" \
    --disk-type "pd-standard" \
    --disk-size "100" \
    --metadata disable-legacy-endpoints=true \
    --scopes "https://www.googleapis.com/auth/cloud-platform" \
    --num-nodes "1" \
    --enable-stackdriver-kubernetes \
    --enable-ip-alias \
    --default-max-pods-per-node "110" \
    --no-enable-master-authorized-networks \
    --addons HorizontalPodAutoscaling,HttpLoadBalancing,Istio \
    --istio-config auth=MTLS_PERMISSIVE \
    --enable-autoupgrade --enable-autorepair \
    --max-surge-upgrade 1 --max-unavailable-upgrade 0 \
    --labels mesh_id=${MESH_ID} \
    --workload-pool ${IDNS}

# register cluster
gcloud iam service-accounts create connect-sa
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
    --member="serviceAccount:connect-sa@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role="roles/gkehub.connect"
gcloud iam service-accounts keys create connect-sa-key.json \
    --iam-account=connect-sa@${PROJECT_ID}.iam.gserviceaccount.com
gcloud container hub memberships register ${CLUSTER_NAME}-connect \
    --gke-cluster=${CLUSTER_LOCATION}/${CLUSTER_NAME} \
    --service-account-key-file=./connect-sa-key.json

# initialize mesh
curl --request POST \
    --header "Authorization: Bearer $(gcloud auth print-access-token)" \
    --data '' \
    "https://meshconfig.googleapis.com/v1alpha1/projects/${PROJECT_ID}:initialize"

# auto-inject sidecar
kubectl label namespace default istio-injection=enabled

# install hipster shop
# prereq: https://googlecontainertools.github.io/kpt/installation/
kpt pkg get \
    https://github.com/GoogleCloudPlatform/microservices-demo.git/release \
    hipster-demo

kubectl apply -f hipster-demo # default namespace


############################################################
# TASK 2: Create SLO for 'checkoutservice'
# manually create in GCP Console ( Anthos > Service Mesh > Create SLO )
# <500ms latency over rolling period of 1 day
# cluster: central
# namespace: default
# service: checkoutservice
# SLI type: Latency
# Compliance Target: 99%
# https://cloud.google.com/service-mesh/docs/observability/design-slo
# https://cloud.google.com/service-mesh/docs/observability/create-slo
############################################################

# create monitoring channel (email alerts)
gcloud beta monitoring channels create --display-name="DevOps Team" \
  --description="Primary contact method for the DevOps team lead" \
  --type=email \
  --user-labels=team=devops,role=lead,ord=1 \
  --channel-labels=email_address="${PROJECT_USER}"

# use console for creating SLO

# use console for creating Alert policy (to above monitoring channel)
	#!/usr/bin/env bash

	export PROJECT_ID=$(gcloud config get-value project)
	export PROJECT_USER=$(gcloud config get-value core/account) # set current user
	export CLUSTER_NAME="central"
	export CLUSTER_LOCATION="us-central1"
	export MACHINE_TYPE="n1-standard-4"
	export NODE_POOL_NAME="default-pool"

	export NETWORK_NAME="anthos-demo"
	export SUBNET_K8S_NODES="k8s-nodes"
	export SUBNET_K8S_NODES_RANGE="10.12.0.0/22"
	export SUBNET_K8S_PODS="k8s-pods"
	export SUBNET_K8S_PODS_RANGE="10.82.0.0/18"
	export SUBNET_K8S_SVCS="k8s-svcs"
	export SUBNET_K8S_SVCS_RANGE="10.82.64.0/22"

	export ENVIRON_PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
	export IDNS=${PROJECT_ID}.svc.id.goog
	export MESH_ID="proj-${ENVIRON_PROJECT_NUMBER}"

	# enable apis
	gcloud services enable \
	container.googleapis.com \
	compute.googleapis.com \
	monitoring.googleapis.com \
	logging.googleapis.com \
	cloudtrace.googleapis.com \
	meshca.googleapis.com \
	meshtelemetry.googleapis.com \
	meshconfig.googleapis.com \
	iamcredentials.googleapis.com \
	anthos.googleapis.com \
	gkeconnect.googleapis.com \
	gkehub.googleapis.com \
	cloudresourcemanager.googleapis.com

	# create VPC network
	gcloud compute networks create $NETWORK_NAME \
	--subnet-mode="custom"

	# create GKE subnet
	gcloud compute networks subnets create $SUBNET_K8S_NODES \
	--network=$NETWORK_NAME \
	--region=$CLUSTER_LOCATION \
	--range=$SUBNET_K8S_NODES_RANGE \
	--enable-private-ip-google-access \
	--secondary-range=${SUBNET_K8S_PODS}=${SUBNET_K8S_PODS_RANGE} \
	--secondary-range=${SUBNET_K8S_SVCS}=${SUBNET_K8S_SVCS_RANGE}


	############################################################
	# TASK 1: Install cluster, Anthos Service Mesh, Hipster Shop
	# region: us-central1
	# nodes/zone: 1
	# machine: n1-standard-4
	# zones: 1a, 1b, 1c, 1f
	# Istio on GKE = Enabled
	# scope: cloud-platform
	# Istio injection on 'default' ns
	# labels: mesh_id=proj-${ENVIRON_PROJECT_NUMBER}
	# https://cloud.google.com/istio/docs/istio-on-gke/installing
	# https://cloud.google.com/kubernetes-engine/docs/how-to/creating-managing-labels
	############################################################
	gcloud beta container --project ${PROJECT_ID} clusters create ${CLUSTER_NAME} \
	--region ${CLUSTER_LOCATION} --no-enable-basic-auth \
	--node-locations "us-central1-a","us-central1-b","us-central1-c","us-central1-f" \
	--network "projects/${PROJECT_ID}/global/networks/${NETWORK_NAME}" \
	--subnetwork "projects/${PROJECT_ID}/regions/${CLUSTER_LOCATION}/subnetworks/${SUBNET_K8S_NODES}" \
	--cluster-secondary-range-name "${SUBNET_K8S_PODS}" \
	--services-secondary-range-name "${SUBNET_K8S_SVCS}" \
	--release-channel "regular" \
	--machine-type ${MACHINE_TYPE} \
	--image-type "UBUNTU" \
	--disk-type "pd-standard" \
	--disk-size "100" \
	--metadata disable-legacy-endpoints=true \
	--scopes "https://www.googleapis.com/auth/cloud-platform" \
	--num-nodes "1" \
	--enable-stackdriver-kubernetes \
	--enable-ip-alias \
	--default-max-pods-per-node "110" \
	--no-enable-master-authorized-networks \
	--addons HorizontalPodAutoscaling,HttpLoadBalancing,Istio \
	--istio-config auth=MTLS_PERMISSIVE \
	--enable-autoupgrade --enable-autorepair \
	--max-surge-upgrade 1 --max-unavailable-upgrade 0 \
	--labels mesh_id=${MESH_ID} \
	--workload-pool ${IDNS}

	# register cluster
	gcloud iam service-accounts create connect-sa
	gcloud projects add-iam-policy-binding ${PROJECT_ID} \
	--member="serviceAccount:connect-sa@${PROJECT_ID}.iam.gserviceaccount.com" \
	--role="roles/gkehub.connect"
	gcloud iam service-accounts keys create connect-sa-key.json \
	--iam-account=connect-sa@${PROJECT_ID}.iam.gserviceaccount.com
	gcloud container hub memberships register ${CLUSTER_NAME}-connect \
	--gke-cluster=${CLUSTER_LOCATION}/${CLUSTER_NAME} \
	--service-account-key-file=./connect-sa-key.json

	# initialize mesh
	curl --request POST \
	--header "Authorization: Bearer $(gcloud auth print-access-token)" \
	--data '' \
	"https://meshconfig.googleapis.com/v1alpha1/projects/${PROJECT_ID}:initialize"

	# auto-inject sidecar
	kubectl label namespace default istio-injection=enabled

	# install hipster shop
	# prereq: https://googlecontainertools.github.io/kpt/installation/
	kpt pkg get \
	https://github.com/GoogleCloudPlatform/microservices-demo.git/release \
	hipster-demo

	kubectl apply -f hipster-demo # default namespace


	############################################################
	# TASK 2: Create SLO for 'checkoutservice'
	# manually create in GCP Console ( Anthos > Service Mesh > Create SLO )
	# <500ms latency over rolling period of 1 day
	# cluster: central
	# namespace: default
	# service: checkoutservice
	# SLI type: Latency
	# Compliance Target: 99%
	# https://cloud.google.com/service-mesh/docs/observability/design-slo
	# https://cloud.google.com/service-mesh/docs/observability/create-slo
	############################################################

	# create monitoring channel (email alerts)
	gcloud beta monitoring channels create --display-name="DevOps Team" \
	--description="Primary contact method for the DevOps team lead" \
	--type=email \
	--user-labels=team=devops,role=lead,ord=1 \
	--channel-labels=email_address="${PROJECT_USER}"

	# use console for creating SLO

	# use console for creating Alert policy (to above monitoring channel)