@mikesparr
Last active September 12, 2020 17:36
Anthos GKE on AWS (management)
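#!/usr/bin/env bash
# Anthos GKE on AWS: build the management-service config, apply it, then open a
# bastion tunnel and point kubectl at the new management cluster.
# https://cloud.google.com/anthos/gke/docs/aws/how-to/installing-management
# NOTE: MUST have `jq` installed for JSON parsing to set ENV vars
#
# Expected in the current directory (all created during the prerequisites):
#   aws-kms-key-meta.json, aws-kms-key2-meta.json   (AWS KMS key metadata)
#   management-key.json, hub-key.json, node-key.json (GCP service account keys)
# Optional env: SSH_CIDR_BLOCK (your public IP as x.x.x.x/32; the placeholder
# default is rejected), AWS_REGION-related values are hard-coded below.
# Required CLIs: gcloud, anthos-gke, aws, jq, terraform, kubectl
set -euo pipefail

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Wait until something accepts TCP connections on 127.0.0.1:$1.
# Arguments: $1 - port, $2 - max attempts (1s apart), default 30
# Returns:   0 once the port opens, 1 if it never does
#######################################
wait_for_port() {
  local port=$1 tries=${2:-30}
  local i
  for ((i = 0; i < tries; i++)); do
    # bash's /dev/tcp pseudo-device; the subshell drops the fd immediately
    (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null && return 0
    sleep 1
  done
  return 1
}

for tool in gcloud anthos-gke aws jq terraform kubectl; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

# Declaration and assignment are split so a failing command is not masked
# by `export` returning 0 (ShellCheck SC2155).
PROJECT_ID=$(gcloud config get-value project) || die "cannot read gcloud project"
export PROJECT_ID
PROJECT_OWNER=$(gcloud config get-value core/account) || die "cannot read gcloud account" # set orig val
export PROJECT_OWNER
ANTHOS_GKE_VERSION=$(anthos-gke version) || die "anthos-gke version failed"
export ANTHOS_GKE_VERSION
export AWS_REGION="us-east-2"
# jq -r strips the JSON quotes so the bare ARN is what lands in the YAML below
ADMIN_AWS_IAM_ARN=$(aws sts get-caller-identity | jq -r '.Arn') || die "cannot read AWS caller identity"
export ADMIN_AWS_IAM_ARN
# AWS keys created during prerequisites
KMS_KEY_ARN=$(jq -r '.[].Arn' aws-kms-key-meta.json) || die "cannot read ARN from aws-kms-key-meta.json"
export KMS_KEY_ARN
DATABASE_KMS_KEY_ARN=$(jq -r '.[].Arn' aws-kms-key2-meta.json) || die "cannot read ARN from aws-kms-key2-meta.json"
export DATABASE_KMS_KEY_ARN
# GCP keys created during prerequisites.
# $PWD (the shell variable), not $(PWD): there is no PWD command, so the
# original expanded to "/management-key.json" and the apply step could not find the keys.
export MANAGEMENT_KEY_PATH="$PWD/management-key.json"
export HUB_KEY_PATH="$PWD/hub-key.json"
export NODE_KEY_PATH="$PWD/node-key.json"
for key in "$MANAGEMENT_KEY_PATH" "$HUB_KEY_PATH" "$NODE_KEY_PATH"; do
  [[ -r "$key" ]] || die "service account key not found or unreadable: $key"
done

# networking
printf 'Listing AZs for region %s\n' "$AWS_REGION"
aws ec2 describe-availability-zones --region "$AWS_REGION" | jq '.AvailabilityZones[].ZoneName'
export VPC_CIDR_BLOCK="10.20.0.0/16"
export ZONE_1="us-east-2a"
export ZONE_2="us-east-2b"
export ZONE_3="us-east-2c"
export PRIVATE_CIDR_BLOCK_1="10.20.1.0/24"
export PRIVATE_CIDR_BLOCK_2="10.20.3.0/24"
export PRIVATE_CIDR_BLOCK_3="10.20.5.0/24"
export PUBLIC_CIDR_BLOCK_1="10.20.0.0/24"
export PUBLIC_CIDR_BLOCK_2="10.20.2.0/24"
export PUBLIC_CIDR_BLOCK_3="10.20.4.0/24"
# bastion EC2 access: the only CIDR allowed to SSH to the bastion. Taken from the
# environment if set; the placeholder is refused so a wide-open or bogus
# allow-list never reaches the config.
export SSH_CIDR_BLOCK="${SSH_CIDR_BLOCK:-YOUR-IP-ADDRESS/32}"
[[ "$SSH_CIDR_BLOCK" != "YOUR-IP-ADDRESS/32" ]] \
  || die "set SSH_CIDR_BLOCK to your public IP in CIDR form (e.g. 198.51.100.7/32) before running"

########################
# CREATE CONFIG FILE
########################
# create config file. The heredoc is unquoted on purpose so the exported values
# above are substituted; YAML nesting is by 2-space indentation.
cat > anthos-gke.yaml << EOF
apiVersion: multicloud.cluster.gke.io/v1
kind: AWSManagementService
metadata:
  name: management
spec:
  version: $ANTHOS_GKE_VERSION
  region: $AWS_REGION
  authentication:
    awsIAM:
      adminIdentityARNs:
      - $ADMIN_AWS_IAM_ARN
  kmsKeyARN: $KMS_KEY_ARN
  databaseEncryption:
    kmsKeyARN: $DATABASE_KMS_KEY_ARN
  googleCloud:
    projectID: $PROJECT_ID
    serviceAccountKeys:
      managementService: $MANAGEMENT_KEY_PATH
      connectAgent: $HUB_KEY_PATH
      node: $NODE_KEY_PATH
  dedicatedVPC:
    vpcCIDRBlock: $VPC_CIDR_BLOCK
    availabilityZones:
    - $ZONE_1
    - $ZONE_2
    - $ZONE_3
    privateSubnetCIDRBlocks:
    - $PRIVATE_CIDR_BLOCK_1
    - $PRIVATE_CIDR_BLOCK_2
    - $PRIVATE_CIDR_BLOCK_3
    publicSubnetCIDRBlocks:
    - $PUBLIC_CIDR_BLOCK_1
    - $PUBLIC_CIDR_BLOCK_2
    - $PUBLIC_CIDR_BLOCK_3
    bastionAllowedSSHCIDRBlocks:
    - $SSH_CIDR_BLOCK
EOF

################################
# ANTHOS GKE SETUP
################################
# validate config and bootstrap another file
anthos-gke aws management init
# create the management service on AWS
# missing from docs (also need storage.buckets.create permission)
# NOTE(review): this reuses the *node* service-account key as the credential for
# the apply step, so that key ends up carrying more permission than the node
# role itself needs — confirm a narrower key is not intended here.
export GOOGLE_APPLICATION_CREDENTIALS="$NODE_KEY_PATH"
anthos-gke aws management apply

################################
# CONNECTING TO CLUSTER
################################
# https://cloud.google.com/anthos/gke/docs/aws/how-to/integrating-existing-infrastructure#connect
# download bastion tunnel script and make executable
terraform output bastion_tunnel > bastion-tunnel.sh
chmod 755 bastion-tunnel.sh
# run tunnel (note you must use from IP in your bastion anthos-gke.yaml approve list)
./bastion-tunnel.sh -N & # added & to continue to use shell (optional)
TUNNEL_PID=$!
export TUNNEL_PID
# The tunnel is backgrounded, so give it a moment to bind the local proxy port
# before anything tries to use it; the original raced straight into kubectl.
wait_for_port 8118 || die "bastion tunnel did not open localhost:8118 (pid $TUNNEL_PID)"
# authenticate kubectl context
anthos-gke aws management get-credentials
# set proxy env vars. The cluster endpoint is https://, and HTTPS-aware clients
# read HTTPS_PROXY for it; HTTP_PROXY is kept as the original set it.
export HTTPS_PROXY=http://localhost:8118
export HTTP_PROXY=http://localhost:8118
# test with cluster info
kubectl cluster-info
echo "Good job!"
printf 'bastion tunnel still running in the background (pid %s); kill it when done.\n' "$TUNNEL_PID"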