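#!/usr/bin/env bash
# Anthos GKE on AWS — prerequisites.
# Docs: https://cloud.google.com/anthos/gke/docs/aws/how-to/prerequisites
#
# Creates two AWS KMS keys (with aliases), enables the required Google APIs,
# creates the three GCP service accounts with keys and IAM bindings, and
# installs the anthos-gke CLI into /usr/local/bin.
#
# Requirements: gcloud (authenticated, project set), aws CLI (authenticated),
# gsutil, `jq` for JSON parsing, sudo for the /usr/local/bin move.
# Outputs in the current directory: aws-kms-key-meta.json,
# aws-kms-key2-meta.json, management-key.json, hub-key.json, node-key.json.
# The *-key.json files are long-lived service-account credentials: they are
# written mode 0600 here; keep them out of version control and delete them
# once the install no longer needs them.
set -euo pipefail

# Declaration and command substitution are separate so a failing gcloud call
# is not masked by `export`.
PROJECT_ID=$(gcloud config get-value project)
PROJECT_OWNER=$(gcloud config get-value core/account) # set orig val
export PROJECT_ID PROJECT_OWNER
: "${PROJECT_ID:?gcloud project is not set (gcloud config set project ...)}"

# confirm aws CLI working
aws --version

# create two KMS keys; the full metadata is kept for the management step
aws kms create-key > aws-kms-key-meta.json
aws kms create-key > aws-kms-key2-meta.json

# fetch ARN from each key. `jq -r` prints the raw string; without it the
# variable carries literal double quotes, which breaks --target-key-id below.
KMS_ARN1=$(jq -r '.KeyMetadata.Arn' aws-kms-key-meta.json)
KMS_ARN2=$(jq -r '.KeyMetadata.Arn' aws-kms-key2-meta.json)
export KMS_ARN1 KMS_ARN2
printf 'Key 1 Arn: %s\n' "$KMS_ARN1"
printf 'Key 2 Arn: %s\n' "$KMS_ARN2"

# create aliases for keys
aws kms create-alias \
  --alias-name=alias/gke-key \
  --target-key-id="$KMS_ARN1"
aws kms create-alias \
  --alias-name=alias/gke-key2 \
  --target-key-id="$KMS_ARN2"

# enable gcloud apis (a single call accepts several services)
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  gkehub.googleapis.com \
  gkeconnect.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  serviceusage.googleapis.com \
  stackdriver.googleapis.com \
  storage-api.googleapis.com \
  storage-component.googleapis.com

# create service accounts
for sa in management-sa hub-sa node-sa; do
  gcloud iam service-accounts create "$sa"
done

# download keys; restrict each file to the owner since it is a bearer credential
for name in management hub node; do
  gcloud iam service-accounts keys create "${name}-key.json" \
    --iam-account "${name}-sa@${PROJECT_ID}.iam.gserviceaccount.com"
  chmod 600 "${name}-key.json"
done

#######################################
# Grant one project-level role to a service account.
# Globals:   PROJECT_ID (read)
# Arguments: $1 - service account name (without the @project suffix)
#            $2 - role id, e.g. roles/gkehub.admin
# Returns:   exit status of gcloud
#######################################
bind_role() {
  local sa=$1 role=$2
  gcloud projects add-iam-policy-binding \
    "$PROJECT_ID" \
    --member "serviceAccount:${sa}@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role "$role"
}

# management sa
bind_role management-sa roles/gkehub.admin
bind_role management-sa roles/serviceusage.serviceUsageViewer
# hub sa
bind_role hub-sa roles/gkehub.connect
# node sa
# objectViewer didn't work for mgmt install (need create TF state bucket).
# The predefined role id is roles/storage.admin (the original spelled it
# roles/storageAdmin, which gcloud does not recognise). Note this grants
# project-wide bucket admin; narrow it to the state bucket once it exists.
bind_role node-sa roles/storage.admin

# download anthos-gke CLI
# NOTE: your service account MUST BE ADDED (MANUALLY BY GOOGLE) TO APPROVE LIST FIRST
# gcloud auth activate-service-account --key-file=node-key.json # if not project owner
readonly ANTHOS_GKE_RELEASE="gs://gke-multi-cloud-release/aws/aws-1.4.1-gke.15"
# pick the darwin or linux binary from the release bucket based on the host OS
case "$(uname -s)" in
  Darwin) platform=darwin ;;
  Linux)  platform=linux ;;
  *)      printf 'unsupported OS: %s\n' "$(uname -s)" >&2; exit 1 ;;
esac
gsutil cp "${ANTHOS_GKE_RELEASE}/bin/${platform}/amd64/anthos-gke" .
chmod 755 anthos-gke
sudo mv anthos-gke /usr/local/bin

# change gcloud auth back to original user
# gcloud config set account "$PROJECT_OWNER"
# test the CLI is working
anthos-gke version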
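#!/usr/bin/env bash
# Anthos GKE on AWS — management service install.
# Docs: https://cloud.google.com/anthos/gke/docs/aws/how-to/installing-management
#
# Builds anthos-gke.yaml from the keys created by the prerequisites script,
# runs `anthos-gke aws management init` / `apply`, then opens the bastion
# tunnel and points kubectl at the management cluster.
#
# Requirements: gcloud, aws CLI, `jq` for JSON parsing, terraform, kubectl,
# anthos-gke, and the prerequisites outputs (aws-kms-key*-meta.json and the
# three *-key.json files) in the current directory.
# AWS_REGION, the zones, CIDR blocks and SSH_CIDR_BLOCK may be overridden from
# the environment; the defaults are the original values.
set -euo pipefail

# Declaration and command substitution are separate so a failure is not
# masked by `export`.
PROJECT_ID=$(gcloud config get-value project)
PROJECT_OWNER=$(gcloud config get-value core/account) # set orig val
ANTHOS_GKE_VERSION=$(anthos-gke version)
export PROJECT_ID PROJECT_OWNER ANTHOS_GKE_VERSION
: "${PROJECT_ID:?gcloud project is not set (gcloud config set project ...)}"

export AWS_REGION="${AWS_REGION:-us-east-2}"
# `jq -r` prints the raw string so the ARN is unquoted in the YAML below.
ADMIN_AWS_IAM_ARN=$(aws sts get-caller-identity | jq -r '.Arn')
export ADMIN_AWS_IAM_ARN

# AWS keys created during prerequisites
KMS_KEY_ARN=$(jq -r '.KeyMetadata.Arn' aws-kms-key-meta.json)
DATABASE_KMS_KEY_ARN=$(jq -r '.KeyMetadata.Arn' aws-kms-key2-meta.json)
export KMS_KEY_ARN DATABASE_KMS_KEY_ARN

# GCP keys created during prerequisites.
# $PWD, not $(PWD): the latter tries to run a command named PWD, fails, and
# leaves every key path as a bare "/<file>.json".
export MANAGEMENT_KEY_PATH="${PWD}/management-key.json"
export HUB_KEY_PATH="${PWD}/hub-key.json"
export NODE_KEY_PATH="${PWD}/node-key.json"
# fail early rather than let `management apply` discover a missing key
for key in "$MANAGEMENT_KEY_PATH" "$HUB_KEY_PATH" "$NODE_KEY_PATH"; do
  if [[ ! -f "$key" ]]; then
    printf 'missing service-account key: %s (run the prerequisites script first)\n' "$key" >&2
    exit 1
  fi
done

# networking
printf 'Listing AZs for region %s\n' "$AWS_REGION"
aws ec2 describe-availability-zones --region "$AWS_REGION" | jq -r '.AvailabilityZones[].ZoneName'
export VPC_CIDR_BLOCK="${VPC_CIDR_BLOCK:-10.20.0.0/16}"
export ZONE_1="${ZONE_1:-us-east-2a}"
export ZONE_2="${ZONE_2:-us-east-2b}"
export ZONE_3="${ZONE_3:-us-east-2c}"
export PRIVATE_CIDR_BLOCK_1="${PRIVATE_CIDR_BLOCK_1:-10.20.1.0/24}"
export PRIVATE_CIDR_BLOCK_2="${PRIVATE_CIDR_BLOCK_2:-10.20.3.0/24}"
export PRIVATE_CIDR_BLOCK_3="${PRIVATE_CIDR_BLOCK_3:-10.20.5.0/24}"
export PUBLIC_CIDR_BLOCK_1="${PUBLIC_CIDR_BLOCK_1:-10.20.0.0/24}"
export PUBLIC_CIDR_BLOCK_2="${PUBLIC_CIDR_BLOCK_2:-10.20.2.0/24}"
export PUBLIC_CIDR_BLOCK_3="${PUBLIC_CIDR_BLOCK_3:-10.20.4.0/24}"
# bastion EC2 instance: only this source range may SSH to the bastion
export SSH_CIDR_BLOCK="${SSH_CIDR_BLOCK:-172.31.28.238/32}"

########################
# CREATE CONFIG FILE
########################
# create config file (unquoted EOF so the exported values are expanded)
cat > anthos-gke.yaml <<EOF
apiVersion: multicloud.cluster.gke.io/v1
kind: AWSManagementService
metadata:
  name: management
spec:
  version: $ANTHOS_GKE_VERSION
  region: $AWS_REGION
  authentication:
    awsIAM:
      adminIdentityARNs:
      - $ADMIN_AWS_IAM_ARN
  kmsKeyARN: $KMS_KEY_ARN
  databaseEncryption:
    kmsKeyARN: $DATABASE_KMS_KEY_ARN
  googleCloud:
    projectID: $PROJECT_ID
    serviceAccountKeys:
      managementService: $MANAGEMENT_KEY_PATH
      connectAgent: $HUB_KEY_PATH
      node: $NODE_KEY_PATH
  dedicatedVPC:
    vpcCIDRBlock: $VPC_CIDR_BLOCK
    availabilityZones:
    - $ZONE_1
    - $ZONE_2
    - $ZONE_3
    privateSubnetCIDRBlocks:
    - $PRIVATE_CIDR_BLOCK_1
    - $PRIVATE_CIDR_BLOCK_2
    - $PRIVATE_CIDR_BLOCK_3
    publicSubnetCIDRBlocks:
    - $PUBLIC_CIDR_BLOCK_1
    - $PUBLIC_CIDR_BLOCK_2
    - $PUBLIC_CIDR_BLOCK_3
    bastionAllowedSSHCIDRBlocks:
    - $SSH_CIDR_BLOCK
EOF

################################
# ANTHOS GKE SETUP
################################
# validate config and bootstrap another file
anthos-gke aws management init
# create the management service on AWS.
# missing from docs (also need storage.buckets.create permission)
export GOOGLE_APPLICATION_CREDENTIALS="$NODE_KEY_PATH"
anthos-gke aws management apply

################################
# CONNECTING TO CLUSTER
################################
# https://cloud.google.com/anthos/gke/docs/aws/how-to/integrating-existing-infrastructure#connect
# download bastion tunnel script and make executable
terraform output bastion_tunnel > bastion-tunnel.sh
chmod 755 bastion-tunnel.sh
# run tunnel in the background so the shell stays usable (note you must use
# from an IP in the bastionAllowedSSHCIDRBlocks list above). The PID is kept
# so the tunnel can be stopped later; the script does not kill it on exit.
./bastion-tunnel.sh -N &
TUNNEL_PID=$!
printf 'bastion tunnel running as PID %s (kill %s to stop it)\n' "$TUNNEL_PID" "$TUNNEL_PID"
# authenticate kubectl context
anthos-gke aws management get-credentials
# set proxy env var (kubectl reaches the management API through the tunnel)
export HTTP_PROXY=http://localhost:8118
# test with cluster info
kubectl cluster-info
printf 'Good job!\n'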
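#!/usr/bin/env bash
# Anthos GKE on AWS — create a user cluster.
# Docs: https://cloud.google.com/anthos/gke/docs/aws/how-to/creating-user-cluster
#
# Requires the management setup to be done, bastion-tunnel.sh running and
# HTTP_PROXY exported in this shell (kubectl reaches the management API
# through the tunnel).
# RECONCILE_WAIT_SECONDS overrides the blind wait for the cluster to reconcile
# (default 600, the original value).
set -euo pipefail

# the cluster name comes from the terraform cluster_example output, so it is
# fixed here rather than parameterised
readonly CLUSTER_NAME=cluster-0
RECONCILE_WAIT_SECONDS="${RECONCILE_WAIT_SECONDS:-600}"

# warn (do not abort) if the proxy is missing; kubectl will fail loudly anyway
if [[ -z "${HTTP_PROXY:-}" ]]; then
  printf 'warning: HTTP_PROXY is not set; kubectl may not reach the management cluster through the bastion tunnel\n' >&2
fi

# create user cluster config
terraform output cluster_example > "${CLUSTER_NAME}.yaml"
# create first cluster (make sure the bastion_tunnel.sh is running)
kubectl apply -f "${CLUSTER_NAME}.yaml"
# give time for cluster to reconcile (blind wait; no readiness condition is
# polled here)
sleep "$RECONCILE_WAIT_SECONDS"
# create kubeconfig for new cluster (make sure bastion_tunnel.sh and the proxy var are set)
anthos-gke aws clusters get-credentials "$CLUSTER_NAME"
# get cluster-0 info and test kubeconfig
kubectl cluster-info

#######################################
# VIEW CLUSTER STATUS (SWITCH BACK TO MGMT)
#######################################
# kubectl config get-contexts (view list)
# kubectl config use-context gke_aws_management_gke-XXXXXXXXXX (your ID)
# view clusters
kubectl get AWSClusters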