云原生之旅 - 4）基础设施即代码使用 Terraform 创建 Kubernetes _生活百科

前言上一篇文章我们已经简单的入门Terraform，本篇介绍如何使用Terraform在GCP和AWS 创建Kubernetes 资源。
Kubernetes 在云原生时代的重要性不言而喻，等于这个时代的操作系统，基本上只需要建这个资源，就可以将绝大多数的应用跑在上面，包括数据库，甚至很多团队的大数据处理例如 Spark, Flink 都跑在Kubernetes上。

GCP Kubernetes = GKE
AWS Kubernetes = EKS
Azure Kubernetes = AKS

本篇文章主要介绍前两者的Terraform 代码实现，现在使用官方的 module 要比以前方便太多了，哪怕是新手都可以很快的将资源建起来，当然如果要更多的了解，还是需要慢慢下功夫的。
关键词：IaC, Infrastructure as Code, Terraform, 基础设施即代码，使用Terraform创建GKE，使用Terraform创建EKS
环境信息:
* Terraform 1.2.9* Google Cloud SDK 397.0.0* aws-cli 2.7.7 使用Terraform创建GKE准备一个GCS bucket
# valid LOCATION values are `asia`, `eu` or `us`gsutil mb -l $LOCATION gs://$BUCKET_NAMEgsutil versioning set on gs://$BUCKET_NAME准备如下tf文件
backend.tfterraform {backend "gcs" {bucket = "sre-dev-terraform-test"prefix = "demo/state"}}providers.tf
terraform {required_version = ">= 1.2.9"required_providers {google = {source= "hashicorp/google"version = "~> 4.0"}google-beta = {source= "hashicorp/google-beta"version = "~> 4.0"}}}provider "google" {project = local.project.project_idregion= local.project.region}provider "google-beta" {project = local.project.project_idregion= local.project.region}
使用 terraform google module 事半功倍，代码如下
gke-cluster.tf
data "google_compute_zones" "available" {region = "us-central1"status = "UP"}resource "google_compute_network" "default" {project= local.project.project_idname= local.project.network_nameauto_create_subnetworks = falserouting_mode= "GLOBAL"}resource "google_compute_subnetwork" "wade-gke" {project= local.project.project_idnetwork= google_compute_network.default.namename= local.wade_cluster.subnet_nameip_cidr_range = local.wade_cluster.subnet_rangeregion= local.wade_cluster.regionsecondary_ip_range {range_name= format("%s-secondary1", local.wade_cluster.cluster_name)ip_cidr_range = local.wade_cluster.secondary_ip_range_pods}secondary_ip_range {range_name= format("%s-secondary2", local.wade_cluster.cluster_name)ip_cidr_range = local.wade_cluster.secondary_ip_range_services}private_ip_google_access = true}resource "google_service_account" "sa-wade-test" {account_id= "sa-wade-test"display_name = "sa-wade-test"}module "wade-gke" {source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"version = "23.1.0"project_id = local.project.project_idname= local.wade_cluster.cluster_namekubernetes_version= local.wade_cluster.cluster_versionregion= local.wade_cluster.regionnetwork= google_compute_network.default.namesubnetwork= google_compute_subnetwork.wade-gke.namemaster_ipv4_cidr_block = "10.1.0.0/28"ip_range_pods= google_compute_subnetwork.wade-gke.secondary_ip_range.0.range_nameip_range_services= google_compute_subnetwork.wade-gke.secondary_ip_range.1.range_nameservice_account= google_service_account.sa-wade-test.emailmaster_authorized_networks= local.wade_cluster.master_authorized_networksmaster_global_access_enabled= falseistio= falseissue_client_certificate= falseenable_private_endpoint= falseenable_private_nodes= trueremove_default_node_pool= trueenable_shielded_nodes= falseidentity_namespace= "enabled"node_metadata= "https://www.huyubaike.com/biancheng/GKE_METADATA"horizontal_pod_autoscaling= trueenable_vertical_pod_autoscaling = falsenode_pools= local.wade_cluster.node_poolsnode_pools_oauth_scopes = local.wade_cluster.oauth_scopesnode_pools_labels= local.wade_cluster.node_pools_labelsnode_pools_metadata= https://www.huyubaike.com/biancheng/local.wade_cluster.node_pools_metadatanode_pools_taints= local.wade_cluster.node_pools_taintsnode_pools_tags= local.wade_cluster.node_pools_tags}
变量 locals.tf
【云原生之旅 - 4）基础设施即代码使用 Terraform 创建 Kubernetes】master_authorized_networks 需要改为自己要放行的白名单，只有白名单的IP才能访问 cluster api endpoint 。为了安全性，不要用0.0.0.0/0
locals {# project detailsproject = {project_id= "sre-eng-cn-dev"region= "us-central1"network_name= "wade-test-network"}# cluster detailswade_cluster = {cluster_name= "wade-gke"cluster_version= "1.22.12-gke.500"subnet_name= "wade-gke"subnet_range= "10.254.71.0/24"secondary_ip_range_pods= "172.20.72.0/21"secondary_ip_range_services = "10.127.8.0/24"region= "us-central1"node_pools = [{name= "app-pool"machine_type= "n1-standard-2"node_locations= join(",", slice(data.google_compute_zones.available.names, 0, 3))initial_node_count = 1min_count= 1max_count= 10max_pods_per_node= 64disk_size_gb= 100disk_type= "pd-standard"image_type= "COS"auto_repair= trueauto_upgrade= falsepreemptible= falsemax_surge= 1max_unavailable= 0}]node_pools_labels = {all = {}}node_pools_tags = {all = ["k8s-nodes"]}node_pools_metadata = https://www.huyubaike.com/biancheng/{all = {disable-legacy-endpoints ="true"}}node_pools_taints = {all = []}oauth_scopes = {all = ["https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/compute","https://www.googleapis.com/auth/devstorage.full_control","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/service.management","https://www.googleapis.com/auth/servicecontrol",]}master_authorized_networks = [{display_name = "Whitelist 1"cidr_block= "4.14.xxx.xx/32"},{display_name = "Whitelist 2"cidr_block= "64.124.xxx.xx/32"},]}}