I created a google_container_cluster ...

```hcl
resource "google_container_cluster" "primary" {
  name = "primary"
  # rest of the config ...
}
```

... and now want to add a named_port to the managed instance group that is created on the fly by the Google Cloud Platform.

The google_container_cluster resource returns instance_group_urls. But I don't know how to use this output in order to create a named port.
1 Answer
This is not clear from your question, but I'm presuming you're using Google Container Engine (GKE).
GKE Usage
When you're using Google Container Engine (GKE), the general idea is that you do configuration only at the Kubernetes level and GKE takes care of the rest. GKE uses Google Compute Engine (GCE) underneath to manage the infrastructure and this is where instance groups and other GCE resources come in.
Terraform with GKE
The terraform google_container_cluster maps to a GKE configuration for the cluster itself. Manually modifying the GCE instance group resources underneath does not seem to be a common use case.
Named ports in GCE are used only for load balancing, where the BackendService configuration in the load balancer can use named ports to refer to the ports on the instance groups instead of specifying port numbers.
At the Kubernetes level you can define services and specify incoming and target ports which GKE will map to GCE load balancer (with backend services, instance groups and VMs).
Load Balancing
For load balancing you have 2 main options in Kubernetes:
- Type LoadBalancer - From the Kubernetes doc about load balancing:

> Type LoadBalancer
>
> On cloud providers which support external load balancers, setting the type field to "LoadBalancer" will provision a load balancer for your Service. The actual creation of the load balancer happens asynchronously, and information about the provisioned balancer will be published in the Service's status.loadBalancer field.
>
> For example:
>
> ```yaml
> kind: Service
> apiVersion: v1
> metadata:
>   name: my-service
> spec:
>   selector:
>     app: MyApp
>   ports:
>   - protocol: TCP
>     port: 80
>     targetPort: 9376
>     nodePort: 30061
>   clusterIP: 10.0.171.239
>   loadBalancerIP: 78.11.24.19
>   type: LoadBalancer
> status:
>   loadBalancer:
>     ingress:
>     - ip: 146.148.47.155
> ```
>
> Traffic from the external load balancer will be directed at the backend Pods, though exactly how that works depends on the cloud provider. Some cloud providers allow the loadBalancerIP to be specified. In those cases, the load-balancer will be created with the user-specified loadBalancerIP. If the loadBalancerIP field is not specified, an ephemeral IP will be assigned to the loadBalancer. If the loadBalancerIP is specified, but the cloud provider does not support the feature, the field will be ignored.
- Ingress resource - If your service is HTTP/HTTPS, Kubernetes also supports the Ingress resource starting with Kubernetes v1.1. GKE will automatically set up an L7 load balancer and also support SSL/TLS.
Using the ingress resource has the following advantages:
- Specify services per URL path and port (it uses URL Maps from GCE to configure this).
- Set up and terminate SSL/TLS on the GCE load balancer (it uses Target proxies from GCE to configure this).
- GKE will automatically also configure the GCE health checks for your services.
All you need to do is to implement the service logic for your backends in the Pod to handle the requests.
More info available on the GKE page about setting up HTTP load balancing.
Still need to manually add named ports?
Finally, if you still feel the need to modify the instance groups after they have been created using google_container_cluster, here is some info:
- The instance group API documentation for GCE will explain how you can manipulate the named ports (and other fields if required). More specifically look at instanceGroups.setNamedPorts API.
- You will use the URL you received earlier for manipulation using the REST API.
- If directly using the REST API, you will need to pass the right access tokens for authentication. If using any client libraries you will need to set up application default credentials (the preferred way) or load them manually and configure it. Info about authentication and Application Default credentials is available here. gcloud is also an alternative.
- Just adding named ports to instance groups will not be sufficient. You will most likely need to update your BackendService resource to use those named ports. You can look at the portName field in the BackendService API.
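Putting the last section of the answer into Terraform, as an added example that is not part of the question or the answer: it parses the instance_group_urls output into a zone and group name, sets the named port with gcloud (Terraform has no resource for named ports on a GKE-created group), and points a google_compute_backend_service at that port by name, which is the portName field the answer refers to. Assumptions: the provider version in use still exposes instance_group_urls on google_container_cluster as the question states, the URL is zonal (.../zones/<zone>/instanceGroupManagers/<name>), the named port maps to the Service's nodePort from the quoted example (30061), and the resource names and health-check path are hypothetical.

```hcl
locals {
  # Assumption: the first URL is the node group to expose and it is zonal,
  # i.e. .../zones/<zone>/instanceGroupManagers/<name>
  ig_url   = google_container_cluster.primary.instance_group_urls[0]
  ig_parts = split("/", local.ig_url)
  ig_name  = element(local.ig_parts, length(local.ig_parts) - 1)
  ig_zone  = element(local.ig_parts, length(local.ig_parts) - 3)
}

# Named ports live on the instance group, which Terraform does not manage for
# a GKE-created group, so set them with gcloud as the answer suggests.
# Assumption: "http" maps to the Service's nodePort (30061 in the quoted doc).
resource "null_resource" "named_port" {
  triggers = {
    ig = local.ig_url
  }

  provisioner "local-exec" {
    command = "gcloud compute instance-groups set-named-ports ${local.ig_name} --zone ${local.ig_zone} --named-ports http:30061"
  }
}

# The instance group shares the managed group's name; its self_link is what
# the backend service's backend.group expects.
data "google_compute_instance_group" "nodes" {
  name       = local.ig_name
  zone       = local.ig_zone
  depends_on = [null_resource.named_port]
}

resource "google_compute_http_health_check" "default" {
  name         = "primary-http-hc"  # hypothetical name
  port         = 30061              # same nodePort the named port points at
  request_path = "/healthz"         # assumption: Pods answer 200 here
}

# port_name must match the named port set above ("http"); this is the
# portName field of the BackendService the answer mentions.
resource "google_compute_backend_service" "default" {
  name          = "primary-backend"  # hypothetical name
  port_name     = "http"
  protocol      = "HTTP"
  health_checks = [google_compute_http_health_check.default.self_link]

  backend {
    group = data.google_compute_instance_group.nodes.self_link
  }
}
```

A firewall rule that lets the GCE load balancer and health-check ranges reach the node port is still required and is left out here; the local-exec step also runs with whatever gcloud credentials the Terraform runner holds, so that account needs compute.instanceGroups.update on the group.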