This repository contains the infrastructure code and tools that set up a fleet of GKE clusters with Anthos Connect Gateway in a fully IaC-driven way.

- `terraform` folder contains the code required to provision the infrastructure
- `gke-connect-agent-generator` folder contains a tool for generating GKE Connect Agent manifests for the clusters in a fleet. The Agent is required for Connect Gateway operation.
- `gke-connect-gateway-generator` folder contains a tool for generating the Anthos Connect Gateway `ClusterRole` and `ClusterRoleBinding` manifests required for Connect Gateway operation.
- Provision the demo infrastructure with Terraform:
  - enter the `terraform` directory
  - create a `terraform.tfvars` file (check the terraform README for more details)
  - run `terraform apply`
- Set your GKE fleet project identifier in gcloud and as an environment variable:

  ```
  gcloud config set project my-project-id
  export FLEET_PROJECT_ID=my-project-id
  ```

- Clone the Anthos Config Management repository:

  ```
  gcloud source repos clone gke-config-management
  ```

- Use the `gke-connect-agent-generator` script to generate the manifest files for the Connect Agent:

  ```
  python gke-connect-agent-generator/gke-connect-agent-generator.py -p $FLEET_PROJECT_ID -d gke-config-management
  ```

- Use the `gke-connect-gateway-generator` script to generate the manifest files for Connect Gateway authentication. NOTE: adjust the Google Account identifiers of your users in the example below.

  ```
  python gke-connect-gateway-generator/gke-connect-gateway-generator.py -u john@mydomain.com -u jane@mydomain.com -d gke-config-management
  ```

- Commit the generated files to the config management repository:

  ```
  cd gke-config-management
  git add .
  git commit -m "connect-gateway-demo"
  git push -u origin main
  ```

- Wait for the GKE clusters to synchronize the configuration.
- Get the cluster credentials from GKE Hub and enjoy!

  ```
  gcloud container hub memberships get-credentials cluster-one
  gcloud container hub memberships get-credentials cluster-two
  ```
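The Connect Gateway authentication manifests that the `gke-connect-gateway-generator` step produces follow a simple shape; the script below is an added example (not the repository's own generator) that builds them for a list of users. It assumes the usual Connect Gateway impersonation pattern (the agent's `connect-agent-sa` ServiceAccount in the `gke-connect` namespace must be allowed to impersonate each gateway user) and makes the role granted to users a parameter, defaulting to the built-in read-only `view`, so the grant stays minimal; validating the identifiers first keeps a typo from binding an unintended identity.

```python
"""Build Connect Gateway RBAC manifests for a list of Google Account users.
Added example, not the repository's generator. Assumes the usual Connect Gateway
impersonation pattern (agent ServiceAccount connect-agent-sa in namespace gke-connect
must be allowed to impersonate each user); the role granted to users is a parameter
defaulting to the built-in read-only 'view' so the grant can stay minimal.
"""
import json
import re

AGENT_SA = {"kind": "ServiceAccount", "name": "connect-agent-sa", "namespace": "gke-connect"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_users(users):
    """Reject malformed identifiers and drop duplicates before they reach a manifest."""
    cleaned = sorted({u.strip() for u in users})
    bad = [u for u in cleaned if not EMAIL_RE.match(u)]
    if bad:
        raise ValueError(f"invalid user identifiers: {bad}")
    return cleaned


def gateway_rbac_manifests(users, cluster_role="view"):
    """Return the impersonation ClusterRole and the two ClusterRoleBindings as dicts."""
    users = validate_users(users)
    rbac = "rbac.authorization.k8s.io"
    def role_ref(name):
        return {"apiGroup": rbac, "kind": "ClusterRole", "name": name}
    impersonate_role = {
        "apiVersion": f"{rbac}/v1", "kind": "ClusterRole",
        "metadata": {"name": "gateway-impersonate"},
        "rules": [{"apiGroups": [""], "resources": ["users"],
                   "resourceNames": users, "verbs": ["impersonate"]}],
    }
    impersonate_binding = {
        "apiVersion": f"{rbac}/v1", "kind": "ClusterRoleBinding",
        "metadata": {"name": "gateway-impersonate"},
        "roleRef": role_ref("gateway-impersonate"), "subjects": [AGENT_SA],
    }
    user_binding = {
        "apiVersion": f"{rbac}/v1", "kind": "ClusterRoleBinding",
        "metadata": {"name": f"gateway-{cluster_role}"},
        "roleRef": role_ref(cluster_role),
        "subjects": [{"apiGroup": rbac, "kind": "User", "name": u} for u in users],
    }
    return [impersonate_role, impersonate_binding, user_binding]


if __name__ == "__main__":  # JSON manifests are accepted by kubectl and Config Sync
    print("\n".join(json.dumps(m, indent=2) for m in gateway_rbac_manifests(["john@mydomain.com", "jane@mydomain.com"])))
```

Review the `resourceNames` list in the generated ClusterRole before committing it: it is the complete set of identities the agent may impersonate on every cluster that syncs the repository.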
The infrastructure consists of N private GKE clusters registered as fleet members. The fleet uses Config Sync with a Git repository provided by Source Code Repositories.
Optionally, a bastion host with a public IP address can be provisioned in the same VPC network for troubleshooting purposes.