GCP+GKE Deep Dive Part 1: Initial App Development

Go to Part 2: https://speakerdeck.com/premist/gcp-plus-gke-deep-dive-part-2-advanced-cluster-management/

Deploying a service on GKE can be confusing when you first start using it. This session walks in detail through creating a GKE cluster and deploying a first application with the help of several GCP services, and then introduces cluster management techniques that help run the service reliably once it is deployed.

Part 1: Initial App Deployment
When deploying an application to Google Kubernetes Engine for the first time, it is often unclear where to start and what to watch out for when creating and configuring the cluster. And even when you want to make good use of the many services Google Cloud offers, there are limits to the use cases and tutorials you can find.

The first part of this session uses the example of deploying GitLab CE Omnibus, a source-code hosting and collaboration application, to Google Kubernetes Engine (GKE) to look at strategies for deploying a reasonably large application on GKE. Instead of hosting PostgreSQL and Redis on GKE directly, it creates Cloud SQL and Cloud Memorystore instances, the managed services Google Cloud provides for each, and explains in detail how to connect to each of them from inside GKE.

Prerequisites: the session assumes an understanding of containers and of a typical application deployment process. It uses the Google Cloud SDK and the Kubernetes CLI, so familiarity with command-line tools will make the content easier to follow.

Minku Lee

June 29, 2018

Transcript

  1. 3.

    PART 1 Initial App Deployment: let's deploy GitLab CE on GCP+GKE
    PART 2 Advanced Cluster Management: introduces several cluster operation techniques
    (13:00-13:50, 14:00-14:50)
  9. 19.

    Architecture diagram: GitLab Deployment (multiple Pods) -> GitLab Service -> GitLab Ingress (GLBC, Cloud HTTP(S) Load Balancer); Postgres on a Cloud SQL instance; Redis on a Cloud Memorystore instance; everything running on Kubernetes Engine inside Google Cloud Platform.
  12. 23.

    $ gcloud container clusters create hello-gke \
        --project=shakr-openinfra-demo \
        --zone=asia-northeast1-b \
        --cluster-version=1.10.4-gke.2 \
        --machine-type=n1-standard-1 \
        --num-nodes=3 \
        --enable-ip-alias \
        --enable-autorepair
  13. 26.

    $ gcloud container clusters create hello-gke \
        --project=shakr-openinfra-demo \
        --zone=asia-east1-b \
        --cluster-version=1.10.4-gke.2 \
        --machine-type=n1-standard-1 \
        --num-nodes=3 \
        --enable-ip-alias \
        --enable-autorepair
  14. 27.

    Creating cluster hello-gke...done.
    Created [https://container.googleapis.com/v1/projects/shakr-openinfra-demo/zones/asia-northeast1-b/clusters/hello-gke].
    NAME       LOCATION           MASTER_VERSION  MASTER_IP
    hello-gke  asia-northeast1-b  1.10.4-gke.2    35.200.25.152
  16. 29.

    $ gcloud sql instances create gitlab-postgresql \
        --availability-type=regional \
        --cpu=1 \
        --memory=4GiB \
        --database-version=POSTGRES_9_6 \
        --region=asia-east1 \
        --storage-size=10GB \
        --storage-type=SSD \
        --storage-auto-increase

    $ gcloud sql users create gitlab % \
        --instance=gitlab-postgresql \
        --password=mySecurePassword!

    Creating the Cloud SQL instance and a database user. A password given on the command line lands in the shell history and is visible in the process list while the command runs, so on a shared machine prefer to have gcloud prompt for it.
  18. 34.

    # Grant the Cloud SQL Client role to the Service Account
    $ gcloud projects add-iam-policy-binding $PROJECT \
        --member="serviceAccount:$EMAIL" \
        --role="roles/cloudsql.client"

    # Grant the Cloud Storage Admin role to the Service Account
    $ gcloud projects add-iam-policy-binding $PROJECT \
        --member="serviceAccount:$EMAIL" \
        --role="roles/storage.admin"

    Granting permissions. roles/storage.admin bound at project level gives the account full control of every bucket and object in the project; if GitLab only needs particular buckets, binding a narrower role on those buckets is the least-privilege option.
  19. 36.

    {
      "type": "service_account",
      "project_id": "shakr-openinfra-demo",
      "private_key_id": "1234567890abcdef1234567890",
      "private_key": "-----BEGIN PRIVATE KEY-----\n....\n-----END PRIVATE KEY-----\n",
      "client_email": "gitlab@shakr-openinfra-demo.iam.gserviceaccount.com",
      "client_id": "12345678901234567890",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://accounts.google.com/o/oauth2/token",
      ...
    }

    Service Account key file (JSON). The private_key field is the credential itself, so the whole file has to be handled as a secret.
  21. 41.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: gitlab
      labels:
        app: gitlab
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: gitlab
      template:
        metadata:
          labels:
            app: gitlab
        spec:
          containers:
          - name: gitlab
            image: gitlab/gitlab-ce:latest
            resources:
              requests:
                cpu: "0.5"
                memory: 1Gi
            env:
            - name: GITLAB_OMNIBUS_CONFIG
              value: ...

    deployment.yml: the Deployment spec wraps the Pod spec (template). spec.selector.matchLabels must match the template labels exactly; a typo such as apps: instead of app: makes the API server reject the Deployment. Pinning the image to a release tag or digest instead of :latest keeps rollouts reproducible.
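As an added example (not code from the slides), the following Python checks catch the Deployment-manifest mistakes that matter most at this step: a selector that does not match the Pod template labels, which the API server rejects outright, an image that resolves to the mutable latest tag, and a container without resource requests. The manifest is the slide's deployment.yml rebuilt as a dict; the release tag used in the pinned variant is assumed for illustration.

```python
"""Static checks for a Kubernetes Deployment manifest.

Added example, not code from the original slides. Manifests are plain dicts
(what json.load or yaml.safe_load would give you), so no cluster is needed.
"""
import copy

# The slide's deployment.yml rebuilt as a dict (constructed here; the
# GITLAB_OMNIBUS_CONFIG value is left out because the slide elides it).
GITLAB_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "gitlab", "labels": {"app": "gitlab"}},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "gitlab"}},
        "template": {
            "metadata": {"labels": {"app": "gitlab"}},
            "spec": {
                "containers": [
                    {
                        "name": "gitlab",
                        "image": "gitlab/gitlab-ce:latest",
                        "resources": {"requests": {"cpu": "0.5", "memory": "1Gi"}},
                    }
                ]
            },
        },
    },
}


def _containers(deployment):
    return deployment["spec"]["template"]["spec"].get("containers", [])


def check_selector(deployment):
    """spec.selector.matchLabels must be a subset of the template labels.

    Kubernetes rejects the Deployment otherwise ("selector does not match
    template labels"), which is exactly what an `apps:` vs `app:` typo does.
    """
    wanted = deployment["spec"]["selector"].get("matchLabels", {})
    present = deployment["spec"]["template"]["metadata"].get("labels", {})
    return [
        f"selector label {k}={v} is not set on the pod template"
        for k, v in wanted.items()
        if present.get(k) != v
    ]


def image_tag(image):
    """Return the tag of an image reference, or None when pinned by digest.

    The tag is what follows the last ':' of the final path component, so a
    registry port such as gcr.io:443/foo is not mistaken for a tag.
    """
    if "@sha256:" in image:
        return None
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else "latest"  # no tag means latest


def check_images(deployment):
    """Flag images that resolve to the mutable 'latest' tag."""
    return [
        f"container {c['name']} uses mutable tag 'latest' ({c['image']})"
        for c in _containers(deployment)
        if image_tag(c["image"]) == "latest"
    ]


def check_requests(deployment):
    """Flag containers without resource requests (the scheduler cannot size them)."""
    return [
        f"container {c['name']} has no resource requests"
        for c in _containers(deployment)
        if not c.get("resources", {}).get("requests")
    ]


def lint_deployment(deployment):
    return check_selector(deployment) + check_images(deployment) + check_requests(deployment)


# Variant 1: the label typo (template says `apps:`), which the API server rejects.
TYPO_DEPLOYMENT = copy.deepcopy(GITLAB_DEPLOYMENT)
TYPO_DEPLOYMENT["spec"]["template"]["metadata"]["labels"] = {"apps": "gitlab"}

# Variant 2: image pinned to a release tag (tag assumed for illustration).
PINNED_DEPLOYMENT = copy.deepcopy(GITLAB_DEPLOYMENT)
PINNED_DEPLOYMENT["spec"]["template"]["spec"]["containers"][0]["image"] = "gitlab/gitlab-ce:11.0.0-ce.0"

if __name__ == "__main__":
    for label, d in [("slide", GITLAB_DEPLOYMENT), ("typo", TYPO_DEPLOYMENT), ("pinned", PINNED_DEPLOYMENT)]:
        print(label, lint_deployment(d) or "ok")
```

Run it before `kubectl apply`; the slide's manifest passes the selector check and is only flagged for the :latest tag, while the typo variant is reported before the API server would reject it.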
  23. 44.

    Cloud SQL Proxy
    • Unlike Memorystore, Cloud SQL cannot be reached directly over a VPC IP; access works by whitelisting public IP ranges (*1), which is awkward to use from a GKE cluster
    • With Cloud SQL Proxy you can open a local proxy to the instance using a Service Account that holds the Cloud SQL Client role
    • Developed by Google; distributed as a binary and as a Docker image
  25. 46.

    spec:
      containers:
      - name: gitlab
        image: gitlab/gitlab-ce:latest
      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy
        command: ["/cloud_sql_proxy", "-instances=..."]

    deployment.yml (pod spec): the proxy runs as a sidecar container in the same Pod, so GitLab reaches Cloud SQL through localhost.
  26. 47.

    spec:
      containers:
      - name: gitlab
        image: gitlab/gitlab-ce:latest
        env:
        - name: GITLAB_OMNIBUS_CONFIG
          value: ...
      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy
        command: ["/cloud_sql_proxy", "-instances=..."]
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: ...

    deployment.yml (pod spec): the proxy needs the Service Account key, and GITLAB_OMNIBUS_CONFIG carries the database credentials, so neither value belongs literally in the manifest.
  30. 52.

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secrets
    type: Opaque
    data:
      GOOGLE_CLOUD_KEYFILE_JSON: <base64 encoded string>
      SENTRY_DSN: <base64 encoded string>

    secret.example.yml
  31. 53.

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secrets
    type: Opaque
    data:
      GOOGLE_CLOUD_KEYFILE_JSON: eyJseXJpY3MiOiAiV2UncmUgbm8gc3RyYW5nZXJzIHRvIGxvdmUNCllvdSBrbm93IHRoZSBydWxlcyBhbmQgc28gZG8gSQ0KQSBmdWxsIGNvbW1pdG1lbnQncyB3aGF0IEknbSB0aGlua2luZyBvZg0KWW91IHdvdWxkbid0IGdldCB0aGlzIGZyb20gYW55IG90aGVyIGd1eQ0KSSBqdXN0IHdhbm5hIHRlbGwgeW91IGhvdyBJJ20gZmVlbGluZw0KR290dGEgbWFrZSB5b3UgdW5kZXJzdGFuZA0KTmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXANCk5ldmVyIGdvbm5hIGxldCB5b3UgZG93bg0KTmV2ZXIgZ29ubmEgcnVuIGFyb3VuZCBhbmQgZGVzZXJ0IHlvdQ0KTmV2ZXIgZ29ubmEgbWFrZSB5b3UgY3J5DQpOZXZlciBnb25uYSBzYXkgZ29vZGJ5ZQ0KTmV2ZXIgZ29ubmEgdGVsbCBhIGxpZSBhbmQgaHVydCB5b3UifQ==
      SENTRY_DSN: aHR0cHM6Ly9yaWNrOmFzaGxleUBuZXZlcmdvbm5hZ2l2ZXlvdS51cDo1MzIxNA==

    secret.example.yml: the data values are base64-encoded, not encrypted, so anyone allowed to read the Secret object can decode them.
  32. 54.

    $ kubectl create secret generic gitlab-config \
        --from-literal=redis_host=10.0.0.3 \
        --from-file=./artifacts/gitlab.rb \
        --from-file=./artifacts/serviceaccount.json

    Creating the Secret with kubectl. Each --from-file entry becomes a key named after the file (gitlab.rb, serviceaccount.json) and kubectl does the base64 encoding.
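As an added example (not code from the slides), the Python below shows what the data field of a Secret really is: base64 of the raw bytes, exactly what kubectl create secret generic --from-file and --from-literal produce, and reversible by anyone allowed to read the object. It decodes the secret.example.yml values from the slide above and checks whether the decoded GOOGLE_CLOUD_KEYFILE_JSON has the shape of a Service Account key, which is a cheap guard against mounting the wrong file into the proxy. The placeholder key at the bottom is constructed for this example and is not a real credential.

```python
"""Decode, build and sanity-check Kubernetes Secret data.

Added example, not code from the original slides. Secret.data values are
base64, not ciphertext: `kubectl get secret -o json` plus base64 -d recovers
them, so RBAC on Secrets is all that stands between a reader and the key.
"""
import base64
import json

# secret.example.yml from the slide as a dict (constructed here from the slide).
SLIDE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "my-secrets"},
    "type": "Opaque",
    "data": {
        "GOOGLE_CLOUD_KEYFILE_JSON": (
            "eyJseXJpY3MiOiAiV2UncmUgbm8gc3RyYW5nZXJzIHRvIGxvdmUNCllvdSBr"
            "bm93IHRoZSBydWxlcyBhbmQgc28gZG8gSQ0KQSBmdWxsIGNvbW1pdG1lbnQncyB3aGF0IEknbSB0aGlua2luZyBvZ"
            "g0KWW91IHdvdWxkbid0IGdldCB0aGlzIGZyb20gYW55IG90aGVyIGd1eQ0KSSBqdXN0IHdhbm5hIHRlbGwgeW91IG"
            "hvdyBJJ20gZmVlbGluZw0KR290dGEgbWFrZSB5b3UgdW5kZXJzdGFuZA0KTmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXA"
            "NCk5ldmVyIGdvbm5hIGxldCB5b3UgZG93bg0KTmV2ZXIgZ29ubmEgcnVuIGFyb3VuZCBhbmQgZGVzZXJ0IHlvdQ0K"
            "TmV2ZXIgZ29ubmEgbWFrZSB5b3UgY3J5DQpOZXZlciBnb25uYSBzYXkgZ29vZGJ5ZQ0KTmV2ZXIgZ29ubmEgdGVsb"
            "CBhIGxpZSBhbmQgaHVydCB5b3UifQ=="
        ),
        "SENTRY_DSN": "aHR0cHM6Ly9yaWNrOmFzaGxleUBuZXZlcmdvbm5hZ2l2ZXlvdS51cDo1MzIxNA==",
    },
}


def decode_secret(secret):
    """Return {key: bytes} for every entry in Secret.data."""
    return {k: base64.b64decode(v) for k, v in secret.get("data", {}).items()}


def build_secret(name, files, literals=None):
    """Build the Secret that `kubectl create secret generic` would produce.

    `files` maps key (the file's basename) to its raw bytes; `literals` maps
    key to str. Everything is base64-encoded, nothing is encrypted.
    """
    data = {k: base64.b64encode(v).decode("ascii") for k, v in files.items()}
    for k, v in (literals or {}).items():
        data[k] = base64.b64encode(v.encode("utf-8")).decode("ascii")
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": data}


REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri")


def validate_service_account_key(raw):
    """Return a list of problems; empty means `raw` looks like a GCP SA key.

    Only the shape is checked (fields, PEM framing, address suffix); a key
    that passes can still be revoked or belong to the wrong account.
    strict=False lets json accept raw newlines inside strings, as in the
    slide's payload, so that the field checks run on it too.
    """
    try:
        key = json.loads(raw, strict=False)
    except ValueError:
        return ["not valid JSON"]
    if not isinstance(key, dict):
        return ["not a JSON object"]
    problems = [f"missing field {f}" for f in REQUIRED_KEY_FIELDS if f not in key]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    pem = key.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PRIVATE KEY block")
    if not key.get("client_email", "").endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


# A placeholder key with the right shape (constructed; not a real credential).
PLACEHOLDER_KEY = json.dumps({
    "type": "service_account",
    "project_id": "shakr-openinfra-demo",
    "private_key_id": "1234567890abcdef1234567890",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gitlab@shakr-openinfra-demo.iam.gserviceaccount.com",
    "client_id": "12345678901234567890",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
}).encode("utf-8")


def check_mounted_keyfile(secret, key="GOOGLE_CLOUD_KEYFILE_JSON"):
    """Validate the SA key inside a Secret before it is mounted into the proxy."""
    data = decode_secret(secret)
    if key not in data:
        return [f"secret has no key {key}"]
    return validate_service_account_key(data[key])


if __name__ == "__main__":
    # The slide's Secret decodes fine but does not contain a key at all.
    print(decode_secret(SLIDE_SECRET)["SENTRY_DSN"].decode())
    print(check_mounted_keyfile(SLIDE_SECRET))
    # What `kubectl create secret generic gitlab-config --from-file=...` builds.
    built = build_secret("gitlab-config", {"serviceaccount.json": PLACEHOLDER_KEY},
                         {"redis_host": "10.0.0.3"})
    print(check_mounted_keyfile(built, key="serviceaccount.json"))
```

The same check can run as an admission or CI step on the rendered Secret: if serviceaccount.json does not validate, the cloudsql-proxy sidecar would start with a useless credential and fail only at the first database connection.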
  33. 55.

    spec:
      containers:
      - name: gitlab
        image: gitlab/gitlab-ce:latest
        env:
        - name: GITLAB_OMNIBUS_CONFIG
          valueFrom:
            secretKeyRef:
              name: gitlab-config
              key: gitlab.rb
      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy
        command: ["/cloud_sql_proxy", "-instances=..."]
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /mnt/config/serviceaccount.json
        volumeMounts:
        - name: config
          mountPath: /mnt/config
          readOnly: true
      volumes:
      - name: config
        secret:
          secretName: gitlab-config

    deployment.yml (pod spec): GITLAB_OMNIBUS_CONFIG is read from the Secret key gitlab.rb, and the Service Account key reaches the proxy as a read-only file mounted from the same Secret. Mounting the whole Secret also exposes gitlab.rb and redis_host under /mnt/config; the items field of the secret volume can limit the mount to serviceaccount.json alone.
  38. 63.

    $ gcloud compute disks create my-disk \
        --size=10GB \
        --type=pd-ssd \
        --zone asia-east1-a \
        ...

    Creating a Compute Engine Persistent Disk. A zonal disk can only be attached to nodes in the same zone, so the zone has to match the cluster's zone.
  42. 71.

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: gitlab-data
    spec:
      accessModes:
      - ReadWriteOnce
      storageClassName: ssd
      resources:
        requests:
          storage: 50Gi

    pvc.yml: storageClassName refers to a StorageClass named ssd that must already exist in the cluster (GKE's built-in class is standard, backed by pd-standard).
  43. 72.

    spec:
      containers:
      - name: gitlab
        image: gitlab/gitlab-ce:latest
        env:
        - name: GITLAB_OMNIBUS_CONFIG
          valueFrom:
            secretKeyRef:
              name: gitlab-config
              key: gitlab.rb
        volumeMounts:
        - name: gitlab-data
          mountPath: /var/opt/gitlab
      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy
        command: ["/cloud_sql_proxy", "-instances=..."]
        env:
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /mnt/config/serviceaccount.json
        volumeMounts:
        - name: config
          mountPath: /mnt/config
          readOnly: true
      volumes:
      - name: gitlab-data
        persistentVolumeClaim:
          claimName: gitlab-data
      - name: config
        secret:
          secretName: gitlab-config

    deployment-with-pvc.yml (pod spec): GitLab's data directory /var/opt/gitlab is backed by the claim. Because the claim is ReadWriteOnce, only one node can mount the disk at a time, which in practice limits the Deployment to a single replica.
  46. 79.

    Service
    • Defines how a particular set of Pods is reached inside the Kubernetes cluster
    • NodePort type: allocates a port on every Worker Node
    • LoadBalancer type: creates a TCP Load Balancer (on GCP)
    • Both Internal and External are supported
  47. 81.

    apiVersion: v1
    kind: Service
    metadata:
      name: gitlab
    spec:
      selector:
        app: gitlab
      ports:
      - port: 80
        protocol: TCP
        name: http
      type: NodePort

    service.yml
  49. 83.

    apiVersion: v1
    kind: Service
    metadata:
      name: gitlab
    spec:
      selector:
        app: gitlab
      ports:
      - port: 80
        protocol: TCP
        name: http
      - port: 443
        protocol: TCP
        name: https
      type: NodePort

    service-multiport.yml
  50. 84.

    Ingress
    • A resource that connects a Service to the public internet
    • Not strictly necessary if the Service uses type=LoadBalancer
    • A separate controller handles the routing (NGINX, Traefik, …)
    • On GKE the Cloud HTTP(S) Load Balancer is used
    • Supports IPv6, SSL termination, CDN, HTTP->HTTPS redirect and other features (BETA)
  52. 86.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: gitlab
      namespace: default
    spec:
      tls:
      - secretName: tls-gitlab
      backend:
        serviceName: gitlab
        servicePort: 80

    ingress.yml: tls-gitlab must be a Secret of type kubernetes.io/tls holding tls.crt and tls.key. The load balancer terminates TLS and forwards plain HTTP to the Service on port 80; without further settings it keeps serving port 80 to clients as well.
  54. 89.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: gitlab
      namespace: default
      annotations:
        kubernetes.io/ingress.allow-http: "false"
    spec:
      tls:
      - secretName: tls-gitlab
      backend:
        serviceName: gitlab
        servicePort: 80

    ingress.yml: with allow-http set to "false" the load balancer no longer listens on port 80, so the site is HTTPS-only.
  55. 90.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: gitlab
      namespace: default
      annotations:
        kubernetes.io/ingress.allow-http: "false"
        kubernetes.io/ingress.global-static-ip-name: "gitlab"
    spec:
      tls:
      - secretName: tls-gitlab
      backend:
        serviceName: gitlab
        servicePort: 80

    ingress.yml: global-static-ip-name binds the load balancer to a reserved global static IP address named gitlab, so the address survives recreating the Ingress.
  59. 95.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: gitlab
      namespace: default
    spec:
      tls:
      - secretName: tls-a
      - secretName: tls-b
      rules:
      - host: a.example.com
        http:
          paths:
          - backend:
              serviceName: a
              servicePort: 80
      - host: b.example.com
        http:
          paths:
          - backend:
              serviceName: b
              servicePort: 80

    ingress-advanced.yml: one Ingress routing two hostnames to different Services, each with its own TLS certificate.
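As an added example (not code from the slides), the following Python turns the Ingress settings from the slides above into pre-flight checks over an Ingress dict and the Secrets and Services it references: every tls.secretName must resolve to a kubernetes.io/tls Secret in the same namespace carrying tls.crt and tls.key; once TLS is configured, allow-http should be "false" so port 80 is not served in the clear; and each backend must be a NodePort (or LoadBalancer) Service that actually exposes the servicePort, which is what the GCE ingress controller requires. The certificate and key bytes in the sample Secret are placeholders, not a real certificate.

```python
"""Pre-flight checks for a GKE (GLBC) Ingress and the objects it references.

Added example, not code from the original slides. Inputs are manifests as
dicts; nothing talks to a cluster.
"""


def _ns(obj):
    return obj["metadata"].get("namespace", "default")


def _index(objs):
    return {(_ns(o), o["metadata"]["name"]): o for o in objs}


def _backends(ingress):
    """Yield every backend dict: the default one plus all rule paths."""
    spec = ingress["spec"]
    if "backend" in spec:
        yield spec["backend"]
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            yield path["backend"]


def check_tls(ingress, secrets):
    """TLS secrets must exist, be of type kubernetes.io/tls and carry cert and key."""
    problems = []
    by_name = _index(secrets)
    for entry in ingress["spec"].get("tls", []):
        name = entry["secretName"]
        secret = by_name.get((_ns(ingress), name))
        if secret is None:
            problems.append(f"tls secret {name} not found in namespace {_ns(ingress)}")
            continue
        if secret.get("type") != "kubernetes.io/tls":
            problems.append(f"tls secret {name} is type {secret.get('type')}, not kubernetes.io/tls")
        problems += [f"tls secret {name} is missing {k}"
                     for k in ("tls.crt", "tls.key") if k not in secret.get("data", {})]
    return problems


def check_http_disabled(ingress):
    """With TLS configured, allow-http must be "false" or port 80 is still served in clear."""
    if not ingress["spec"].get("tls"):
        return ["no spec.tls: the load balancer serves HTTP only"]
    ann = ingress["metadata"].get("annotations", {})
    if ann.get("kubernetes.io/ingress.allow-http") != "false":
        return ['kubernetes.io/ingress.allow-http is not "false": port 80 is still served']
    return []


def check_backends(ingress, services):
    """Each backend must be a NodePort/LoadBalancer Service exposing servicePort."""
    problems = []
    by_name = _index(services)
    for backend in _backends(ingress):
        name, port = backend["serviceName"], backend["servicePort"]
        svc = by_name.get((_ns(ingress), name))
        if svc is None:
            problems.append(f"backend service {name} not found")
            continue
        svc_type = svc["spec"].get("type", "ClusterIP")
        if svc_type not in ("NodePort", "LoadBalancer"):
            problems.append(f"service {name} is {svc_type}; GLBC needs NodePort")
        if not any(port in (p.get("port"), p.get("name")) for p in svc["spec"].get("ports", [])):
            problems.append(f"service {name} does not expose port {port}")
    return problems


def preflight(ingress, secrets, services):
    return check_tls(ingress, secrets) + check_http_disabled(ingress) + check_backends(ingress, services)


# Sample objects constructed from the slides' service.yml and ingress.yml.
GITLAB_SERVICE = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "gitlab"},
                  "spec": {"selector": {"app": "gitlab"}, "type": "NodePort",
                           "ports": [{"port": 80, "protocol": "TCP", "name": "http"}]}}

# Placeholder cert/key bytes (base64 of "PLACEHOLDER"); not a real certificate.
TLS_GITLAB = {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
              "metadata": {"name": "tls-gitlab"},
              "data": {"tls.crt": "UExBQ0VIT0xERVI=", "tls.key": "UExBQ0VIT0xERVI="}}


def slide_ingress(annotations=None, secret="tls-gitlab"):
    """ingress.yml from the slides, optionally with annotations."""
    ing = {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
           "metadata": {"name": "gitlab", "namespace": "default"},
           "spec": {"tls": [{"secretName": secret}],
                    "backend": {"serviceName": "gitlab", "servicePort": 80}}}
    if annotations:
        ing["metadata"]["annotations"] = annotations
    return ing


HTTPS_ONLY = {"kubernetes.io/ingress.allow-http": "false"}

if __name__ == "__main__":
    print(preflight(slide_ingress(), [TLS_GITLAB], [GITLAB_SERVICE]))           # port 80 still open
    print(preflight(slide_ingress(HTTPS_ONLY), [TLS_GITLAB], [GITLAB_SERVICE]))  # clean
```

The first slide version of ingress.yml (TLS but no annotation) is reported for still serving port 80; the version with allow-http "false" passes, provided the tls-gitlab Secret and the NodePort Service exist in the same namespace.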