feat: Added Landing Zone example for an HTTPS Load Balancer. (GoogleC…

…loudPlatform#565) * Added Landing Zone example for an HTTPS Load Balancer. * Fixed new line character at the EOF linter errors. * Fixed new line character at the EOF linter error in setters.yaml
obriensystems · Oct 19, 2023 · 6260c22 · 6260c22
1 parent dde8eb7
commit 6260c22
Show file tree

Hide file tree

Showing 9 changed files with 280 additions and 0 deletions.
diff --git a/...es/landing-zone-v2/configconnector/tier3/https-external-load-balancer/README.md b/...es/landing-zone-v2/configconnector/tier3/https-external-load-balancer/README.md
@@ -0,0 +1,27 @@
+# External HTTPS Load Balancer
+
+This example creates components of a simple external HTTPS load balancer with its backend service provided by a managed instance group (created in tier4). The load balancer uses existing Cloud Armor policy, SSL Certificate, and SSL Policy.
+
+![img](https://cloud.google.com/static/load-balancing/images/https-load-balancer-simple.svg)
+
+[https://cloud.google.com/load-balancing/docs/https/setup-global-ext-https-compute](https://cloud.google.com/load-balancing/docs/https/setup-global-ext-https-compute)
+
+## IAM
+The following permissions are required on the project for the tier3-sa in order to manage load balancer resources:
+
+```yaml
+# iam-elb.yaml
+# Grant GCP role Compute Security Admin to tier3-sa GCP SA for load balancer resources
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+  name: project-id-tier3-sa-lbadmin-permissions # kpt-set: ${project-id}-tier3-sa-lbadmin-permissions
+  annotations:
+    cnrm.cloud.google.com/ignore-clusterless: "true"
+spec:
+  resourceRef:
+    kind: Project
+    external: projects/project-id # kpt-set: projects/${project-id}
+  role: roles/compute.loadBalancerAdmin
+  member: "serviceAccount:[email protected]" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
+```
diff --git a/examples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/address.yaml b/examples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/address.yaml
@@ -0,0 +1,27 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+# reserve an external IP address for the load balancer
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeAddress
+metadata:
+  name: workload-name-external-ip # kpt-set: ${workload-name}-external-ip
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+spec:
+  resourceID: workload-name-external-ip # kpt-set: ${workload-name}-external-ip
+  description: external IP for workload-name # kpt-set: external IP for ${workload-name}
+  addressType: EXTERNAL
+  ipVersion: IPV4
+  location: global
diff --git a/...s/landing-zone-v2/configconnector/tier3/https-external-load-balancer/backend-service.yaml b/...s/landing-zone-v2/configconnector/tier3/https-external-load-balancer/backend-service.yaml
@@ -0,0 +1,60 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+# create the backend service to attach to an existing mig and cloud armor policy
+# also configure CDN defaults
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeBackendService
+metadata:
+  name: workload-name-backend-service # kpt-set: ${workload-name}-backend-service
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+spec:
+  resourceID: workload-name-backend-service # kpt-set: ${workload-name}-backend-service
+  # set a mig created from tier4 as backend
+  backend:
+    - balancingMode: RATE
+      capacityScaler: 0.9
+      maxRate: 10000
+      group:
+        instanceGroupRef:
+          # when using a MIG, the external ref must be used and is pointing to its 'instanceGroup' value
+          external: https://www.googleapis.com/compute/v1/projects/project-id/zones/northamerica-northeast1-a/instanceGroups/workload-name-instance-group-manager # kpt-set: https://www.googleapis.com/compute/beta/projects/${project-id}/zones/northamerica-northeast1-a/instanceGroups/${workload-name}-instance-group-manager
+  cdnPolicy:
+    cacheKeyPolicy:
+      includeHost: true
+      includeProtocol: true
+      includeQueryString: true
+    cacheMode: CACHE_ALL_STATIC
+    clientTtl: 3600
+    defaultTtl: 3600
+    maxTtl: 86400
+    signedUrlCacheMaxAgeSec: 0
+  connectionDrainingTimeoutSec: 300
+  healthChecks:
+    - healthCheckRef:
+        name: workload-name-health-check-http # kpt-set: ${workload-name}-health-check-http
+  loadBalancingScheme: EXTERNAL_MANAGED
+  localityLbPolicy: ROUND_ROBIN
+  location: global
+  logConfig:
+    enable: true
+    sampleRate: 1
+  portName: http
+  protocol: HTTP
+  # set as target to an existing cloud armor policy
+  securityPolicyRef:
+    name: workload-name-security-policy # kpt-set: ${workload-name}-security-policy
+  sessionAffinity: NONE
+  timeoutSec: 30
diff --git a/examples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/elb.yaml b/examples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/elb.yaml
@@ -0,0 +1,27 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+# create the external load balancer's URL map
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeURLMap
+metadata:
+  name: workload-name-elb # kpt-set: ${workload-name}-elb
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+spec:
+  resourceID: workload-name-elb # kpt-set: ${workload-name}-elb
+  defaultService:
+    backendServiceRef:
+      name: workload-name-backend-service # kpt-set: ${workload-name}-backend-service
+  location: global
diff --git a/examples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/firewall.yaml b/examples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/firewall.yaml
@@ -0,0 +1,38 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+# fw rule for lb health check
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: project-id-workload-name-lb-health-check # kpt-set: ${project-id}-${workload-name}-lb-health-check
+  annotations:
+    cnrm.cloud.google.com/project-id: host-project-id # kpt-set: ${host-project-id}
+spec:
+  resourceID: project-id-workload-name-lb-health-check # kpt-set: ${project-id}-${workload-name}-lb-health-check
+  allow:
+    - protocol: tcp
+      ports:
+        - "80"
+  networkRef:
+    name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+    namespace: client-name-networking # kpt-set: ${client-name}-networking
+  sourceRanges:
+    - "35.191.0.0/16"
+    - "130.211.0.0/22"
+  targetServiceAccounts:
+    - name: workload-name-sa # kpt-set: ${workload-name}-sa
+      namespace: project-id-tier4 # kpt-set: ${project-id}-tier4
+  logConfig:
+    metadata: "INCLUDE_ALL_METADATA"
diff --git a/...s/landing-zone-v2/configconnector/tier3/https-external-load-balancer/forwarding-rule.yaml b/...s/landing-zone-v2/configconnector/tier3/https-external-load-balancer/forwarding-rule.yaml
@@ -0,0 +1,34 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+# the load balancer's forwarding rule
+# an org policy exception may be required depending on the loadBalancingScheme
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeForwardingRule
+metadata:
+  name: workload-name-forwarding-rule # kpt-set: ${workload-name}-forwarding-rule
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+spec:
+  resourceID: workload-name-forwarding-rule # kpt-set: ${workload-name}-forwarding-rule
+  ipAddress:
+    addressRef:
+      name: workload-name-external-ip # kpt-set: ${workload-name}-external-ip
+  ipProtocol: SSL
+  loadBalancingScheme: EXTERNAL_MANAGED
+  location: global
+  portRange: "443"
+  target:
+    targetHTTPSProxyRef:
+      name: workload-name-target-https-proxy # kpt-set: ${workload-name}-target-https-proxy
diff --git a/...ples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/health-check.yaml b/...ples/landing-zone-v2/configconnector/tier3/https-external-load-balancer/health-check.yaml
@@ -0,0 +1,32 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+# the backend service health check
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeHealthCheck
+metadata:
+  name: workload-name-health-check-http # kpt-set: ${workload-name}-health-check-http
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+spec:
+  resourceID: workload-name-health-check-http # kpt-set: ${workload-name}-health-check-http
+  checkIntervalSec: 15
+  healthyThreshold: 1
+  location: global
+  httpHealthCheck:
+    portSpecification: USE_SERVING_PORT
+    proxyHeader: NONE
+    requestPath: "/"
+  timeoutSec: 15
+  unhealthyThreshold: 3
diff --git a/...anding-zone-v2/configconnector/tier3/https-external-load-balancer/target-https-proxy.yaml b/...anding-zone-v2/configconnector/tier3/https-external-load-balancer/target-https-proxy.yaml
@@ -0,0 +1,33 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#########
+# the target proxy for the forwarding rule
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeTargetHTTPProxy
+metadata:
+  name: workload-name-target-https-proxy # kpt-set: ${workload-name}-target-https-proxy
+  annotations:
+    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
+spec:
+  location: global
+  # Disable QUIC - it is not in the current GoC/TBS/CSE list of approved technologies.
+  quicOverride: DISABLE
+  urlMapRef:
+    name: workload-name-elb # kpt-set: ${workload-name}-elb
+  # Use an existing SSL Certificate
+  sslCertificates:
+    - external: https://www.googleapis.com/compute/v1/projects/project-id/global/sslCertificates/cert-name # kpt-set: https://www.googleapis.com/compute/v1/projects/${project-id}/global/sslCertificates/${cert-name}
+  sslPolicyRef:
+    name: tls-1-2-computesslpolicy
+    namespace: project-id-tier3 # kpt-set: ${project-id}-tier3
diff --git a/examples/landing-zone-v2/setters.yaml b/examples/landing-zone-v2/setters.yaml
@@ -31,3 +31,5 @@ data:
   dns-name: "workload1.example.domain.com."
   # the name of the workload, lowercase only
   workload-name: workload1
+  # the name of the SSL certificate
+  cert-name: sample-cert