🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com
👉 How to Manage Secrets in Terraform - ruclips.net/video/3N0tGKwvBdA/видео.html
👉 Terraform Tips & Tricks - ruclips.net/video/7S94oUTy2z4/видео.html
👉 ArgoCD Tutorial - ruclips.net/video/zGndgdGa1Tc/видео.html
I've been into DevOps for barely two years now, and have just started using GCP due to a new client that we now have. Your videos are a lifesaver brother, thank you so much for the clear explanations and all the tutorials!
thank you so much, I'll refresh them soon
RUclips still processing HD version of this video, the quality should improve soon...
⏱️TIMESTAMPS⏱️
0:00 Intro
0:24 Define Terraform Google Provider
01:41 Create Terraform Locals Variables
04:42 Create Google Projects Using Terraform
06:06 Create Terraform google_compute_network
06:50 Create Terraform google_compute_subnetwork
08:10 Create Terraform google_compute_router
08:56 Create Terraform google_compute_router_nat
10:27 Create Terraform google_compute_shared_vpc_host_project
10:58 Create Terraform google_compute_shared_vpc_service_project
11:09 Create Terraform google_compute_subnetwork_iam_binding
11:38 Create Terraform google_project_iam_binding
12:05 Create Terraform google_service_account
12:48 Create Terraform google_container_cluster
14:53 Create Terraform google_container_node_pool
19:35 Deploy Nginx and Create Public Loadbalancer
22:25 Create Terraform google_compute_firewall
🔴UPDATED🔴 How to Create GKE Cluster Using TERRAFORM? (Google Kubernetes Engine & Workload Identity) - ruclips.net/video/X_IK0GBbBTw/видео.html
Very good content and presentation. Just necessary details!
Thanks
Super super video Anton !!! Thank you for your effort in making these kinds of videos. If you allow me, I would like to suggest you make a video on how to deploy Google Anthos using Ansible / Terraform; it would be a great addition to the very useful collection of videos. Currently I'm struggling to learn how to deal with all the init part of the Google SDK using Ansible. Best regards !
Thank you! I'll add it to my list :)
This is amazing content. Thank you for your hard work and sharing. Keep it up!
Thank you Ersan! Will do :)
Thanks so much, this is very good content
Glad you think so!
Very good stuff! Thanks!!
My pleasure! Code is here - github.com/antonputra/tutorials/tree/main/lessons/069
Very informative. I tried to create a GKE Autopilot cluster with shared VPC, but I got this exception repeatedly: “Error in creating a cluster; 0 nodes were created out of 1, cluster may be unhealthy”. I have verified the permissions on the GKE project service account, verified the terraform module and assigned the right permissions, but I still got the above exception. Any thoughts and suggestions on this error ?
I would focus on the permissions; make sure you have network and other access from the GKE and service project. Also, when granting permissions use the "*iam_member" terraform resource; it's non-authoritative and helps to add additional permissions in the future.
@@AntonPutra I have created a service project and assigned the necessary permission (container.googleapis.com), and I tried to create it with the assigned IP range for the GKE Autopilot resource. Here I’m able to create a GKE standard cluster without any issues, but while creating a GKE Autopilot cluster within the same service project with the same shared IP range I’m getting the exception “Error: Error waiting for creating GKE Cluster: All cluster resources were brought up, but only 0 nodes out of 1 have registered; cluster may be unhealthy”. Any references or directions to overcome this issue?
How would I get the value master_ipv4_cidr_block in the private_cluster_config ? Is this a predefined subnet in the host project ? Thank you for a great video. It was very helpful
It's not; it's an arbitrary private /28 subnet that Google uses to create the control plane for your GKE cluster.
Sorry, but how is this best practice with "private endpoint disabled"? Your master is totally open to attackers. Also I should emphasize that a "bastion host" should be used in a private cluster with a VPC-native network. Thanks for the video btw.
It’s a good point. I always use private endpoints with an OpenVPN server set up so that I can access the private IP. It was too much for one video to configure VPN, that’s why I decided to leave it out. My next tutorial is about OpenVPN.
@@AntonPutra I see, fair enough. It would be good then to at least mention referring to the "GKE hardening guide". Waiting for your next video.
@@arnoldwolfstein yeah, my mistake
@@AntonPutra no no, just a reminder.
@@AntonPutra thanks for sharing all this, your videos and source code are great! Would you be able to elaborate a bit more on this particular topic? (security concerns when private endpoint is disabled). I'm planning to use a very similar setup as the one you shared here for a staging deployment; and then create a separate GCP project for production. You said in another comment in this video that bastion might not be needed in GCP; what would then be the security suggestion to protect the k8s cluster when using a setup like the one you shared here? I don't see a problem if you keep GCP credentials secured, but maybe I'm missing something. Thanks!
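The hardened variant the thread above is asking for, as an added example rather than code from the video or its GitHub repository: the same private_cluster_config but with the private endpoint enabled and an authorized-networks allowlist, so the API server gets no public IP and only the VPN (or `gcloud compute ssh`) subnet can reach it. The cluster name, zone, network, subnetwork, secondary range names and CIDRs are assumptions; the /28 for master_ipv4_cidr_block is any unused RFC 1918 range, as Anton explains above.

```hcl
# Added example, not the tutorial's code. Every name and CIDR below is an
# assumption; "k8s-staging" is the service project named in the thread.
resource "google_container_cluster" "private" {
  name     = "private-staging"   # assumed cluster name
  location = "us-central1-a"     # assumed zone
  project  = "k8s-staging"       # service project from the video

  network    = "main"            # assumed shared VPC name in the host project
  subnetwork = "private"         # assumed shared subnet name

  remove_default_node_pool = true
  initial_node_count       = 1

  # VPC-native cluster: pods and services use the subnet's secondary ranges
  # (assumed range names; they must exist on the shared subnet).
  ip_allocation_policy {
    cluster_secondary_range_name  = "k8s-pod-range"
    services_secondary_range_name = "k8s-service-range"
  }

  private_cluster_config {
    enable_private_nodes    = true
    # The change versus the video: no public endpoint for the control plane.
    enable_private_endpoint = true
    # Any unused RFC 1918 /28; Google carves the control plane out of it.
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # With the public endpoint off, only RFC 1918 ranges can be authorized,
  # so list the subnet your OpenVPN server or SSH host sits in.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/18"  # assumed VPN / admin subnet
      display_name = "vpn-subnet"
    }
  }
}
```

With enable_private_endpoint set to true, kubectl from a laptop on the public internet stops working by design; run it from a VM inside the VPC, or through the VPN Anton mentions, and keep the authorized list to the ranges that actually need API access.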
Very inspiring my friend. :)
Thanks so much!
Why is it necessary to create a "host-staging" and a separate "k8s-staging"?
It depends on your setup and your future goals. If you have a small infrastructure and team, keep it under a single project. If you have a lot of VMs and other services that you use in GCP, the best practice is to create a shared VPC and share subnets with other projects. In that way, you can centralize network management/security in one place/group. Also, projects help you to keep billing under control; it's much easier to get a total bill for the Kubernetes that you run if it is in a dedicated project. There are other benefits. If it's for your personal project, keep it in 1 project; for enterprise, follow the multi-project/shared VPC setup.
Hi @anton, thank you so much man, you were really amazing. Can you please tell me about creating a private GKE cluster, using a bastion if possible?
Hi Sasidhar, I don't think that you need a bastion in GCP at all. To SSH just use the gcloud compute ssh command. I'm also about to wrap up an OpenVPN tutorial that lets you connect to a GCP VPC, including resolving private hosted zones.
This is so amazing. thanks for sharing this video..
I'm wondering how to reserve an external static IP address in GCP for our nginx. Many thanks 🙇
You can reserve a static IP from the "external IP addresses" section. Click "Reserve static address".
@@AntonPutra Thanks for the quick replies 😺
Oh, for that one I did it already. And I put the loadBalancerIP: "x.x.x.x" in my nginx YAML service..
But after I deploy it and run kubectl get svc nginx, the column external-ip is always in state. Am I doing wrong ? 🙇
@@imamulakhyarakhyar3537 You can patch it - kubectl patch svc -n -p '{"spec": {"type": "LoadBalancer", "externalIPs":["XX.XX.XX.XX"]}}'
"Error 403: The caller does not have permission, forbidden." 😕
🤔
Clarity of the video is not good.
Sorry about that, youtube still processing HD quality...
Thanks bro, I really liked your video. But I want to ask something: if I want to use a subnet from the host project, do I need to create a service account in the service project first ? So when the service account is already created, I just need to add that service account in the members of the google_compute_subnetwork_iam_binding resource in the host project ?
Yes, you need a service account, and also enable k8s in both the host and service projects.
@@AntonPutra New subscriber here, I hope that shared VPC will work in my production. Thanks
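The shared VPC wiring the question above is about, as an added example that is not code from the video or its repository: the node service account is created in the service project, and the subnet and host-project bindings go to the two Google-managed accounts that the GKE shared VPC documentation requires, the service project's GKE service agent and its Google APIs service account. It uses the non-authoritative *_iam_member resources Anton recommends earlier in the thread instead of *_iam_binding. Project ids come from the thread ("host-staging", "k8s-staging"); the region and subnet name are assumptions.

```hcl
# Added example, not the tutorial's code. Region and subnet name are assumed;
# the project number is looked up rather than hard-coded.
locals {
  host_project    = "host-staging"
  service_project = "k8s-staging"
  region          = "us-central1"   # assumed
  subnet          = "private"       # assumed shared subnet name
}

# Look up the service project number; Google's managed accounts embed it.
data "google_project" "service" {
  project_id = local.service_project
}

locals {
  gke_service_agent = "serviceAccount:service-${data.google_project.service.number}@container-engine-robot.iam.gserviceaccount.com"
  google_apis_sa    = "serviceAccount:${data.google_project.service.number}@cloudservices.gserviceaccount.com"
}

# The node service account lives in the service project (the question above).
resource "google_service_account" "gke_nodes" {
  project      = local.service_project
  account_id   = "gke-nodes"
  display_name = "GKE node service account"
}

# *_iam_member adds one member to one role and leaves existing members alone,
# so a later module or team can grant more without a fight over the binding.
resource "google_compute_subnetwork_iam_member" "gke_agent_network_user" {
  project    = local.host_project
  region     = local.region
  subnetwork = local.subnet
  role       = "roles/compute.networkUser"
  member     = local.gke_service_agent
}

resource "google_compute_subnetwork_iam_member" "apis_network_user" {
  project    = local.host_project
  region     = local.region
  subnetwork = local.subnet
  role       = "roles/compute.networkUser"
  member     = local.google_apis_sa
}

# Lets the service project's GKE agent manage the firewall rules and routes
# it needs in the host project's VPC.
resource "google_project_iam_member" "host_service_agent_user" {
  project = local.host_project
  role    = "roles/container.hostServiceAgentUser"
  member  = local.gke_service_agent
}
```

If container.googleapis.com is not enabled in the service project yet, the GKE service agent does not exist and the data lookup still works but the member reference fails at apply time; enable the API in both projects first, as the reply above says, then apply these bindings before the cluster itself.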