我使用单个 Terraform 脚本来部署 AKS 和应用程序网关。到目前为止,一切都按预期工作,我需要的最后一件事是在 AKS 和应用程序网关之间配置 vnet 对等互连。
根据 Terraform 的文档,vnet 对等互连需要 AKS vnet 名称和 ID:
# AppGw to AKS
# Peering is declared once per direction; this is the side owned by the
# Application Gateway vnet. `virtual_network_name` is the vnet *name* inside
# `resource_group_name`, while `remote_virtual_network_id` is the full Azure
# resource ID of the other vnet. `???` marks the value the question is asking
# how to obtain.
resource "azurerm_virtual_network_peering" "appgw_aks_peering" {
name = "appgw-aks-peer"
resource_group_name = "my-appgw-rg"
virtual_network_name = azurerm_virtual_network.my_vnet.name
remote_virtual_network_id = ??? # ID of the vnet AKS creates on its own in node_resource_group; azurerm_kubernetes_cluster does not export it
}
# AKS to AppGw
# Reverse direction, owned by the AKS vnet. Both the vnet name and the resource
# group it lives in (the node resource group) belong to the vnet AKS created
# itself, which is why the name is unknown to Terraform here.
resource "azurerm_virtual_network_peering" "aks_appgw_peering" {
name = "aks-appgw-peer"
resource_group_name = "my-aksnode-rg" # node_resource_group of the cluster below
virtual_network_name = ??? # name of the AKS-created vnet ("aks-vnet-<id>"), not exported by the cluster resource
remote_virtual_network_id = azurerm_virtual_network.my_vnet.id
}
# The cluster from the question. No vnet_subnet_id is set on the default node
# pool, so AKS creates its own vnet ("aks-vnet-<id>") inside node_resource_group
# ("my-aksnode-rg"); azurerm_kubernetes_cluster exports neither that vnet's name
# nor its ID, which is the gap the question is about.
resource "azurerm_kubernetes_cluster" "my_cluster" {
name = "my-aks"
location = "australiaeast"
resource_group_name = "my-aks-rg"
node_resource_group = "my-aksnode-rg" # the auto-created vnet lives in this group
# NOTE(review): `addon_profile { ingress_application_gateway {...} }` is the
# azurerm 2.x shape; azurerm >= 3.0 expects a top-level
# `ingress_application_gateway { gateway_id = ... }` block — confirm against the
# provider version pinned for this module.
addon_profile {
ingress_application_gateway {
enabled = true
gateway_id = azurerm_application_gateway.my_appgw.id # AGIC add-on; its managed identity must be allowed to modify this gateway
}
}
default_node_pool {
name = "np01"
node_count = 1
os_disk_size_gb = 30
vm_size = var.aks_np_vm_sku
# no vnet_subnet_id here: the nodes land in the AKS-managed vnet
}
... # remainder of the cluster definition elided in the question
}
我遇到的问题是:创建 AKS 时,AKS 会在 node_resource_group(这里是 my-aksnode-rg)中自动创建自己的 vnet,而 azurerm_kubernetes_cluster 资源并不导出该 vnet 的名称或 ID。我找不到用 Terraform 获取这个 AKS vnet 名称或 ID 的方法。有人能指点方向或建议替代方案吗?
由于无法从 azurerm_kubernetes_cluster 资源块中获取自动创建的 vnet 的 ID,另一种做法是自己用 Terraform 为 AKS 创建 vnet 和子网,并在创建集群时通过 default_node_pool 块的 vnet_subnet_id 使用该子网——这样 vnet 的名称和 ID 都是 Terraform 已知的,可以直接在对等互连里引用,如下所示:
default_node_pool {
  # Placing the pool in a subnet declared in this configuration is what makes
  # the vnet addressable from Terraform (azurerm_subnet.aks -> its vnet).
  vnet_subnet_id  = azurerm_subnet.aks.id
  name            = "np01"
  vm_size         = var.aks_np_vm_sku
  node_count      = 1
  os_disk_size_gb = 30
}
因此,根据您的要求,.tf 文件将如下所示:
# The azurerm provider requires a features block even when nothing is customised.
provider "azurerm" {
  features {}
}
# Existing resource group that every resource below is placed in. The label
# "name" is what the rest of the listing references as
# data.azurerm_resource_group.name.{name,location}.
data "azurerm_resource_group" "name" {
  name = "resourcegroupname" # placeholder: the real resource group name
}
# Vnet for the AKS nodes, created here so that its name and ID are known to
# Terraform and can be used by the peering resources.
# Must not overlap the Application Gateway vnet (10.254.0.0/16) or peering fails.
resource "azurerm_virtual_network" "aks" {
  name                = "aks-vnet"
  address_space       = ["10.0.0.0/16"]
  resource_group_name = data.azurerm_resource_group.name.name
  location            = data.azurerm_resource_group.name.location
}
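# Subnet the AKS default node pool is pinned to (via vnet_subnet_id).
# Fix: virtual_network_name must be the vnet's *name*; the original passed the
# resource group's location here, which is not a vnet and would fail to resolve.
resource "azurerm_subnet" "aks" {
  name                 = "aks-subnet"
  resource_group_name  = data.azurerm_resource_group.name.name
  virtual_network_name = azurerm_virtual_network.aks.name
  address_prefixes     = ["10.0.1.0/24"]
}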
# Vnet hosting the Application Gateway. Its range is disjoint from the AKS vnet
# (10.0.0.0/16) so the two can be peered.
resource "azurerm_virtual_network" "appgw" {
  name                = "appgw-vnet"
  address_space       = ["10.254.0.0/16"]
  resource_group_name = data.azurerm_resource_group.name.name
  location            = data.azurerm_resource_group.name.location
}
# Subnet used by the gateway's gateway_ip_configuration; nothing else in this
# listing is placed in it, which is how Application Gateway expects its subnet.
resource "azurerm_subnet" "frontend" {
  name                 = "frontend"
  address_prefixes     = ["10.254.0.0/24"]
  virtual_network_name = azurerm_virtual_network.appgw.name
  resource_group_name  = data.azurerm_resource_group.name.name
}
# Second subnet in the gateway vnet. Not referenced anywhere in this listing
# (the AKS backends live in the peered AKS vnet); kept from the provider example.
resource "azurerm_subnet" "backend" {
  name                 = "backend"
  address_prefixes     = ["10.254.2.0/24"]
  virtual_network_name = azurerm_virtual_network.appgw.name
  resource_group_name  = data.azurerm_resource_group.name.name
}
# Public, internet-facing IP for the gateway's frontend. Allocated dynamically
# and with no sku set, so the provider default SKU applies.
# NOTE(review): a v2 Application Gateway SKU needs a Standard-SKU, static
# public IP; this pairing only fits the v1 "Standard" tier used below.
resource "azurerm_public_ip" "example" {
  name                = "example-pip"
  allocation_method   = "Dynamic"
  location            = data.azurerm_resource_group.name.location
  resource_group_name = data.azurerm_resource_group.name.name
}
# Names reused by several nested blocks of the gateway; derived from the vnet
# name so they stay unique per environment.
locals {
  frontend_port_name             = "${azurerm_virtual_network.appgw.name}-feport"
  frontend_ip_configuration_name = "${azurerm_virtual_network.appgw.name}-feip"
  listener_name                  = "${azurerm_virtual_network.appgw.name}-httplstn"
  backend_address_pool_name      = "${azurerm_virtual_network.appgw.name}-beap"
  http_setting_name              = "${azurerm_virtual_network.appgw.name}-be-htst"
  request_routing_rule_name      = "${azurerm_virtual_network.appgw.name}-rqrt"
  redirect_configuration_name    = "${azurerm_virtual_network.appgw.name}-rdrcfg" # declared but not used by the gateway below
}
# Application Gateway that the AKS AGIC add-on (addon_profile further down) will
# program. Security notes (review):
#  - Only an HTTP listener on port 80 is defined and the frontend sits on a
#    public IP, so client traffic is unencrypted. Add an ssl_certificate plus an
#    HTTPS listener (or let AGIC manage TLS through Ingress resources) before
#    fronting anything real with it.
#  - Tier "Standard" (v1) carries no web application firewall; a WAF tier is the
#    usual choice for an internet-facing gateway.
#  - NOTE(review): v1 SKUs such as Standard_Small are being retired by Azure and
#    v2 needs a Standard-SKU static public IP — confirm against your provider
#    version and region before reusing this block.
#  - NOTE(review): AGIC rewrites pools, settings, listeners and rules at runtime,
#    so later plans will typically show drift here unless those nested blocks are
#    listed under lifecycle { ignore_changes = [...] }.
resource "azurerm_application_gateway" "network" {
name = "example-appgateway"
resource_group_name = data.azurerm_resource_group.name.name
location = data.azurerm_resource_group.name.location
sku {
name = "Standard_Small"
tier = "Standard"
capacity = 2
}
# The gateway occupies azurerm_subnet.frontend; nothing else is placed there.
gateway_ip_configuration {
name = "my-gateway-ip-configuration"
subnet_id = azurerm_subnet.frontend.id
}
frontend_port {
name = local.frontend_port_name
port = 80 # plain HTTP
}
frontend_ip_configuration {
name = local.frontend_ip_configuration_name
public_ip_address_id = azurerm_public_ip.example.id # internet-facing
}
# Empty pool; presumably left for the AGIC add-on to populate at runtime.
backend_address_pool {
name = local.backend_address_pool_name
}
backend_http_settings {
name = local.http_setting_name
cookie_based_affinity = "Disabled"
path = "/path1/" # path prefix prepended to backend requests — copied from the provider example; probably not intended here, verify
port = 80
protocol = "Http" # gateway -> backend hop is also unencrypted
request_timeout = 60
}
http_listener {
name = local.listener_name
frontend_ip_configuration_name = local.frontend_ip_configuration_name
frontend_port_name = local.frontend_port_name
protocol = "Http"
}
request_routing_rule {
name = local.request_routing_rule_name
rule_type = "Basic"
http_listener_name = local.listener_name
backend_address_pool_name = local.backend_address_pool_name
backend_http_settings_name = local.http_setting_name
}
}
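# AppGw to AKS (one azurerm_virtual_network_peering per direction).
# Fix: virtual_network_name takes the vnet *name* inside resource_group_name,
# not its resource ID — the original passed azurerm_virtual_network.appgw.id
# here. Only remote_virtual_network_id is a full ID. The resource group is taken
# from the vnet resource so the two cannot drift apart.
resource "azurerm_virtual_network_peering" "appgw_aks_peering" {
  name                      = "appgw-aks-peer"
  resource_group_name       = azurerm_virtual_network.appgw.resource_group_name
  virtual_network_name      = azurerm_virtual_network.appgw.name
  remote_virtual_network_id = azurerm_virtual_network.aks.id
}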
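# AKS to AppGw (reverse direction of the peering above).
# Fix: virtual_network_name must be the vnet name; the original passed
# azurerm_virtual_network.aks.id. The resource group is derived from the vnet
# resource, since a peering has to be created in its own vnet's resource group.
resource "azurerm_virtual_network_peering" "aks_appgw_peering" {
  name                      = "aks-appgw-peer"
  resource_group_name       = azurerm_virtual_network.aks.resource_group_name
  virtual_network_name      = azurerm_virtual_network.aks.name
  remote_virtual_network_id = azurerm_virtual_network.appgw.id
}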
# Cluster placed in the Terraform-managed subnet so that its vnet has a known
# name and ID for the peering resources above.
resource "azurerm_kubernetes_cluster" "my_cluster" {
name = "my-aks"
location = data.azurerm_resource_group.name.location
resource_group_name = data.azurerm_resource_group.name.name
dns_prefix = "dns-myaks"
# NOTE(review): `addon_profile { ingress_application_gateway {...} }` is the
# azurerm 2.x shape; azurerm >= 3.0 expects a top-level
# `ingress_application_gateway { gateway_id = ... }` block — confirm against
# the pinned provider version.
addon_profile {
ingress_application_gateway {
enabled = true
# The AGIC add-on runs under its own managed identity, which must be allowed
# to modify this gateway. Nothing in this listing creates a role assignment
# for it — verify one exists (or is created by the platform) before relying
# on the add-on.
gateway_id = azurerm_application_gateway.network.id
}
}
default_node_pool {
name = "np01"
node_count = 1
os_disk_size_gb = 30
vm_size = "Standard_D2_v2"
# Pins the nodes to azurerm_subnet.aks (10.0.1.0/24 in the 10.0.0.0/16 vnet).
# NOTE(review): no network_profile is set, so the AKS default service CIDR
# (10.0.0.0/16) applies and overlaps this vnet's address space; Azure rejects
# that overlap (ServiceCidrOverlapExistingSubnetsCidr). Add a network_profile
# with service_cidr/dns_service_ip outside both peered vnets (e.g.
# 10.100.0.0/16 / 10.100.0.10) or move the vnet off 10.0.0.0/16 — confirm the
# exact argument set required by your provider version.
vnet_subnet_id = azurerm_subnet.aks.id
}
# NOTE(review): with a bring-your-own subnet and the default (kubenet)
# network plugin the cluster identity needs Network Contributor on that
# subnet; nothing here creates that role assignment — confirm it exists.
identity {
type = "SystemAssigned"
}
}
输出:
据我所知,azurerm_kubernetes_cluster 资源只会回显你自己传入的子网 ID(default_node_pool.vnet_subnet_id),不会导出 AKS 自动创建的 vnet。最好的方法是用 Terraform 创建 vnet 和子网,把 Kubernetes 节点池放到该子网,然后再添加对等互连——这时两侧 vnet 的名称和 ID 都是已知的。
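# AppGw to AKS
# Side of the peering owned by the Application Gateway vnet. The resource group
# is taken from the vnet resource instead of the hard-coded "my-appgw-rg": a
# peering must be created in its own vnet's resource group, and deriving it
# keeps the two from drifting apart.
resource "azurerm_virtual_network_peering" "appgw_aks_peering" {
  name                      = "appgw-aks-peer"
  resource_group_name       = azurerm_virtual_network.my_vnet.resource_group_name
  virtual_network_name      = azurerm_virtual_network.my_vnet.name
  remote_virtual_network_id = azurerm_virtual_network.aks.id
}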
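# AKS to AppGw
# Side of the peering owned by the AKS vnet. Fix: azurerm_virtual_network.aks is
# created by this configuration, so it lives in whatever resource group that
# resource was given — not necessarily the cluster's node resource group
# ("my-aksnode-rg") that the original hard-coded. Deriving the group from the
# vnet resource makes the peering land where the vnet actually is.
resource "azurerm_virtual_network_peering" "aks_appgw_peering" {
  name                      = "aks-appgw-peer"
  resource_group_name       = azurerm_virtual_network.aks.resource_group_name
  virtual_network_name      = azurerm_virtual_network.aks.name
  remote_virtual_network_id = azurerm_virtual_network.my_vnet.id
}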
这适用于想要找出您的 AKS 集群属于哪个虚拟网络的读者。
运行 `az aks show -g <资源组> -n <集群名称>`(原文示例为 `az aks show -g portal-eu -n xxxxxx`,其中 xxxxxx 是集群名称),然后在返回的 JSON 中查找子网 ID(原文写的是 networkProfile.vnetSubnetId;在当前 az CLI 的输出中,该字段通常位于 agentPoolProfiles[].vnetSubnetId)。注意:如果集群没有指定自定义子网,而是使用 AKS 自动创建的 vnet,该字段为 null;此时可以先从 nodeResourceGroup 字段取得节点资源组,再用 `az network vnet list -g <节点资源组>` 找到 vnet。
我希望这有帮助。
你可以通过一些变通办法做到这一点。但它只在目标订阅中恰好有一个名字包含 "aks-vnet-" 的 vnet 时才有效,因为下面的代码按该字符串查找 vnet。另外请注意,它在 local-exec 中重新执行 az login,把服务主体密钥放在了命令行参数上(会出现在进程列表和可能的日志中),生产环境中应改用证书或联合身份等方式认证。
# ---------------------------------------------- #
# Get the spoke vnet.
# Existing hub/spoke vnet, looked up by name; it provides the name, resource
# group and ID used on both sides of the peering below.
data "azurerm_virtual_network" "vn" {
  resource_group_name = "rg-core-01"
  name                = "vnet-prd-spoke-nteu-01"
}
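# ---------------------------------------------- #
# Get the aks vnet.
# Shell out to the Azure CLI to find the vnet AKS created on its own (its name
# starts with "aks-vnet-") and leave its name and ID in two files that the
# local_file data sources below read back. Runs only when the null_resource is
# created (no `triggers`), so later applies reuse the files already written.
#
# Security notes (review):
#  - `az login --service-principal --password ...` puts the client secret on
#    the az process command line, where it is visible to local process listings
#    and may be captured by shell or CI logging. Prefer certificate or
#    federated (OIDC) authentication, or `az login --identity` on a host with a
#    managed identity.
#  - This `az login` also replaces whatever session is cached in ~/.azure on the
#    machine running Terraform — a side effect outside Terraform's state.
#  - `${var.tw5_resource_group_aks}` is interpolated into a PowerShell command
#    string; keep that variable to a plain resource-group name.
#
# Fix: the vnet lookup is scoped to the AKS node resource group (the original
# listed every vnet in the subscription, then queried `vnet show` in that group
# with whatever name came back) and the script now fails unless exactly one
# vnet matches, so a second "aks-vnet-*" cannot silently be peered instead of
# the intended one.
resource "null_resource" "nr" {
  provisioner "local-exec" {
    interpreter = ["PowerShell", "-Command"]
    command     = <<COMMAND
az login --service-principal --tenant $env:ARM_TENANT_ID --username $env:ARM_CLIENT_ID --password $env:ARM_CLIENT_SECRET
$vnet = @(az network vnet list --resource-group ${var.tw5_resource_group_aks} --query "[?contains(name, 'aks-vnet-')].name" -o tsv)
if ($vnet.Count -ne 1) { throw "expected exactly one vnet named aks-vnet-* in ${var.tw5_resource_group_aks}, found $($vnet.Count)" }
$vnet = $vnet[0]
$vnet | set-content -path "${path.module}/vnet.txt" -force
$vnetid = (az network vnet show --resource-group ${var.tw5_resource_group_aks} --name $vnet --query 'id' --output tsv)
$vnetid | set-content -path "${path.module}/vnetid.txt" -force
COMMAND
  }
}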
# Name of the AKS vnet, as written to vnet.txt by null_resource.nr. The
# depends_on defers the read until that provisioner has run, so the value is
# only known at apply time; the file content also ends up in Terraform state.
data "local_file" "vnet" {
  filename   = "${path.module}/vnet.txt"
  depends_on = [null_resource.nr]
}
# Resource ID of the AKS vnet, as written to vnetid.txt by null_resource.nr;
# read after the provisioner because of depends_on, so apply-time only.
data "local_file" "vnetid" {
  filename   = "${path.module}/vnetid.txt"
  depends_on = [null_resource.nr]
}
# ---------------------------------------------- #
# Spoke vnet -> AKS vnet direction. The remote ID comes from vnetid.txt, written
# by null_resource.nr; trimspace() drops the trailing newline set-content adds.
resource "azurerm_virtual_network_peering" "vnp_a" {
  name                      = "spoke-to-aks"
  resource_group_name       = data.azurerm_virtual_network.vn.resource_group_name
  virtual_network_name      = data.azurerm_virtual_network.vn.name
  remote_virtual_network_id = trimspace(data.local_file.vnetid.content)

  # Let workloads in either vnet reach each other, including traffic that was
  # forwarded through an appliance rather than originating in the spoke.
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
}
# AKS vnet -> spoke direction. Reads the vnet name the local-exec left in
# vnet.txt; trimspace() strips the newline set-content appends.
# NOTE(review): resource_group_name uses var.resource_group_aks, while the az
# commands above look the vnet up in var.tw5_resource_group_aks — two different
# variables for what must be the same resource group (the peering has to live
# in the vnet's own group). Confirm which one is intended and use it in both
# places.
resource "azurerm_virtual_network_peering" "vnp_b" {
name = "aks-to-spoke"
resource_group_name = var.resource_group_aks
virtual_network_name = trimspace(data.local_file.vnet.content)
remote_virtual_network_id = data.azurerm_virtual_network.vn.id
allow_virtual_network_access = true
allow_forwarded_traffic = true # also accepts traffic forwarded via an appliance in the spoke, not only traffic originating there
}
# ---------------------------------------------- #