Deploy a GKE cluster - PaloAltoNetworks/cn-series-deploy GitHub Wiki

The /gke folder contains a Terraform plan that deploys a Kubernetes cluster in Google Kubernetes Engine (GKE). The cluster meets the minimum requirements to support a CN-Series Next-Generation Firewall and is deployed regionally, spanning multiple availability zones for maximum redundancy and scalability.

regional cluster

Usage

  1. Define and configure the GCP project.

    1. Log in to Google Cloud Platform using its CLI.

      $ gcloud auth login
      
    2. Create a new project in Google Cloud Platform and make it your default project.

      $ gcloud projects create cnseries-deployment
      Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/cnseries-deployment].
      Waiting for [operations/cp.8399975532101480302] to finish...done.
      Enabling service [cloudapis.googleapis.com] on project [cnseries-deployment]...
      Operation "operations/acf.7db11421-7961-43d0-94c3-9063cadc40c9" finished successfully.
      
      $ gcloud config set project cnseries-deployment
      Updated property [core/project].
      
    3. Map the newly defined project to your billing account.

      $ gcloud beta billing accounts list
      ACCOUNT_ID            NAME                OPEN  MASTER_ACCOUNT_ID
      012356-A12345-B12345  My Billing Account  True
      
      $ gcloud beta billing projects link cnseries-deployment --billing-account=012356-A12345-B12345
      billingAccountName: billingAccounts/012356-A12345-B12345
      billingEnabled: true
      name: projects/cnseries-deployment/billingInfo
      projectId: cnseries-deployment
      
  2. Deploy the cluster using Terraform.

    1. Create a terraform.tfvars file and add the following variables and their associated values.

      project = ""                           # The GCP project ID
      region = ""                            # The GCP region
      
    2. Initialize the Terraform providers.

      $ terraform init
      
    3. Validate the Terraform plan.

      $ terraform plan
      
    4. Apply the Terraform plan.

      $ terraform apply
      
  3. Access the Kubernetes cluster.

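    1. Update the kubeconfig file with the new cluster's information. (On Terraform 0.14 and later, use terraform output -raw in each substitution so the values are not wrapped in quotes.)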

      $ gcloud container clusters get-credentials $(terraform output cluster_name) --region $(terraform output cluster_location) --project $(terraform output cluster_project)
      
    2. Verify the cluster nodes have been built and are in a Ready status.

      $ kubectl get nodes
      NAME                                                  STATUS   ROLES    AGE     VERSION
      gke-cnseries-testing-cnseries-testing-1e1ebbe6-6d3s   Ready    <none>   7m21s   v1.14.10-gke.36
      gke-cnseries-testing-cnseries-testing-c89de143-0710   Ready    <none>   7m53s   v1.14.10-gke.36
      gke-cnseries-testing-cnseries-testing-d320cbc7-rtm2   Ready    <none>   7m51s   v1.14.10-gke.36
      
  4. You are now ready to deploy the CN-Series Firewall.
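
The node check in step 3.2 can be scripted as a gate that runs before the firewall is deployed. This is an added example, not part of the cn-series-deploy repository; the function name nodes_ready, the minimum of three nodes and the NotReady sample row are assumptions made for illustration.

```shell
# Added example: fail unless every node listed by `kubectl get nodes` is Ready.
# The table is read on stdin so the check can be exercised offline. Live use:
#   kubectl get nodes --no-headers | nodes_ready 3

# nodes_ready MIN
# Exit 0 only if at least MIN nodes are listed and every STATUS is exactly
# "Ready". A cordoned node ("Ready,SchedulingDisabled") fails the check too.
nodes_ready() {
  awk -v min="${1:-1}" '
    $1 == "NAME" { next }                      # skip the header row
    NF < 2       { next }                      # skip blank lines
    { total++ }
    $2 == "Ready" { ready++; next }
    { printf "not ready: %s (%s)\n", $1, $2 > "/dev/stderr" }
    END {
      if (total + 0 < min + 0) {
        printf "found %d node(s), expected at least %d\n", total, min > "/dev/stderr"
        exit 1
      }
      exit (ready == total) ? 0 : 1
    }'
}

# Sample input: the node table shown in step 3.2 of this page.
SAMPLE_OK='NAME                                                  STATUS   ROLES    AGE     VERSION
gke-cnseries-testing-cnseries-testing-1e1ebbe6-6d3s   Ready    <none>   7m21s   v1.14.10-gke.36
gke-cnseries-testing-cnseries-testing-c89de143-0710   Ready    <none>   7m53s   v1.14.10-gke.36
gke-cnseries-testing-cnseries-testing-d320cbc7-rtm2   Ready    <none>   7m51s   v1.14.10-gke.36'

# Constructed variant: the same table with one node still NotReady.
SAMPLE_BAD='NAME                                                  STATUS     ROLES    AGE     VERSION
gke-cnseries-testing-cnseries-testing-1e1ebbe6-6d3s   Ready      <none>   7m21s   v1.14.10-gke.36
gke-cnseries-testing-cnseries-testing-c89de143-0710   NotReady   <none>   7m53s   v1.14.10-gke.36
gke-cnseries-testing-cnseries-testing-d320cbc7-rtm2   Ready      <none>   7m51s   v1.14.10-gke.36'

# Demo run against the page's own output.
if printf '%s\n' "$SAMPLE_OK" | nodes_ready 3; then
  echo "all nodes Ready"
fi
```

Against a live cluster, kubectl wait --for=condition=Ready nodes --all --timeout=300s blocks until the same condition holds, but it does not enforce a minimum node count.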
