Implantar o Kf Cloud Service Broker

Nesta página, mostramos como implantar o Cloud Service Broker do Kf para Google Cloud e usá-lo para provisionar ou desprovisionar recursos de backup. Leia sobre os conceitos e a arquitetura para saber mais sobre o Cloud Service Broker do Kf.

Criar variáveis de ambiente

export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export INSTANCE_NAME=cloud-service-broker
export COMPUTE_REGION=us-central1

Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name INSTANCE_NAME -Value cloud-service-broker
Set-Variable -Name COMPUTE_REGION -Value us-central1

Configurar o banco de dados do Cloud Service Broker do Kf

1. Crie uma instância do Cloud SQL para MySQL.

   gcloud sql instances create ${INSTANCE_NAME} --cpu=2 --memory=7680MB --require-ssl --region=${COMPUTE_REGION}

2. Crie um banco de dados chamado servicebroker na instância do Cloud SQL para MySQL.

   gcloud sql databases create servicebroker -i ${INSTANCE_NAME}

3. Crie um nome de usuário e uma senha a serem usados pelo Cloud Service Broker do Kf.

   gcloud sql users create csbuser -i ${INSTANCE_NAME} --password=csbpassword

Configurar uma conta de serviço do Google para o Cloud Service Broker do Kf

1. Crie uma conta de serviço do Google.

   gcloud iam service-accounts create csb-${CLUSTER_NAME}-sa \
     --project=${CLUSTER_PROJECT_ID} \
     --description="GSA for CSB at ${CLUSTER_NAME}" \
     --display-name="csb-${CLUSTER_NAME}"

2. Conceda as permissões de roles/cloudsql.client à conta de serviço. Isso é necessário para conectar o pod do Cloud Service Broker do Kf à instância do Cloud SQL para MySQL pelo proxy de autenticação do Cloud SQL.

   gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/cloudsql.client"

3. Conceda outras permissões do Google Cloud à conta de serviço.

   gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/compute.networkUser"

   gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/cloudsql.admin"

   gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
     --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/redis.admin"

4. Verifique as permissões.

   gcloud projects get-iam-policy ${CLUSTER_PROJECT_ID} \
     --filter='bindings.members:serviceAccount:"CSB_SERVICE_ACCOUNT_NAME"' \
     --flatten="bindings[].members"

Configurar a identidade da carga de trabalho do Cloud Service Broker do Kf

1. Vincule a conta de serviço do Google à conta de serviço do Kubernetes.

   gcloud iam service-accounts add-iam-policy-binding "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --project=${CLUSTER_PROJECT_ID} \
     --role="roles/iam.workloadIdentityUser" \
     --member="serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf-csb/csb-user]"

2. Confira a vinculação.

   gcloud iam service-accounts get-iam-policy "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
     --project=${CLUSTER_PROJECT_ID}

Configurar um secret do Kubernetes para compartilhar a configuração com o Cloud Service Broker do Kf

1. Crie um arquivo config.yml.

   cat << EOF >> ./config.yml
   gcp:
     credentials: ""
     project: ${CLUSTER_PROJECT_ID}
   db:
     host: 127.0.0.1
     password: csbpassword
     user: csbuser
     tls: false
   api:
     user: servicebroker
     password: password
   EOF

2. Crie o namespace kf-csb:

   kubectl create ns kf-csb

3. Crie o Secret do Kubernetes:

   kubectl create secret generic csb-secret --from-file=config.yml -n kf-csb

Instalar o Cloud Service Broker do Kf

1. Faça o download do kf-csb.yml.

   gcloud storage cp gs://kf-releases/csb/v1.1.0/kf-csb.yaml /tmp/kf-csb.yaml

2. Edite /tmp/kf-csb.yaml e substitua os marcadores pelos valores finais. No exemplo abaixo, sed é usado.

   sed -i "s|<GSA_NAME>|csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com|g" /tmp/kf-csb.yaml
   sed -i "s|<INSTANCE_CONNECTION_NAME>|${CLUSTER_PROJECT_ID}:${COMPUTE_REGION}:${INSTANCE_NAME}|g" /tmp/kf-csb.yaml
   sed -i "s|<DB_PORT>|3306|g" /tmp/kf-csb.yaml

3. Aplique o yaml para o Cloud Service Broker do Kf.

   kubectl apply -f /tmp/kf-csb.yaml

4. Verifique o status de instalação do Cloud Service Broker do Kf.

   kubectl get pods -n kf-csb

Criar um agente de serviços

  kf create-service-broker cloud-service-broker servicebroker password http://csb-controller.kf-csb/

Validar a instalação

Verifique os serviços disponíveis no marketplace.

  kf marketplace

Se tudo estiver instalado e configurado corretamente, isto vai aparecer:

  $ kf marketplace

  Broker                Name                          Namespace  Description
  cloud-service-broker  csb-google-bigquery                      A fast, economical and fully managed data warehouse for large-scale data analytics.
  cloud-service-broker  csb-google-dataproc                      Dataproc is a fully-managed service for running Apache Spark and Apache Hadoop clusters in a simpler, more cost-efficient way.
  cloud-service-broker  csb-google-mysql                         Mysql is a fully managed service for the Google Cloud Platform.
  cloud-service-broker  csb-google-postgres                      PostgreSQL is a fully managed service for the Google Cloud Platform.
  cloud-service-broker  csb-google-redis                         Cloud Memorystore for Redis is a fully managed Redis service for the Google Cloud Platform.
  cloud-service-broker  csb-google-spanner                       Fully managed, scalable, relational database service for regional and global application data.
  cloud-service-broker  csb-google-stackdriver-trace             Distributed tracing service
  cloud-service-broker  csb-google-storage-bucket                Google Cloud Storage that uses the Terraform back-end and grants service accounts IAM permissions directly on the bucket.

Limpar

1. Exclua cloud-service-broker.

   kf delete-service-broker cloud-service-broker

2. Exclua os componentes do CSB.

   kubectl delete ns kf-csb

3. Exclua a instância do Cloud SQL para MySQL do Cloud Service Broker do Kf.

   gcloud sql instances delete ${INSTANCE_NAME} --project=${CLUSTER_PROJECT_ID}

4. Remova as vinculações da política de IAM.

   gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
   --member='serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com' \
   --role=roles/cloudsql.client

   gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
   --member='serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com' \
   --role=roles/compute.networkUser

   gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
   --member='serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com' \
   --role=roles/redis.admin

5. Remova o GSA.

   gcloud iam service-accounts delete csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com \
     --project=${CLUSTER_PROJECT_ID}

A seguir

• Teste o Cloud Service Broker do Kf com nosso Guia do Spring Music.