Deploy Kf Cloud Service Broker

This page shows how to deploy Kf Cloud Service Broker for Google Cloud and use it to provision or deprovision backing resources. Read the concepts and architecture page to learn more about Kf Cloud Service Broker.

Create environment variables

Linux

export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export INSTANCE_NAME=cloud-service-broker
export COMPUTE_REGION=us-central1

Windows PowerShell

Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name INSTANCE_NAME -Value cloud-service-broker
Set-Variable -Name COMPUTE_REGION -Value us-central1

Set up the Kf Cloud Service Broker database

  1. Create a Cloud SQL for MySQL instance. --require-ssl makes the instance refuse unencrypted client connections; the broker reaches it through the Cloud SQL Auth Proxy, which provides that encryption.

    gcloud sql instances create ${INSTANCE_NAME} --cpu=2 --memory=7680MB --require-ssl --region=${COMPUTE_REGION}
  2. Create a database named servicebroker on the Cloud SQL for MySQL instance.

    gcloud sql databases create servicebroker -i ${INSTANCE_NAME}
  3. Create the user name and password that Kf Cloud Service Broker will use. csbpassword is a placeholder: use a strong, randomly generated password here and the same value in config.yml later. A password passed on the command line is recorded in your shell history, so clear it afterwards.

    gcloud sql users create csbuser -i ${INSTANCE_NAME} --password=csbpassword

Set up a Google Service Account (GSA) for Kf Cloud Service Broker

  1. Create a Google Service Account.

    gcloud iam service-accounts create csb-${CLUSTER_NAME}-sa \
      --project=${CLUSTER_PROJECT_ID} \
      --description="GSA for CSB at ${CLUSTER_NAME}" \
      --display-name="csb-${CLUSTER_NAME}"
  2. Grant roles/cloudsql.client to the Service Account. This is required to connect the Kf Cloud Service Broker pod to the Cloud SQL for MySQL instance through the Cloud SQL Auth Proxy.

    gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/cloudsql.client"
  3. Grant additional Google Cloud permissions to the Service Account. These roles let the broker create and delete Cloud SQL and Memorystore for Redis resources for Kf users. They are granted at project level, so the broker's GSA can also modify Cloud SQL and Redis instances it did not create; grant only the roles for the services you intend to offer, and treat the broker pod as a privileged workload.

    gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/compute.networkUser"
    gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/cloudsql.admin"
    gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/redis.admin"
  4. Verify the permissions. The command lists every project-level role bound to the broker's GSA; expect exactly the roles granted above.

    gcloud projects get-iam-policy ${CLUSTER_PROJECT_ID} \
      --flatten="bindings[].members" \
      --filter="bindings.members:serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --format="table(bindings.role)"
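As an added example (not part of the Kf documentation or of the gcloud CLI), the script below audits the project-level roles that a getIamPolicy response grants to the broker's GSA, so you can confirm that nothing beyond the four roles granted above has accumulated on it, and, after cleanup, that nothing is left. It reads the JSON from `gcloud projects get-iam-policy ${CLUSTER_PROJECT_ID} --format=json` on stdin; the SAMPLE_POLICY, the project and account names in it, and the file name audit_csb_iam.py are constructed placeholders for running it offline.

```python
"""Audit the project-level IAM roles bound to the Kf Cloud Service Broker GSA.

Added example, not code from the Kf project. Input is the JSON printed by
`gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json
import sys

# The four roles this walkthrough grants to the broker's GSA.
EXPECTED_ROLES = {
    "roles/cloudsql.client",
    "roles/cloudsql.admin",
    "roles/compute.networkUser",
    "roles/redis.admin",
}

# Constructed sample policy (placeholder project and account names) for offline use.
# It includes an over-broad roles/editor grant that the audit should flag.
CSB_GSA = "csb-kf-cluster-sa@my-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXsample",
    "bindings": [
        {"role": "roles/cloudsql.client", "members": [f"serviceAccount:{CSB_GSA}"]},
        {"role": "roles/cloudsql.admin", "members": [f"serviceAccount:{CSB_GSA}"]},
        {"role": "roles/compute.networkUser", "members": [f"serviceAccount:{CSB_GSA}"]},
        {"role": "roles/redis.admin", "members": [f"serviceAccount:{CSB_GSA}"]},
        {"role": "roles/editor",
         "members": ["user:alice@example.com", f"serviceAccount:{CSB_GSA}"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:other-sa@my-project.iam.gserviceaccount.com"]},
    ],
})


def roles_for_member(policy_json: str, member: str) -> set:
    """Return every role whose binding lists `member` (e.g. 'serviceAccount:...')."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(policy_json: str, gsa_email: str, expected: set = EXPECTED_ROLES) -> dict:
    """Compare the roles granted to the GSA against the expected set.

    'unexpected' is privilege drift to remove; 'missing' means the broker will
    fail to provision resources or to reach its database.
    """
    actual = roles_for_member(policy_json, f"serviceAccount:{gsa_email}")
    return {
        "granted": sorted(actual),
        "unexpected": sorted(actual - expected),
        "missing": sorted(expected - actual),
    }


if __name__ == "__main__":
    # Usage: gcloud projects get-iam-policy "$CLUSTER_PROJECT_ID" --format=json \
    #          | python3 audit_csb_iam.py "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com"
    # With no argument the constructed sample policy is audited instead.
    gsa = sys.argv[1] if len(sys.argv) > 1 else CSB_GSA
    source = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_POLICY
    report = audit(source, gsa)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["unexpected"] or report["missing"] else 0)
```

Run it again after the cleanup steps at the end of this page with an empty expected set (`audit(policy, gsa, set())`) to confirm that no binding survived; the exit status makes it usable as a gate in a pipeline.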

Set up Workload Identity for Kf Cloud Service Broker

  1. Bind the Google Service Account to the Kubernetes Service Account. The member is the Kubernetes Service Account csb-user in the kf-csb namespace; it must match the service account the broker pod runs as in kf-csb.yaml, and it should be the only identity allowed to impersonate this GSA.

    gcloud iam service-accounts add-iam-policy-binding "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --project=${CLUSTER_PROJECT_ID} \
      --role="roles/iam.workloadIdentityUser" \
      --member="serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf-csb/csb-user]"
  2. Verify the binding. The output should contain a single roles/iam.workloadIdentityUser binding for that member.

    gcloud iam service-accounts get-iam-policy "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --project=${CLUSTER_PROJECT_ID}

Set up a Kubernetes Secret to share configuration with Kf Cloud Service Broker

  1. Create the config.yml file. gcp.credentials stays empty because the broker authenticates as the GSA through Workload Identity, and db.tls is false because the broker connects to the Cloud SQL Auth Proxy on 127.0.0.1, which encrypts the traffic to the instance. Replace csbpassword with the database password set earlier and password with a strong password of your own for the broker API; the same API credentials are used again when creating the service broker.

    cat << EOF > ./config.yml
    gcp:
      credentials: ""
      project: ${CLUSTER_PROJECT_ID}
    db:
      host: 127.0.0.1
      password: csbpassword
      user: csbuser
      tls: false
    api:
      user: servicebroker
      password: password
    EOF
  2. Create the kf-csb namespace.

    kubectl create ns kf-csb
  3. Create the Kubernetes Secret. The Secret holds both passwords, so limit who can read Secrets in the kf-csb namespace and delete the local config.yml once the Secret exists.

    kubectl create secret generic csb-secret --from-file=config.yml -n kf-csb
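As an added example (not part of the Kf documentation), the script below generates both passwords, renders a config.yml with exactly the keys shown in step 1, and refuses to emit it if a placeholder value (csbpassword, password) or a short password is present. The 16-character minimum, the gcp.credentials check and the file name render_csb_config.py are this script's own choices, not Kf requirements; the project name is a placeholder.

```python
"""Render a config.yml for Kf Cloud Service Broker with generated credentials.

Added example, not code from the Kf project. The keys match the config.yml
in this page; the checks in check_config() are this script's own policy.
"""
import secrets
import string
import sys

# Placeholder values from the walkthrough that must never reach a real cluster.
PLACEHOLDER_SECRETS = {"csbpassword", "password"}
MIN_PASSWORD_LEN = 16


def generate_password(length: int = 32) -> str:
    """Alphanumeric so the value needs no YAML escaping and survives shell quoting."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_config(project: str, db_user: str, db_password: str,
                  api_user: str, api_password: str) -> str:
    """Return config.yml text.

    gcp.credentials stays empty: Workload Identity supplies the GSA token.
    db.tls is false because the broker talks to the Cloud SQL Auth Proxy on
    127.0.0.1, which encrypts the hop to the instance.
    Passwords are quoted so an all-digit value is not parsed as a number.
    """
    return (
        "gcp:\n"
        '  credentials: ""\n'
        f"  project: {project}\n"
        "db:\n"
        "  host: 127.0.0.1\n"
        f'  password: "{db_password}"\n'
        f"  user: {db_user}\n"
        "  tls: false\n"
        "api:\n"
        f"  user: {api_user}\n"
        f'  password: "{api_password}"\n'
    )


def check_config(text: str, min_len: int = MIN_PASSWORD_LEN) -> list:
    """Return a list of problems; an empty list means the file is safe to store."""
    problems = []
    section = None
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            section = line[:-1]          # top-level key: gcp, db, api
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if key == "password":
            if value in PLACEHOLDER_SECRETS:
                problems.append(f"{section}.password is a placeholder from the walkthrough")
            elif len(value) < min_len:
                problems.append(f"{section}.password is shorter than {min_len} characters")
        elif section == "gcp" and key == "credentials" and value:
            problems.append("gcp.credentials embeds a key; rely on Workload Identity instead")
    return problems


if __name__ == "__main__":
    # Usage: python3 render_csb_config.py "$CLUSTER_PROJECT_ID" > config.yml
    project = sys.argv[1] if len(sys.argv) > 1 else "my-project"   # placeholder project
    cfg = render_config(project, "csbuser", generate_password(),
                        "servicebroker", generate_password())
    problems = check_config(cfg)
    if problems:
        sys.exit("\n".join(problems))
    sys.stdout.write(cfg)
```

After writing the file, set the generated db.password on the Cloud SQL user with `gcloud sql users set-password csbuser -i ${INSTANCE_NAME} --password=...` and pass the generated api.password to kf create-service-broker in place of the literal password.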

Install Kf Cloud Service Broker

  1. Download kf-csb.yaml.

    gcloud storage cp gs://kf-releases/csb/v1.0.0/kf-csb.yaml /tmp/kf-csb.yaml
  2. Edit /tmp/kf-csb.yaml and replace the placeholders with the final values. The example below uses sed. <INSTANCE_CONNECTION_NAME> is the project:region:instance connection name the Cloud SQL Auth Proxy uses to reach the instance created earlier.

    sed -i "s|<GSA_NAME>|csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com|g" /tmp/kf-csb.yaml
    sed -i "s|<INSTANCE_CONNECTION_NAME>|${CLUSTER_PROJECT_ID}:${COMPUTE_REGION}:${INSTANCE_NAME}|g" /tmp/kf-csb.yaml
    sed -i "s|<DB_PORT>|3306|g" /tmp/kf-csb.yaml
  3. Apply the yaml for Kf Cloud Service Broker.

    kubectl apply -f /tmp/kf-csb.yaml
  4. Verify the installation status of Kf Cloud Service Broker. All pods in the namespace should reach the Running state.

    kubectl get pods -n kf-csb

Create the Service Broker

The user name and password passed here are the api.user and api.password values from config.yml. The broker URL is the cluster-internal service in the kf-csb namespace and uses plain HTTP, so keep the broker reachable only from inside the cluster.

  kf create-service-broker cloud-service-broker servicebroker password http://csb-controller.kf-csb/

Validate the installation

Check the services available in the marketplace.

  kf marketplace

If everything is installed and configured correctly, you will see the following:

  $ kf marketplace

  Broker                Name                          Namespace  Description
  cloud-service-broker  csb-google-bigquery                      A fast, economical and fully managed data warehouse for large-scale data analytics.
  cloud-service-broker  csb-google-dataproc                      Dataproc is a fully-managed service for running Apache Spark and Apache Hadoop clusters in a simpler, more cost-efficient way.
  cloud-service-broker  csb-google-mysql                         Mysql is a fully managed service for the Google Cloud Platform.
  cloud-service-broker  csb-google-postgres                      PostgreSQL is a fully managed service for the Google Cloud Platform.
  cloud-service-broker  csb-google-redis                         Cloud Memorystore for Redis is a fully managed Redis service for the Google Cloud Platform.
  cloud-service-broker  csb-google-spanner                       Fully managed, scalable, relational database service for regional and global application data.
  cloud-service-broker  csb-google-stackdriver-trace             Distributed tracing service
  cloud-service-broker  csb-google-storage-bucket                Google Cloud Storage that uses the Terraform back-end and grants service accounts IAM permissions directly on the bucket.

What's next?

Cleanup

  1. Delete cloud-service-broker.

    kf delete-service-broker cloud-service-broker
  2. Delete the CSB components. Deleting the namespace also removes the csb-secret Secret and the broker pods.

    kubectl delete ns kf-csb
  3. Delete the Cloud SQL for MySQL instance used by Kf Cloud Service Broker.

    gcloud sql instances delete ${INSTANCE_NAME} --project=${CLUSTER_PROJECT_ID}
  4. Remove the IAM policy bindings. Remove all four roles granted earlier, including roles/cloudsql.admin, so the GSA holds no project-level role before it is deleted.

    gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role=roles/cloudsql.client
    gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role=roles/compute.networkUser
    gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role=roles/cloudsql.admin
    gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role=roles/redis.admin
  5. Delete the GSA.

    gcloud iam service-accounts delete csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com \
      --project=${CLUSTER_PROJECT_ID}