Installing, upgrading, and uninstalling Config Connector

This topic describes how to install Config Connector on your cluster.

Prerequisites

To prepare for this task, perform the following steps:

Ensure that you have enabled the Google Kubernetes Engine API.

Ensure that you have installed the Cloud SDK.
Set your default project ID:
```
gcloud config set project [PROJECT_ID]
```
If you are working with zonal clusters, set your default compute zone:
```
gcloud config set compute/zone [COMPUTE_ZONE]
```
If you are working with regional clusters, set your default compute region:
```
gcloud config set compute/region [COMPUTE_REGION]
```
Update gcloud to the latest version:
```
gcloud components update
```

Note: You can override these default settings in gcloud commands using the --project, --zone, and --region operational flags.

You must configure kubectl to connect to your clusters. Follow the steps for GKE clusters or GKE On-Prem clusters.

Creating the ClusterRoleBinding

Config Connector needs permission to create Kubernetes Roles before it can create resources.

Verify that you can create Roles by running the following command.

kubectl auth can-i create roles

If the output is yes, continue to Create an Identity.

If the output is no, create a ClusterRoleBinding in your cluster. This allows you to create Roles. Replace [ACCOUNT_EMAIL] with the email associated with your GCP account.

kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user [ACCOUNT_EMAIL]

The outputs should contain the phrase cluster-admin-binding created. If it does not, contact your account or cluster administrator.

Create an Identity

A Config Connector cluster needs a GCP identity to communicate with other resources. To set up the identity, do the following in order, once per cluster:

Creating an Cloud Identity and Access Management (Cloud IAM) Service Account.
Creating a Service Account Key.
Importing the Key's credentials to your cluster as a Secret.

Create the cnrm-system Service Account with gcloud:
```
gcloud iam service-accounts create cnrm-system
```
Give the IAM Service Account elevated permissions on your project. Replace [PROJECT_ID] with your project ID.

Note: If you prefer to grant editor access to the project replace roles/owner with roles/editor. Granting the editor role allows most Config Connector functionality except [project/organization] wide configurations such as Cloud IAM modifications.
```
gcloud projects add-iam-policy-binding [PROJECT_ID] \
  --member serviceAccount:cnrm-system@[PROJECT_ID].iam.gserviceaccount.com \
  --role roles/owner
```
Create a Service Account Key and export its credentials to a file. Replace [PROJECT_ID] with your project ID and run the following:
```
gcloud iam service-accounts keys create --iam-account \
 cnrm-system@[PROJECT_ID].iam.gserviceaccount.com key.json
```
Create the cnrm-system namespace.
```
kubectl create namespace cnrm-system
```

Import the key's credentials as a Secret.

 kubectl create secret generic gcp-key --from-file key.json --namespace cnrm-system

Remove the credentials from your system.
```
rm key.json
```

Installing Config Connector

You can install Config Connector on your cluster using kubectl.

Installing manually

To manually install Config Connector, download the installation tar file and extract it, then apply the contents to your cluster.

Download the latest installation bundle tar file:

curl -X GET -sLO \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  --location-trusted \
  https://us-central1-cnrm-eap.cloudfunctions.net/download/latest/infra/install-bundle.tar.gz

Extract the tar file:
```
tar zxvf install-bundle.tar.gz
```
Apply the manifests to your cluster:
```
kubectl apply -f install-bundle/
```

Verify Your Installation

Config Connector runs a single system process. You can verify the pod for this process has a STATUS of Running, by executing the following command:

kubectl --namespace cnrm-system get pods

Troubleshooting

Q: The installation bundle or samples archive is empty or seems to be corrupted. A: Verify your authorization token with gcloud auth print-access-token. A valid token is a long string beginning with text similar to ya29.XXXXXXX...X.

gcloud auth print-access-token

If the token is not valid, re-authenticate to GCP.

After authenticating, re-deploy Config Connector.

Uninstalling Config Connector

Manually uninstall Config Connector

To manually uninstall, delete the installation bundle from your cluster.

From the same folder containing the contents of the unpacked tarball from the manual installation, run this command to delete:

kubectl delete -f install-bundle/crds.yaml \
kubectl delete -f install-bundle/0-cnrm-system.yaml

Upgrading Config Connector

Before you begin

Before beginning an upgrade, add the following annotation to each of your Config Connector resources:

...
metadata:
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
...

Manual Upgrade

To manually upgrade Config Connector:

Run the manual uninstall steps
Run the manual install steps

What's next

Get started with Config Connector.

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated August 15, 2019.

Installing, upgrading, and uninstalling Config Connector

Prerequisites

Creating the ClusterRoleBinding

Create an Identity

Installing Config Connector

Installing manually

Verify Your Installation

Troubleshooting

Uninstalling Config Connector

Manually uninstall Config Connector

Upgrading Config Connector

Before you begin

Manual Upgrade

What's next

Send feedback about...