Déployer Kf Cloud Service Broker

Cette page vous explique comment déployer Kf Cloud Service Broker pour Google Cloud et l'utiliser pour provisionner ou annuler la gestion des ressources de sauvegarde. Découvrez les concepts et l'architecture pour en savoir plus sur Kf Cloud Service Broker.

Créez des variables d'environnement

Linux

export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export INSTANCE_NAME=cloud-service-broker
export COMPUTE_REGION=us-central1

Windows Powershell

Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name INSTANCE_NAME -Value cloud-service-broker
Set-Variable -Name COMPUTE_REGION -Value us-central1

Configurer la base de données Kf Cloud Service Broker

  1. Créer une instance Cloud SQL pour MySQL

    gcloud sql instances create ${INSTANCE_NAME} --cpu=2 --memory=7680MB --require-ssl --region=${COMPUTE_REGION}
  2. Créez une base de données nommée servicebroker dans l'instance Cloud SQL pour MySQL.

    gcloud sql databases create servicebroker -i ${INSTANCE_NAME}
  3. Créez un nom d'utilisateur et un mot de passe pour Kf Cloud Service Broker.

    gcloud sql users create csbuser -i ${INSTANCE_NAME} --password=csbpassword

Configurer un compte de service Google (GSA) pour Kf Cloud Service Broker

  1. Créez un compte de service Google.

    gcloud iam service-accounts create csb-${CLUSTER_NAME}-sa \
      --project=${CLUSTER_PROJECT_ID} \
      --description="GSA for CSB at ${CLUSTER_NAME}" \
      --display-name="csb-${CLUSTER_NAME}"
  2. Accordez des autorisations roles/cloudsql.client au compte de service. Cette opération est nécessaire pour connecter le pod Kf Cloud Service Broker à l'instance Cloud SQL pour MySQL via le proxy d'authentification Cloud SQL.

    gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/cloudsql.client"
  3. Accordez des autorisations Google Cloud supplémentaires au compte de service.

    gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/compute.networkUser"
    gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/cloudsql.admin"
    gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
      --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --role="roles/redis.admin"
  4. Validez les autorisations.

    gcloud projects get-iam-policy ${CLUSTER_PROJECT_ID} \
      --filter='bindings.members:serviceAccount:"CSB_SERVICE_ACCOUNT_NAME"' \
      --flatten="bindings[].members"

Configurer Workload Identity pour Kf Cloud Service Broker

  1. Associez le compte de service Google au compte de service Kubernetes.

    gcloud iam service-accounts add-iam-policy-binding "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --project=${CLUSTER_PROJECT_ID} \
      --role="roles/iam.workloadIdentityUser" \
      --member="serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf-csb/csb-user]"
  2. Validez la liaison.

    gcloud iam service-accounts get-iam-policy "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
      --project=${CLUSTER_PROJECT_ID}

Configurer un secret Kubernetes pour partager la configuration avec Kf Cloud Service Broker

  1. Créez un fichier config.yml.

    cat << EOF >> ./config.yml
    gcp:
      credentials: ""
      project: ${CLUSTER_PROJECT_ID}
    db:
      host: 127.0.0.1
      password: csbpassword
      user: csbuser
      tls: false
    api:
      user: servicebroker
      password: password
    EOF
  2. Créez l'espace de noms kf-csb.

    kubectl create ns kf-csb
  3. Créez le secret Kubernetes.

    kubectl create secret generic csb-secret --from-file=config.yml -n kf-csb

Installer Kf Cloud Service Broker

  1. Téléchargez le fichier kf-csb.yml.

    gcloud storage cp gs://kf-releases/csb/v1.0.0/kf-csb.yaml /tmp/kf-csb.yaml
  2. Modifiez /tmp/kf-csb.yaml et remplacez les espaces réservés par les valeurs finales. Dans l'exemple ci-dessous, sed est utilisé.

    sed -i "s|<GSA_NAME>|csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com|g" /tmp/kf-csb.yaml
    sed -i "s|<INSTANCE_CONNECTION_NAME>|${CLUSTER_PROJECT_ID}:${COMPUTE_REGION}:${INSTANCE_NAME}|g" /tmp/kf-csb.yaml
    sed -i "s|<DB_PORT>|3306|g" /tmp/kf-csb.yaml
  3. Appliquez le fichier yaml pour Kf Cloud Service Broker.

    kubectl apply -f /tmp/kf-csb.yaml
  4. Vérifiez l'état d'installation de Kf Cloud Service Broker.

    kubectl get pods -n kf-csb

Créer un agent de service

  kf create-service-broker cloud-service-broker servicebroker password http://csb-controller.kf-csb/

Valider l'installation

Vérifiez les services disponibles sur la place de marché.

  kf marketplace

Si tous les éléments sont correctement installés et configurés, vous devriez obtenir le résultat suivant :

  $ kf marketplace

  Broker                Name                          Namespace  Description
  cloud-service-broker  csb-google-bigquery                      A fast, economical and fully managed data warehouse for large-scale data analytics.
  cloud-service-broker  csb-google-dataproc                      Dataproc is a fully-managed service for running Apache Spark and Apache Hadoop clusters in a simpler, more cost-efficient way.
  cloud-service-broker  csb-google-mysql                         Mysql is a fully managed service for the Google Cloud Platform.
  cloud-service-broker  csb-google-postgres                      PostgreSQL is a fully managed service for the Google Cloud Platform.
  cloud-service-broker  csb-google-redis                         Cloud Memorystore for Redis is a fully managed Redis service for the Google Cloud Platform.
  cloud-service-broker  csb-google-spanner                       Fully managed, scalable, relational database service for regional and global application data.
  cloud-service-broker  csb-google-stackdriver-trace             Distributed tracing service
  cloud-service-broker  csb-google-storage-bucket                Google Cloud Storage that uses the Terraform back-end and grants service accounts IAM permissions directly on the bucket.

Étape suivante

Nettoyer

  1. Supprimez cloud-service-broker.

    kf delete-service-broker cloud-service-broker
  2. Supprimez les composants CSB.

    kubectl delete ns kf-csb
  3. Supprimez l'instance Cloud SQL pour MySQL Kf Cloud Service Broker.

    gcloud sql instances delete ${INSTANCE_NAME} --project=${CLUSTER_PROJECT_ID}
  4. Supprimez les liaisons de stratégie IAM.

    gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member='serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com' \
    --role=roles/cloudsql.client
    gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member='serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com' \
    --role=roles/compute.networkUser
    gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member='serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com' \
    --role=roles/redis.admin
  5. Supprimez le GSA.

    gcloud iam service-accounts delete csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com \
      --project=${CLUSTER_PROJECT_ID}