This page shows how to deploy Kf Cloud Service Broker for Google Cloud and use it to provision or deprovision backing resources. Read the concepts and architecture to learn more about Kf Cloud Service Broker.
Create environment variables
Linux
export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export INSTANCE_NAME=cloud-service-broker
export COMPUTE_REGION=us-central1
Windows PowerShell
Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name INSTANCE_NAME -Value cloud-service-broker
Set-Variable -Name COMPUTE_REGION -Value us-central1
Set up the Kf Cloud Service Broker database
Create a Cloud SQL for MySQL instance.
gcloud sql instances create ${INSTANCE_NAME} --cpu=2 --memory=7680MB --require-ssl --region=${COMPUTE_REGION}
Create a database named servicebroker in the Cloud SQL for MySQL instance.
gcloud sql databases create servicebroker -i ${INSTANCE_NAME}
Create a username and password to be used by Kf Cloud Service Broker.
gcloud sql users create csbuser -i ${INSTANCE_NAME} --password=csbpassword
Set up a Google Service Account (GSA) for Kf Cloud Service Broker
Create a Google Service Account.
gcloud iam service-accounts create csb-${CLUSTER_NAME}-sa \
    --project=${CLUSTER_PROJECT_ID} \
    --description="GSA for CSB at ${CLUSTER_NAME}" \
    --display-name="csb-${CLUSTER_NAME}"
Grant the roles/cloudsql.client permission to the Service Account. This step is required to connect the Kf Cloud Service Broker pod to the Cloud SQL for MySQL instance through the Cloud SQL Auth proxy.
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --role="roles/cloudsql.client"
Grant additional Google Cloud permissions to the Service Account.
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --role="roles/compute.networkUser"
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --role="roles/cloudsql.admin"
gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --role="roles/redis.admin"
Verify the permissions.
gcloud projects get-iam-policy ${CLUSTER_PROJECT_ID} \
    --filter='bindings.members:serviceAccount:"CSB_SERVICE_ACCOUNT_NAME"' \
    --flatten="bindings[].members"
Set up Workload Identity for Kf Cloud Service Broker
Bind the Google Service Account to the Kubernetes Service Account.
gcloud iam service-accounts add-iam-policy-binding "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --project=${CLUSTER_PROJECT_ID} \
    --role="roles/iam.workloadIdentityUser" \
    --member="serviceAccount:${CLUSTER_PROJECT_ID}.svc.id.goog[kf-csb/csb-user]"
Verify the binding.
gcloud iam service-accounts get-iam-policy "csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --project=${CLUSTER_PROJECT_ID}
Set up a Kubernetes Secret to share configuration with Kf Cloud Service Broker
Create the config.yml file.
cat << EOF >> ./config.yml
gcp:
  credentials: ""
  project: ${CLUSTER_PROJECT_ID}

db:
  host: 127.0.0.1
  password: csbpassword
  user: csbuser
  tls: false
api:
  user: servicebroker
  password: password
EOF
Create the kf-csb namespace.
kubectl create ns kf-csb
Create the Kubernetes Secret.
kubectl create secret generic csb-secret --from-file=config.yml -n kf-csb
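The config.yml above carries fixed sample passwords. This added example (not part of the original page) generates the database and API passwords randomly and writes config.yml with owner-only permissions. The function names gen_secret, write_csb_config and has_sample_credentials are hypothetical; the YAML keys and the commands in the comments are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): generate the two broker
# passwords randomly and write config.yml readable only by its owner.

# gen_secret: 24 bytes from the kernel CSPRNG, printed as 48 hex characters.
gen_secret() {
  od -An -N24 -tx1 /dev/urandom | tr -dc '0-9a-f'
}

# write_csb_config FILE PROJECT DB_PASSWORD API_PASSWORD
# Same keys as the page's config.yml. The file is recreated with '>' under
# umask 077, so a re-run neither appends a second document nor leaves the
# credentials world-readable.
write_csb_config() {
  rm -f "$1"
  (
    umask 077
    cat > "$1" <<EOF
gcp:
  credentials: ""
  project: $2

db:
  host: 127.0.0.1
  password: "$3"
  user: csbuser
  tls: false
api:
  user: servicebroker
  password: "$4"
EOF
  )
}

# has_sample_credentials FILE: succeeds if FILE still carries the page's
# sample passwords (csbpassword / password), i.e. was never customised.
has_sample_credentials() {
  grep -Eq '^[[:space:]]*password:[[:space:]]*"?(csbpassword|password)"?[[:space:]]*$' "$1"
}

# Wiring into the page's commands (needs gcloud, kubectl and kf):
#   DB_PASSWORD=$(gen_secret); API_PASSWORD=$(gen_secret)
#   gcloud sql users create csbuser -i "${INSTANCE_NAME}" --password="${DB_PASSWORD}"
#   write_csb_config ./config.yml "${CLUSTER_PROJECT_ID}" "${DB_PASSWORD}" "${API_PASSWORD}"
#   kubectl create secret generic csb-secret --from-file=config.yml -n kf-csb
#   kf create-service-broker cloud-service-broker servicebroker "${API_PASSWORD}" http://csb-controller.kf-csb/
```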
Install Kf Cloud Service Broker
Download kf-csb.yaml.
gsutil cp gs://kf-releases/csb/v1.0.0/kf-csb.yaml /tmp/kf-csb.yaml
Edit /tmp/kf-csb.yaml and replace the placeholders with the final values. In the example below, sed is used.
sed -i "s|<GSA_NAME>|csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com|g" /tmp/kf-csb.yaml
sed -i "s|<INSTANCE_CONNECTION_NAME>|${CLUSTER_PROJECT_ID}:${COMPUTE_REGION}:${INSTANCE_NAME}|g" /tmp/kf-csb.yaml
sed -i "s|<DB_PORT>|3306|g" /tmp/kf-csb.yaml
Apply the yaml for Kf Cloud Service Broker.
kubectl apply -f /tmp/kf-csb.yaml
Verify the installation status of Kf Cloud Service Broker.
kubectl get pods -n kf-csb
Create the Service Broker
kf create-service-broker cloud-service-broker servicebroker password http://csb-controller.kf-csb/
Validate the installation
Check the services available in the marketplace.
kf marketplace
If everything is installed and configured correctly, you will see the following:
$ kf marketplace
Broker                Name                          Namespace  Description
cloud-service-broker  csb-google-bigquery                      A fast, economical and fully managed data warehouse for large-scale data analytics.
cloud-service-broker  csb-google-dataproc                      Dataproc is a fully-managed service for running Apache Spark and Apache Hadoop clusters in a simpler, more cost-efficient way.
cloud-service-broker  csb-google-mysql                         Mysql is a fully managed service for the Google Cloud Platform.
cloud-service-broker  csb-google-postgres                      PostgreSQL is a fully managed service for the Google Cloud Platform.
cloud-service-broker  csb-google-redis                         Cloud Memorystore for Redis is a fully managed Redis service for the Google Cloud Platform.
cloud-service-broker  csb-google-spanner                       Fully managed, scalable, relational database service for regional and global application data.
cloud-service-broker  csb-google-stackdriver-trace             Distributed tracing service
cloud-service-broker  csb-google-storage-bucket                Google Cloud Storage that uses the Terraform back-end and grants service accounts IAM permissions directly on the bucket.
What's next?
- Test Kf Cloud Service Broker with our Spring Music guide.
Clean up
Delete the cloud-service-broker.
kf delete-service-broker cloud-service-broker
Delete the CSB components.
kubectl delete ns kf-csb
Delete the Kf Cloud Service Broker's Cloud SQL for MySQL instance.
gcloud sql instances delete ${INSTANCE_NAME} --project=${CLUSTER_PROJECT_ID}
Remove the IAM policy bindings.
gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --role=roles/cloudsql.client
gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --role=roles/compute.networkUser
gcloud projects remove-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member="serviceAccount:csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --role=roles/redis.admin
Delete the GSA.
gcloud iam service-accounts delete csb-${CLUSTER_NAME}-sa@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com \
    --project=${CLUSTER_PROJECT_ID}
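The role grants, the verification step and the cleanup commands on this page can be checked against each other. This added example (not part of the original page) diffs the roles bound to the CSB service account against the four roles granted during setup, or against an empty list after the remove-iam-policy-binding commands; the cleanup section has no remove command for roles/cloudsql.admin, which the constructed sample reflects. The function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compare the roles bound to the
# CSB service account with the roles this page grants.

# The four project-level roles granted in the setup steps on this page.
CSB_EXPECTED_ROLES="roles/cloudsql.admin
roles/cloudsql.client
roles/compute.networkUser
roles/redis.admin"

# csb_granted_roles PROJECT GSA_EMAIL: one role per line (needs gcloud).
# Same query as the page's verification step, plus --format to print roles only.
csb_granted_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# role_diff EXPECTED ACTUAL: both are newline-separated role lists.
# Prints "missing ROLE" for expected roles that are absent and
# "unexpected ROLE" for bound roles outside the expected set.
role_diff() {
  exp=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  act=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
  for r in $exp; do
    printf '%s\n' "$act" | grep -qxF -- "$r" || echo "missing $r"
  done
  for r in $act; do
    printf '%s\n' "$exp" | grep -qxF -- "$r" || echo "unexpected $r"
  done
}

# Constructed sample: roles left after running only the three
# remove-iam-policy-binding commands shown in the cleanup section.
SAMPLE_AFTER_CLEANUP="roles/cloudsql.admin"

# After setup:   role_diff "$CSB_EXPECTED_ROLES" "$(csb_granted_roles "$P" "$GSA")"
# After cleanup: role_diff "" "$(csb_granted_roles "$P" "$GSA")"
```

Empty output means the bound roles match the expected set exactly; any "unexpected" line after cleanup is a binding that still needs its own remove-iam-policy-binding call.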