Prepare to setup the Gateway API for Cloud Service Mesh
This page describes how to install the custom resource definitions that the Gateway API requires into your cluster, and the cluster, fleet, and IAM setup that must be in place first.
Limitations
- Having a mix of gateway config-api and istio config-api clusters in the same fleet is not supported.
- Multi-cluster service discovery and load balancing is not supported for gateway config-api clusters.
- If a cluster is onboarded using the existing --management automatic flag, the cluster starts using the istio configuration API and cannot change to the gateway API.
- Only FQDNs are supported. Short names are not supported.
Prerequisites
As a starting point, this guide assumes that you have already created a Google Cloud project and installed kubectl.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Kubernetes Engine, GKE Hub, and Cloud Service Mesh APIs.
Create and register a GKE cluster
gcloud
Create a GKE cluster:
gcloud container clusters create CLUSTER_NAME \
--location=LOCATION \
--enable-ip-alias \
--scopes=https://www.googleapis.com/auth/cloud-platform \
--release-channel=regular \
--project=PROJECT_ID \
--gateway-api=standard \
--workload-pool=PROJECT_ID.svc.id.goog \
--workload-metadata=GKE_METADATA
where:
- CLUSTER_NAME is the name of your cluster
- LOCATION is the location of your cluster
- PROJECT_ID is the project ID of your cluster
Console
Go to the Google Kubernetes Engine page in the Google Cloud console.
Click Create.
In the Standard section, click Configure.
In the Cluster basics section, complete the following:
- Enter the Name for your cluster.
- For the Location type, select a Compute Engine region for your cluster.
In the navigation pane, click default-pool under Node Pools section, and select Security.
In the Access scopes list, select Set access for each API, and set Cloud Platform as Enabled.
In the navigation pane, click Networking under Cluster section.
In the Cluster Networking list, select Enable Gateway API.
In the navigation pane, click Security under Cluster section.
In the Security list, select Enable Workload Identity.
Click Create.
After the cluster is created, register your cluster to a fleet:
gcloud container fleet memberships register CLUSTER_NAME \
--gke-cluster LOCATION/CLUSTER_NAME \
--project=PROJECT_ID
Verify that the cluster is registered to the fleet:
gcloud container fleet memberships list --project=PROJECT_ID
The output is similar to:
NAME        EXTERNAL_ID                           LOCATION
my-cluster  91980bb9-593c-4b36-9170-96445c9edd39  us-west1
Set up permissions
The trafficdirector.client binding below uses the member group:PROJECT_ID.svc.id.goog:/allAuthenticatedUsers/, which is every Kubernetes service account in every namespace of every cluster that uses the project's workload identity pool. That is the quickest way to get started, but for least privilege you can instead use Workload Identity Federation for GKE to bind the role only to the Kubernetes service accounts that your mesh workloads run as.
Grant the trafficdirector.client role:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "group:PROJECT_ID.svc.id.goog:/allAuthenticatedUsers/" \
--role "roles/trafficdirector.client"
Grant the container.developer role to the GKE service agent:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com" \
--role "roles/container.developer"
where PROJECT_NUMBER is your project number.
Grant the compute.networkAdmin role to the same service agent:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member "serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com" \
--role "roles/compute.networkAdmin"
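The pool-wide binding above is the one an access review will flag, so it helps to have a check that finds it and produces the narrower replacement. The following is an added example, not code from the Cloud Service Mesh documentation or from Google's tooling: it reads the JSON that gcloud projects get-iam-policy PROJECT_ID --format=json prints, reports any roles/trafficdirector.client grant made to a whole workload identity pool, and emits the gcloud commands that replace it with per-service-account bindings in the serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME] member form that Workload Identity Federation for GKE accepts. The embedded policy, the project ID my-project, and the namespace/service-account pairs are constructed for the demo. Run the generated remove command only after every mesh workload's service account has its own binding; a workload whose service account is not listed loses the role.

```python
"""Audit a project IAM policy for pool-wide trafficdirector.client grants.

Added example for the Cloud Service Mesh setup page; not part of Google's
documentation or tooling. Input is the JSON printed by
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json
import re

TD_CLIENT_ROLE = "roles/trafficdirector.client"

# Member produced by the documented command: every Kubernetes service account
# in every namespace of every cluster that uses the project's workload pool.
POOL_WIDE_RE = re.compile(
    r"^group:(?P<project>.+)\.svc\.id\.goog:/allAuthenticatedUsers/$"
)


def ksa_member(project_id: str, namespace: str, ksa: str) -> str:
    """IAM member for one Kubernetes service account in one namespace."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa}]"


def pool_wide_td_bindings(policy: dict) -> list[str]:
    """Return the project IDs whose whole workload identity pool holds
    trafficdirector.client. IAM conditions are ignored on purpose: a
    conditional pool-wide grant is still reported for review."""
    projects = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != TD_CLIENT_ROLE:
            continue
        for member in binding.get("members", []):
            match = POOL_WIDE_RE.match(member)
            if match:
                projects.append(match.group("project"))
    return projects


def remediation_commands(project_id: str, workloads: list[tuple[str, str]]) -> list[str]:
    """gcloud commands that bind the role to the named (namespace, ksa)
    pairs and then drop the pool-wide grant. Order matters: the adds come
    first so no workload is ever without the role."""
    cmds = [
        f"gcloud projects add-iam-policy-binding {project_id} "
        f'--member "{ksa_member(project_id, ns, ksa)}" --role "{TD_CLIENT_ROLE}"'
        for ns, ksa in workloads
    ]
    cmds.append(
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f'--member "group:{project_id}.svc.id.goog:/allAuthenticatedUsers/" '
        f'--role "{TD_CLIENT_ROLE}"'
    )
    return cmds


# Constructed sample in the shape gcloud prints; project ID is hypothetical.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"members": ["group:my-project.svc.id.goog:/allAuthenticatedUsers/"],
     "role": "roles/trafficdirector.client"},
    {"members": ["serviceAccount:service-123456789@container-engine-robot.iam.gserviceaccount.com"],
     "role": "roles/container.developer"}
  ],
  "etag": "BwXyz",
  "version": 1
}
""")

if __name__ == "__main__":
    # Hypothetical mesh workloads: (namespace, Kubernetes service account).
    mesh_workloads = [("default", "default"), ("payments", "checkout")]
    for project in pool_wide_td_bindings(SAMPLE_POLICY):
        print(f"pool-wide {TD_CLIENT_ROLE} grant in {project}; replace with:")
        for cmd in remediation_commands(project, mesh_workloads):
            print("  " + cmd)
```

To run it against a real project, pipe the gcloud output into the script and pass it to pool_wide_td_bindings after json.load; the namespace/service-account list should come from the deployments that actually carry the mesh sidecar, not from a guess.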
Enable Cloud Service Mesh
Enable the mesh feature:
gcloud container fleet mesh enable --project PROJECT_ID
Update the mesh to use the Gateway API:
gcloud alpha container fleet mesh update \
--config-api gateway \
--memberships CLUSTER_NAME \
--project PROJECT_ID
Verify the update by describing the status of the Cloud Service Mesh resource:
gcloud alpha container fleet mesh describe
Set your fleet's new memberships to use the Gateway API by default (optional)
Alternatively, you can create fleet-level default settings so that new GKE clusters registered to the fleet at cluster-creation time are automatically configured with the Gateway API.
Create a YAML file that selects the Gateway API:
echo "configapi: gateway" > mesh.yaml
Update your mesh:
gcloud alpha container fleet mesh update --project FLEET_PROJECT_ID \
--fleet-default-member-config mesh.yaml
Create a cluster and register it to your fleet in one step so that it picks up the default configuration:
gcloud container clusters create CLUSTER_NAME \
--project PROJECT_ID \
--fleet-project FLEET_PROJECT_ID \
--location=LOCATION \
--workload-pool=PROJECT_ID.svc.id.goog \
--workload-metadata=GKE_METADATA
The last two flags enable Workload Identity Federation for GKE and run the GKE Metadata Server on your nodes; they are the same flags used in the cluster-creation command earlier on this page.
Install custom resource definitions
Generate a kubeconfig entry for your cluster:
gcloud container clusters get-credentials CLUSTER_NAME --location LOCATION --project PROJECT_ID
where:
- CLUSTER_NAME is the name of your cluster
- LOCATION is the location of your cluster
- PROJECT_ID is the project ID of your cluster
Install the GRPCRoute custom resource definition (CRD). The URL is pinned to Gateway API release v1.1.0, and the manifest is applied straight from the network with cluster-wide privileges, so keep the version pinned and review the downloaded manifest before applying it outside a test project:
curl https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.1.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml \
| kubectl apply -f -
The output is similar to:
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created