https://cloud.google.com/config-connector/docs/how-to/getting-started?hl=ja
https://cloud.google.com/config-connector/docs/how-to/install-manually?hl=ja
https://cloud.google.com/apigee/docs/hybrid/v1.12/install-workload-identity?hl=ja
-- 1. 前作業
# 1. Prerequisites: sign in, create the project, point gcloud at it,
#    attach a billing account and enable Compute Engine.
gcloud init
gcloud auth list
gcloud --version
gcloud projects create project01-9999999 --name="project01"
gcloud config list
gcloud config set project project01-9999999
gcloud config set compute/region asia-northeast1 --quiet
gcloud config set compute/zone asia-northeast1-a --quiet
# The billing-account id below is a placeholder; pick the real one from this list.
gcloud beta billing accounts list
gcloud beta billing projects link project01-9999999 \
  --billing-account=111111-111111-111111
gcloud services enable compute.googleapis.com --project=project01-9999999
gcloud components update
-- 2. Google Kubernetes Engine API, Service Usage API を有効化
# 2. Enable the GKE and Service Usage APIs (Config Connector needs both).
gcloud services list --enabled
gcloud services enable container.googleapis.com --project=project01-9999999
gcloud services enable serviceusage.googleapis.com --project=project01-9999999
-- 3. kubectlインストール
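# 3. Install kubectl (macOS, Intel build) and verify the download against the
#    published SHA-256 before moving it into PATH, so a tampered or truncated
#    binary is rejected instead of installed as root-owned.
kubectl_ver=$(curl -L -s https://dl.k8s.io/release/stable.txt)
curl -LO "https://dl.k8s.io/release/${kubectl_ver}/bin/darwin/amd64/kubectl"
curl -LO "https://dl.k8s.io/release/${kubectl_ver}/bin/darwin/amd64/kubectl.sha256"
# shasum exits non-zero on mismatch; stop here if it does.
printf '%s  kubectl\n' "$(cat kubectl.sha256)" | shasum -a 256 --check || exit 1
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl
sudo chown root: /usr/local/bin/kubectl
kubectl version --client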
-- 4. Autopilot GKE クラスターの作成
Workload Identity と Kubernetes Engine Monitoring を有効にした GKE クラスタの作成
# 4. Create the Autopilot cluster with system monitoring, then confirm the
#    autopilot and workloadIdentityConfig settings that Config Connector relies on.
gcloud container clusters create-auto gke01 \
  --region=asia-northeast1 \
  --project=project01-9999999 \
  --monitoring=SYSTEM
gcloud container clusters list
gcloud container clusters describe gke01 --region=asia-northeast1 | grep -A3 autopilot
gcloud container clusters describe gke01 \
  --region=asia-northeast1 \
  --project=project01-9999999 \
  --flatten='workloadIdentityConfig'
-- 5. クラスターに接続する
# 5. Fetch kubeconfig credentials for the cluster and sanity-check access.
gcloud container clusters get-credentials gke01 \
  --region=asia-northeast1 \
  --project=project01-9999999
kubectl get nodes --output=wide
kubectl get pods --namespace=kube-system
-- 6. Config Connector Operator のインストール
# 6. Install the Config Connector Operator.
# NOTE(review): "latest" is an unpinned, moving bundle; for a reproducible and
# reviewable install, record the bundle version actually applied.
gcloud storage cp gs://configconnector-operator/latest/release-bundle.tar.gz \
  release-bundle.tar.gz
tar -xzvf release-bundle.tar.gz
kubectl apply -f operator-system/autopilot-configconnector-operator.yaml
-- 7. ID を作成
# 7. Create the Google service account Config Connector will act as, grant it
#    project access, and let the cnrm-controller-manager Kubernetes service
#    account impersonate it through Workload Identity.
gcloud iam service-accounts create sa99999999
# roles/editor is broad: every resource Config Connector can reconcile in the
# project is reachable with it. Scope this down to the roles the managed
# resources actually need once the walkthrough is done.
gcloud projects add-iam-policy-binding project01-9999999 \
  --member="serviceAccount:sa99999999@project01-9999999.iam.gserviceaccount.com" \
  --role="roles/editor"
# Workload Identity binding: KSA cnrm-system/cnrm-controller-manager -> this GSA.
gcloud iam service-accounts add-iam-policy-binding \
  sa99999999@project01-9999999.iam.gserviceaccount.com \
  --member="serviceAccount:project01-9999999.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
  --role="roles/iam.workloadIdentityUser"
-- 8. Config Connector を構成
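# 8. Configure Config Connector in cluster mode, running as the service account
#    created above. The manifest is written with a quoted here-doc so the YAML
#    keeps its nesting (the pasted copy had lost its indentation).
cat > configconnector.yaml <<'EOF'
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  # the name is restricted to ensure that there is only one
  # ConfigConnector resource installed in your cluster
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  googleServiceAccount: "sa99999999@project01-9999999.iam.gserviceaccount.com"
  # Setting `stateIntoSpec` to `Absent` is recommended. It means setting `cnrm.cloud.google.com/state-into-spec`
  # annotation to `absent` for all Config Connector resources created in the cluster in the future.
  # It prevents Config Connector from populating unspecified fields into the spec.
  stateIntoSpec: Absent
EOF
kubectl apply -f configconnector.yaml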
-- 9. リソースを作成する場所の指定
# 9. Namespace whose Config Connector resources are created in this project.
kubectl create namespace ns01
kubectl annotate namespace ns01 \
  cnrm.cloud.google.com/project-id=project01-9999999
-- 10. インストールの確認
# 10. Block until every Config Connector pod reports Ready.
kubectl wait --namespace=cnrm-system --for=condition=Ready pod --all
-- 11. 利用可能な Google Cloud リソースの確認
# 11. List the Google Cloud resource kinds Config Connector manages, and
#     inspect the Pub/Sub topic CRD used below.
kubectl get crds --selector=cnrm.cloud.google.com/managed-by-kcc=true
kubectl describe crd pubsubtopics.pubsub.cnrm.cloud.google.com
-- 12. Pub/Sub サービスの有効化
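# 12. Enable the Pub/Sub API through a Config Connector Service resource.
#     Written with a here-doc instead of an interactive editor so the nesting
#     under spec/projectRef is preserved exactly.
cat > enable-pubsub.yaml <<'EOF'
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  name: pubsub.googleapis.com
spec:
  projectRef:
    external: projects/project01-9999999
EOF
kubectl apply -f enable-pubsub.yaml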
-- 13. Pub/Sub インスタンスの作成
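# 13. Create a Pub/Sub topic via Config Connector and wait for reconciliation.
#     Here-doc keeps the annotations/labels nested under metadata.
cat > pubsub-topic.yaml <<'EOF'
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: project01-9999999
  labels:
    environment: dev
  name: topic01
EOF
kubectl apply -f pubsub-topic.yaml
kubectl describe pubsubtopics
kubectl wait --for=condition=READY pubsubtopics topic01
# Confirm the topic exists on the Google Cloud side, not just as a K8s object.
gcloud pubsub topics list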
-- 14. クリーンアップ
# 14. Clean up: remove the topic through Config Connector first, then tear
#     down the cluster and the project.
kubectl delete -f pubsub-topic.yaml
gcloud container clusters delete gke01 --region=asia-northeast1 --quiet
gcloud projects list
gcloud projects delete project01-9999999 --quiet
gcloud beta billing projects unlink project01-9999999