{GCP GKE}Config Connector を使ってみる

 

https://cloud.google.com/config-connector/docs/how-to/getting-started?hl=ja

https://cloud.google.com/config-connector/docs/how-to/install-manually?hl=ja

https://cloud.google.com/apigee/docs/hybrid/v1.12/install-workload-identity?hl=ja

 


-- 1. 前作業

# Step 1: bootstrap the gcloud CLI, create the project and attach billing.
# The project ID and billing account below are placeholders for the write-up;
# substitute your own values.
gcloud init
gcloud auth list
gcloud --version

# Create the project, then make it the default so later commands can omit it.
gcloud projects create project01-9999999 --name="project01"

gcloud config list
gcloud config set project project01-9999999
gcloud config set compute/region asia-northeast1 --quiet
gcloud config set compute/zone asia-northeast1-a --quiet

# Link a billing account to the new project.
gcloud beta billing accounts list
gcloud beta billing projects link project01-9999999 \
  --billing-account=111111-111111-111111

gcloud services enable compute.googleapis.com --project=project01-9999999

# Update the installed gcloud components.
gcloud components update

 


-- 2. Google Kubernetes Engine API, Service Usage API を有効化

# Step 2: see which APIs are already on, then enable GKE and Service Usage
# (the Service Usage API is what the Config Connector Service resource in
# step 12 goes through).
gcloud services list --enabled

gcloud services enable container.googleapis.com --project=project01-9999999
gcloud services enable serviceusage.googleapis.com --project=project01-9999999

 


-- 3. kubectlインストール

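# Step 3: install kubectl from the official release bucket.
# The original fetched a fixed darwin/amd64 binary and never verified it.
# This picks the binary for the current OS/arch and checks it against the
# SHA-256 digest published next to it before it is placed in PATH as root.
install_kubectl() {
  local version os arch url
  version="$(curl -fsSL https://dl.k8s.io/release/stable.txt)" || return 1
  os="$(uname -s | tr '[:upper:]' '[:lower:]')"        # darwin / linux
  case "$(uname -m)" in
    x86_64)        arch=amd64 ;;
    arm64|aarch64) arch=arm64 ;;
    *) echo "unsupported architecture: $(uname -m)" >&2; return 1 ;;
  esac
  url="https://dl.k8s.io/release/${version}/bin/${os}/${arch}/kubectl"

  # -f makes curl fail on HTTP errors instead of saving an error page as "kubectl".
  curl -fsSLO "${url}" || return 1
  curl -fsSLO "${url}.sha256" || return 1

  # Refuse to install a binary whose digest does not match the published one.
  # macOS ships shasum; Linux ships sha256sum.
  if command -v sha256sum >/dev/null 2>&1; then
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check --status
  else
    echo "$(cat kubectl.sha256)  kubectl" | shasum -a 256 --check --status
  fi || { echo "kubectl checksum mismatch" >&2; rm -f kubectl; return 1; }

  chmod +x ./kubectl
  sudo mv ./kubectl /usr/local/bin/kubectl
  sudo chown root: /usr/local/bin/kubectl

  kubectl version --client
}
install_kubectl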

 

-- 4. Autopilot GKE クラスターの作成

Workload Identity と Kubernetes Engine Monitoring を有効にした GKE クラスタの作成（Autopilot では Workload Identity は既定で有効のため、専用のフラグ指定は不要）


# Step 4: create an Autopilot cluster. No Workload Identity flag is passed
# because Autopilot enables it by default; --monitoring=SYSTEM restricts
# Cloud Monitoring collection to the SYSTEM component set.
gcloud container clusters create-auto gke01 \
  --region=asia-northeast1 \
  --project=project01-9999999 \
  --monitoring=SYSTEM

gcloud container clusters list

# Confirm the Workload Identity pool is set, then eyeball the autopilot block.
gcloud container clusters describe gke01 \
  --region=asia-northeast1 \
  --project=project01-9999999 \
  --flatten='workloadIdentityConfig'

gcloud container clusters describe gke01 --region=asia-northeast1 \
  | grep -A3 autopilot

 

 

-- 5. クラスターに接続する

# Step 5: write cluster credentials into kubeconfig and sanity-check access.
gcloud container clusters get-credentials gke01 \
  --region=asia-northeast1 \
  --project=project01-9999999

kubectl get nodes -o wide
kubectl -n kube-system get pods

 

-- 6. Config Connector Operator のインストール

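# Step 6: install the Config Connector operator from Google's release bucket.
# "latest" is a moving target: pin CC_VERSION to a specific release so the
# install is reproducible and an operator upgrade is a deliberate change,
# not a side effect of re-running these notes.
CC_VERSION="${CC_VERSION:-latest}"
CC_BUNDLE="gs://configconnector-operator/${CC_VERSION}/release-bundle.tar.gz"

gcloud storage cp "${CC_BUNDLE}" release-bundle.tar.gz

# List the archive before extracting so unexpected paths stand out; the
# manifests land under ./operator-system.
tar tzf release-bundle.tar.gz
tar zxvf release-bundle.tar.gz

# Autopilot clusters need the autopilot variant of the operator manifest.
# It creates cluster-wide objects (CRDs, RBAC, the operator workload) —
# read it before applying.
kubectl apply -f operator-system/autopilot-configconnector-operator.yaml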


-- 7. ID を作成

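# Step 7: identity for Config Connector.
# A Google service account (GSA) is created, granted a role on the project,
# and then bound to the Kubernetes service account
# cnrm-system/cnrm-controller-manager through Workload Identity so the
# controller can act as that GSA.
#
# roles/editor is what the getting-started guide uses, but it lets the
# controller modify almost anything in the project. Outside a throwaway
# project, set CC_GSA_ROLE (or add several bindings) to the narrowest roles
# covering the resource kinds actually managed — in this walkthrough that is
# Service Usage (step 12) and Pub/Sub (step 13).
CC_GSA_ROLE="${CC_GSA_ROLE:-roles/editor}"

gcloud iam service-accounts create sa99999999 \
  --project=project01-9999999

gcloud projects add-iam-policy-binding project01-9999999 \
  --member="serviceAccount:sa99999999@project01-9999999.iam.gserviceaccount.com" \
  --role="${CC_GSA_ROLE}" \
  --condition=None   # non-interactive; this binding carries no IAM condition

# Let the controller's KSA impersonate the GSA. Member format is
# PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME].
gcloud iam service-accounts add-iam-policy-binding \
  sa99999999@project01-9999999.iam.gserviceaccount.com \
  --member="serviceAccount:project01-9999999.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
  --role="roles/iam.workloadIdentityUser"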

 

-- 8. Config Connector を構成

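# Step 8: configure Config Connector (cluster mode with a single
# googleServiceAccount). The manifest is written with a quoted here-doc
# instead of an interactive editor so it is reproducible and reviewable.
cat > configconnector.yaml <<'EOF'
# configconnector.yaml
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  # the name is restricted to ensure that there is only one
  # ConfigConnector resource installed in your cluster
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  # GSA the controller impersonates via Workload Identity; it must carry the
  # roles/iam.workloadIdentityUser binding for cnrm-system/cnrm-controller-manager
  # (step 7).
  googleServiceAccount: "sa99999999@project01-9999999.iam.gserviceaccount.com"
  # Setting `stateIntoSpec` to `Absent` is recommended. It means setting `cnrm.cloud.google.com/state-into-spec`
  # annotation to `absent` for all Config Connector resources created in the cluster in the future.
  # It prevents Config Connector from populating unspecified fields into the spec.
  stateIntoSpec: Absent
EOF

kubectl apply -f configconnector.yaml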


-- 9. リソースを作成する場所の指定

# Step 9: a namespace for Config Connector resources, annotated with the
# Google Cloud project its resources should be created in.
kubectl create namespace ns01
kubectl annotate namespace ns01 \
  cnrm.cloud.google.com/project-id=project01-9999999


-- 10. インストールの確認

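# Step 10: wait until every Config Connector pod reports Ready.
# kubectl wait defaults to a 30s timeout; on a freshly created Autopilot
# cluster the cnrm-system pods can take longer to get scheduled, so allow
# more time and print pod status afterwards for troubleshooting.
kubectl wait -n cnrm-system \
  --for=condition=Ready pod --all \
  --timeout=600s
kubectl get pods -n cnrm-system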

 

 

-- 11. 利用可能な Google Cloud リソースの確認

# Step 11: CRDs installed by Config Connector, and the schema of one of them.
kubectl get crds -l cnrm.cloud.google.com/managed-by-kcc=true
kubectl describe crd pubsubtopics.pubsub.cnrm.cloud.google.com


-- 12. Pub/Sub サービスの有効化

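# Step 12: enable the Pub/Sub API declaratively through a Config Connector
# Service resource rather than `gcloud services enable`.
# metadata.name is the API to enable; projectRef selects the target project
# explicitly, so no namespace annotation is required for this resource.
# Note: applied without -n, so it goes to the default namespace, not ns01.
cat > enable-pubsub.yaml <<'EOF'
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  name: pubsub.googleapis.com
spec:
  projectRef:
    external: projects/project01-9999999
EOF

kubectl apply -f enable-pubsub.yaml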


-- 13. Pub/Sub インスタンスの作成

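# Step 13: create a Pub/Sub topic via Config Connector.
# The project-id annotation pins the target project on the resource itself.
# Note: applied without -n, so the topic object lives in the default
# namespace, not the ns01 annotated in step 9; the per-resource annotation
# supplies the project instead.
cat > pubsub-topic.yaml <<'EOF'
apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
kind: PubSubTopic
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: project01-9999999
  labels:
    environment: dev
  name: topic01
EOF

kubectl apply -f pubsub-topic.yaml

# Reconciliation is asynchronous: inspect, wait for READY (default wait
# timeout is 30s, so extend it), then confirm from the Google Cloud side.
kubectl describe pubsubtopics
kubectl wait --for=condition=READY pubsubtopics topic01 --timeout=120s
gcloud pubsub topics list --project=project01-9999999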

 

-- 14. クリーンアップ

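# Step 14: clean up. Destructive gcloud commands name the project explicitly
# so a stale `gcloud config` default cannot point them at the wrong project.

# Let Config Connector finish deleting the topic in Google Cloud before the
# cluster (and with it the controller) goes away; otherwise the topic may be
# left behind in the project.
kubectl delete -f pubsub-topic.yaml
kubectl wait --for=delete pubsubtopics topic01 --timeout=120s
gcloud pubsub topics list --project=project01-9999999

# The Service resource from step 12 is intentionally left in place; the whole
# project is removed below anyway.
gcloud container clusters delete gke01 \
  --region=asia-northeast1 \
  --project=project01-9999999 \
  --quiet

gcloud projects list

# Detach billing before requesting deletion so the unlink does not target a
# project that is already pending deletion.
gcloud beta billing projects unlink project01-9999999

gcloud projects delete project01-9999999 --quiet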