Last active
January 13, 2022 16:28
-
-
Save mikesparr/7362ea23f16216c4890caadf47f15b15 to your computer and use it in GitHub Desktop.
Google Cloud Kubernetes Config Connector Test (working)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
# ref: https://cloud.google.com/config-connector/docs/how-to/getting-started | |
export PROJECT_ID=$(gcloud config get-value project) | |
export PROJECT_USER=$(gcloud config get-value core/account) # set current user | |
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)") | |
export IDNS=${PROJECT_ID}.svc.id.goog # workload identity domain | |
export GCP_REGION="us-central1" | |
export GCP_ZONE="us-central1-a" | |
export CLUSTER_NAME="central" | |
export CC_SA_NAME="configconnector" | |
export CC_NAMESPACE=$PROJECT_ID # CHANGEME (optional) | |
export SQL_INSTANCE_NAME="mike-test-cloudsql1" # CHANGEME | |
export BUCKET_NAME="mike-test-cc-generated-bucket1" # CHANGEME | |
# confirm they are installing in right project | |
while true; do | |
read -p "Create Config Connector on project ${PROJECT_ID} as user ${PROJECT_USER}? " -n 1 -r yn | |
echo | |
case $yn in | |
[Yy]* ) break;; | |
[Nn]* ) exit;; | |
* ) echo "Please answer yes or no.";; | |
esac | |
done | |
# enable apis | |
gcloud services enable compute.googleapis.com \ | |
container.googleapis.com \ | |
logging.googleapis.com \ | |
stackdriver.googleapis.com \ | |
cloudresourcemanager.googleapis.com | |
# create cluster with config connector | |
gcloud beta container --project $PROJECT_ID clusters create $CLUSTER_NAME \ | |
--region $GCP_REGION \ | |
--no-enable-basic-auth \ | |
--cluster-version "1.17.13-gke.2001" \ | |
--release-channel "regular" \ | |
--machine-type "e2-small" \ | |
--image-type "COS" \ | |
--disk-type "pd-standard" \ | |
--disk-size "100" \ | |
--metadata disable-legacy-endpoints=true \ | |
--scopes "https://www.googleapis.com/auth/cloud-platform" \ | |
--preemptible \ | |
--num-nodes "1" \ | |
--enable-stackdriver-kubernetes \ | |
--enable-ip-alias \ | |
--network "projects/mike-test-gke-tickets/global/networks/default" \ | |
--subnetwork "projects/mike-test-gke-tickets/regions/us-central1/subnetworks/default" \ | |
--default-max-pods-per-node "110" \ | |
--enable-autoscaling --min-nodes "0" --max-nodes "3" \ | |
--enable-master-authorized-networks --master-authorized-networks 174.45.73.139/32 \ | |
--addons HorizontalPodAutoscaling,HttpLoadBalancing,NodeLocalDNS,ConfigConnector \ | |
--enable-autoupgrade --enable-autorepair \ | |
--max-surge-upgrade 2 --max-unavailable-upgrade 1 \ | |
--workload-pool $IDNS \ | |
--enable-shielded-nodes \ | |
--shielded-secure-boot | |
# create config connector identity | |
# ref: https://cloud.google.com/config-connector/docs/how-to/install-upgrade-uninstall#identity | |
gcloud iam service-accounts create $CC_SA_NAME | |
# grant service account desired role (owner | editor) | |
gcloud projects add-iam-policy-binding $PROJECT_ID \ | |
--member="serviceAccount:${CC_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \ | |
--role="roles/editor" | |
# grant service account workload identity policy binding | |
gcloud iam service-accounts add-iam-policy-binding \ | |
${CC_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \ | |
--member="serviceAccount:${PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]" \ | |
--role="roles/iam.workloadIdentityUser" | |
# create config connector | |
cat > configconnector.yaml << EOF | |
# configconnector.yaml | |
apiVersion: core.cnrm.cloud.google.com/v1beta1 | |
kind: ConfigConnector | |
metadata: | |
# the name is restricted to ensure that there is only one | |
# ConfigConnector instance installed in your cluster | |
name: configconnector.core.cnrm.cloud.google.com | |
spec: | |
mode: cluster | |
googleServiceAccount: "${CC_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" | |
EOF | |
kubectl apply -f configconnector.yaml | |
sleep 10 | |
# create namespace | |
kubectl create ns $CC_NAMESPACE | |
# annotate namespace for config connector | |
kubectl annotate namespace \ | |
$CC_NAMESPACE cnrm.cloud.google.com/project-id=${PROJECT_ID} | |
# list config connector crds | |
kubectl get crds --selector cnrm.cloud.google.com/managed-by-kcc=true | |
# describe a crd | |
kubectl describe crd storagebuckets.storage.cnrm.cloud.google.com | |
# create manifest for storage service | |
cat > enable-storage.yaml << EOF | |
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1 | |
kind: Service | |
metadata: | |
name: storage.googleapis.com | |
EOF | |
# apply manifest | |
kubectl apply -f enable-storage.yaml -n $CC_NAMESPACE | |
sleep 10 | |
# create manifest for storage bucket | |
cat > storage-bucket.yaml << EOF | |
apiVersion: storage.cnrm.cloud.google.com/v1beta1 | |
kind: StorageBucket | |
metadata: | |
annotations: | |
cnrm.cloud.google.com/project-id : $PROJECT_ID | |
name: $BUCKET_NAME | |
spec: | |
lifecycleRule: | |
- action: | |
type: Delete | |
condition: | |
age: 7 | |
EOF | |
# apply manifest | |
kubectl apply -f storage-bucket.yaml -n $CC_NAMESPACE | |
sleep 10 | |
# describe storage bucket | |
kubectl describe storagebuckets -n $CC_NAMESPACE | |
# check whether bucket exists | |
gsutil ls # gs://mike-test-cc-generated-bucket1/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Should see this if everything set up correctly (with your respective names of course):
![Screen Shot 2020-12-09 at 6 10 46 PM](https://user-images.githubusercontent.com/5553105/101709357-8a785700-3a4c-11eb-9cbd-412f0bab66d0.png)