Environment: Mac OSX
References:
$ gcloud components install beta
$ gcloud auth application-default login
$ wget https://github.com/GoogleCloudPlatform/k8s-service-catalog/releases/download/v1.0.0-beta.4/service-catalog-installer-v1.0.0-beta.4-osx.tgz
$ mkdir service-catalog-installer
$ tar zxvf *.tgz -C service-catalog-installer
$ cd service-catalog-installer
Check dependency
$ ./sc check
You should see the message: Dependency check passed. You are good to go.
If you use a non-GKE cluster, you can skip this step.
$ kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value account)
$ ./sc install
Check installed deployments
$ kubectl get deployment -n service-catalog
You should see:
NAME                          DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
apiserver                     1         1         1            1           1m
controller-manager            1         1         1            1           59s
etcd-cluster-backup-sidecar   1         1         1            1           40s
etcd-operator                 1         1         1            1           1m
$ ./sc add-gcp-broker
You should see the message: The Service Broker has been added successfully.
Verify the Service Broker is available and ready
$ kubectl get clusterservicebrokers -o 'custom-columns=BROKER:.metadata.name,STATUS:.status.conditions[0].reason'
You should see:
BROKER       STATUS
gcp-broker   FetchedCatalog
If STATUS is ErrorFetchingCatalog, it may be because you forgot to run gcloud auth application-default login first.
The service account needs permission to create service accounts and set IAM policy.
$ GCP_PROJECT_ID=$(gcloud config get-value project)
$ GCP_PROJECT_NUMBER=$(gcloud projects describe $GCP_PROJECT_ID --format='value(projectNumber)')
$ gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
--member serviceAccount:${GCP_PROJECT_NUMBER}@cloudservices.gserviceaccount.com \
--role=roles/owner
$ brew update
$ brew install kubernetes-service-catalog-client
$ git clone git@github.com:GoogleCloudPlatform/kubernetes-engine-samples.git
$ cd kubernetes-engine-samples/service-catalog/bigquery
$ kubectl create namespace bigquery
$ kubectl create -f ./manifests/bigquery-instance.yaml
Check the provision status
$ svcat get instance --namespace bigquery bigquery-instance
Result:
        NAME          NAMESPACE    CLASS     PLAN   STATUS
+-------------------+-----------+----------+------+--------+
  bigquery-instance   bigquery    bigquery   beta   Ready
$ kubectl create -f ./manifests/admin-bigquery-binding.yaml
Check the bind status
$ svcat get binding -n bigquery admin-bigquery-binding
Result:
           NAME            NAMESPACE        INSTANCE        STATUS
+------------------------+-----------+-------------------+--------+
  admin-bigquery-binding   bigquery    bigquery-instance   Ready
If STATUS is Failed, it may be because you forgot to give the permission to ${GCP_PROJECT_NUMBER}@cloudservices.gserviceaccount.com.
See the secret
$ kubectl get secret -n bigquery admin-bigquery-binding -oyaml
Load GitHub data into the dataset.
$ kubectl create -f ./manifests/admin-job.yaml
Check the status
$ kubectl get job -n bigquery bigquery-admin-job
If you get an error like this:
$ kubectl logs bigquery-admin-job-9r6gt -n bigquery
2019/04/14 07:09:56 Failed to start copy job: googleapi: Error 403: Access Denied: Project PROJECT_ID: The user bigquery-admin@PROJECT_ID.iam.gserviceaccount.com does not have bigquery.jobs.create permission in project PROJECT_ID., accessDenied
Delete the binding and the IAM role, and then recreate the binding.
Provision a user service account instance for multiple bindings.
$ kubectl create -f ./manifests/user-account-instance.yaml
Check the status
$ svcat get instance --namespace bigquery user-service-account
$ kubectl create -f ./manifests/user-account-binding.yaml
Check the status
$ svcat get binding --namespace bigquery
See the secret
$ kubectl get secret --namespace bigquery user-service-account -oyaml
$ kubectl create -f ./manifests/user-bigquery-binding.yaml
Check the status
$ svcat get binding --namespace bigquery user-bigquery-binding
See the secret
$ kubectl get secret -n bigquery $(kubectl get servicebinding -n bigquery user-bigquery-binding -o=jsonpath='{.spec.secretName}') -oyaml
$ kubectl create -f ./manifests/app-deployment.yaml
Get IP
$ kubectl get service --namespace bigquery
$ IP=$(kubectl get service --namespace bigquery bigquery-app-service -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
Test
$ curl http://${IP}/query
{"entries":[{"name":"Blake","message":"this actually works\n"},...]}
$ kubectl delete -f ./manifests/app-deployment.yaml
$ kubectl create -f ./manifests/cleanup-job.yaml
$ kubectl delete namespace bigquery
Delete the service account, which looks like: scg-xxxxxxxx@PROJECT_ID.iam.gserviceaccount.com
Delete the IAM role created with the binding.
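To confirm the cleanup, the following added example (not part of the original walkthrough) lists the grants this procedure leaves in the project's IAM policy: role bindings for scg-* service accounts, including ones whose account was deleted while the binding stayed, and the roles/owner grant to the cloudservices account. It assumes the policy was exported with gcloud projects get-iam-policy PROJECT_ID --format=json; the embedded policy, project number and account names are constructed placeholders, and leftover_grants is a hypothetical helper name.

```python
import json
import re

# Constructed sample of `gcloud projects get-iam-policy PROJECT_ID --format=json`
# output; project id, project number and account names are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:123456789012@cloudservices.gserviceaccount.com"]},
    {"role": "roles/bigquery.dataOwner",
     "members": ["deleted:serviceAccount:scg-0a1b2c3d@my-project.iam.gserviceaccount.com?uid=111"]},
    {"role": "roles/bigquery.user",
     "members": ["serviceAccount:scg-4e5f6a7b@my-project.iam.gserviceaccount.com"]}
  ]
}
""")

# Assumption: broker-created accounts follow the scg-xxxxxxxx pattern named above.
SCG = re.compile(r"^(deleted:)?serviceAccount:(scg-[^@]+@[^?]+)(\?uid=\d+)?$")
CLOUDSERVICES = re.compile(r"^serviceAccount:\d+@cloudservices\.gserviceaccount\.com$")


def leftover_grants(policy):
    """Return (role, account, note) tuples for grants this walkthrough created."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            m = SCG.match(member)
            if m:
                # A "deleted:" prefix means the account is gone but its binding remains.
                note = "account deleted, binding remains" if m.group(1) else "account still bound"
                findings.append((role, m.group(2), note))
            elif role == "roles/owner" and CLOUDSERVICES.match(member):
                findings.append((role, member.split(":", 1)[1], "owner grant from setup"))
    return findings


if __name__ == "__main__":
    for role, account, note in leftover_grants(SAMPLE_POLICY):
        print(f"{role:28} {account}  ({note})")
```

An empty result means none of the grants from this walkthrough remain in the exported policy.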