@timfanda35
Last active April 14, 2019 08:19
GCP Service Broker Sample Demo

Environment: Mac OSX

References:

Update gcloud and activate Application Default Credentials

$ gcloud components install beta
$ gcloud auth application-default login

Install Service Catalog and Register GCP Service Broker

Download Service Catalog installer

$ wget https://github.com/GoogleCloudPlatform/k8s-service-catalog/releases/download/v1.0.0-beta.4/service-catalog-installer-v1.0.0-beta.4-osx.tgz
$ mkdir service-catalog-installer
$ tar zxvf *.tgz -C service-catalog-installer
$ cd service-catalog-installer

Check dependency

$ ./sc check

You should see the message "Dependency check passed. You are good to go."

Set RBAC Permissions on your cluster

If you use a non-GKE cluster, you can skip this step.

$ kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole=cluster-admin \
  --user=$(gcloud config get-value account)

Install the Service Catalog

$ ./sc install

Check installed deployments

$ kubectl get deployment -n service-catalog

You should see:

NAME                          DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
apiserver                     1         1         1            1           1m
controller-manager            1         1         1            1           59s
etcd-cluster-backup-sidecar   1         1         1            1           40s
etcd-operator                 1         1         1            1           1m

Register Google Cloud Platform Service Broker with the Service Catalog

$ ./sc add-gcp-broker

You should see the message "The Service Broker has been added successfully."

Verify the Service Broker is available and ready

$ kubectl get clusterservicebrokers -o 'custom-columns=BROKER:.metadata.name,STATUS:.status.conditions[0].reason'

You should see:

BROKER       STATUS
gcp-broker   FetchedCatalog

If STATUS is ErrorFetchingCatalog, it may be because you forgot to run gcloud auth application-default login first.

Set the role for the project service account

The service account needs permission to create service accounts and to set IAM policy.

$ GCP_PROJECT_ID=$(gcloud config get-value project)
$ GCP_PROJECT_NUMBER=$(gcloud projects describe $GCP_PROJECT_ID --format='value(projectNumber)')
$ gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
    --member serviceAccount:${GCP_PROJECT_NUMBER}@cloudservices.gserviceaccount.com \
    --role=roles/owner

Install svcat

$ brew update
$ brew install kubernetes-service-catalog-client

Test Service Catalog Sample - BigQuery

Clone the sample

$ git clone git@github.com:GoogleCloudPlatform/kubernetes-engine-samples.git
$ cd kubernetes-engine-samples/service-catalog/bigquery

Create a namespace

$ kubectl create namespace bigquery

Provision BigQuery dataset

$ kubectl create -f ./manifests/bigquery-instance.yaml

Check the provision status

$ svcat get instance --namespace bigquery bigquery-instance

Result:

        NAME          NAMESPACE    CLASS     PLAN   STATUS
+-------------------+-----------+----------+------+--------+
  bigquery-instance   bigquery    bigquery   beta   Ready

Create Binding for the Admin and Cleanup Jobs

$ kubectl create -f ./manifests/admin-bigquery-binding.yaml

Check the bind status

$ svcat get binding -n bigquery admin-bigquery-binding

Result:

           NAME            NAMESPACE       INSTANCE        STATUS
+------------------------+-----------+-------------------+--------+
  admin-bigquery-binding   bigquery    bigquery-instance   Ready

If STATUS is Failed, it may be because you forgot to grant the role to ${GCP_PROJECT_NUMBER}@cloudservices.gserviceaccount.com.

See the secret

$ kubectl get secret -n bigquery admin-bigquery-binding -oyaml

Create the Admin Job

The job loads GitHub data into the dataset.

$ kubectl create -f ./manifests/admin-job.yaml

Check the status

$ kubectl get job -n bigquery bigquery-admin-job

If you get an error like this:

$ kubectl logs bigquery-admin-job-9r6gt -n bigquery
2019/04/14 07:09:56 Failed to start copy job: googleapi: Error 403: Access Denied: Project PROJECT_ID: The user bigquery-admin@PROJECT_ID.iam.gserviceaccount.com does not have bigquery.jobs.create permission in project PROJECT_ID., accessDenied

Delete the binding and the IAM role, then recreate the binding.
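As an added example (not part of the gist), a small shell script that checks the two failure modes called out above from captured command output, so it can be run on saved logs without a cluster: broker_status and broker_ready parse the clusterservicebrokers output from the verification step and flag ErrorFetchingCatalog, and parse_access_denied pulls the service account, missing permission and project out of a 403 line like the one above. The function names and the sample lines are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: offline checks for the two failure modes in this demo.
# Every function reads captured command output on stdin.

# Print the STATUS column of the named broker (default gcp-broker) from
# `kubectl get clusterservicebrokers -o custom-columns=BROKER:...,STATUS:...`.
broker_status() {
  local broker="${1:-gcp-broker}"
  awk -v b="$broker" 'NR > 1 && $1 == b { print $2 }'
}

# Exit 0 only when the broker has fetched its catalog; otherwise print the
# remediation the demo gives and exit 1.
broker_ready() {
  local status
  status=$(broker_status "$@")
  case "$status" in
    FetchedCatalog) return 0 ;;
    ErrorFetchingCatalog)
      echo "broker not ready ($status): run 'gcloud auth application-default login' and retry" >&2
      return 1 ;;
    *) echo "broker status unknown: '$status'" >&2; return 1 ;;
  esac
}

# From a BigQuery "Error 403: Access Denied" log line, print
# "<service-account> <missing-permission> <project>" so the IAM role that
# must be recreated with the binding can be identified. Prints nothing
# for lines that do not match.
parse_access_denied() {
  sed -n -E 's/.*The user ([^ ]+) does not have ([^ ]+) permission in project ([^.,]+).*/\1 \2 \3/p'
}

# Constructed sample input (same shape as the log line in the demo).
SAMPLE_403='2019/04/14 07:09:56 Failed to start copy job: googleapi: Error 403: Access Denied: Project PROJECT_ID: The user bigquery-admin@PROJECT_ID.iam.gserviceaccount.com does not have bigquery.jobs.create permission in project PROJECT_ID., accessDenied'

# Demo run on the constructed sample; prints the account, permission and project.
printf '%s\n' "$SAMPLE_403" | parse_access_denied
```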

Application with user service account

Provision a user service account instance that can be bound multiple times.

Provision a user service account

$ kubectl create -f ./manifests/user-account-instance.yaml

Check the status

$ svcat get instance --namespace bigquery user-service-account

Bind user service account instance

$ kubectl create -f ./manifests/user-account-binding.yaml

Check the status

$ svcat get binding --namespace bigquery

See the secret

$ kubectl get secret --namespace bigquery user-service-account -oyaml

Bind user service account to bigquery instance

$ kubectl create -f ./manifests/user-bigquery-binding.yaml

Check the status

$ svcat get binding --namespace bigquery user-bigquery-binding

See the secret

$ kubectl get secret -n bigquery $(kubectl get servicebinding -n bigquery user-bigquery-binding -o=jsonpath='{.spec.secretName}') -oyaml

Deploy application

$ kubectl create -f ./manifests/app-deployment.yaml

Get IP

$ kubectl get service --namespace bigquery
$ IP=$(kubectl get service --namespace bigquery bigquery-app-service -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')

Test

$ curl http://${IP}/query

{"entries":[{"name":"Blake","message":"this actually works\n"},...]}

Clean Up

$ kubectl delete -f ./manifests/app-deployment.yaml
$ kubectl create -f ./manifests/cleanup-job.yaml
$ kubectl delete namespace bigquery

Delete the service account whose name looks like scg-xxxxxxxx@PROJECT_ID.iam.gserviceaccount.com.

Delete the IAM role created with the binding.
