Install CRD and optional demos - GoogleCloudPlatform/anthos-appconfig GitHub Wiki
- Anthos Subscription (to use Anthos Configuration Management - ACM)
- GCP Project
- Define the environment variables used by the installer script(s)

Environment Variable | Description | Sample Value |
---|---|---|
PROJECT_NAME | GCP Project Name | appcrd-demo-v61-20191006-a |
ZONE | Zone for Cluster | us-central1-a |
REGION | Region for Cluster | us-central1-a |
CLUSTER_NAME | Cluster Name | my-cluster |
AUTHORIZED_NETWORK | CIDR we are accessing the private master from | (use curl ifconfig.me as /32) |
RELEASE_NAME | Application Config CRD Release | v0.6.1 |

```bash
export PROJECT_NAME='appcrd-demo-v61-20191006-a'
export ZONE='us-central1-f'
export REGION='us-central1'
export CLUSTER_NAME='cl-demo-a'
#export AUTHORIZED_NETWORK <per specific environment>
export RELEASE_NAME='v0.6.1'
```

Make sure you enable billing in your project.

```bash
gcloud services enable compute.googleapis.com --project "$PROJECT_NAME" --quiet
gcloud services enable container.googleapis.com --project "$PROJECT_NAME" --quiet
gcloud services enable sourcerepo.googleapis.com --project "$PROJECT_NAME" --quiet
gcloud services enable monitoring.googleapis.com --project "$PROJECT_NAME" --quiet
gcloud services enable logging.googleapis.com --project "$PROJECT_NAME" --quiet
gcloud services enable pubsub.googleapis.com --project "$PROJECT_NAME" --quiet
```

```bash
gcloud beta container clusters create "${CLUSTER_NAME}" \
  --project "${PROJECT_NAME}" \
  --disk-size "500" \
  --disk-type "pd-standard" \
  --enable-autorepair \
  --enable-cloud-logging \
  --enable-cloud-monitoring \
  --enable-ip-alias \
  --enable-master-authorized-networks \
  --enable-network-policy \
  --enable-private-nodes \
  --enable-stackdriver-kubernetes \
  --image-type "COS" \
  --machine-type "n1-standard-4" \
  --master-ipv4-cidr "172.28.0.0/28" \
  --metadata disable-legacy-endpoints=true \
  --no-enable-autoupgrade \
  --no-enable-basic-auth \
  --no-issue-client-certificate \
  --num-nodes "3" \
  --network "projects/$PROJECT_NAME/global/networks/default" \
  --subnetwork "projects/$PROJECT_NAME/regions/$REGION/subnetworks/default" \
  --identity-namespace "$PROJECT_NAME.svc.id.goog" \
  --zone "$ZONE"
```

Create NAT

```bash
gcloud beta compute routers create "r$REGION" --network=default --region "$REGION" --project "$PROJECT_NAME"
gcloud beta compute routers nats create "n$REGION" --router "r$REGION" --region "$REGION" --project "$PROJECT_NAME" \
  --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges --router-region "$REGION"
```

- If the cluster is private, make sure you have enabled "master-authorized-networks" and allowed your IP to reach the cluster through it

```bash
gcloud container clusters get-credentials --zone "$ZONE" "$CLUSTER_NAME" --project "$PROJECT_NAME"
gcloud container clusters update "$CLUSTER_NAME" \
  --enable-master-authorized-networks \
  --master-authorized-networks "$AUTHORIZED_NETWORK" --zone "$ZONE" --project "$PROJECT_NAME"
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user "$(gcloud config get-value core/account)"
```
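
One way to derive the value passed to `--master-authorized-networks` above, as an added example that is not part of the wiki or the project's scripts: it confirms the address lookup really returned an IPv4 address before appending `/32`, and rejects ranges broader than an assumed policy limit. The function names, `MIN_PREFIX` and the sample address are assumptions.

```bash
#!/bin/sh
# Added example: turn a looked-up address into a vetted AUTHORIZED_NETWORK value.
MIN_PREFIX=24   # assumed policy: refuse anything broader than a /24

# True only for dotted-quad IPv4 with octets 0..255 and no leading zeros.
is_ipv4() (
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.
  set -- $1            # safe to split: only digits and dots remain
  [ "$#" -eq 4 ] || exit 1
  for octet in "$@"; do
    case "$octet" in 0?*|????*) exit 1 ;; esac
    [ "$octet" -le 255 ] || exit 1
  done
)

# Print ADDRESS/32, or fail if the lookup returned something else
# (an IPv6 address, an HTML error page, an empty string).
to_host_cidr() {
  is_ipv4 "$1" || { echo "not an IPv4 address: '$1'" >&2; return 1; }
  printf '%s/32\n' "$1"
}

# Accept a CIDR only if it is well formed and no broader than MIN_PREFIX.
check_authorized_cidr() (
  addr=${1%/*}; prefix=${1#*/}
  [ "$addr" != "$1" ] || exit 1              # no "/" at all
  is_ipv4 "$addr" || exit 1
  case "$prefix" in ''|*[!0-9]*|???*) exit 1 ;; esac
  [ "$prefix" -le 32 ] && [ "$prefix" -ge "$MIN_PREFIX" ]
)

# Constructed sample address (documentation range); in real use:
#   AUTHORIZED_NETWORK=$(to_host_cidr "$(curl -s ifconfig.me)") || exit 1
AUTHORIZED_NETWORK=$(to_host_cidr "203.0.113.7") &&
  check_authorized_cidr "$AUTHORIZED_NETWORK" &&
  echo "AUTHORIZED_NETWORK=$AUTHORIZED_NETWORK"
```

Running `check_authorized_cidr "$AUTHORIZED_NETWORK"` before the `gcloud container clusters update` call catches a value such as `0.0.0.0/0`, which would open the master endpoint to every address.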

```bash
curl -Lo crd-setup-helper.sh \
  https://storage.googleapis.com/anthos-appconfig_public/install/scripts/${RELEASE_NAME}/crd-setup-helper.sh
curl -Lo vault-setup-helper-vault-gcp-sa.sh \
  https://storage.googleapis.com/anthos-appconfig_public/install/scripts/${RELEASE_NAME}/vault-setup-helper-vault-gcp-sa.sh
curl -Lo uc-secrets-vault-k8s-vault-roles-policy.sh \
  https://storage.googleapis.com/anthos-appconfig_public/install/scripts/${RELEASE_NAME}/uc-secrets-vault-k8s-vault-roles-policy.sh
```

- Provide the Istio version (we are using 1.1.x, with the latest as the default)
- Mac only
  - You might not have the checksum utility (answer `y`): `sha256sum command not found; skip checksum validation? (y/N)y`
- You need [a compatible Git repository](https://cloud.google.com/anthos-config-management/docs/how-to/installing#git-creds-secret) created and cloned in your environment
- If you want a new repository created, add the `-c` option in front of the repository path.

```bash
crd-setup-helper.sh install
crd-setup-helper.sh init-repo </path/to/repo>
```
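
The macOS note above has the checksum prompt answered with `y`, which skips integrity validation of the download. The following is an added example (not code from the project or its helper scripts) of a SHA-256 check that falls back to `shasum -a 256` or `openssl` when `sha256sum` is missing; the function names are assumptions, and the expected digest has to come from the publisher of the file.

```bash
#!/bin/sh
# Added example: SHA-256 verification that also works where sha256sum is absent.

# Print the lowercase hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then      # shipped with macOS
    shasum -a 256 "$1" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
  else
    echo "no SHA-256 tool found" >&2; return 127
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# 0 = match, 1 = mismatch, 2 = unusable input (unreadable file, malformed digest).
verify_sha256() (
  [ -r "$1" ] || exit 2
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in ''|*[!0-9a-f]*) exit 2 ;; esac
  [ "${#expected}" -eq 64 ] || exit 2
  actual=$(sha256_of "$1") || exit 2
  [ "$actual" = "$expected" ]
)

# Constructed demo: the SHA-256 of an empty file is a fixed, well-known value.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
demo_file=$(mktemp)
if verify_sha256 "$demo_file" "$EMPTY_SHA256"; then
  echo "checksum OK"
else
  echo "checksum FAILED" >&2
fi
rm -f "$demo_file"
```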

- Optional: create a Cloud Source Repository (if you don't have your own repository)

```bash
crd-setup-helper.sh init-repo -c </path/to/repo>
```

- Complete Setup (SSH Keys)

Follow the instructions for your specific environment.

```bash
crd-setup-helper.sh status
kubectl logs -n kube-system -l 'k8s-app=config-management-operator'
kubectl logs -n config-management-system -l 'app=git-importer' --all-containers
```

Example Output:

```
config-management-crds: config-management-crds(status): 8
OK
config-management-operator: config-management-operator(status): 1
OK
COMPONENT      LAST_UPDATE            TOKEN
source         -                      fe08a6725ceeaa7ac27968220e5b550a25dd173e
git_importer   2019-08-12T19:05:55Z   fe08a6725ceeaa7ac27968220e5b550a25dd173e
git_syncer     2019-08-12T19:05:57Z   fe08a6725ceeaa7ac27968220e5b550a25dd173e
```

Verify ACM Operator - https://cloud.google.com/anthos-config-management/docs/how-to/installing#verify

```bash
kubectl get ns
```

Example Output:

```
NAME                       STATUS   AGE
appconfigmgrv2-system      Active   49s
config-management-system   Active   16m
default                    Active   23m
gatekeeper-system          Active   15m
istio-system               Active   15m
kube-public                Active   23m
kube-system                Active   23m
```

Congratulations, you can now use the Application Config CRD. We have some demos to illustrate its abilities.

Next step: Install Use Cases

Git sync fails with 'unexpected error syncing repo: command timed out: signal: killed: "Cloning into '/repo'..."'

Cloning from a Cloud Source Repository requires internet egress, through either an external IP or Cloud NAT; it does not work with "Google Private Access" alone. A solution for this is to use [Cloud NAT](https://cloud.google.com/nat/docs/using-nat).