Set up a GKE Standard cluster with Config Connector
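#!/usr/bin/env bash
# Set up a GKE Standard cluster with Config Connector (Cloud-native resource
# management from Kubernetes), bind its controller to a GCP service account via
# Workload Identity, and create a sample StorageBucket through Config Connector.
#
# Required inputs (edit the exports below before running):
#   PROJECT_ID      - GCP project hosting the cluster and the service account
#   COMPUTE_REGION  - region used for gcloud compute/region config
#   CLUSTER_NAME    - existing GKE Standard cluster (Autopilot is not supported)
#   FOLDER          - only for Option 2: numeric folder ID to grant access on
set -euo pipefail

# --- Configuring gcloud -------------------------------------------------------
export PROJECT_ID=my-project-12345
export COMPUTE_REGION=us-central1

gcloud components update
gcloud config set project "${PROJECT_ID}"
gcloud config set compute/region "${COMPUTE_REGION}"

# --- Setting up a GKE cluster -------------------------------------------------
export CLUSTER_NAME=cnrm-cluster-1
export CHANNEL=stable

# # Creating GKE Standard cluster
# # Note: Config Connector does not work with Autopilot clusters.
# gcloud container clusters create "${CLUSTER_NAME}" \
#   --release-channel="${CHANNEL}" \
#   --addons=ConfigConnector \
#   --workload-pool="${PROJECT_ID}.svc.id.goog" \
#   --enable-stackdriver-kubernetes \
#   --async

# Enable Config Connector as an addon in an existing GKE Standard cluster
gcloud container clusters update "${CLUSTER_NAME}" \
  --update-addons ConfigConnector=ENABLED

# --- Creating an identity -----------------------------------------------------
export SERVICE_ACCOUNT_NAME=cnrm-system
# Full e-mail of the GCP service account; reused in every binding below.
SERVICE_ACCOUNT_EMAIL="${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

gcloud iam service-accounts create "${SERVICE_ACCOUNT_NAME}"

# NOTE: roles/owner lets Config Connector create/modify/delete *any* resource in
# the scope it is granted on. For least privilege, grant only the roles needed
# for the resource kinds you intend to manage (e.g. roles/storage.admin for the
# StorageBucket sample below) and keep the scope as narrow as possible.

# Option 1: Assigning scope/role to the identity (PROJECT)
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
  --role="roles/owner"

# Option 2: Assigning scope/role to the identity (FOLDER)
# Granting on a folder extends the role to every project under that folder.
export FOLDER=1234567890
gcloud resource-manager folders add-iam-policy-binding "${FOLDER}" \
  --member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
  --role="roles/owner"

# --- Binding GCP Identity to GKE identity -------------------------------------
# Only the cnrm-controller-manager Kubernetes service account in the cnrm-system
# namespace may impersonate the GCP service account (Workload Identity).
gcloud iam service-accounts add-iam-policy-binding \
  "${SERVICE_ACCOUNT_EMAIL}" \
  --member="serviceAccount:${PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
  --role="roles/iam.workloadIdentityUser"

# --- Configuring Config Connector operator ------------------------------------
kubectl apply -f - <<EOF
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  # the name is restricted to ensure that there is only one
  # ConfigConnector resource installed in your cluster
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  googleServiceAccount: "${SERVICE_ACCOUNT_EMAIL}"
EOF

# --- Defining scopes for Config Connector -------------------------------------
# Resources created in this namespace are reconciled into PROJECT_ID.
export NAMESPACE="${PROJECT_ID}"
kubectl create namespace "${NAMESPACE}"
kubectl annotate namespace "${NAMESPACE}" "cnrm.cloud.google.com/project-id=${PROJECT_ID}"

# --- Create a StorageBucket resource using Config Connector -------------------
# See https://cloud.google.com/config-connector/docs/reference/resource-docs/storage/storagebucket#typical_use_case
kubectl apply -n "${PROJECT_ID}" -f - <<EOF
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  # StorageBucket names must be globally unique.
  name: ${PROJECT_ID}-sample
EOF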