Crossplane configuration

原文:https://docs.gitlab.com/ee/user/clusters/crossplane.html

Crossplane configuration

安装 Crossplane 后,必须对其进行配置以供使用. 配置 Crossplane 的过程包括:

  1. Configure RBAC permissions.
  2. Configure Crossplane with a cloud provider.
  3. Configure managed service access.
  4. Set up Resource classes.
  5. Use Auto DevOps configuration options.
  6. Connect to the PostgreSQL instance.

为了允许 Crossplane 设置诸如 PostgreSQL 之类的云服务,必须使用用户帐户配置云提供商堆栈. 例如:

  • GCP 的服务帐户.
  • AWS 的 IAM 用户.

一些重要的注意事项:

  • 本指南以 GCP 为例,但 AWS 和 Azure 的过程相似.
  • Crossplane 要求 Kubernetes 集群是启用了 Alias IP 的 VPC 本机,因此可以在 GCP 网络内路由 Pod 的 IP 地址.

首先,使用配置声明一些环境变量以供本指南使用:

  1. export PROJECT_ID=crossplane-playground # the GCP project where all resources reside.
  2. export NETWORK_NAME=default # the GCP network where your GKE is provisioned.
  3. export REGION=us-central1 # the GCP region where the GKE cluster is provisioned.

Configure RBAC permissions

对于由 GitLab 管理的群集,将自动配置基于角色的访问控制(RBAC).

对于非 GitLab 管理的群集,请确保提供的令牌的服务帐户可以管理database.crossplane.io API 组中的资源:

  1. 将以下 YAML 保存为crossplane-database-role.yaml

    1. apiVersion: rbac.authorization.k8s.io/v1
    2. kind: ClusterRole
    3. metadata:
    4.   name: crossplane-database-role
    5.   labels:
    6.     rbac.authorization.k8s.io/aggregate-to-edit: "true"
    7. rules:
    8.   - apiGroups:
    9.       - database.crossplane.io
    10.     resources:
    11.       - postgresqlinstances
    12.     verbs:
    13.       - get
    14.       - list
    15.       - create
    16.       - update
    17.       - delete
    18.       - patch
    19.       - watch

  2. 将集群角色应用于集群:

    1. kubectl apply -f crossplane-database-role.yaml

Configure Crossplane with a cloud provider

请参阅配置您的云提供商帐户以使用用户帐户配置已安装的云提供商堆栈.

注意:必须将 Secret 和引用该 Secret 的 Provider 资源应用于指南中的gitlab-managed-apps命名空间. 请确保在执行该过程时进行更改.

Configure Managed Service Access

接下来,通过以下任一方法配置 PostgreSQL 数据库和 GKE 集群之间的连接:

  1. 运行以下命令,这将创建一个network.yaml文件,并配置GlobalAddress和连接资源:

    1. cat > network.yaml <<EOF
    2. ---
    3. # gitlab-ad-globaladdress defines the IP range that will be allocated
    4. # for cloud services connecting to the instances in the given Network.
    6. apiVersion: compute.gcp.crossplane.io/v1alpha3
    7. kind: GlobalAddress
    8. metadata:
    9.   name: gitlab-ad-globaladdress
    10. spec:
    11.   providerRef:
    12.     name: gcp-provider
    13.   reclaimPolicy: Delete
    14.   name: gitlab-ad-globaladdress
    15.   purpose: VPC_PEERING
    16.   addressType: INTERNAL
    17.   prefixLength: 16
    18.   network: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
    19. ---
    20. # gitlab-ad-connection is what allows cloud services to use the allocated
    21. # GlobalAddress for communication. Behind the scenes, it creates a VPC peering
    22. # to the network that those service instances actually live.
    24. apiVersion: servicenetworking.gcp.crossplane.io/v1alpha3
    25. kind: Connection
    26. metadata:
    27.   name: gitlab-ad-connection
    28. spec:
    29.   providerRef:
    30.     name: gcp-provider
    31.   reclaimPolicy: Delete
    32.   parent: services/servicenetworking.googleapis.com
    33.   network: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
    34.   reservedPeeringRangeRefs:
    35.     - name: gitlab-ad-globaladdress
    36. EOF

  2. 使用以下命令应用文件中指定的设置:

    1. kubectl apply -f network.yaml

  3. 验证网络资源的创建,以及两个资源均已准备就绪并已同步.

    1. kubectl describe connection.servicenetworking.gcp.crossplane.io gitlab-ad-connection
    2. kubectl describe globaladdress.compute.gcp.crossplane.io gitlab-ad-globaladdress

Setting up Resource classes

使用资源类为所需的托管服务定义配置. 这个例子定义了 PostgreSQL Resource 类:

  1. 运行以下命令,该命令定义一个gcp-postgres-standard.yaml资源类,该资源类包含带有标签的默认CloudSQLInstanceClass

    1. cat > gcp-postgres-standard.yaml <<EOF
    2. apiVersion: database.gcp.crossplane.io/v1beta1
    3. kind: CloudSQLInstanceClass
    4. metadata:
    5.   name: cloudsqlinstancepostgresql-standard
    6.   labels:
    7.     gitlab-ad-demo: "true"
    8. specTemplate:
    9.   writeConnectionSecretsToNamespace: gitlab-managed-apps
    10.   forProvider:
    11.     databaseVersion: POSTGRES_11_7
    12.     region: $REGION
    13.     settings:
    14.       tier: db-custom-1-3840
    15.       dataDiskType: PD_SSD
    16.       dataDiskSizeGb: 10
    17.       ipConfiguration:
    18.         privateNetwork: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
    19.   # this should match the name of the provider created in the above step
    20.   providerRef:
    21.     name: gcp-provider
    22.   reclaimPolicy: Delete
    23. ---
    24. apiVersion: database.gcp.crossplane.io/v1beta1
    25. kind: CloudSQLInstanceClass
    26. metadata:
    27.   name: cloudsqlinstancepostgresql-standard-default
    28.   annotations:
    29.     resourceclass.crossplane.io/is-default-class: "true"
    30. specTemplate:
    31.   writeConnectionSecretsToNamespace: gitlab-managed-apps
    32.   forProvider:
    33.     databaseVersion: POSTGRES_11_7
    34.     region: $REGION
    35.     settings:
    36.       tier: db-custom-1-3840
    37.       dataDiskType: PD_SSD
    38.       dataDiskSizeGb: 10
    39.       ipConfiguration:
    40.         privateNetwork: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
    41.   # this should match the name of the provider created in the above step
    42.   providerRef:
    43.     name: gcp-provider
    44.   reclaimPolicy: Delete
    45. EOF

  2. 使用以下命令应用资源类配置:

    1. kubectl apply -f gcp-postgres-standard.yaml

  3. 使用以下命令验证 Resource 类的创建:

    1. kubectl get cloudsqlinstanceclasses

资源类使您可以定义托管服务的服务类. 我们可以创建另一个CloudSQLInstanceClass ,以请求更大或更快速的磁盘. 它还可以请求特定版本的数据库.

Auto DevOps Configuration Options

您可以使用以下任一选项来运行 Auto DevOps 管道:

  • 设置环境变量AUTO_DEVOPS_POSTGRES_MANAGEDAUTO_DEVOPS_POSTGRES_MANAGED_CLASS_SELECTOR以使用 Crossplane 设置 PostgreSQL.
  • 舵图的替代值:
    • postgres.managed设置为true ,这将选择默认资源类. 用注释resourceclass.crossplane.io/is-default-class: "true"标记资源类resourceclass.crossplane.io/is-default-class: "true" . CloudSQLInstanceClass cloudsqlinstancepostgresql-standard-default用于满足声明.
    • 使用postgres.managedClassSelectorpostgres.managed设置为true ,以根据标签提供要选择的资源类. 在这种情况下, postgres.managedClassSelector.matchLabels.gitlab-ad-demo="true"选择 CloudSQLInstance 类cloudsqlinstancepostgresql-standard以满足声明请求.

Auto DevOps 管道在成功运行时应预配一个 PostgresqlInstance.

要验证已创建 PostgreSQL 实例,请运行此命令. 当 PostgresqlInstance 的STATUS字段更改为BOUND ,它已成功配置:

  1. $ kubectl get postgresqlinstance
  3. NAME            STATUS   CLASS-KIND              CLASS-NAME                            RESOURCE-KIND      RESOURCE-NAME                               AGE
  4. staging-test8   Bound    CloudSQLInstanceClass   cloudsqlinstancepostgresql-standard   CloudSQLInstance   xp-ad-demo-24-staging-staging-test8-jj55c   9m

PostgreSQL 实例的端点和用户凭据位于同一项目名称空间内的一个名为app-postgres的秘密中. 您可以使用以下命令来验证机密:

  1. $ kubectl describe secret app-postgres
  3. Name:         app-postgres
  4. Namespace:    xp-ad-demo-24-staging
  5. Labels:       <none>
  6. Annotations:  crossplane.io/propagate-from-name: 108e460e-06c7-11ea-b907-42010a8000bd
  7.               crossplane.io/propagate-from-namespace: gitlab-managed-apps
  8.               crossplane.io/propagate-from-uid: 10c79605-06c7-11ea-b907-42010a8000bd
  10. Type:  Opaque
  12. Data
  13. ====
  14. privateIP:                            8 bytes
  15. publicIP:                             13 bytes
  16. serverCACertificateCert:              1272 bytes
  17. serverCACertificateCertSerialNumber:  1 bytes
  18. serverCACertificateCreateTime:        24 bytes
  19. serverCACertificateExpirationTime:    24 bytes
  20. username:                             8 bytes
  21. endpoint:                             8 bytes
  22. password:                             27 bytes
  23. serverCACertificateCommonName:        98 bytes
  24. serverCACertificateInstance:          41 bytes
  25. serverCACertificateSha1Fingerprint:   40 bytes

Connect to the PostgreSQL instance

如果您想连接到 CloudSQL 上新配置的 PostgreSQL 数据库实例,请遵循此GCP 指南 .