# Crossplane configuration

> Original: [https://docs.gitlab.com/ee/user/clusters/crossplane.html](https://docs.gitlab.com/ee/user/clusters/crossplane.html)

After [installing](applications.html#crossplane) Crossplane, you must configure it for use. The process of configuring Crossplane includes:

1. [Configure RBAC permissions](#configure-rbac-permissions).
2. [Configure Crossplane with a cloud provider](#configure-crossplane-with-a-cloud-provider).
3. [Configure managed service access](#configure-managed-service-access).
4. [Set up Resource classes](#setting-up-resource-classes).
5. Use [Auto DevOps configuration options](#auto-devops-configuration-options).
6. [Connect to the PostgreSQL instance](#connect-to-the-postgresql-instance).

To allow Crossplane to provision cloud services such as PostgreSQL, the cloud provider stack must be configured with a user account. For example:

* A service account for GCP.
* An IAM user for AWS.

Some important notes:

* This guide uses GCP as an example, but the process for AWS and Azure is similar.
* Crossplane requires the Kubernetes cluster to be VPC native with Alias IPs enabled, so that the IP addresses of the pods can be routed within the GCP network.

First, declare some environment variables with the configuration used in this guide:

```
export PROJECT_ID=crossplane-playground # the GCP project where all resources reside.
export NETWORK_NAME=default # the GCP network where your GKE is provisioned.
export REGION=us-central1 # the GCP region where the GKE cluster is provisioned.
```

## Configure RBAC permissions

For GitLab-managed clusters, role-based access control (RBAC) is configured automatically.

For non-GitLab managed clusters, ensure that the service account for the token provided can manage resources in the `database.crossplane.io` API group:

1. Save the following YAML as `crossplane-database-role.yaml`:

   ```
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     name: crossplane-database-role
     labels:
       rbac.authorization.k8s.io/aggregate-to-edit: "true"
   rules:
   - apiGroups:
     - database.crossplane.io
     resources:
     - postgresqlinstances
     verbs:
     - get
     - list
     - create
     - update
     - delete
     - patch
     - watch
   ```

2. Apply the cluster role to the cluster:

   ```
   kubectl apply -f crossplane-database-role.yaml
   ```

## Configure Crossplane with a cloud provider

See [Configure Your Cloud Provider Account](https://crossplane.github.io/docs/v0.4/cloud-providers.html) to configure the installed cloud provider stack with a user account.

**Note:** The Secret, and the Provider resource that references the Secret, **must** be applied to the `gitlab-managed-apps` namespace in the guide. Make sure you change this while following the process.

## Configure Managed Service Access

Next, configure connectivity between the PostgreSQL database and the GKE cluster, by either:

* Using Crossplane as demonstrated below.
* Directly in the GCP console by [configuring private services access](https://cloud.google.com/vpc/docs/configure-private-services-access).

1. Run the following command, which creates a `network.yaml` file and configures the `GlobalAddress` and connection resources:

   ```
   cat > network.yaml <<EOF
   ---
   # gitlab-ad-globaladdress defines the IP range that will be allocated
   # for cloud services connecting to the instances in the given Network.

   apiVersion: compute.gcp.crossplane.io/v1alpha3
   kind: GlobalAddress
   metadata:
     name: gitlab-ad-globaladdress
   spec:
     providerRef:
       name: gcp-provider
     reclaimPolicy: Delete
     name: gitlab-ad-globaladdress
     purpose: VPC_PEERING
     addressType: INTERNAL
     prefixLength: 16
     network: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
   ---
   # gitlab-ad-connection is what allows cloud services to use the allocated
   # GlobalAddress for communication. Behind the scenes, it creates a VPC peering
   # to the network that those service instances actually live.

   apiVersion: servicenetworking.gcp.crossplane.io/v1alpha3
   kind: Connection
   metadata:
     name: gitlab-ad-connection
   spec:
     providerRef:
       name: gcp-provider
     reclaimPolicy: Delete
     parent: services/servicenetworking.googleapis.com
     network: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
     reservedPeeringRangeRefs:
       - name: gitlab-ad-globaladdress
   EOF
   ```

2. Apply the settings specified in the file with the following command:

   ```
   kubectl apply -f network.yaml
   ```

3. Verify that the network resources were created, and that both resources are ready and synced:

   ```
   kubectl describe connection.servicenetworking.gcp.crossplane.io gitlab-ad-connection
   kubectl describe globaladdress.compute.gcp.crossplane.io gitlab-ad-globaladdress
   ```

## Setting up Resource classes

Use resource classes to define a configuration for the required managed service. This example defines the PostgreSQL Resource class:

1. Run the following command, which defines a `gcp-postgres-standard.yaml` resource class containing a default `CloudSQLInstanceClass` with labels:

   ```
   cat > gcp-postgres-standard.yaml <<EOF
   apiVersion: database.gcp.crossplane.io/v1beta1
   kind: CloudSQLInstanceClass
   metadata:
     name: cloudsqlinstancepostgresql-standard
     labels:
       gitlab-ad-demo: "true"
   specTemplate:
     writeConnectionSecretsToNamespace: gitlab-managed-apps
     forProvider:
       databaseVersion: POSTGRES_11_7
       region: $REGION
       settings:
         tier: db-custom-1-3840
         dataDiskType: PD_SSD
         dataDiskSizeGb: 10
         ipConfiguration:
           privateNetwork: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
     # this should match the name of the provider created in the above step
     providerRef:
       name: gcp-provider
     reclaimPolicy: Delete
   ---
   apiVersion: database.gcp.crossplane.io/v1beta1
   kind: CloudSQLInstanceClass
   metadata:
     name: cloudsqlinstancepostgresql-standard-default
     annotations:
       resourceclass.crossplane.io/is-default-class: "true"
   specTemplate:
     writeConnectionSecretsToNamespace: gitlab-managed-apps
     forProvider:
       databaseVersion: POSTGRES_11_7
       region: $REGION
       settings:
         tier: db-custom-1-3840
         dataDiskType: PD_SSD
         dataDiskSizeGb: 10
         ipConfiguration:
           privateNetwork: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
     # this should match the name of the provider created in the above step
     providerRef:
       name: gcp-provider
     reclaimPolicy: Delete
   EOF
   ```

2. Apply the resource class configuration with the following command:

   ```
   kubectl apply -f gcp-postgres-standard.yaml
   ```

3. Verify that the Resource class was created with the following command:

   ```
   kubectl get cloudsqlinstanceclasses
   ```

Resource classes allow you to define classes of service for a managed service. We could create another `CloudSQLInstanceClass` that requests a larger or faster disk. It could also request a specific version of the database.

## Auto DevOps Configuration Options

You can run the Auto DevOps pipeline with either of the following options:

* Setting the environment variables `AUTO_DEVOPS_POSTGRES_MANAGED` and `AUTO_DEVOPS_POSTGRES_MANAGED_CLASS_SELECTOR` to provision PostgreSQL using Crossplane.
* Overriding values for the Helm chart:
  * Set `postgres.managed` to `true`, which selects a default resource class. Mark the resource class with the annotation `resourceclass.crossplane.io/is-default-class: "true"`. The CloudSQLInstanceClass `cloudsqlinstancepostgresql-standard-default` is used to satisfy the claim.
  * Set `postgres.managed` to `true` with `postgres.managedClassSelector` providing the resource class to choose based on labels. In this case, `postgres.managedClassSelector.matchLabels.gitlab-ad-demo="true"` selects the CloudSQLInstance class `cloudsqlinstancepostgresql-standard` to satisfy the claim request.

The Auto DevOps pipeline should provision a PostgresqlInstance when it runs successfully.

To verify that the PostgreSQL instance was created, run this command. When the `STATUS` field of the PostgresqlInstance changes to `BOUND`, it has been successfully provisioned:

```
$ kubectl get postgresqlinstance

NAME            STATUS   CLASS-KIND              CLASS-NAME                            RESOURCE-KIND      RESOURCE-NAME                               AGE
staging-test8   Bound    CloudSQLInstanceClass   cloudsqlinstancepostgresql-standard   CloudSQLInstance   xp-ad-demo-24-staging-staging-test8-jj55c   9m
```

The endpoint of the PostgreSQL instance, and the user credentials, are present in a secret called `app-postgres` within the same project namespace. You can verify the secret with the following command:

```
$ kubectl describe secret app-postgres

Name:         app-postgres
Namespace:    xp-ad-demo-24-staging
Labels:       <none>
Annotations:  crossplane.io/propagate-from-name: 108e460e-06c7-11ea-b907-42010a8000bd
              crossplane.io/propagate-from-namespace: gitlab-managed-apps
              crossplane.io/propagate-from-uid: 10c79605-06c7-11ea-b907-42010a8000bd

Type:  Opaque

Data
====
privateIP:                            8 bytes
publicIP:                             13 bytes
serverCACertificateCert:              1272 bytes
serverCACertificateCertSerialNumber:  1 bytes
serverCACertificateCreateTime:        24 bytes
serverCACertificateExpirationTime:    24 bytes
username:                             8 bytes
endpoint:                             8 bytes
password:                             27 bytes
serverCACertificateCommonName:        98 bytes
serverCACertificateInstance:          41 bytes
serverCACertificateSha1Fingerprint:   40 bytes
```

## Connect to the PostgreSQL instance

If you want to connect to the newly provisioned PostgreSQL database instance on CloudSQL, follow this [GCP guide](https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine).
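
To check the outcome of the steps under "Configure RBAC permissions" on a non-GitLab managed cluster, the following added example (not part of the GitLab documentation) asks the API server whether a service account holds each verb that `crossplane-database-role` grants. The function name and its arguments are assumptions; the verbs, resource and API group are the ones in the role, and `--as` impersonation requires that your own credentials may impersonate service accounts.

```shell
#!/bin/sh
# Added example: verify that a service account can manage postgresqlinstances
# exactly as crossplane-database-role intends.
# Assumed (hypothetical) names: check_crossplane_rbac and its arguments.

REQUIRED_VERBS="get list create update delete patch watch"
RESOURCE="postgresqlinstances.database.crossplane.io"

# Usage: check_crossplane_rbac <sa-namespace> <service-account> [target-namespace]
# Prints one line per verb; returns non-zero if any verb is denied.
# After the call, $missing holds the denied verbs (empty when all are granted).
check_crossplane_rbac() {
  ns="$1"; sa="$2"; target_ns="${3:-$1}"
  subject="system:serviceaccount:${ns}:${sa}"
  missing=""
  for verb in $REQUIRED_VERBS; do
    # `kubectl auth can-i` prints yes/no and exits non-zero on "no".
    if answer=$(kubectl auth can-i "$verb" "$RESOURCE" \
                  --as="$subject" --namespace="$target_ns" 2>/dev/null) \
       && [ "$answer" = "yes" ]; then
      echo "ok      $verb"
    else
      echo "DENIED  $verb"
      missing="$missing $verb"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing verbs for $subject:$missing" >&2
    return 1
  fi
}

# Runs only when the script is given arguments:
#   ./check-rbac.sh <sa-namespace> <service-account> [target-namespace]
if [ "$#" -ge 2 ]; then
  check_crossplane_rbac "$@"
fi
```

Because the role carries the `rbac.authorization.k8s.io/aggregate-to-edit: "true"` label, its rules are merged into the built-in `edit` ClusterRole, so any subject bound to `edit` in the target namespace passes this check as well.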