
Integrate Google Cloud Resources with Config Connector in Kubernetes


Config Connector: Seamlessly Manage Your Google Cloud Resources

Managing diverse configurations? Config Connector is your solution!

Many applications deployed on Kubernetes use Google-managed services such as Cloud SQL for relational databases or Pub/Sub for messaging. These services are typically provisioned with infrastructure-as-code tools like Terraform, which splits the lifecycle of the infrastructure from that of the application that depends on it: two tools, two pipelines and two sets of state to keep in sync.

Kubernetes enables you to define resources via a set of API objects, which can be expanded by incorporating custom resources and controllers.

By the end of this article, you will learn:

  • What Config Connector is and how it can assist you
  • Steps to deploy it on your Google Kubernetes Engine (GKE) cluster
  • How to set up Config Connector on any Kubernetes distribution
  • How to treat Google Cloud resources as native Kubernetes objects

What is Config Connector?

Config Connector is an open-source extension for Kubernetes that deploys a controller along with Custom Resource Definitions (CRDs):

  • The CRDs add a Kubernetes kind for each supported Google Cloud resource (StorageBucket, PubSubTopic, SQLInstance and so on), so you describe the resource and its desired configuration as an ordinary manifest.
  • The controller watches those objects and calls the Google Cloud APIs to make the real resource match the manifest.

The following diagram illustrates how Config Connector operates during the creation of a storage bucket:

When you apply a StorageBucket object, the Config Connector controller picks it up, compares the desired state in its spec with what actually exists in Google Cloud, and creates, updates or deletes the bucket to close the gap. It then records the outcome in the object's status so you can see whether the bucket is ready.

As demonstrated, Config Connector addresses the mixed-configuration problem: the storage bucket and the application that uses it can live in the same set of manifests and be applied with the same tooling, with no second deployment tool in the loop.

Config Connector also offers several benefits, including:

  • IAM resources such as service accounts, policies and bindings can themselves be declared as Kubernetes objects, so the RBAC that guards the rest of your manifests also guards who may change cloud permissions
  • Kubernetes Events and status conditions report reconciliation progress and errors, which makes the desired state easy to track
  • A unified source for configuration and desired state management
  • Eventual consistency for loosely coupled dependencies: resources that reference each other can be applied in any order, and the controller retries until the dependency exists

How to Configure Config Connector on GKE

Setting up Config Connector on GKE is straightforward through an addon. The primary requirement is Workload Identity on your GKE cluster: it lets a Kubernetes service account impersonate an Identity and Access Management (IAM) service account when calling Google Cloud APIs, so no service account key ever has to be stored in the cluster.

Enable Workload Identity on the cluster, then switch the node pool to the GKE metadata server (the value GKE_METADATA is literal, not a placeholder):

$ gcloud container clusters update <CLUSTER_NAME> \
    --workload-pool=<PROJECT_ID>.svc.id.goog

$ gcloud container node-pools update <NODE_POOL> \
    --cluster <CLUSTER_NAME> \
    --workload-metadata=GKE_METADATA

Next, enable the Config Connector addon on your cluster:

$ gcloud container clusters update <CLUSTER_NAME> \
    --update-addons ConfigConnector=ENABLED

Create an IAM service account that Config Connector will act as:

$ gcloud iam service-accounts create <SERVICE_ACCOUNT_NAME>

Grant the IAM service account permissions on your project. roles/editor is the quickest way to get started, but it lets the controller change almost anything in the project; in production, grant only the roles for the resource kinds you intend to manage (for example roles/storage.admin for buckets) and add more as needed:

$ gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/editor"

Bind the IAM service account to the predefined Kubernetes service account that Config Connector runs as (cnrm-controller-manager in the cnrm-system namespace), so that Workload Identity lets it impersonate the IAM account:

$ gcloud iam service-accounts add-iam-policy-binding \
    SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --member="serviceAccount:PROJECT_ID.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
    --role="roles/iam.workloadIdentityUser"

Create the following configuration to tell the addon which IAM service account to use. The object's name must be exactly configconnector.core.cnrm.cloud.google.com:

# configconnector.yaml
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  googleServiceAccount: "SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com"

Apply the configuration:

$ kubectl apply -f configconnector.yaml

The addon creates the cnrm-system namespace and the controller pods only after this object exists, so verify the installation afterwards:

$ kubectl wait -n cnrm-system --for=condition=Ready pod --all

If Config Connector is correctly installed, the output will resemble:

pod/cnrm-controller-manager-0 condition met
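The GKE steps above as one idempotent script, added here as an example and not taken from the original post or from Config Connector's own tooling. It grants roles/storage.admin instead of roles/editor (assuming buckets are the only kind you will manage; add one role per kind), builds the Workload Identity member string from the project ID so the bracketed namespace/service-account pair cannot be mistyped, renders the ConfigConnector object, and waits for the controller only after that object is applied. The cloud-touching part runs only when CC_RUN=1 is set, so the helper functions can be exercised without a project; PROJECT_ID, CLUSTER, NODE_POOL and GSA_NAME are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): wire Config Connector on GKE to
# an IAM service account through Workload Identity, with a role narrower than
# roles/editor. PROJECT_ID, CLUSTER, NODE_POOL, GSA_NAME are assumptions.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
CLUSTER="${CLUSTER:-my-cluster}"
NODE_POOL="${NODE_POOL:-default-pool}"
GSA_NAME="${GSA_NAME:-cnrm-system}"
# Least privilege: one role per resource kind you intend to manage.
# roles/storage.admin covers StorageBucket; append roles/pubsub.admin etc.
ROLES="${ROLES:-roles/storage.admin}"

# Email of the IAM service account the controller will impersonate.
gsa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Workload Identity member for the controller's Kubernetes service account.
# Cluster mode always runs as cnrm-controller-manager in cnrm-system.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[cnrm-system/cnrm-controller-manager]' "$1"
}

# The ConfigConnector object: its name is fixed, only the GSA email varies.
configconnector_manifest() {
  cat <<EOF
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  googleServiceAccount: "$1"
EOF
}

setup_gke() {
  gsa="$(gsa_email "$GSA_NAME" "$PROJECT_ID")"

  # 1. Workload Identity on the cluster, then the node pool (GKE_METADATA is literal).
  gcloud container clusters update "$CLUSTER" \
    --workload-pool="${PROJECT_ID}.svc.id.goog"
  gcloud container node-pools update "$NODE_POOL" \
    --cluster "$CLUSTER" --workload-metadata=GKE_METADATA

  # 2. The addon itself.
  gcloud container clusters update "$CLUSTER" \
    --update-addons ConfigConnector=ENABLED

  # 3. IAM service account; skip creation if it already exists.
  gcloud iam service-accounts describe "$gsa" >/dev/null 2>&1 ||
    gcloud iam service-accounts create "$GSA_NAME"
  for role in $ROLES; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${gsa}" --role="$role"
  done

  # 4. Allow the controller's Kubernetes service account to impersonate the GSA.
  gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --member="$(wi_member "$PROJECT_ID")" \
    --role="roles/iam.workloadIdentityUser"

  # 5. Tell the addon which GSA to use; the controller pods appear only now.
  configconnector_manifest "$gsa" | kubectl apply -f -
  kubectl wait -n cnrm-system --for=condition=Ready pod --all --timeout=300s
}

# Touch the cloud only when explicitly asked.
if [ "${CC_RUN:-0}" = "1" ]; then setup_gke; fi
```

Run it as CC_RUN=1 PROJECT_ID=... CLUSTER=... sh setup-gke.sh (file name assumed). Every step is safe to repeat: add-iam-policy-binding leaves the policy untouched when the binding already exists, and kubectl apply is a no-op for an unchanged ConfigConnector object.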

How to Configure Config Connector on Other Kubernetes Distributions

If you're using a platform other than GKE for your Kubernetes clusters, you can still use Config Connector by installing the official operator yourself.

The operator creates CRDs, roles and role bindings, so the account you apply it with needs permission to create roles. Check whether you have it:

$ kubectl auth can-i create roles

If the output is no, grant yourself cluster-admin with a ClusterRoleBinding. This is the broadest role in Kubernetes, so bind it to the identity you install with (for gcloud users, the output of gcloud config get-value account) rather than to a shared group, and remove the binding once the operator is in place; the operator runs with its own service account, not yours:

$ kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole cluster-admin \
    --user <ACCOUNT_EMAIL>

Create an IAM service account for Config Connector to act as:

$ gcloud iam service-accounts create <SERVICE_ACCOUNT_NAME>

Assign the IAM service account permissions on your project. The example grants roles/owner; that is more than the controller can ever use (it includes the right to change IAM on the whole project), so prefer only the roles for the resource kinds you plan to manage, for example roles/storage.admin for buckets:

$ gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/owner"

Without Workload Identity the controller has to authenticate with a service account key. Generate one and export its credentials to a file:

$ gcloud iam service-accounts keys create --iam-account \
    SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com key.json

Treat key.json as a long-lived credential carrying every role granted above: it does not expire, and anyone who can read Secrets in the cnrm-system namespace can copy it. Restrict RBAC on that namespace, note the key ID so you can revoke it with gcloud iam service-accounts keys delete, and rotate it on a schedule.

Create the cnrm-system namespace:

$ kubectl create namespace cnrm-system

Import the key's credentials as a Secret (the controller expects the file under the Secret key key.json, which --from-file key.json produces):

$ kubectl create secret generic SECRET_NAME \
    --from-file key.json \
    --namespace cnrm-system

Remove the credentials from your system:

$ rm key.json

Download the latest Config Connector Operator archive:

$ gsutil cp gs://configconnector-operator/latest/release-bundle.tar.gz release-bundle.tar.gz

Extract the archive:

$ tar zxvf release-bundle.tar.gz

Install the Config Connector Operator on your cluster:

$ kubectl apply -f operator-system/configconnector-operator.yaml

Configure Config Connector through the operator. The object's name is fixed, and credentialSecretName must match the Secret you created in cnrm-system:

# configconnector.yaml
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  credentialSecretName: SECRET_NAME

Apply this configuration to your cluster:

$ kubectl apply -f configconnector.yaml

The operator starts the controller in cnrm-system only after this object exists, so check the installation now:

$ kubectl wait -n cnrm-system --for=condition=Ready pod --all

The output should be similar to:

pod/cnrm-controller-manager-0 condition met
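The operator-mode steps as a script, added as an example rather than taken from the page or from the project. The difference from GKE is the credential: a downloadable key instead of Workload Identity, so the script keeps the key file in a private temporary directory that is removed on every exit path, refuses to store a key whose client_email is not the expected service account, and prints the key ID you will need for gcloud iam service-accounts keys delete when you rotate it. demo_key_file writes a constructed stand-in (not a real key) so the checks can be tried offline; PROJECT_ID, GSA_NAME, SECRET_NAME and the role are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): operator-mode credentials for a
# non-GKE cluster. The service account key is long-lived, so keep it off disk
# as soon as possible, check it is the key you meant to store, and record its
# ID for revocation. PROJECT_ID, GSA_NAME, SECRET_NAME, ROLES are assumptions.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
GSA_NAME="${GSA_NAME:-cnrm-system}"
SECRET_NAME="${SECRET_NAME:-gcp-key}"
ROLES="${ROLES:-roles/storage.admin}"   # narrower than the page's roles/owner

# Read one top-level string field from a key file (flat JSON, one pair per line).
json_field() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Refuse to store anything that is not a key for the expected service account.
check_key_file() {
  [ "$(json_field type "$1")" = "service_account" ] || return 1
  [ "$(json_field client_email "$1")" = "$2" ] || return 1
  [ -n "$(json_field private_key_id "$1")" ] || return 1
}

# Constructed stand-in for a downloaded key file (not a real key), so the
# checks above can be tried without calling gcloud.
demo_key_file() {
  cat >"$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "my-project",
  "private_key_id": "0123abcd",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "cnrm-system@my-project.iam.gserviceaccount.com"
}
EOF
}

operator_manifest() {
  cat <<EOF
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  name: configconnector.core.cnrm.cloud.google.com
spec:
  mode: cluster
  credentialSecretName: $1
EOF
}

setup_operator() {
  gsa="${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
  gcloud iam service-accounts describe "$gsa" >/dev/null 2>&1 ||
    gcloud iam service-accounts create "$GSA_NAME"
  for role in $ROLES; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${gsa}" --role="$role"
  done

  # Private temp dir, removed on every exit path (including errors).
  tmp="$(mktemp -d)"
  trap 'rm -rf "$tmp"' EXIT
  gcloud iam service-accounts keys create --iam-account "$gsa" "$tmp/key.json"
  check_key_file "$tmp/key.json" "$gsa"
  # The key ID is what `gcloud iam service-accounts keys delete` needs later.
  echo "stored key id: $(json_field private_key_id "$tmp/key.json")"

  kubectl create namespace cnrm-system --dry-run=client -o yaml | kubectl apply -f -
  # The controller reads the credential from the Secret key named key.json.
  kubectl create secret generic "$SECRET_NAME" -n cnrm-system \
    --from-file=key.json="$tmp/key.json"
  rm -f "$tmp/key.json"

  gsutil cp gs://configconnector-operator/latest/release-bundle.tar.gz "$tmp/bundle.tar.gz"
  tar -C "$tmp" -zxf "$tmp/bundle.tar.gz"
  kubectl apply -f "$tmp/operator-system/configconnector-operator.yaml"
  operator_manifest "$SECRET_NAME" | kubectl apply -f -
  kubectl wait -n cnrm-system --for=condition=Ready pod --all --timeout=300s
}

if [ "${CC_RUN:-0}" = "1" ]; then setup_operator; fi
```

The key file is parsed with sed rather than a JSON library because a service account key is flat JSON with one field per line; the same helper would not be safe for arbitrary JSON. Keep the printed key ID with your other rotation records: without it, revoking exactly this key later means listing all keys on the account and guessing.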

Deploy Your First Google Resource Using Config Connector

Now that Config Connector is set up on your Kubernetes cluster, let's get started with a practical example: deploying a storage bucket using Config Connector.

Config Connector needs to know which project to create resources in. The usual way is to annotate the namespace your manifests go into; every resource in that namespace then inherits the project:

$ kubectl annotate namespace default cnrm.cloud.google.com/project-id=PROJECT_ID

You can configure the resource definition as per your requirements. Below is a sample bucket configuration named storage-bucket.yaml. Bucket names are global across all of Google Cloud, so replace example-bucket with a name nobody else has taken (a project-prefixed name is a good habit):

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: example-bucket
spec:
  location: US
  storageClass: STANDARD

Apply the configuration in your Kubernetes cluster:

$ kubectl apply -f storage-bucket.yaml

You can retrieve information about the storage bucket resource:

$ kubectl get StorageBucket

The output lists the name, age and readiness of the bucket. Config Connector reports reconciliation through status conditions: a Ready condition of True means the bucket exists in Google Cloud, while False carries the error message (typically an IAM or naming problem), which you can read in full with kubectl describe storagebucket example-bucket.

The storage bucket is also visible in the Google Cloud Console, or from the command line:

$ gsutil ls -b gs://example-bucket

Deleting the Kubernetes resource deletes the bucket from Google Cloud as well. A bucket that still contains objects cannot be deleted unless the StorageBucket carries the annotation cnrm.cloud.google.com/force-destroy: "true"; conversely, if you want the bucket to outlive its manifest, annotate it with cnrm.cloud.google.com/deletion-policy: abandon and Config Connector will forget the bucket without deleting it.

$ kubectl delete -f storage-bucket.yaml

The bucket has now been removed from GCP.
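The bucket example carried one step further, as an added example that is not from the original post: the manifest is rendered with the annotations this section only mentions (cnrm.cloud.google.com/project-id to pick the project, and either force-destroy or deletion-policy: abandon to decide what deleting the Kubernetes object does to the real bucket), the name is checked against the Cloud Storage naming rules before anything is applied, and readiness is read from the resource's own Ready condition rather than from the controller pod. The bucket name, project ID, location and the uniformBucketLevelAccess setting are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): a StorageBucket with the
# annotations that choose its project and its fate on delete, name-checked
# before apply. Bucket name, project and location are assumptions.
set -eu

# Offline check of the Cloud Storage naming rules, so a bad name fails here
# instead of as a Ready=False condition after the controller tries the API.
valid_bucket_name() {
  n="$1"
  [ "${#n}" -ge 3 ] && [ "${#n}" -le 63 ] || return 1
  printf '%s' "$n" | grep -Eq '^[a-z0-9][a-z0-9._-]*[a-z0-9]$' || return 1
  case "$n" in goog*) return 1 ;; *google*) return 1 ;; esac
  # Dotted-decimal names are rejected by the API as well.
  printf '%s' "$n" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && return 1
  return 0
}

# $1 bucket name, $2 project ID, $3 location, $4 "delete" or "abandon".
bucket_manifest() {
  if [ "$4" = "abandon" ]; then
    # Deleting the Kubernetes object leaves the real bucket in place.
    deletion='cnrm.cloud.google.com/deletion-policy: abandon'
  else
    # Deleting the object deletes the bucket even if it still holds objects.
    deletion='cnrm.cloud.google.com/force-destroy: "true"'
  fi
  cat <<EOF
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: $1
  annotations:
    cnrm.cloud.google.com/project-id: $2
    $deletion
spec:
  location: $3
  storageClass: STANDARD
  # IAM-only access, no per-object ACLs (assumed default, not from the page).
  uniformBucketLevelAccess: true
EOF
}

deploy_bucket() {
  valid_bucket_name "$1" || { echo "invalid bucket name: $1" >&2; return 1; }
  bucket_manifest "$1" "$2" "$3" "$4" | kubectl apply -f -
  # Ready is the controller's own condition: True once the bucket exists in GCP.
  kubectl wait --for=condition=Ready "storagebucket/$1" --timeout=120s
  kubectl get storagebucket "$1"
}

# Touch the cluster only when explicitly asked.
if [ "${CC_RUN:-0}" = "1" ]; then
  deploy_bucket "${BUCKET_NAME:-my-project-cc-demo}" "${PROJECT_ID:-my-project}" \
    "${LOCATION:-US}" "${ON_DELETE:-delete}"
fi
```

With ON_DELETE=abandon, kubectl delete storagebucket NAME removes only the Kubernetes object; the bucket and its data stay, which is the safer choice for anything holding production data. The per-resource project-id annotation takes precedence over the namespace annotation, so the manifest works in a namespace that was never annotated.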

Conclusion

You now understand how Config Connector can effectively manage the Google Cloud infrastructure dependencies required by your applications. Config Connector can be added to GKE via an addon or utilized on other Kubernetes distributions through the official operator.

Once installed, you can define Google resources just like any other Kubernetes resources, allowing you to integrate Google resources within your Helm charts for unified deployment.

With the example of the storage bucket, you are now prepared to utilize Config Connector to meet your resource management needs!