ThinkChat2.0新版上线,更智能更精彩,支持会话、画图、阅读、搜索等,送10W Token,即刻开启你的AI之旅 广告
# Crossplane configuration > 原文:[https://docs.gitlab.com/ee/user/clusters/crossplane.html](https://docs.gitlab.com/ee/user/clusters/crossplane.html) * [Configure RBAC permissions](#configure-rbac-permissions) * [Configure Crossplane with a cloud provider](#configure-crossplane-with-a-cloud-provider) * [Configure Managed Service Access](#configure-managed-service-access) * [Setting up Resource classes](#setting-up-resource-classes) * [Auto DevOps Configuration Options](#auto-devops-configuration-options) * [Connect to the PostgreSQL instance](#connect-to-the-postgresql-instance) # Crossplane configuration[](#crossplane-configuration "Permalink") [安装](applications.html#crossplane) Crossplane 后,必须对其进行配置以供使用. 配置 Crossplane 的过程包括: 1. [Configure RBAC permissions](#configure-rbac-permissions). 2. [Configure Crossplane with a cloud provider](#configure-crossplane-with-a-cloud-provider). 3. [Configure managed service access](#configure-managed-service-access). 4. [Set up Resource classes](#setting-up-resource-classes). 5. Use [Auto DevOps configuration options](#auto-devops-configuration-options). 6. [Connect to the PostgreSQL instance](#connect-to-the-postgresql-instance). 为了允许 Crossplane 设置诸如 PostgreSQL 之类的云服务,必须使用用户帐户配置云提供商堆栈. 例如: * GCP 的服务帐户. * AWS 的 IAM 用户. 一些重要的注意事项: * 本指南以 GCP 为例,但 AWS 和 Azure 的过程相似. * Crossplane 要求 Kubernetes 集群是启用了 Alias IP 的 VPC 本机,因此可以在 GCP 网络内路由 Pod 的 IP 地址. 首先,使用配置声明一些环境变量以供本指南使用: ``` export PROJECT_ID=crossplane-playground # the GCP project where all resources reside. export NETWORK_NAME=default # the GCP network where your GKE is provisioned. export REGION=us-central1 # the GCP region where the GKE cluster is provisioned. ``` ## Configure RBAC permissions[](#configure-rbac-permissions "Permalink") 对于由 GitLab 管理的群集,将自动配置基于角色的访问控制(RBAC). 对于非 GitLab 管理的群集,请确保提供的令牌的服务帐户可以管理`database.crossplane.io` API 组中的资源: 1. 将以下 YAML 保存为`crossplane-database-role.yaml` : ``` apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: crossplane-database-role labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" rules: - apiGroups: - database.crossplane.io resources: - postgresqlinstances verbs: - get - list - create - update - delete - patch - watch ``` 2. 将集群角色应用于集群: ``` kubectl apply -f crossplane-database-role.yaml ``` ## Configure Crossplane with a cloud provider[](#configure-crossplane-with-a-cloud-provider "Permalink") 请参阅[配置您的云提供商帐户](https://crossplane.github.io/docs/v0.4/cloud-providers.html)以使用用户帐户配置已安装的云提供商堆栈. **注意:必须**将 Secret 和引用该 Secret 的 Provider 资源应用于指南中的`gitlab-managed-apps`命名空间. 请确保在执行该过程时进行更改. ## Configure Managed Service Access[](#configure-managed-service-access "Permalink") 接下来,通过以下任一方法配置 PostgreSQL 数据库和 GKE 集群之间的连接: * 如下所示使用 Crossplane. * Directly in the GCP console by [configuring private services access](https://cloud.google.com/vpc/docs/configure-private-services-access). 1. 运行以下命令,这将创建一个`network.yaml`文件,并配置`GlobalAddress`和连接资源: ``` cat > network.yaml <<EOF --- # gitlab-ad-globaladdress defines the IP range that will be allocated # for cloud services connecting to the instances in the given Network. apiVersion: compute.gcp.crossplane.io/v1alpha3 kind: GlobalAddress metadata: name: gitlab-ad-globaladdress spec: providerRef: name: gcp-provider reclaimPolicy: Delete name: gitlab-ad-globaladdress purpose: VPC_PEERING addressType: INTERNAL prefixLength: 16 network: projects/$PROJECT_ID/global/networks/$NETWORK_NAME --- # gitlab-ad-connection is what allows cloud services to use the allocated # GlobalAddress for communication. Behind the scenes, it creates a VPC peering # to the network that those service instances actually live. apiVersion: servicenetworking.gcp.crossplane.io/v1alpha3 kind: Connection metadata: name: gitlab-ad-connection spec: providerRef: name: gcp-provider reclaimPolicy: Delete parent: services/servicenetworking.googleapis.com network: projects/$PROJECT_ID/global/networks/$NETWORK_NAME reservedPeeringRangeRefs: - name: gitlab-ad-globaladdress EOF ``` 2. 使用以下命令应用文件中指定的设置: ``` kubectl apply -f network.yaml ``` 3. 验证网络资源的创建,以及两个资源均已准备就绪并已同步. ``` kubectl describe connection.servicenetworking.gcp.crossplane.io gitlab-ad-connection kubectl describe globaladdress.compute.gcp.crossplane.io gitlab-ad-globaladdress ``` ## Setting up Resource classes[](#setting-up-resource-classes "Permalink") 使用资源类为所需的托管服务定义配置. 这个例子定义了 PostgreSQL Resource 类: 1. 运行以下命令,该命令定义一个`gcp-postgres-standard.yaml`资源类,该资源类包含带有标签的默认`CloudSQLInstanceClass` : ``` cat > gcp-postgres-standard.yaml <<EOF apiVersion: database.gcp.crossplane.io/v1beta1 kind: CloudSQLInstanceClass metadata: name: cloudsqlinstancepostgresql-standard labels: gitlab-ad-demo: "true" specTemplate: writeConnectionSecretsToNamespace: gitlab-managed-apps forProvider: databaseVersion: POSTGRES_11_7 region: $REGION settings: tier: db-custom-1-3840 dataDiskType: PD_SSD dataDiskSizeGb: 10 ipConfiguration: privateNetwork: projects/$PROJECT_ID/global/networks/$NETWORK_NAME # this should match the name of the provider created in the above step providerRef: name: gcp-provider reclaimPolicy: Delete --- apiVersion: database.gcp.crossplane.io/v1beta1 kind: CloudSQLInstanceClass metadata: name: cloudsqlinstancepostgresql-standard-default annotations: resourceclass.crossplane.io/is-default-class: "true" specTemplate: writeConnectionSecretsToNamespace: gitlab-managed-apps forProvider: databaseVersion: POSTGRES_11_7 region: $REGION settings: tier: db-custom-1-3840 dataDiskType: PD_SSD dataDiskSizeGb: 10 ipConfiguration: privateNetwork: projects/$PROJECT_ID/global/networks/$NETWORK_NAME # this should match the name of the provider created in the above step providerRef: name: gcp-provider reclaimPolicy: Delete EOF ``` 2. 使用以下命令应用资源类配置: ``` kubectl apply -f gcp-postgres-standard.yaml ``` 3. 使用以下命令验证 Resource 类的创建: ``` kubectl get cloudsqlinstanceclasses ``` 资源类使您可以定义托管服务的服务类. 我们可以创建另一个`CloudSQLInstanceClass` ,以请求更大或更快速的磁盘. 它还可以请求特定版本的数据库. ## Auto DevOps Configuration Options[](#auto-devops-configuration-options "Permalink") 您可以使用以下任一选项来运行 Auto DevOps 管道: * 设置环境变量`AUTO_DEVOPS_POSTGRES_MANAGED`和`AUTO_DEVOPS_POSTGRES_MANAGED_CLASS_SELECTOR`以使用 Crossplane 设置 PostgreSQL. * 舵图的替代值: * 将`postgres.managed`设置为`true` ,这将选择默认资源类. 用注释`resourceclass.crossplane.io/is-default-class: "true"`标记资源类`resourceclass.crossplane.io/is-default-class: "true"` . CloudSQLInstanceClass `cloudsqlinstancepostgresql-standard-default`用于满足声明. * 使用`postgres.managedClassSelector`将`postgres.managed`设置为`true` ,以根据标签提供要选择的资源类. 在这种情况下, `postgres.managedClassSelector.matchLabels.gitlab-ad-demo="true"`选择 CloudSQLInstance 类`cloudsqlinstancepostgresql-standard`以满足声明请求. Auto DevOps 管道在成功运行时应预配一个 PostgresqlInstance. 要验证已创建 PostgreSQL 实例,请运行此命令. 当 PostgresqlInstance 的`STATUS`字段更改为`BOUND` ,它已成功配置: ``` $ kubectl get postgresqlinstance NAME STATUS CLASS-KIND CLASS-NAME RESOURCE-KIND RESOURCE-NAME AGE staging-test8 Bound CloudSQLInstanceClass cloudsqlinstancepostgresql-standard CloudSQLInstance xp-ad-demo-24-staging-staging-test8-jj55c 9m ``` PostgreSQL 实例的端点和用户凭据位于同一项目名称空间内的一个名为`app-postgres`的秘密中. 您可以使用以下命令来验证机密: ``` $ kubectl describe secret app-postgres Name: app-postgres Namespace: xp-ad-demo-24-staging Labels: <none> Annotations: crossplane.io/propagate-from-name: 108e460e-06c7-11ea-b907-42010a8000bd crossplane.io/propagate-from-namespace: gitlab-managed-apps crossplane.io/propagate-from-uid: 10c79605-06c7-11ea-b907-42010a8000bd Type: Opaque Data ==== privateIP: 8 bytes publicIP: 13 bytes serverCACertificateCert: 1272 bytes serverCACertificateCertSerialNumber: 1 bytes serverCACertificateCreateTime: 24 bytes serverCACertificateExpirationTime: 24 bytes username: 8 bytes endpoint: 8 bytes password: 27 bytes serverCACertificateCommonName: 98 bytes serverCACertificateInstance: 41 bytes serverCACertificateSha1Fingerprint: 40 bytes ``` ## Connect to the PostgreSQL instance[](#connect-to-the-postgresql-instance "Permalink") 如果您想连接到 CloudSQL 上新配置的 PostgreSQL 数据库实例,请遵循此[GCP 指南](https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine) .