Set up Google Cloud
A few steps are required to prepare your Google Cloud project before you can manage Google Kubernetes Engine clusters with Astra Control Service.
If you do not start out using Google Cloud Volumes Service for Google Cloud as a storage backend but plan to use it at a later date, you should complete the necessary steps to configure Google Cloud Volumes Service for Google Cloud now. Creating a service account later means that you might lose access to your existing storage buckets. |
Quick start for setting up Google Cloud
Get started quickly by following these steps or scroll down to the remaining sections for full details.
Review Astra Control Service requirements for Google Kubernetes Engine
Ensure that clusters are healthy and running a supported Kubernetes version, that worker nodes are online and running a supported image type, and more. Learn more about this step.
(Optional): Purchase Cloud Volumes Service for Google Cloud
If you plan to use Cloud Volumes Service for Google Cloud as a storage backend, go to the NetApp Cloud Volumes Service page in the Google Cloud Marketplace and select Purchase. Learn more about this step.
Enable APIs in your Google Cloud project
Enable the following Google Cloud APIs:
-
Google Kubernetes Engine
-
Cloud Storage
-
Cloud Storage JSON API
-
Service Usage
-
Cloud Resource Manager API
-
NetApp Cloud Volumes Service
-
Required for Cloud Volumes Service for Google Cloud
-
Optional (but recommended) for Google Persistent Disk
-
-
Service Consumer Management API
-
Service Networking API
-
Service Management API
Create a service account that has the required permissions
Create a Google Cloud service account that has the following permissions:
-
Kubernetes Engine Admin
-
NetApp Cloud Volumes Admin
-
Required for Cloud Volumes Service for Google Cloud
-
Optional (but recommended) for Google Persistent Disk
-
-
Storage Admin
-
Service Usage Viewer
-
Compute Network Viewer
Create a service account key
Create a key for the service account and save the key file in a secure location. Follow step-by-step instructions.
(Optional): Set up network peering for your VPC
If you plan to use Cloud Volumes Service for Google Cloud as a storage backend, set up network peering from your VPC to Cloud Volumes Service for Google Cloud. Follow step-by-step instructions.
GKE cluster requirements
A Kubernetes cluster must meet the following requirements so you can discover and manage it from Astra Control Service. Note that some of these requirements only apply if you plan to use Cloud Volumes Service for Google Cloud as a storage backend.
- Kubernetes version
-
A cluster must be running a Kubernetes version in the range of 1.26 to 1.28.
- Image type
-
The image type for each worker node must be
COS_CONTAINERD
. - Cluster state
-
Clusters must be running in a healthy state and have at least one online worker node with no worker nodes in a failed state.
- Google Cloud region
-
If you plan to use Cloud Volumes Service for Google Cloud as a storage backend, clusters must be running in a Google Cloud region where Cloud Volumes Service for Google Cloud is supported. Note that Astra Control Service supports both service types: CVS and CVS-Performance. As a best practice, you should choose a region that supports Cloud Volumes Service for Google Cloud, even if you do not use it as a storage backend. This makes it easier to use Cloud Volumes Service for Google Cloud as a storage backend in the future if your performance requirements change.
- Networking
-
If you plan to use Cloud Volumes Service for Google Cloud as a storage backend, the cluster must reside in a VPC that is peered with Cloud Volumes Service for Google Cloud. This step is described below.
- Private clusters
-
If the cluster is private, the authorized networks must allow the Astra Control Service IP address:
52.188.218.166/32
- Mode of operation for a GKE cluster
-
You should use the Standard mode of operation. The Autopilot mode hasn't been tested at this time. Learn more about modes of operation.
- Storage pools
-
If you use NetApp Cloud Volumes Service as a storage backend with the CVS service type, you need to configure storage pools before you can provision volumes. Refer to Service type, storage classes, and PV size for GKE clusters for more information.
Optional: Purchase Cloud Volumes Service for Google Cloud
Astra Control Service can use Cloud Volumes Service for Google Cloud as the storage backend for your persistent volumes. If you plan to use this service, you need to purchase Cloud Volumes Service for Google Cloud from the Google Cloud Marketplace to enable billing for persistent volumes.
-
Go to the NetApp Cloud Volumes Service page in the Google Cloud Marketplace, select Purchase, and follow the prompts.
Enable APIs in your project
Your project needs permissions to access specific Google Cloud APIs. APIs are used to interact with Google Cloud resources, such as Google Kubernetes Engine (GKE) clusters and NetApp Cloud Volumes Service storage.
-
Use the Google Cloud console or gcloud CLI to enable the following APIs:
-
Google Kubernetes Engine
-
Cloud Storage
-
Cloud Storage JSON API
-
Service Usage
-
Cloud Resource Manager API
-
NetApp Cloud Volumes Service (Required for Cloud Volumes Service for Google Cloud)
-
Service Consumer Management API
-
Service Networking API
-
Service Management API
-
The following video shows how to enable the APIs from the Google Cloud console.
Create a service account
Astra Control Service uses a Google Cloud service account to facilitate Kubernetes application data management on your behalf.
-
Go to Google Cloud and create a service account by using the console, gcloud command, or another preferred method.
-
Grant the service account the following roles:
-
Kubernetes Engine Admin - Used to list clusters and create admin access to manage apps.
-
NetApp Cloud Volumes Admin - Used to manage persistent storage for apps.
-
Storage Admin - Used to manage buckets and objects for backups of apps.
-
Service Usage Viewer - Used to check if the required Cloud Volumes Service for Google Cloud APIs are enabled.
-
Compute Network Viewer - Used to check if the Kubernetes VPC is allowed to reach Cloud Volumes Service for Google Cloud.
-
If you'd like to use gcloud, you can follow steps from within the Astra Control interface. Select Account > Credentials > Add Credentials, and then select Instructions.
If you'd like to use the Google Cloud console, the following video shows how to create the service account from the console.
Configure the service account for a shared VPC
To manage GKE clusters that reside in one project, but use a VPC from a different project (a shared VPC), then you need to specify the Astra service account as a member of the host project with the Compute Network Viewer role.
-
From the Google Cloud console, go to IAM & Admin and select Service Accounts.
-
Find the Astra service account that has the required permissions and then copy the email address.
-
Go to your host project and then select IAM & Admin > IAM.
-
Select Add and add an entry for the service account.
-
New members: Enter the email address for the service account.
-
Role: Select Compute Network Viewer.
-
Select Save.
-
Adding a GKE cluster using a shared VPC will fully work with Astra.
Create a service account key
Instead of providing a user name and password to Astra Control Service, you'll provide a service account key when you add your first cluster. Astra Control Service uses the service account key to establish the identity of the service account that you just set up.
The service account key is plaintext stored in the JavaScript Object Notation (JSON) format. It contains information about the GCP resources that you have permission to access.
You can only view or download the JSON file when you create the key. However, you can create a new key at any time.
-
Go to Google Cloud and create a service account key by using the console, gcloud command, or another preferred method.
-
When prompted, save the service account key file in a secure location.
The following video shows how to create the service account key from the Google Cloud console.
Optional: Set up network peering for your VPC
If you plan to use Cloud Volumes Service for Google Cloud as a storage backend service, the final step is to set up networking peering from your VPC to Cloud Volumes Service for Google Cloud.
The easiest way to set up network peering is by obtaining the gcloud commands directly from Cloud Volumes Service. The commands are available from Cloud Volumes Service when creating a new file system.
-
Go to NetApp BlueXP Global Regions Maps and identify the service type that you'll be using in the Google Cloud region where your cluster resides.
Cloud Volumes Service provides two service types: CVS and CVS-Performance. Learn more about these service types.
-
On the Volumes page, select Create.
-
Under Service Type, select either CVS or CVS-Performance.
You need to choose the correct service type for your Google Cloud region. This is the service type that you identified in step 1. After you select a service type, the list of regions on the page updates with the regions where that service type is supported.
After this step, you'll only need to enter your networking information to obtain the commands.
-
Under Region, select your region and zone.
-
Under Network Details, select your VPC.
If you haven't set up network peering, you'll see the following notification:
-
Select the button to view the network peering set up commands.
-
Copy the commands and run them in Cloud Shell.
For more details about using these commands, refer to the Quickstart for Cloud Volumes Service for GCP.
-
After you're done, you can select cancel on the Create File System page.
We started creating this volume only to get the commands for network peering.