6. Complete Anthos Prerequisites: NetApp HCI with Anthos
Contributors Download PDF of this topic
Now that the physical environment is set up, you can begin Anthos deployment. This starts with several prerequisites that you must meet to deploy the solution and access it afterward. Each of these steps are discussed in depth in the Anthos GKE On-Prem Guide.
To prepare your environment for the deployment of Anthos on VMware, complete the following steps:
Create a Google Cloud project following the instructions available here.
Your organization might already have a project in place intended for this purpose. Check with your cloud administration team to see if a project exists and is already configured for access to Anthos on VMware. All projects intended for use with Anthos must be whitelisted by Google. This includes the primary user account, additional team members, and the access service account created in a later step.
Create a deployment workstation from which to manage the installation of Anthos on VMware. The deployment workstation can be Linux, MacOS, or Windows. For the purposes of this validated deployment, Red Hat Enterprise Linux 7 was used.
This workstation can be hosted either internal or external to the NetApp HCI deployment. The only requirement is that it must be able to successfully communicate with the deployed VMware vCenter Server and the internet to function correctly.
Install Google Cloud SDK for interactions with Google Cloud. It can be downloaded as an archive of binaries for manual install or installed by either the apt-get (Ubuntu/Debian) or yum (RHEL) package managers.
[user@rhel7 ~]$ sudo yum install google-cloud-sdk Failed to set locale, defaulting to C Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager Resolving Dependencies --> Running transaction check ---> Package google-cloud-sdk.noarch 0:270.0.0-1 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================================= Package Arch Version Repository Size ================================================================================================= Installing: google-cloud-sdk noarch 270.0.0-1 google-cloud-sdk 36 M Transaction Summary ================================================================================================= Install 1 Package Total download size: 36 M Installed size: 174 M Is this ok [y/d/N]: y Downloading packages: 6d81c821884ae40244c746f6044fc1bcd801143a0d9c8da06767036b8d090a24-google-cloud-sdk-270.0.0-1.noar | 36 MB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : google-cloud-sdk-270.0.0-1.noarch 1/1 Verifying : google-cloud-sdk-270.0.0-1.noarch 1/1 Installed: google-cloud-sdk.noarch 0:270.0.0-1 Complete!
The gcloud binary must be at least version 265.0.0. You can update a manual install with a gcloud components update. However, if SDK was installed by a package manager, future updates must also be performed using that same package manager.
Install govc, the CLI for VMware vSphere. Installing govc allows you to interact directly with the management of VMware vCenter. Govc is available as a pre-packaged binary available in a gzip format for download. For installation, a user must download the gzip archive, unzip, and copy the resulting binary to a local path directory such as /usr/local/bin.
[user@rhel7 ~]$ wget https://github.com/vmware/govmomi/releases/download/v0.20.0/govc_linux_amd64.gz --2019-11-06 09:06:10-- https://github.com/vmware/govmomi/releases/download/v0.20.0/govc_linux_amd64.gz Resolving github.com (github.com)... 18.104.22.168 Connecting to github.com (github.com)|22.214.171.124|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 7650188 (7.3M) [application/octet-stream] Saving to: 'govc_linux_amd64.gz.1' 100%[=======================================================================================================================================>] 7,650,188 --.-K/s in 0.1s 2019-11-06 09:06:12 (76.4 MB/s) - 'govc_linux_amd64.gz' saved [7650188/7650188] [user@rhel7 ~]$ gunzip govc_linux_amd64.gz [user@rhel7 ~]$ sudo cp govc_linux_amd64 /usr/local/bin/govc [user@rhel7 ~]$ which govc /usr/local/bin/govc
Install Hashicorp Terraform. Terraform enables the automated deployment of VMs in a VMware vSphere environment and is used to deploy the Anthos admin workstation in a later step. Like the govc install, Terraform can be downloaded as a zip archive and unzipped, and the resulting binary can be copied to a directory in the local user’s path.
[user@rhel7 ~]$ wget https://releases.hashicorp.com/terraform/0.12.13/terraform_0.12.13_linux_amd64.zip --2019-11-06 09:13:40-- https://releases.hashicorp.com/terraform/0.12.13/terraform_0.12.13_linux_amd64.zip Resolving releases.hashicorp.com (releases.hashicorp.com)... 126.96.36.199, 188.8.131.52, 184.108.40.206, ... Connecting to releases.hashicorp.com (releases.hashicorp.com)|220.127.116.11|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 16341595 (16M) [application/zip] Saving to: 'terraform_0.12.13_linux_amd64.zip.1' 100%[=======================================================================================================================================>] 16,341,595 --.-K/s in 0.1s 2019-11-06 09:13:40 (141 MB/s) - 'terraform_0.12.13_linux_amd64.zip.1' saved [16341595/16341595] [user@rhel7 ~]$ unzip terraform_0.12.13_linux_amd64.zip Archive: terraform_0.12.13_linux_amd64.zip inflating: terraform [user@rhel7 ~]$ cp terraform /usr/local/bin [user@rhel7 ~]$ which terraform /usr/local/bin/terraform
With the workstation configured, log in to Google Cloud with your credentials. To do so, enter the login command from the deployment workstation and retrieve a link that can be copied and pasted into a browser to allow interactive sign-in to Google services. After you have logged in, the web page presents a code that you can copy and paste back into the deployment workstation when prompted.
[user@rhel7 ~]$ gcloud auth login Go to the following link in your browser: https://accounts.google.com/o/oauth2/auth?code_challenge=-7oPNSySHr_Sd2ZZ4K83koIeGTLVcdbjc8omr6zCbAI&prompt=select_account&code_challenge_method=S256&access_type=offline&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&client_id=32655940559.apps.googleusercontent.com&scope=https%3A%3F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%6F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth Enter verification code: 6/swGAh52VVgB-TRS5LVrSvP79ZdDlb9V6ObyUGqoY67a3zp9NPciIKsM You are now logged in as [firstname.lastname@example.org]. Your current project is [anthos-dev]. You can change this setting by running: $ gcloud config set project PROJECT_ID
Before you can install Anthos on VMware, you must create four service accounts, each with a specific purpose in interacting with Google Cloud. The following table lists the accounts and their purposes.
Table 1. Google Cloud Service Accounts Account Name Purpose
Used to download the Anthos binaries from Cloud Storage.
Used to register Anthos clusters to the Google Cloud console.
Used to maintain the connection between user clusters and the Google Cloud.
Used to write logging and monitoring data to Stackdriver.
Each account is assigned an email address that references your approved Google Cloud project name. The examples below all list the project Anthos-Dev which was used during the NetApp validation. Make sure to substitute your appropriate project name in syntax examples where necessary.
[user@rhel7 ~]$ gcloud iam service-accounts create access-service-account [user@rhel7 ~]$ gcloud iam service-accounts create register-service-account [user@rhel7 ~]$ gcloud iam service-accounts create connect-service-account [user@rhel7 ~]$ gcloud iam service-accounts create stackdriver-service-account [user@rhel7 ~]$ gcloud iam service-accounts list NAME EMAIL DISABLED email@example.com False firstname.lastname@example.org False email@example.com False firstname.lastname@example.org False
Enable several APIs so that your environment can communicate with Google Cloud. The pods deployed in your clusters must be able to access https://www.googleapis.com and https://gkeconnect.googleapis.com to function as expected. Therefore, the VM_Network that the worker nodes are attached to must have internet access. To enable the necessary APIs, run the following command from the deployment workstation:
[user@rhel7 ~]$ gcloud services enable \ cloudresourcemanager.googleapis.com \ container.googleapis.com \ gkeconnect.googleapis.com \ gkehub.googleapis.com \ serviceusage.googleapis.com \ stackdriver.googleapis.com \ monitoring.googleapis.com \ logging.googleapis.com
The final step needed to prepare your environment to deploy Anthos is to limit certain privileges to your service accounts. You need the associated email address for each service account listed in Step 7.
Using the register service account, assign the roles for
[user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \ --member "serviceAccount: email@example.com”\ --role "roles/gkehub.admin" [user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \ --member "serviceAccount: firstname.lastname@example.org”\ --role "roles/serviceusage.serviceUsageViewer”
Using the connect service account, assign the roles for
[user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \ --member "serviceAccount: email@example.com”\ --role "roles/gkehub.connect”
With the stackdriver service account, assign the roles for
[user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \ --member "serviceAccount: firstname.lastname@example.org”\ --role "roles/stackdriver.resourceMetadata.writer" [user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \ --member "serviceAccount: email@example.com”\ --role "roles/logging.logWriter” [user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \ --member "serviceAccount: firstname.lastname@example.org”\ --role "roles/monitoring.metricWriter”