English

Complete Anthos Prerequisites

Contributors netapp-dorianh Download PDF of this page

Now that the physical environment is set up, you can begin Anthos deployment. This starts with several prerequisites that you must meet to deploy the solution and access it afterward. Each of these steps are discussed in depth in the Anthos GKE On-Prem Guide.

To prepare your environment for the deployment of Anthos on VMware, complete the following steps:

  1. Create a Google Cloud project following the instructions available here.

    Your organization might already have a project in place intended for this purpose. Check with your cloud administration team to see if a project exists and is already configured for access to Anthos on VMware. All projects intended for use with Anthos must be whitelisted by Google. This includes the primary user account, additional team members, and the access service account created in a later step.
  2. Create a deployment workstation from which to manage the installation of Anthos on VMware. The deployment workstation can be Linux, MacOS, or Windows. For the purposes of this validated deployment, Red Hat Enterprise Linux 7 was used.

    This workstation can be hosted either internal or external to the NetApp HCI deployment. The only requirement is that it must be able to successfully communicate with the deployed VMware vCenter Server and the internet to function correctly.
  3. Install Google Cloud SDK for interactions with Google Cloud. It can be downloaded as an archive of binaries for manual install or installed by either the apt-get (Ubuntu/Debian) or yum (RHEL) package managers.

    [user@rhel7 ~]$ sudo yum install google-cloud-sdk
    Failed to set locale, defaulting to C
    Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
    Resolving Dependencies
    --> Running transaction check
    ---> Package google-cloud-sdk.noarch 0:270.0.0-1 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    =================================================================================================
    Package                   Arch            Version             Repository                Size
    =================================================================================================
    Installing:
    google-cloud-sdk         noarch          270.0.0-1       google-cloud-sdk               36 M
    
    Transaction Summary
    =================================================================================================
    Install  1 Package
    
    Total download size: 36 M
    Installed size: 174 M
    Is this ok [y/d/N]: y
    Downloading packages:
    6d81c821884ae40244c746f6044fc1bcd801143a0d9c8da06767036b8d090a24-google-cloud-sdk-270.0.0-1.noar |  36 MB  00:00:00
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : google-cloud-sdk-270.0.0-1.noarch                                      1/1
      Verifying  : google-cloud-sdk-270.0.0-1.noarch                                      1/1
    
    Installed:
      google-cloud-sdk.noarch 0:270.0.0-1
    
    Complete!
    The gcloud binary must be at least version 265.0.0. You can update a manual install with a gcloud components update. However, if SDK was installed by a package manager, future updates must also be performed using that same package manager.
  4. Install govc, the CLI for VMware vSphere. Installing govc allows you to interact directly with the management of VMware vCenter. Govc is available as a pre-packaged binary available in a gzip format for download. For installation, a user must download the gzip archive, unzip, and copy the resulting binary to a local path directory such as /usr/local/bin.

    [user@rhel7 ~]$ wget https://github.com/vmware/govmomi/releases/download/v0.20.0/govc_linux_amd64.gz
    --2019-11-06 09:06:10--  https://github.com/vmware/govmomi/releases/download/v0.20.0/govc_linux_amd64.gz
    Resolving github.com (github.com)... 13.250.177.223
    Connecting to github.com (github.com)|13.250.177.223|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 7650188 (7.3M) [application/octet-stream]
    Saving to: 'govc_linux_amd64.gz.1'
    
    100%[=======================================================================================================================================>] 7,650,188   --.-K/s   in 0.1s
    
    2019-11-06 09:06:12 (76.4 MB/s) - 'govc_linux_amd64.gz' saved [7650188/7650188]
    
    [user@rhel7 ~]$ gunzip govc_linux_amd64.gz
    [user@rhel7 ~]$ sudo cp govc_linux_amd64 /usr/local/bin/govc
    [user@rhel7 ~]$ which govc
    /usr/local/bin/govc
  5. Install Hashicorp Terraform. Terraform enables the automated deployment of VMs in a VMware vSphere environment and is used to deploy the Anthos admin workstation in a later step. Like the govc install, Terraform can be downloaded as a zip archive and unzipped, and the resulting binary can be copied to a directory in the local user’s path.

    [user@rhel7 ~]$ wget https://releases.hashicorp.com/terraform/0.12.13/terraform_0.12.13_linux_amd64.zip
    --2019-11-06 09:13:40--  https://releases.hashicorp.com/terraform/0.12.13/terraform_0.12.13_linux_amd64.zip
    Resolving releases.hashicorp.com (releases.hashicorp.com)... 151.101.193.183, 151.101.1.183, 151.101.65.183, ...
    Connecting to releases.hashicorp.com (releases.hashicorp.com)|151.101.193.183|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 16341595 (16M) [application/zip]
    Saving to: 'terraform_0.12.13_linux_amd64.zip.1'
    
    100%[=======================================================================================================================================>] 16,341,595  --.-K/s   in 0.1s
    
    2019-11-06 09:13:40 (141 MB/s) - 'terraform_0.12.13_linux_amd64.zip.1' saved [16341595/16341595]
    
    [user@rhel7 ~]$ unzip terraform_0.12.13_linux_amd64.zip
    Archive:  terraform_0.12.13_linux_amd64.zip
      inflating: terraform
    [user@rhel7 ~]$ cp terraform /usr/local/bin
    [user@rhel7 ~]$ which terraform
    /usr/local/bin/terraform
  6. With the workstation configured, log in to Google Cloud with your credentials. To do so, enter the login command from the deployment workstation and retrieve a link that can be copied and pasted into a browser to allow interactive sign-in to Google services. After you have logged in, the web page presents a code that you can copy and paste back into the deployment workstation when prompted.

    [user@rhel7 ~]$ gcloud auth login
    Go to the following link in your browser:
    
        https://accounts.google.com/o/oauth2/auth?code_challenge=-7oPNSySHr_Sd2ZZ4K83koIeGTLVcdbjc8omr6zCbAI&prompt=select_account&code_challenge_method=S256&access_type=offline&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&client_id=32655940559.apps.googleusercontent.com&scope=https%3A%3F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%6F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth
    
    
    Enter verification code: 6/swGAh52VVgB-TRS5LVrSvP79ZdDlb9V6ObyUGqoY67a3zp9NPciIKsM
    You are now logged in as [user@netapp.com].
    Your current project is [anthos-dev].  You can change this setting by running:
      $ gcloud config set project PROJECT_ID
  7. Before you can install Anthos on VMware, you must create four service accounts, each with a specific purpose in interacting with Google Cloud. The following table lists the accounts and their purposes.

    Table 1. Google Cloud Service Accounts
    Account Name Purpose

    access-service-account

    Used to download the Anthos binaries from Cloud Storage.

    register-service-account

    Used to register Anthos clusters to the Google Cloud console.

    connect-service-account

    Used to maintain the connection between user clusters and the Google Cloud.

    stackdriver-service-account

    Used to write logging and monitoring data to Stackdriver.

    Each account is assigned an email address that references your approved Google Cloud project name. The examples below all list the project Anthos-Dev which was used during the NetApp validation. Make sure to substitute your appropriate project name in syntax examples where necessary.
    [user@rhel7 ~]$ gcloud iam service-accounts create access-service-account
    [user@rhel7 ~]$ gcloud iam service-accounts create register-service-account
    [user@rhel7 ~]$ gcloud iam service-accounts create connect-service-account
    [user@rhel7 ~]$ gcloud iam service-accounts create stackdriver-service-account
    [user@rhel7 ~]$ gcloud iam service-accounts list
    NAME           EMAIL                                                                  DISABLED
                   stackdriver-service-account@anthos-dev.iam.gserviceaccount.com         False
                   register-service-account@anthos-dev.iam.gserviceaccount.com            False
                   access-service-account@anthos-dev.iam.gserviceaccount.com              False
                   connect-service-account@anthos-dev.iam.gserviceaccount.com             False
  8. Enable several APIs so that your environment can communicate with Google Cloud. The pods deployed in your clusters must be able to access https://www.googleapis.com and https://gkeconnect.googleapis.com to function as expected. Therefore, the VM_Network that the worker nodes are attached to must have internet access. To enable the necessary APIs, run the following command from the deployment workstation:

    [user@rhel7 ~]$ gcloud services enable \
    cloudresourcemanager.googleapis.com \
    container.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    serviceusage.googleapis.com \
    stackdriver.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com
  9. The final step needed to prepare your environment to deploy Anthos is to limit certain privileges to your service accounts. You need the associated email address for each service account listed in Step 7.

    1. Using the register service account, assign the roles for gkehub.admin and serviceuseage.serviceUsageViewer.

      [user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \
      --member "serviceAccount: register-service-account@anthos-dev.iam.gserviceaccount.com”\
      --role "roles/gkehub.admin"
      
      [user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \
      --member "serviceAccount: register-service-account@anthos-dev.iam.gserviceaccount.com”\
      --role "roles/serviceusage.serviceUsageViewer”
    2. Using the connect service account, assign the roles for gkehub.connect.

      [user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \
      --member "serviceAccount: connect-service-account@anthos-dev.iam.gserviceaccount.com”\
      --role "roles/gkehub.connect”
    3. With the stackdriver service account, assign the roles for stackdriver.resourceMetadata.writer, logging.logWriter, and monitoring.metricWriter.

       [user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \
      --member "serviceAccount: stackdriver-service-account@anthos-dev.iam.gserviceaccount.com”\
      --role "roles/stackdriver.resourceMetadata.writer"
      
      [user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \
      --member "serviceAccount: stackdriver-service-account@anthos-dev.iam.gserviceaccount.com”\
      --role "roles/logging.logWriter”
      
      [user@rhel7 ~]$ gcloud projects add-iam-policy-binding anthos-dev \
      --member "serviceAccount: stackdriver-service-account@anthos-dev.iam.gserviceaccount.com”\
      --role "roles/monitoring.metricWriter”