Complete Anthos prerequisites
Now that the physical environment is set up, you can begin Anthos deployment. This starts with several prerequisites that you must meet to deploy the solution and access it afterward. Each of these steps are discussed in depth in the Anthos GKE On-Prem Guide.
To prepare your environment for the deployment of Anthos on VMware, complete the following steps:
-
Create a Google Cloud project following the instructions available here.
Your organization might already have a project in place intended for this purpose. Check with your cloud administration team to see if a project exists and is already configured for access to Anthos on VMware. All projects intended for use with Anthos must be whitelisted by Google. This includes the primary user account, additional team members, and the access service account created in a later step. -
Create a deployment workstation from which to manage the installation of Anthos on VMware. The deployment workstation can be Linux, MacOS, or Windows. For the purposes of this validated deployment, Red Hat Enterprise Linux 7 was used.
This workstation can be hosted either internal or external to the NetApp HCI deployment. The only requirement is that it must be able to successfully communicate with the deployed VMware vCenter Server and the internet to function correctly. -
Install Google Cloud SDK for interactions with Google Cloud. It can be downloaded as an archive of binaries for manual install or installed by either the apt-get (Ubuntu/Debian) or yum (RHEL) package managers.
[user@rhel7 ~]$ sudo yum install google-cloud-sdk Failed to set locale, defaulting to C Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager Resolving Dependencies --> Running transaction check ---> Package google-cloud-sdk.noarch 0:270.0.0-1 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================================= Package Arch Version Repository Size ================================================================================================= Installing: google-cloud-sdk noarch 270.0.0-1 google-cloud-sdk 36 M Transaction Summary ================================================================================================= Install 1 Package Total download size: 36 M Installed size: 174 M Is this ok [y/d/N]: y Downloading packages: 6d81c821884ae40244c746f6044fc1bcd801143a0d9c8da06767036b8d090a24-google-cloud-sdk-270.0.0-1.noar | 36 MB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : google-cloud-sdk-270.0.0-1.noarch 1/1 Verifying : google-cloud-sdk-270.0.0-1.noarch 1/1 Installed: google-cloud-sdk.noarch 0:270.0.0-1 Complete!
The gcloud binary must be at least version 265.0.0. You can update a manual install with a gcloud components update. However, if SDK was installed by a package manager, future updates must also be performed using that same package manager. -
With the workstation configured, log in to Google Cloud with your credentials. To do so, enter the login command from the deployment workstation and retrieve a link that can be copied and pasted into a browser to allow interactive sign-in to Google services. After you have logged in, the web page presents a code that you can copy and paste back into the deployment workstation when prompted.
[user@rhel7 ~]$ gcloud auth login Go to the following link in your browser: https://accounts.google.com/o/oauth2/auth?code_challenge=-7oPNSySHr_Sd2ZZ4K83koIeGTLVcdbjc8omr6zCbAI&prompt=select_account&code_challenge_method=S256&access_type=offline&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&client_id=32655940559.apps.googleusercontent.com&scope=https%3A%3F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%6F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth Enter verification code: 6/swGAh52VVgB-TRS5LVrSvP79ZdDlb9V6ObyUGqoY67a3zp9NPciIKsM You are now logged in as [user@netapp.com]. Your current project is [anthos-dev]. You can change this setting by running: $ gcloud config set project PROJECT_ID
-
Enable several APIs so that your environment can communicate with Google Cloud. The pods deployed in your clusters must be able to access https://www.googleapis.com and https://gkeconnect.googleapis.com to function as expected. Therefore, the VM_Network that the worker nodes are attached to must have internet access. To enable the necessary APIs, run the following command from the deployment workstation:
[user@rhel7 ~]$ gcloud services enable --project anthos-dev \ cloudresourcemanager.googleapis.com \ container.googleapis.com \ gkeconnect.googleapis.com \ gkehub.googleapis.com \ serviceusage.googleapis.com \ stackdriver.googleapis.com \ monitoring.googleapis.com \ logging.googleapis.com
-
Create a working directory called anthos-install, and change into that directory.
[user@rhel7 ~]$ mkdir anthos-install && cd anthos-install [user@rhel7 anthos-install]$
-
Before you can install Anthos on VMware, you must create four service accounts, each with a specific purpose in interacting with Google Cloud. The following table lists the accounts and their purposes.
Account Name Purpose component-access-sa
Used to download the Anthos binaries from Cloud Storage.
connect-register-sa
Used to register Anthos clusters to the Google Cloud console.
connect-agent-sa
Used to maintain the connection between user clusters and the Google Cloud.
logging-monitoring-sa
Used to write logging and monitoring data to Stackdriver.
Each account is assigned an email address that references your approved Google Cloud project name. The following examples all list the project Anthos-Dev, which was used during the NetApp validation. Make sure to substitute your appropriate project name in syntax examples where necessary. [user@rhel7 anthos-install]$ gcloud iam service-accounts create component-access-sa \ --display-name "Component Access Service Account" \ --project anthos-dev [user@rhel7 anthos-install]$ gcloud iam service-accounts keys create component-access-key.json \ --iam-account component-access-sa@anthos-dev.iam.gserviceaccount.com [user@rhel7 anthos-install]$ gcloud iam service-accounts create connect-register-sa \ --project anthos-dev [user@rhel7 anthos-install]$ gcloud iam service-accounts keys create connect-register-key.json \ --iam-account connect-register-sa@anthos-dev.iam.gserviceaccount.com [user@rhel7 anthos-install]$ gcloud iam service-accounts create connect-agent-sa \ --project anthos-dev [user@rhel7 anthos-install]$ gcloud iam service-accounts keys create connect-agent-key.json \ --iam-account connect-agent-sa@anthos-dev.iam.gserviceaccount.com [user@rhel7 anthos-install]$ gcloud iam service-accounts create logging-monitoring-sa \ --project anthos-dev [user@rhel7 anthos-install]$ gcloud iam service-accounts keys create logging-monitoring-key.json \ --iam-account logging-monitoring-sa@anthos-dev.iam.gserviceaccount.com
-
The final step needed to prepare your environment to deploy Anthos is to limit certain privileges to your service accounts. You need the associated email address for each service account listed in Step 7.
-
Using the component-access-sa account, assign the roles for
serviceuseage.serviceUsageViewer
,iam.serviceAccountCreator
, andiam.roleViewer
.[user@rhel7 anthos-install]$ gcloud projects add-iam-policy-binding anthos-dev\ --member "serviceAccount:component-access-sa@anthos-dev.iam.gserviceaccount.com" \ --role "roles/serviceusage.serviceUsageViewer" [user@rhel7 anthos-install]$ gcloud projects add-iam-policy-binding anthos-dev\ --member "serviceAccount:component-access-sa@anthos-dev.iam.gserviceaccount.com" \ --role "roles/iam.serviceAccountCreator" [user@rhel7 anthos-install]$ gcloud projects add-iam-policy-binding anthos-dev\ --member "serviceAccount:component-access-sa@anthos-dev.iam.gserviceaccount.com" \ --role "roles/iam.roleViewer"
-
Using the connect-register-sa service account, assign the role for
gkehub.admin
.[user@rhel7 anthos-install]$ gcloud projects add-iam-policy-binding anthos-dev \ --member "serviceAccount:connect-register-sa@anthos-dev.iam.gserviceaccount.com " \ --role "roles/gkehub.admin"
-
Using the connect-agent-sa acccount, assign the role for
gkehub.connect
.[user@rhel7 anthos-install]$ gcloud projects add-iam-policy-binding anthos-dev \ --member "serviceAccount:connect-agent-sa@anthos-dev.iam.gserviceaccount.com" \ --role "roles/gkehub.connect"
-
With the logging-monitoring-sa service account, assign the roles for
stackdriver.resourceMetadata.writer
,logging.logWriter
,monitoring.metricWriter
, andmonitoring.dashboardEditor
.[user@rhel7 anthos-install]$ gcloud projects add-iam-policy-binding anthos-dev \ --member "serviceAccount:logging-monitoring-sa@anthos-dev.iam.gserviceaccount.com" \ --role "roles/stackdriver.resourceMetadata.writer" [user@rhel7 anthos-install]$ gcloud projects add-iam-policy-binding anthos-dev\ --member "serviceAccount:logging-monitoring-sa@anthos-dev.iam.gserviceaccount.com" \ --role "roles/logging.logWriter" [user@rhel7 anthos-install]$ gcloud projects add-iam-policy-binding anthos-dev\ --member "serviceAccount:logging-monitoring-sa@anthos-dev.iam.gserviceaccount.com" \ --role "roles/monitoring.metricWriter" [user@rhel7 anthos-install]$ gcloud projects add-iam-policy-binding anthos-dev\ --member "serviceAccount:logging-monitoring-sa@anthos-dev.iam.gserviceaccount.com" \ --role "roles/monitoring.dashboardEditor"
-
-
Download the vCenter certificate for the VMWare CA; this is used later to authenticate to the vCenter during installation.
[user@rhel7 anthos-install]$ true | openssl s_client -connect anthos-vc.cie.netapp.com:443 -showcerts 2>/dev/null | sed -ne '/-BEGIN/,/-END/p' > vcenter.pem