2

我在 .jinja 中设置了一个部署管理器包,它执行以下操作: - 为 GCP 服务创建 VPC 网络、子网和私有范围 - 在“servicenetworking.googleapis.com”和我的 VPC 网络之间创建对等互连 - 分配 Cloud SQL数据库到我的 VPC 中分配给谷歌服务的私有范围中

第二步是使用部署管理器证明是不可能的,因为没有可以调用的操作来执行此操作。我已经确认在这个阶段手动修复是调用以下 gcloud 命令,然后在 VPC 中设置 Cloud SQL 数据库:

gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges=<my-range> --network=<my-network> --project=<my-project>

在我的 .jinja 中使用以下 gcp 类型是不够的,因为它不允许映射到预先存在的 gcp 服务,但需要一个源网络和目标网络。

- name: {{ env['deployment' ]}}-gcp-private-vpc-peering
  action: gcp-types/compute-v1:compute.networks.addPeering
  metadata:
    runtimePolicy:
    - CREATE
  properties:
    network: $(ref.{{ env['deployment']}}-network.name)
    name: {{ env['deployment' ]}}-gcp-private-vpc-peering
    autoCreateRoutes: true
    peerNetwork: servicenetworking.googleapis.com
    dependsOn:
    - $(ref.{{ env['deployment']}}-network.selfLink)

有没有办法从部署管理器调用 gcloud 命令,或者我可以调用一个操作来实现服务对等互连。我可以确认该项目确实启用了服务 API。

(请注意,目标 VPC 和项目是可变的,由 Google 分配,因此我无法将此值输入到上述模板中)

更新 05/07/19 我相信我已经找到了我需要做的 API 服务调用,但我非常不确定从部署管理器实际调用创建服务链接的语法:

https://cloud.google.com/service-infrastructure/docs/service-networking/reference/rest/v1beta/services.connections/create

需要一点方向 - 类似于下面?

- name: {{ env['deployment' ]}}-gcp-private-vpc-peering
  action:  gcp-types/servicenetworking.googleapis.com:services.connections
  metadata:
    runtimePolicy:
    - CREATE
  properties:
    propertyA: valueA
    ...
4

2 回答 2

3

@u-phoria

你是对的 - 这是他们目前正在筹备中的东西。

我已经向他们提出了产品改进票,可以在这里看到:

Deployment Manager 不支持 Cloud SQL 的私有 VPC 对等互连。这导致需要从相关 VPC 中的升级特权 VM 实例进行 VPC 对等,因为它是最安全的选项(2019 年 7 月 9 日更新) https://issuetracker.google.com/137033144

您需要执行此操作的资源示例如下所示:

{# Bootstrapped box to complete the VPC Peering Setup #}
- name: {{ env['deployment'] }}-peering-setup
  type: compute.v1.instance
  properties:

    {# Checking whether the creation of new resources are specified #}
    {% if properties['createNewResources'] %}
    zone: {{ properties["zone"] }}
    machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/machineTypes/f1-micro
    networkInterfaces:
    - network: $(ref.{{ env['deployment']}}-network.selfLink)
      subnetwork: $(ref.{{ env['deployment']}}-subnetwork.selfLink)
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT
    {% else %}
    zone: {{ common.ZONES[0] }}
    machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ common.ZONES[0] }}/machineTypes/f1-micro
    networkInterfaces:
    - network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/default
      subnetwork: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/regions/{{ common.REGION }}/subnetworks/default
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT
    {% endif %}

    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        sourceImage: https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/family/debian-9
    metadata:
      items:
      - key: startup-script
        value: |
          {# Creating VPC Peering to Google Services for the Managed Postgres in the existing network or the newly created one #}
          {% if properties['createNewResources'] %}
          #!/bin/bash
          sudo su -
          echo "Checking relevant peering connections to google services exist in local VPC" >> checking-status.sh
          output=$(gcloud services vpc-peerings list --network={{ env['deployment'] }}-network | grep "servicenetworking.googleapis.com")
          if [[ -z $output ]]; then
          echo "Peering not found, creating peering to servicenetworking.googleapis.com from private VPC" && gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges={{ env['deployment'] }}-google-managed-services --network={{ env['deployment'] }}-network
          else
          echo "No peering created as relevant peering already exists"
          fi
          echo "Sending the signal to deployment manager to carry on with the deployment"
          gcloud beta runtime-config configs variables set success/{{ env['deployment'] }}-vpc-peering-setup success --config-name {{ env['deployment'] }}-startup-config

          echo "Destroying this instance now that it has succesfully executed peering change"
          gcloud compute instances delete --quiet --delete-disks=all --zone=europe-west1-b {{ env['deployment'] }}-peering-setup
          {% else %}
          #!/bin/bash
          sudo su -
          echo "Checking relevant peering connections to google services exist in local VPC" >> checking-status.sh
          output=$(gcloud services vpc-peerings list --network={{ properties['network'] }} | grep "servicenetworking.googleapis.com")

          if [[ -z $output ]]; then
          echo "Known GCP bug when re-creating GCP peering deployment into the same network reserved range, using the workaround published here: https://issuetracker.google.com/issues/118849070 and here https://github.com/terraform-providers/terraform-provider-google/issues/3294 to make sure this has no effect on the deployment"
          gcloud beta services vpc-peerings update --service=servicenetworking.googleapis.com --ranges={{ env['deployment'] }}-google-managed-services --network={{ properties['network'] }} --project={{ env['project'] }} --force

          echo "Peering not found, creating peering to servicenetworking.googleapis.com from private VPC" && gcloud services vpc-peerings connect --service=servicenetworking.googleapis.com --ranges={{ env['deployment'] }}-google-managed-services --network={{ properties['network'] }}
          else
          echo "No peering created as relevant peering already exists"
          fi
          echo "Sending the signal to deployment manager to carry on with the deployment"
          gcloud beta runtime-config configs variables set success/{{ env['deployment'] }}-vpc-peering-setup success --config-name {{ env['deployment'] }}-startup-config

          echo "Destroying this instance now that it has succesfully executed peering change"
          gcloud compute instances delete --quiet --delete-disks=all --zone=europe-west1-b {{ env['deployment'] }}-peering-setup
          {% endif %}
    serviceAccounts:
        - email: default
          scopes:
          - 'https://www.googleapis.com/auth/cloud-platform'
          - 'https://www.googleapis.com/auth/cloudruntimeconfig'
    dependsOn:
    - $(ref.{{ env['deployment'] }}-google-managed-services.selfLink)
    {% if properties['createNewResources'] %}
    - $(ref.{{ env['deployment'] }}-subnetwork.selfLink)
    {% endif %}

因此,如果设置了相关参数(在本例中为 createNewResources 标志),它将在两个网络之间创建 vpc 对等互连。

请记住,在执行上述 jinja 之前,您还必须为此设置全局地址范围。这方面的一个例子如下所示:

- name: {{ env['deployment'] }}-google-managed-services
  type: compute.v1.globalAddresses
  properties:
    name: google-managed-services-{{ env['deployment'] }}
    {% if properties['createNewResources'] %}
    address: 10.73.144.0
    prefixLength: 20
    {% else %}
    address: {{ CIDRSplit[0] }}
    prefixLength: {{ CIDRSplit[1] }}
    {% endif %}
    addressType: INTERNAL
    purpose: VPC_PEERING

    {# Create the peering to the new network or the specified one #}
    {% if properties['createNewResources'] %}
    network: $(ref.{{ env['deployment']}}-network.selfLink)
    {% else %}
    network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/{{ properties['network'] }}
    {% endif %}

    description: >
      Address range reserved for Google Managed Services.
      https://cloud.google.com/vpc/docs/configure-private-services-access

    {% if properties['createNewResources'] %}
    dependsOn:
    - $(ref.{{ env['deployment']}}-network.selfLink)
    {% endif %}

我希望这可以帮助别人。

于 2019-11-26T20:17:25.350 回答
1

创建对等互连所需的唯一参数是“network”和“reservedPeeringRanges”。这是他们两个网络的语法:“projects/{project}/global/networks/{network}” reservedPeeringRanges:“xxxx/x” 我认为您可能在网络中缺少一些变量。我使用 API 对其进行了测试,它可以正常工作。

于 2019-07-08T12:29:03.833 回答