# Crossplane configuration

> 原文：[https://docs.gitlab.com/ee/user/clusters/crossplane.html](https://docs.gitlab.com/ee/user/clusters/crossplane.html)

*   [Configure RBAC permissions](#configure-rbac-permissions)
*   [Configure Crossplane with a cloud provider](#configure-crossplane-with-a-cloud-provider)
*   [Configure Managed Service Access](#configure-managed-service-access)
*   [Setting up Resource classes](#setting-up-resource-classes)
*   [Auto DevOps Configuration Options](#auto-devops-configuration-options)
*   [Connect to the PostgreSQL instance](#connect-to-the-postgresql-instance)

# Crossplane configuration[](#crossplane-configuration "Permalink")

[安装](applications.html#crossplane) Crossplane 后，必须对其进行配置以供使用. 配置 Crossplane 的过程包括：

1.  [Configure RBAC permissions](#configure-rbac-permissions).
2.  [Configure Crossplane with a cloud provider](#configure-crossplane-with-a-cloud-provider).
3.  [Configure managed service access](#configure-managed-service-access).
4.  [Set up Resource classes](#setting-up-resource-classes).
5.  Use [Auto DevOps configuration options](#auto-devops-configuration-options).
6.  [Connect to the PostgreSQL instance](#connect-to-the-postgresql-instance).

为了允许 Crossplane 设置诸如 PostgreSQL 之类的云服务，必须使用用户帐户配置云提供商堆栈. 例如：

*   GCP 的服务帐户.
*   AWS 的 IAM 用户.

一些重要的注意事项：

*   本指南以 GCP 为例，但 AWS 和 Azure 的过程相似.
*   Crossplane 要求 Kubernetes 集群是启用了 Alias IP 的 VPC 本机，因此可以在 GCP 网络内路由 Pod 的 IP 地址.

首先，使用配置声明一些环境变量以供本指南使用：

```
export PROJECT_ID=crossplane-playground # the GCP project where all resources reside.
export NETWORK_NAME=default # the GCP network where your GKE is provisioned.
export REGION=us-central1 # the GCP region where the GKE cluster is provisioned. 
```

## Configure RBAC permissions[](#configure-rbac-permissions "Permalink")

对于由 GitLab 管理的群集，将自动配置基于角色的访问控制（RBAC）.

对于非 GitLab 管理的群集，请确保提供的令牌的服务帐户可以管理`database.crossplane.io` API 组中的资源：

1.  将以下 YAML 保存为`crossplane-database-role.yaml` ：

    ```
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: crossplane-database-role
      labels:
        rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rules:
      - apiGroups:
          - database.crossplane.io
        resources:
          - postgresqlinstances
        verbs:
          - get
          - list
          - create
          - update
          - delete
          - patch
          - watch 
    ```

2.  将集群角色应用于集群：

    ```
    kubectl apply -f crossplane-database-role.yaml 
    ```

## Configure Crossplane with a cloud provider[](#configure-crossplane-with-a-cloud-provider "Permalink")

请参阅[配置您的云提供商帐户](https://crossplane.github.io/docs/v0.4/cloud-providers.html)以使用用户帐户配置已安装的云提供商堆栈.

**注意：必须**将 Secret 和引用该 Secret 的 Provider 资源应用于指南中的`gitlab-managed-apps`命名空间. 请确保在执行该过程时进行更改.

## Configure Managed Service Access[](#configure-managed-service-access "Permalink")

接下来，通过以下任一方法配置 PostgreSQL 数据库和 GKE 集群之间的连接：

*   如下所示使用 Crossplane.
*   Directly in the GCP console by [configuring private services access](https://cloud.google.com/vpc/docs/configure-private-services-access).

1.  运行以下命令，这将创建一个`network.yaml`文件，并配置`GlobalAddress`和连接资源：

    ```
    cat > network.yaml <<EOF
    ---
    # gitlab-ad-globaladdress defines the IP range that will be allocated
    # for cloud services connecting to the instances in the given Network.

    apiVersion: compute.gcp.crossplane.io/v1alpha3
    kind: GlobalAddress
    metadata:
      name: gitlab-ad-globaladdress
    spec:
      providerRef:
        name: gcp-provider
      reclaimPolicy: Delete
      name: gitlab-ad-globaladdress
      purpose: VPC_PEERING
      addressType: INTERNAL
      prefixLength: 16
      network: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
    ---
    # gitlab-ad-connection is what allows cloud services to use the allocated
    # GlobalAddress for communication. Behind the scenes, it creates a VPC peering
    # to the network that those service instances actually live.

    apiVersion: servicenetworking.gcp.crossplane.io/v1alpha3
    kind: Connection
    metadata:
      name: gitlab-ad-connection
    spec:
      providerRef:
        name: gcp-provider
      reclaimPolicy: Delete
      parent: services/servicenetworking.googleapis.com
      network: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
      reservedPeeringRangeRefs:
        - name: gitlab-ad-globaladdress
    EOF 
    ```

2.  使用以下命令应用文件中指定的设置：

    ```
    kubectl apply -f network.yaml 
    ```

3.  验证网络资源的创建，以及两个资源均已准备就绪并已同步.

    ```
    kubectl describe connection.servicenetworking.gcp.crossplane.io gitlab-ad-connection
    kubectl describe globaladdress.compute.gcp.crossplane.io gitlab-ad-globaladdress 
    ```

## Setting up Resource classes[](#setting-up-resource-classes "Permalink")

使用资源类为所需的托管服务定义配置. 这个例子定义了 PostgreSQL Resource 类：

1.  运行以下命令，该命令定义一个`gcp-postgres-standard.yaml`资源类，该资源类包含带有标签的默认`CloudSQLInstanceClass` ：

    ```
    cat > gcp-postgres-standard.yaml <<EOF
    apiVersion: database.gcp.crossplane.io/v1beta1
    kind: CloudSQLInstanceClass
    metadata:
      name: cloudsqlinstancepostgresql-standard
      labels:
        gitlab-ad-demo: "true"
    specTemplate:
      writeConnectionSecretsToNamespace: gitlab-managed-apps
      forProvider:
        databaseVersion: POSTGRES_11_7
        region: $REGION
        settings:
          tier: db-custom-1-3840
          dataDiskType: PD_SSD
          dataDiskSizeGb: 10
          ipConfiguration:
            privateNetwork: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
      # this should match the name of the provider created in the above step
      providerRef:
        name: gcp-provider
      reclaimPolicy: Delete
    ---
    apiVersion: database.gcp.crossplane.io/v1beta1
    kind: CloudSQLInstanceClass
    metadata:
      name: cloudsqlinstancepostgresql-standard-default
      annotations:
        resourceclass.crossplane.io/is-default-class: "true"
    specTemplate:
      writeConnectionSecretsToNamespace: gitlab-managed-apps
      forProvider:
        databaseVersion: POSTGRES_11_7
        region: $REGION
        settings:
          tier: db-custom-1-3840
          dataDiskType: PD_SSD
          dataDiskSizeGb: 10
          ipConfiguration:
            privateNetwork: projects/$PROJECT_ID/global/networks/$NETWORK_NAME
      # this should match the name of the provider created in the above step
      providerRef:
        name: gcp-provider
      reclaimPolicy: Delete
    EOF 
    ```

2.  使用以下命令应用资源类配置：

    ```
    kubectl apply -f gcp-postgres-standard.yaml 
    ```

3.  使用以下命令验证 Resource 类的创建：

    ```
    kubectl get cloudsqlinstanceclasses 
    ```

资源类使您可以定义托管服务的服务类. 我们可以创建另一个`CloudSQLInstanceClass` ，以请求更大或更快速的磁盘. 它还可以请求特定版本的数据库.

## Auto DevOps Configuration Options[](#auto-devops-configuration-options "Permalink")

您可以使用以下任一选项来运行 Auto DevOps 管道：

*   设置环境变量`AUTO_DEVOPS_POSTGRES_MANAGED`和`AUTO_DEVOPS_POSTGRES_MANAGED_CLASS_SELECTOR`以使用 Crossplane 设置 PostgreSQL.
*   舵图的替代值：
    *   将`postgres.managed`设置为`true` ，这将选择默认资源类. 用注释`resourceclass.crossplane.io/is-default-class: "true"`标记资源类`resourceclass.crossplane.io/is-default-class: "true"` . CloudSQLInstanceClass `cloudsqlinstancepostgresql-standard-default`用于满足声明.
    *   使用`postgres.managedClassSelector`将`postgres.managed`设置为`true` ，以根据标签提供要选择的资源类. 在这种情况下， `postgres.managedClassSelector.matchLabels.gitlab-ad-demo="true"`选择 CloudSQLInstance 类`cloudsqlinstancepostgresql-standard`以满足声明请求.

Auto DevOps 管道在成功运行时应预配一个 PostgresqlInstance.

要验证已创建 PostgreSQL 实例，请运行此命令. 当 PostgresqlInstance 的`STATUS`字段更改为`BOUND` ，它已成功配置：

```
$ kubectl get postgresqlinstance

NAME            STATUS   CLASS-KIND              CLASS-NAME                            RESOURCE-KIND      RESOURCE-NAME                               AGE
staging-test8   Bound    CloudSQLInstanceClass   cloudsqlinstancepostgresql-standard   CloudSQLInstance   xp-ad-demo-24-staging-staging-test8-jj55c   9m 
```

PostgreSQL 实例的端点和用户凭据位于同一项目名称空间内的一个名为`app-postgres`的秘密中. 您可以使用以下命令来验证机密：

```
$ kubectl describe secret app-postgres

Name:         app-postgres
Namespace:    xp-ad-demo-24-staging
Labels:       <none>
Annotations:  crossplane.io/propagate-from-name: 108e460e-06c7-11ea-b907-42010a8000bd
              crossplane.io/propagate-from-namespace: gitlab-managed-apps
              crossplane.io/propagate-from-uid: 10c79605-06c7-11ea-b907-42010a8000bd

Type:  Opaque

Data
====
privateIP:                            8 bytes
publicIP:                             13 bytes
serverCACertificateCert:              1272 bytes
serverCACertificateCertSerialNumber:  1 bytes
serverCACertificateCreateTime:        24 bytes
serverCACertificateExpirationTime:    24 bytes
username:                             8 bytes
endpoint:                             8 bytes
password:                             27 bytes
serverCACertificateCommonName:        98 bytes
serverCACertificateInstance:          41 bytes
serverCACertificateSha1Fingerprint:   40 bytes 
```

## Connect to the PostgreSQL instance[](#connect-to-the-postgresql-instance "Permalink")

如果您想连接到 CloudSQL 上新配置的 PostgreSQL 数据库实例，请遵循此[GCP 指南](https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine) .