Create a Datum Workload backed by Google Cloud
Before you begin
Section titled “Before you begin”This tutorial assumes you have already:
- Registered a Datum account
- Installed and configured the necessary tools
- Created a Datum project
- Install and access to the Google Cloud CLI
- Enabling an API in your Google Cloud project
- Enable Identity and Access Management (IAM) API in your Google Cloud project
- Enable Compute Engine API in your Google Cloud project
Discover Available Datum Cloud Projects
Section titled “Discover Available Datum Cloud Projects”Use kubectl get projects to list your Datum Cloud Projects. Select a DATUM_PROJECT_NAME to be used in this tutorial.
Discover Available Google Cloud Projects
Section titled “Discover Available Google Cloud Projects”Ensure your gcloud CLI has authenticated to Google Cloud.
Use gcloud list projects to obtain a list of GCP_PROJECT_IDs. Select the GCP_PROJECT_ID to be used with this tutorial.
Grant Datum Cloud access to your GCP Project
Section titled “Grant Datum Cloud access to your GCP Project”Datum requires the following roles to be granted to a Datum managed service account which is specific to each Datum project:
roles/compute.adminroles/secretmanager.adminroles/iam.serviceAccountAdminroles/iam.serviceAccountUser
The service account email will be in the following format:
DATUM_PROJECT_NAME@datum-cloud-project.iam.gserviceaccount.com
Use the gcloud tool to grant IAM Roles to your Datum service account, replacing
GCP_PROJECT_ID and DATUM_PROJECT_NAME with their respective values:
gcloud projects add-iam-policy-binding GCP_PROJECT_ID \ --member="serviceAccount:DATUM_PROJECT_NAME@datum-cloud-project.iam.gserviceaccount.com" \ --role="roles/compute.admin"
gcloud projects add-iam-policy-binding GCP_PROJECT_ID \ --member="serviceAccount:DATUM_PROJECT_NAME@datum-cloud-project.iam.gserviceaccount.com" \ --role="roles/secretmanager.admin"
gcloud projects add-iam-policy-binding GCP_PROJECT_ID \ --member="serviceAccount:DATUM_PROJECT_NAME@datum-cloud-project.iam.gserviceaccount.com" \ --role="roles/iam.serviceAccountAdmin"
gcloud projects add-iam-policy-binding GCP_PROJECT_ID \ --member="serviceAccount:DATUM_PROJECT_NAME@datum-cloud-project.iam.gserviceaccount.com" \ --role="roles/iam.serviceAccountUser"For guidance on granting roles via Google’s Console, see Manage access to projects, folders, and organizations.
Register a Datum Managed Location
Section titled “Register a Datum Managed Location”Before creating a workload, a Location must be registered.
Use the following example manifest to create a location which Datum’s control
plane will be responsible for managing, replacing GCP_PROJECT_ID with
your GCP project id:
apiVersion: networking.datumapis.com/v1alphakind: Locationmetadata: name: my-gcp-us-south1-aspec: locationClassName: datum-managed topology: topology.datum.net/city-code: DFW provider: gcp: projectId: GCP_PROJECT_ID region: us-south1 zone: us-south1-a- Replace
topology.datum.net/city-code’s value (DFW) with the desired city code for your workloads. - Update the
gcpprovider settings to reflect your GCP project ID, desired region, and zone.
Apply the manifest:
kubectl apply -f <path-to-location-manifest>List Locations:
kubectl get locationsNAME AGEmy-gcp-us-south1-a 5sCreate a Network
Section titled “Create a Network”Before creating a workload, a Network must be created. You can use the following manifest to do this:
apiVersion: networking.datumapis.com/v1alphakind: Networkmetadata: name: defaultspec: ipam: mode: AutoApply the manifest:
kubectl apply -f <path-to-network-manifest>List Networks:
kubectl get networksNAME AGEdefault 5sCreate a Workload
Section titled “Create a Workload”Create a manifest for a sandbox based workload, for example:
apiVersion: compute.datumapis.com/v1alphakind: Workloadmetadata: name: my-container-workloadspec: template: spec: runtime: resources: instanceType: datumcloud/d1-standard-2 sandbox: containers: - name: httpbin image: mccutchen/go-httpbin ports: - name: http port: 8080 networkInterfaces: - network: name: default networkPolicy: ingress: - ports: - port: 8080 from: - ipBlock: cidr: 0.0.0.0/0 placements: - name: us cityCodes: ['DFW'] scaleSettings: minReplicas: 1Apply the manifest:
kubectl apply -f <path-to-workload-manifest>Check the state of the workload
Section titled “Check the state of the workload”kubectl get workloadsThe output is similar to:
NAME AGE AVAILABLE REASONmy-container-workload 9s False NoAvailablePlacementsThe REASON field will be updated as the system progresses with attempting to
satisfy the workload’s intent.
Check Workload Deployments
Section titled “Check Workload Deployments”A Workload will result in one or more WorkloadDeployments being created, one for each unique CityCode per placement.
kubectl get workloaddeploymentsThe output is similar to:
NAME AGE LOCATION NAMESPCE LOCATION NAME AVAILABLE REASONmy-container-workload-us-dfw 58s default my-gcp-us-south1-a False LocationAssignedSimilar to workloads, the REASON field will be updated as the system
progresses with attempting to satisfy the workload’s intent. In this case, the
infra-provider-gcp operator is responsible for these actions.
Check Instances
Section titled “Check Instances”kubectl -n default get instances -o wideThe output is similar to:
NAME AGE AVAILABLE REASON NETWORK IP EXTERNAL IPmy-container-workload-us-dfw-0 24s True InstanceIsRunning 10.128.0.2 34.174.154.114Confirm that the go-httpbin application is running:
curl -s http://34.174.154.114:8080/uuid{ "uuid": "8244205b-403e-4472-8b91-728245e99029"}Delete the workload
Section titled “Delete the workload”Delete the workload when testing is complete:
kubectl delete workload my-container-workload