This page describes how to set up Google Kubernetes Engine (GKE) for Tanzu Postgres deployments, create a Google Cloud Platform (GCP) service account, and use the service account credentials to create a Kubernetes secret to pull Tanzu Postgres images from Google Container Registry (GCR).

Setting up Google Kubernetes Engine (GKE)

When creating the GKE cluster, ensure that you make the following selections on the Create a Kubernetes cluster screen of the Google Cloud Platform console:

Under Cluster basics:
- For the Cluster Version option, select the most recent version of Kubernetes.
Under Default-pool:
- Set the Size to 1 or more nodes.
- Disable the Enable auto-upgrade option.
- Disable the Enable auto-repair option.
Under Nodes:
- For the Node Image type option, select Ubuntu. You cannot deploy Postgres for Kubernetes with the Container-Optimized OS (cos) image.
- Scale the Machine Type option to at least 2 vCPUs / 8GB memory.

Setting the Kubernetes Context

After creating the GKE cluster, use your local computer's preinstalled gcloud command-line tool to log in to GCP, and set your current project and cluster context:

  1. Log in to GCP:

    $ gcloud auth login
    
  2. Set the current project to the project where you will deploy Tanzu Postgres:

    $ gcloud projects list
    $ gcloud config set project <your-project-name>
    
  3. Set the Kubernetes cluster context, so all kubectl commands for this project run against that cluster.

    $ gcloud container clusters get-credentials <cluster-name>
    
    Fetching cluster endpoint and auth data.
    kubeconfig entry generated for <cluster-name>.
    

For more details about the Kubernetes context and kubectl access permissions, see Configuring cluster access for kubectl in the GKE documentation.

Creating the Kubernetes Service Account

To pull Tanzu Postgres container images from Google Container Registry (GCR), create a Google Cloud Platform (GCP) service account, assign the necessary role permissions, and create an authentication key to be used as a Kubernetes secret.

The following steps create a new service account, assign it the Google Cloud storage.objectViewer role, and create a key file named key.json.

  1. Log in to your Google Cloud account and list your Google Cloud projects. Select the project to use for Tanzu Postgres, and set the GCP_PROJECT environment variable on your computer, to be used with the gcloud commands that follow.

    $ gcloud auth login
    $ gcloud projects list
    $ gcloud config set project <your_project_name>
    $ gcloud config set compute/zone <your_compute_zone>
    $ export GCP_PROJECT=<your_project_name>
    
  2. Create a new GCP service account postgres-image-pull, to be used for Tanzu Postgres:

    $ gcloud iam service-accounts create postgres-image-pull
    
  3. Assign the required role storage.objectViewer to the new account:

    $ gcloud projects add-iam-policy-binding $GCP_PROJECT \
        --member serviceAccount:postgres-image-pull@$GCP_PROJECT.iam.gserviceaccount.com \
        --role roles/storage.objectViewer
    
  4. Create a service account key, to be used as a Kubernetes secret, and save it onto your local computer. In this example, the key file is called key.json:

    $ gcloud iam service-accounts keys create --iam-account "postgres-image-pull@$GCP_PROJECT.iam.gserviceaccount.com" ~/key.json
    

For details about using the key, see Create Kubernetes Access Secret in the Installing VMware Tanzu Postgres topic.
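The following script is an added example and is not part of the Tanzu Postgres documentation or the topic it references. It takes the key.json created in step 4 and emits the kubernetes.io/dockerconfigjson Secret manifest that a pod's imagePullSecrets can reference, without calling gcloud or kubectl. Assumed, not taken from the page: the registry host https://gcr.io, the Docker username _json_key (the GCR convention for authenticating with a JSON key), and the secret name and namespace you pass in. The manifest embeds the whole key, so it is as sensitive as key.json itself; the script refuses a key file that is readable by other users.

```shell
#!/bin/sh
# Added example, not from the Tanzu Postgres docs: wrap the key.json from
# step 4 into a kubernetes.io/dockerconfigjson Secret for pulling from GCR.
# Assumptions (placeholders, not names from the docs): registry https://gcr.io,
# Docker username "_json_key" (the GCR convention for JSON-key auth), and the
# secret name / namespace you pass in. No gcloud or kubectl call is made here.

REGISTRY="https://gcr.io"
JSON_KEY_USER="_json_key"

# Refuse files that are not service-account keys or are readable by others:
# the key is a long-lived credential, so keep it mode 600 (or 400) on disk.
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
  grep -q '"type": *"service_account"' "$f" \
    || { echo "not a service-account key: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f is mode $mode; run: chmod 600 $f" >&2; return 1 ;;
  esac
}

# base64("_json_key:<contents of key.json>"): the value Docker stores as "auth".
docker_auth_b64() {
  printf '%s:%s' "$JSON_KEY_USER" "$(cat "$1")" | base64 | tr -d '\n'
}

# Minimal Docker config JSON. kubelet accepts an "auth" field on its own and
# splits it back into username and password when it talks to the registry.
dockerconfig_json() {
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$REGISTRY" "$(docker_auth_b64 "$1")"
}

# Emit the Secret manifest:
#   pull_secret_manifest <key.json> <secret-name> [namespace]
pull_secret_manifest() {
  key="$1"; name="$2"; ns="${3:-default}"
  check_key_file "$key" || return 1
  data=$(dockerconfig_json "$key" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# Usage (hypothetical names):
#   pull_secret_manifest ~/key.json postgres-gcr-pull default | kubectl apply -f -
```

Because the service account holds only roles/storage.objectViewer, the secret can read images from the project's GCR storage bucket and nothing else; if a workload is later found to need more, grant it to a separate account rather than widening this one. Rotate the key by creating a new one with gcloud, regenerating the manifest, and deleting the old key ID from the service account.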
