Enable the ability to do Private Service Connect Consumer to published services #763
Comments
I also discovered that |
Hi, curious if there is any update on this? We ended up creating a PSC via other means as well, but using CC is as well our preference so just a quick ping to mention we'd be interested in this, thanks in advance! |
I just found out that there is no way to create a forwarding rule pointing to a serviceAttachment (PSC), I really need it too :/ |
@snuggie12 Are you asking the Something like below?
|
yes @diviner524 , We too expect this behavior |
@Dineshvcetster: So ideally we want to add Having said that, I believe we can use the
On top of the workaround above, there are a few other known issues with this combination, @justinsb has a recent fix for this scenario, which should be included in our next release (v1.111.0). I suggest you wait until the release is out and then apply the workaround above to see if it works. |
Our strategy here BTW is to try to make sure we have test coverage, and now that we are fully OSS (i.e. all development happens on github) to ensure that we have coverage in the mockgcp layer so that we can run our tests on github without relying on the "real" GCP APIs. I believe I got to forwardingRule in some of my WIP PRs, so now it's a matter of getting that all merge-ready (breaking it into smaller PRs) and reviewed. In addition to the "quick" mockgcp tests, we also run tests against the real GCP APIs "behind the scenes" - it's quite a thorny issue to run tests against real infrastructure for community pull requests. I think we should try to make sure we have test coverage for /assign (Assigning to myself, though if anyone else wants to work on it, please feel free and comment here to avoid duplication of effort!) |
@diviner524, we tried with config connector version v1.111.0 but ended up with the error below. As you mentioned, I tried all other targets but no luck. Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.IPAddress': ''. The URL is malformed., invalid. I tried with addressType Internal, External and allowed psc to be global but am still getting the same issue. Below is the config I used in my case.
|
@Dineshvcetster did you check the ComputeAddress resource
|
@diviner524 , Please find the spec
|
The 400 error message seems to indicate the API was getting an empty IP address value. However I do see Have you tried to change:
To:
Also @justinsb might be able to provide some sample YAMLs to show how we can configure a forwarding rule with PSC. |
@diviner524, I tried and it didn't work. serviceAttachmentURI refers to cloudSQL which was created for our testing purpose with psc enabled and project allowed config. When I use addressType EXTERNAL and use targetVPNGatewayRef with external refers to the serviceAttachmentURI, I am getting the error below. Error creating GlobalForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': ''. No target or backend service specified for forwarding rule., invalid
|
@Dineshvcetster There is a bug somewhere, the error message is not the real one but I have no idea what the real error is. If you attach the compute address using an external ref with its url instead of an internal reference it will work (we do that). (external expects a gcp url, not the ip address) |
@schmurfy, thanks for the input. After some trial and error, I ended up with the error below. FYI, I switched to regional instead of global. Update call failed: error applying desired state: summary: Error waiting to create ForwardingRule: Error waiting for Creating ForwardingRule: APPLICATION_ERROR;google.cloud.servicedirectory.v1beta1/ManagedResourceService.AddServiceBundle;Permission 'servicedirectory.services.create' denied on resource 'projects/41769309009/locations/europe-west1/namespaces/goog-psc-default'. Do we really need serviceDirectoryRegistrations? I tried with the config below but no luck.
|
If we use global forwarding rule, we are getting summary: Error creating GlobalForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': ''. Unrecognized forwarding rule target specified SERVICE_ATTACHMENT, invalid. @justinsb , @diviner524 , Could you please share the sample yaml which you have used for serviceAttachment? |
@Dineshvcetster - This may not be exactly what you are looking for, however my team recently got PSC working with Config Connector and I wanted to share what the configuration looks like. For our use case, PSC is providing connectivity from a consumer project to an internal GKE endpoint in another project without having to peer the VPC networks. This is how we got it to work:
Note: to get this to work, we had to set loadBalancingScheme to an empty string in the ComputeForwardingRule. |
@tedelwartowski-bestbuy, thanks for your effort. I also ended up with a similar config, except the computeaddress with namespace: PROJECT_NAMESPACE. But I have no idea why we need servicedirectory (an optional field)? Below is the error I am getting with Creating ForwardingRule: APPLICATION_ERROR;google.cloud.servicedirectory.v1beta1/ManagedResourceService.AddServiceBundle;Permission 'servicedirectory.services.create' denied on resource 'projects//locations/europe-west1/namespaces/goog-psc-default'. |
It is working now. Thanks @diviner524 @schmurfy @tedelwartowski-bestbuy |
The bit I'm failing to figure out is how you reference the forwarding-rule via targetServiceRef if it has been generated by the GKE Gateway API Controller. The value for |
Checklist
Describe the feature or resource
According to TF docs a consumer can more or less be created by creating the following resources:
The ComputeForwardingRule requires a new target type to hit the service attachment.
However, when you create a consumer using the console additional objects get created:
PSC Connection ID so I presume it's an object of some sort.
Weirdly the service directory API doesn't need enabled to work, but I turned it on to see which objects were getting created.
I'm willing to try and create all these objects separately but at the very least I think the forwarding rule needs updated in order to talk to a service attachment.
Additional information
https://cloud.google.com/vpc/docs/configure-private-service-connect-services#create-endpoint shows similar instructions to the terraform docs.
Importance
We are currently testing this feature out so it's not a blocker since this can be created via other means, but using kcc is our preference with these things.