Current functional egress flags for GCP are subnet-id, instance-type, region, cloud-tags, debug, timeout
Set up your environment to use the correct VPC name, project ID, credentials of the GCP account for the target cluster.
- Make sure to have a Service Account with the permissions required within your GCP account (in that project). This can be done in the following ways:
- Follow the steps to use a script as prescibed in this document. or create a service account manually [this] (https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-gcloud)
- Export GCP project id environment variable:
Export GCP region environment variable or use
export GCP_PROJECT_ID=<YOUR_GCP_PROJECT_ID>
--region
flag:export GCP_REGION=<VPC_GCP_REGION>
Ensure that the GCP credentials being used have the following permissions:
The processes below describe different ways of using egress verifier on a single subnet. In order to verify entire VPC, repeat the verification process for each subnet ID.
-
Ensure correct environment setup.
-
Clone the source:
git clone https://github.com/openshift/osd-network-verifier.git
-
Build the cli:
make build
This generates
osd-network-verifier
executable in project root directory. -
Obtain params:
- subnet-id: Obtain the subnet id to be verified.
- vpc-name: Obtain the VPC name that the subnet belongs to
-
Execute:
# GCP ./osd-network-verifier egress --platform gcp-classic --subnet-id $SUBNET_ID --vpc-name $VPC_NAME Additional optional flags for overriding defaults (image-id, kms-key will be added in the future): ```shell --cloud-tags stringToString (optional) comma-seperated list of tags to assign to cloud resources e.g. --cloud-tags key1=value1,key2=value2 (default [osd-network-verifier=owned,red-hat-managed=true,Name=osd-network-verifier]) --debug (optional) if true, enable additional debug-level logging -- TODO image-id string (optional) cloud image for the compute instance --instance-type string (optional) compute instance type (default "e2-micro") -- TODO kms-key-id string (optional) ID of KMS key used to encrypt root volumes of compute instances. Defaults to cloud account default key --region string (optional) compute instance region. If absent, environment var GCP_REGION will be used, if set (default "us-east1") --subnet-id string source subnet ID --timeout duration (optional) timeout for individual egress verification requests (default 5s).
Get cli help:
./osd-network-verifier egress --help