This topic tells you how to install and configure Tanzu Cloud Service Broker for GCP.
Prerequisites for Installing Cloud Service Broker for GCP
Before you install Cloud Service Broker for GCP, you must have:
- A small MySQL database: This database is used as the state database. The broker requires this database to store its state.
- GCP service account credentials: A project and account to provision the services that this broker manages. Service account JSON credentials are required to configure this broker.
- GCP-enabled APIs: Enable the services you need by enabling the relevant APIs in APIs and services > Library. These services and APIs are listed in the following table.

| Service | Necessity | API to enable |
| --- | --- | --- |
| Google Cloud Resource Manager | Required | Google Cloud Resource Manager API |
| Google Identity and Access Management (IAM) | Required | Google Identity and Access Management (IAM) API |
| CloudSQL as a service (MySQL and PostgreSQL) | Optional | CloudSQL API, CloudSQL Admin API, and Service Networking API |
| Cloud Storage as a service | Optional | Cloud Storage API |

For more information about the API library, see the GCP documentation.
Install Cloud Service Broker for GCP
To install the Cloud Service Broker for GCP using Tanzu Operations Manager Installation Dashboard:
- Download the product file from Broadcom Support.
- Navigate to the Tanzu Operations Manager Installation Dashboard and click Import a Product to upload the product file.
- Under Import a Product, click + next to the version number of Cloud Service Broker for GCP in the left sidebar. This adds the tile to your staging area.
- Click the newly added Cloud Service Broker for GCP tile.
Configure the Cloud Service Broker for GCP
The following procedures describe configuring the panes on the Cloud Service Broker for GCP tile.
Configure AZs and Networks
This section describes how to choose an AZ to run the service broker for Cloud Service Broker for GCP. It also describes how to select networks for Cloud Service Broker for GCP.
To configure AZs and networks:
- Click Assign AZs and Networks.
- Configure the fields as follows:

| Field | Instructions |
| --- | --- |
| Place singleton jobs in | Select the AZ in which the broker VM for Cloud Service Broker for GCP runs. The broker runs as a singleton job. |
| Balance other jobs in | Select the AZs in which other jobs can run. |
| Network | Select a subnet for the Cloud Service Broker for GCP broker. This is typically the same subnet that includes the component VMs for VMware Tanzu Application Service for VMs (TAS for VMs). |

- Click Save.
Configure GCP Credentials
This section describes how to configure the GCP credentials that Cloud Service Broker for GCP requires to manage service instances.
To configure GCP credentials:
- Click GCP Config.
- Configure the fields as follows:

| Field | Instructions |
| --- | --- |
| Root Service Account JSON | Enter JSON service account. |
| GCP project | Enter project name. |
| Authorized Network | Self link of the VPC network to connect instances to. It has the format https://www.googleapis.com/compute/v1/projects/PROJECT-NAME/global/networks/VPC-NAME. |
| Region | Enter the default GCP region for provisioning service instances. |

- Click Save.
Cloud Service Broker for GCP services are validated using the same GCP project and region for VMware Tanzu Application Service for VMs (TAS for VMs) and Cloud Service Broker for GCP. In other configurations, make sure that TAS for VMs apps have network connectivity to the services managed by Cloud Service Broker for GCP.
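A preflight check for the GCP Config values described above, as an added example that is not part of the product or its documentation. It assumes the GCP project field holds the project ID that appears in the key file and in the self link; `preflight` and the sample values are hypothetical names constructed for illustration.

```python
import json
import re

# Self-link format quoted on the GCP Config pane.
SELF_LINK = re.compile(
    r"https://www\.googleapis\.com/compute/v1/projects/"
    r"(?P<project>[a-z0-9.:-]+)/global/networks/(?P<network>[a-z0-9-]+)"
)
# Subset of the fields a GCP service account key file carries.
KEY_FIELDS = ("type", "project_id", "private_key", "client_email")


def preflight(sa_json, project, network_link, region):
    """Return a list of problems in the GCP Config values; empty means none found."""
    try:
        key = json.loads(sa_json)
    except json.JSONDecodeError as exc:
        return [f"service account JSON does not parse: {exc.msg}"]
    if not isinstance(key, dict):
        return ["service account JSON is not an object"]
    problems = []
    missing = [f for f in KEY_FIELDS if not key.get(f)]
    if missing:
        problems.append("service account JSON lacks: " + ", ".join(missing))
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"credential type is {key['type']!r}, not service_account")
    # Assumption: the GCP project field holds the project ID used in the key file.
    if key.get("project_id") and key["project_id"] != project:
        problems.append("key file project_id differs from the GCP project field")
    # fullmatch rejects pasted links with a trailing period or whitespace.
    link = SELF_LINK.fullmatch(network_link)
    if link is None:
        problems.append("Authorized Network is not a VPC network self link")
    elif link.group("project") != project:
        problems.append("Authorized Network belongs to another project")
    if not region.strip():
        problems.append("Region is empty")
    return problems


# Constructed sample values; the key material is a placeholder, not a real key.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key": "PLACEHOLDER",
    "client_email": "csb@example-project.iam.gserviceaccount.com",
})
SAMPLE_LINK = ("https://www.googleapis.com/compute/v1/projects/"
               "example-project/global/networks/example-vpc")
```

A self link in another project is reported so that it can be confirmed as intended before the values are saved.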
Configure a State Database
This section describes how to associate Cloud Service Broker for GCP with a MySQL database, the state database.
About Encrypting the State Database
In production environments, VMware recommends that you enable encryption. This encrypts certain sensitive information in the state database, such as IaaS credentials. The encryption password that you enter on the Service Broker Config pane is used to generate an encryption key.
VMware recommends that backup and restore capabilities are enabled in the MySQL database before attempting encryption.
Applying changes takes longer than normal when you first enable encryption and when you change the encryption password.
Prerequisite
You must have a small MySQL database to use as the state database.
Procedure: Configure a State Database
To configure Cloud Service Broker for GCP with a database:
- Click Service Broker Config.
- Configure the fields as follows:

| Field | Instructions |
| --- | --- |
| Database host | Enter the host name of the prerequisite state database. |
| Database username and Database password | Enter the credentials for the state database. The example shown in the screenshot in the previous step refers to setting the username for a MySQL tile provisioned database. If you are configuring a database provisioned by another service, refer to the documentation for that service for the correct username format. For Cloud SQL for MySQL, see the Google Cloud documentation. |
| Database port | Enter the port number for connection to the state database. It is 3306 by default. |
| Database name | Enter the name of an existing database to use as the state database. |
| TLS Enforcement | Select the type of TLS enforcement you want. If you select Custom, enter your CA certificate, client certificate, and key. |
| Enable encryption of the Cloud Service Broker database | If you want the sensitive data to be encrypted, select this checkbox and click the Add button. If you do not want to encrypt the data, leave the checkbox unselected and do not fill in the Database Encryption Passwords fields. |
| Label | Enter a unique password label. You cannot change this label after you save. |
| Password | Enter a secure password that is at least 20 characters long. You cannot change this password after you save. |
| Primary | Select this checkbox if this is the password that you want to use to encrypt the data. You must mark one and only one password as primary. |

- Click Save.
- If upgrading from a previous tile version, service instances might need upgrading. By default, the tile upgrades all instances during installation. To configure the upgrade task, see Upgrade All Service Instances Config. For version-specific upgrade instructions, see Upgrading Cloud Service Broker for GCP.
- Return to the Tanzu Operations Manager Installation Dashboard.
- Click Review Pending Changes.
- Click Apply changes to install the Cloud Service Broker for GCP tile.
If you later want to change the password on the state database, see Rotate the Encryption Password on the State Database below.
If you later want to turn off encryption, see Remove Encryption from the State Database below.
Configure Services with Cloud Service Broker for GCP
This section describes how to configure services and service plans offered by the Cloud Service Broker for GCP within the Cloud Foundry Marketplace on your instance of Cloud Foundry.
Cloud Service Broker for GCP specifies new service plans by using JSON. An example is provided, using the smallest possible size, within each service.
To configure services and service plans:
- Click the already-installed Cloud Service Broker for GCP tile in your Tanzu Operations Manager tile Dashboard.
- Find the service you want to make available in the left navigation under the Settings tab.
- Enter additional plans as additional JSON objects within the provided field. For more information about properties for each service configuration, see Service Plan Reference.
  When developers create or update a service instance, they cannot override any plan-level properties that were set in this field.
- (Optional) To use different credentials to the ones specified in the GCP Config tab, supply the credentials as properties to a plan instance in the additional plans box:

      [
        {
          "name" : "PLAN-NAME",
          "id" : "UUID",
          "description" : "PLAN-DESCRIPTION",
          "credentials" : "GCP-JSON-CREDENTIAL",
          "project" : "GCP-PROJECT",
          ...
        }
      ]

- Click Save.
- Return to the Tanzu Operations Manager Installation Dashboard and click Review Pending Changes.
- Click Apply changes.
- Review your Cloud Foundry Marketplace to see the new plan sizes.
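A check that can be run over the additional plans JSON before it is pasted into the tile, as an added example that is not part of the product or its documentation. It assumes `name`, `id` and `description` are required and that plan names and ids must be unique; `check_plans` and the sample plans are hypothetical and constructed for illustration. It also lists the plans that carry their own `credentials` or `project`, so that secrets placed in plan JSON are a reviewed choice.

```python
import json
import uuid

REQUIRED = ("name", "id", "description")  # keys shown in the page's plan template
OVERRIDES = ("credentials", "project")    # per-plan credential properties


def check_plans(text):
    """Return (errors, names of plans that carry their own credentials)."""
    try:
        plans = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"], []
    if not isinstance(plans, list):
        return ["top level must be a JSON array of plan objects"], []
    errors, overriding, seen = [], [], {"name": set(), "id": set()}
    for index, plan in enumerate(plans):
        if not isinstance(plan, dict):
            errors.append(f"plan #{index}: not a JSON object")
            continue
        name = plan.get("name")
        label = name if isinstance(name, str) and name else f"plan #{index}"
        for key in REQUIRED:
            if not isinstance(plan.get(key), str) or not plan[key].strip():
                errors.append(f"{label}: missing or empty {key!r}")
        if isinstance(plan.get("id"), str) and plan["id"].strip():
            try:
                uuid.UUID(plan["id"])
            except ValueError:
                errors.append(f"{label}: id is not a UUID")
        # Assumption: plan names and ids must be unique across the field.
        for key in ("name", "id"):
            value = plan.get(key)
            if isinstance(value, str):
                if value.lower() in seen[key]:
                    errors.append(f"{label}: duplicate {key} {value!r}")
                seen[key].add(value.lower())
        if any(key in plan for key in OVERRIDES):
            overriding.append(label)
    return errors, overriding


# Constructed sample: the second plan reuses a name, has a bad id, and overrides credentials.
SAMPLE = """[
  {"name": "small", "id": "0f8b5a0e-3c1d-4e2a-9b7c-5d6e7f8a9b0c", "description": "smallest size"},
  {"name": "small", "id": "not-a-uuid", "description": "team B",
   "credentials": "GCP-JSON-CREDENTIAL", "project": "GCP-PROJECT"}
]"""
```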
Configure Feature Flags
This section describes how to enable feature flags for Cloud Service Broker for GCP.
To configure Feature Flags:
- Click Feature Flags.
- By default the enable-beta-services flag is false. To enable all services tagged as beta, select the check box.
- Click Save.
Rotate the Encryption Password on the State Database
If you have already set an encryption password and want to change it, follow the instructions below:
To rotate the password on the state database:
- Click Service Broker Config.
- Clear the Primary checkbox.
- Click Add.
- Enter a new Label and Password for the new password, and select Primary.
  You cannot change the label or password after you save.
- Click Save.
- Return to the Tanzu Operations Manager Installation Dashboard.
- Click Review Pending Changes.
- Click Apply changes to install the Cloud Service Broker for GCP tile.
- (Recommended) After the apply changes process completes, delete the non-primary label and password pair and apply changes again.
Remove Encryption from the State Database
If the data in the state database was previously encrypted, and you want to deactivate encryption, follow the instructions below.
To remove encryption from the state database:
- Click Service Broker Config.
- Clear the Enable encryption of the Cloud Service Broker database checkbox.
- Clear the Primary checkbox, but do not change the Label or Password fields.
- Click Save.
- Return to the Tanzu Operations Manager Installation Dashboard.
- Click Review Pending Changes.
- Click Apply changes to install the Cloud Service Broker for GCP tile.
- (Recommended) After the apply changes process completes, delete all label and password pairs and apply changes again.
Upgrade All Service Instances Config
If upgrading from a previous tile version, service instances might need upgrading. By default, the tile upgrades all instances during installation if the errand Upgrade all Cloud Service Broker instances is enabled. This section is about the general configuration of upgrades. For version-specific upgrade instructions, see Upgrading Cloud Service Broker for GCP.
If the errand Upgrade all Cloud Service Broker instances is disabled, service instances are not upgraded during installation. The broker might not be able to manage these service instances anymore. In that case, any operations on that instance (update/bind/unbind/delete) are blocked until the upgrade is performed. You can run the upgrade-services errand any time.
Deleting custom plans before upgrading all instances might cause some instances to become unmanageable by the broker. Delete plans at a later step or see Release Notes for Cloud Service Broker for GCP and Upgrading Cloud Service Broker for GCP to ensure there are no conflicting upgrades.
To perform the upgrade task:
- Go to the Upgrade All Service Instances Config tab.
- Configure the fields as follows:

| Field | Description |
| --- | --- |
| The number of upgrades to run in parallel | Indicates the number of instances that can be in the upgrading status at any given time. |

  Important: The Upgrade all Cloud Service Broker instances errand must be enabled for your environment to take advantage of this feature. This is the default behavior for the installation.
- Click Save.
- Return to the Tanzu Operations Manager Installation Dashboard.
- Click Review Pending Changes.
- Click Apply changes to install the Cloud Service Broker for GCP tile.