GKE (GCP)

GKE Setup

To remain inherently safe, Karrots does not acquire or store account secrets. On GKE, Karrots relies on the Google management tool gcloud to perform all of the Terraform operations that require secrets and authorization. To make this work, you first need to do a little gcloud setup.

Prerequisites

Before you run Karrots, you need a Google Compute organization, project, and billing account. Your user account then needs admin privileges in that organization. You can find organization setup information here: https://cloud.google.com/resource-manager/docs/creating-managing-organization. The Terraform scripts that Karrots runs use your local gcloud setup to handle validation and authorization. You can find gcloud installation instructions here: https://cloud.google.com/sdk/docs/downloads-interactive#interactive_installation.

When Karrots creates a new cluster, it does that inside a project and creates a new service account that owns the cluster. (Your admin account will not own the cluster for security reasons.)

Manual setup steps

Once you have a valid organization and project, you need to perform a few steps to set up gcloud on the local machine so that Karrots can use it to provide authorization for certain Terraform operations. (Karrots never stores secrets.)

The first thing you need to do is install the gcloud beta components so that Karrots can use the gcloud beta billing accounts list command to validate that your account is set up correctly.

gcloud components install beta

If you don't already have a stored gcloud config for the project where you want to run Karrots, then you will need to create one.

gcloud config configurations create karrots
gcloud config set account <account-id>    # your GCP login account: first.last@sample.com
gcloud config set project <project-name>
gcloud config set compute/region <region>
gcloud config set compute/zone <zone>

You can now activate the gcloud config you want Karrots to use and then log in to the account associated with that config. The reason for the second login using application-default is that gcloud will set up local config so that the kubectl command works from your local machine against the new cluster once it's up.

gcloud config configurations activate karrots
gcloud auth login
gcloud auth application-default login
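
A pre-flight check for the manual steps above, added here as an example (it is not part of Karrots or of the original page): it confirms that the active gcloud configuration has account, project, region and zone set and that application-default credentials exist. The function names and the sample values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Karrots code. Function names and sample values are assumptions.
# missing_props reads `gcloud config list` output (INI style) on stdin and prints
# every required property that is unset, one per line, as section/key.
missing_props() {
    awk '
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        /=/ {
            p = index($0, "=")
            key = substr($0, 1, p - 1); val = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val != "") seen[section "/" key] = 1
        }
        END {
            n = split("core/account core/project compute/region compute/zone", req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) print req[i]
        }
    '
}

# Check the configuration that is active on this machine.
preflight_live() {
    missing=$(gcloud config list 2>/dev/null | missing_props)
    if [ -n "$missing" ]; then
        echo "unset gcloud properties: $(echo $missing)" >&2
        return 1
    fi
    # Fails until `gcloud auth application-default login` has been run.
    # The token itself is discarded so it never reaches a terminal or log.
    if ! gcloud auth application-default print-access-token >/dev/null 2>&1; then
        echo "no application-default credentials found" >&2
        return 1
    fi
    echo "gcloud configuration is ready"
}

# Constructed sample of `gcloud config list` output with compute/zone unset.
SAMPLE='[compute]
region = us-central1
[core]
account = first.last@sample.com
project = sample-project'

if [ "${1:-}" = "--live" ]; then
    preflight_live
else
    printf '%s\n' "$SAMPLE" | missing_props   # prints: compute/zone
fi
```

Run it with `--live` after the login steps to check the real configuration; without arguments it only evaluates the constructed sample.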

Post Cluster Creation Steps

At this point you should be able to execute:

kubectl get pods

and get a list of running pods.