To remain inherently safe, Karrots does not acquire or store account secrets. On GKE, Karrots relies on the Google management tool gcloud to perform all of the Terraform operations that require secrets and authorization. To make this work you will need to first do a little
Before you run Karrots you need a Google Cloud organization, project, and billing account. Your user account then needs admin privileges in that organization. You can find organization setup information here: https://cloud.google.com/resource-manager/docs/creating-managing-organization. The Terraform scripts that Karrots runs use your local gcloud setup to handle validation and authorization. You can find gcloud installation instructions here: https://cloud.google.com/sdk/docs/downloads-interactive#interactive_installation.
When Karrots creates a new cluster, it does that inside a project and creates a new service account that owns the cluster. (Your admin account will not own the cluster for security reasons.)
Manual setup steps
Once you have a valid organization and project, you need to perform a few steps to set up gcloud on the local machine so that Karrots can use it to provide authorization for certain Terraform operations. (Karrots never stores secrets.)
The first thing you need to do is install the gcloud beta components so that Karrots can use the gcloud beta billing accounts list command to validate that your account is set up correctly.
gcloud components install beta
If you don't already have a stored gcloud config for the project where you want to run Karrots, then you will need to create one.
gcloud config configurations create karrots
gcloud config set account <account-id>   (your GCP login account: email@example.com)
gcloud config set project <project-name>
gcloud config set compute/region <region>
gcloud config set compute/zone <zone>
Next, activate the gcloud config you want Karrots to use and then log in to the account associated with that config. The second login, using gcloud auth application-default login, sets up local config so that the kubectl command works from your local machine against the new cluster once it's up.
gcloud config configurations activate karrots
gcloud auth login
gcloud auth application-default login
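The steps above leave Karrots depending entirely on the state of your local gcloud setup, so it is worth checking that state before you run it. The following preflight script is an added example, not part of Karrots or of the Google Cloud SDK: it parses the INI-style output of gcloud config list, confirms that account, project, region and zone are all set and that the zone belongs to the region, and checks that the application-default credentials file exists without ever reading it. The file name karrots_preflight.sh, the sample configuration text and its values (us-central1, example-project) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of Karrots: a preflight check for the local gcloud
# setup that Karrots depends on. It reads configuration values only (never
# credentials) and prints one line per problem it finds.

# Constructed sample of `gcloud config list` output, used by the self-test;
# the account, project and zone values are placeholders.
SAMPLE_GOOD='[compute]
region = us-central1
zone = us-central1-a
[core]
account = email@example.com
project = example-project'

# Same shape, but the zone does not belong to the region and no project is set.
SAMPLE_BAD='[compute]
region = us-central1
zone = europe-west1-b
[core]
account = email@example.com'

# Print the value of <key> inside [<section>] from INI-style gcloud output.
# Usage: get_ini_value "$output" core account
get_ini_value() {
    printf '%s\n' "$1" | awk -v section="$2" -v key="$3" '
        /^\[/ { cur = substr($0, 2, length($0) - 2); next }
        cur == section && $1 == key && $2 == "=" { print $3; exit }
    '
}

# Check that every setting Karrots needs is present and that compute/zone lies
# inside compute/region. Returns 0 only when the configuration is consistent.
validate_gcloud_config() {
    cfg="$1"
    status=0
    account=$(get_ini_value "$cfg" core account)
    project=$(get_ini_value "$cfg" core project)
    region=$(get_ini_value "$cfg" compute region)
    zone=$(get_ini_value "$cfg" compute zone)

    [ -n "$account" ] || { echo "core/account is not set"; status=1; }
    [ -n "$project" ] || { echo "core/project is not set"; status=1; }
    [ -n "$region" ]  || { echo "compute/region is not set"; status=1; }
    [ -n "$zone" ]    || { echo "compute/zone is not set"; status=1; }

    if [ -n "$zone" ] && [ -n "$region" ]; then
        case "$zone" in
            "$region"-*) ;;
            *) echo "compute/zone $zone is not in compute/region $region"; status=1 ;;
        esac
    fi
    return "$status"
}

# Live check against this machine. Only `gcloud config list` is called, and the
# application-default credentials file is tested for existence, never read.
karrots_preflight() {
    command -v gcloud >/dev/null 2>&1 || { echo "gcloud is not installed"; return 2; }
    rc=0
    adc="${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}/application_default_credentials.json"
    [ -f "$adc" ] || { echo "no application-default credentials; run: gcloud auth application-default login"; rc=1; }
    validate_gcloud_config "$(gcloud config list 2>/dev/null)" || rc=1
    return "$rc"
}

# Run the live check only when executed directly as karrots_preflight.sh.
case "$0" in
    *karrots_preflight.sh) karrots_preflight ;;
esac
```

Run it as sh karrots_preflight.sh after the activate and login commands; a non-zero exit means something in the active configuration still needs attention. The check deliberately stays on the same side of the line Karrots draws for itself: it inspects which account and project gcloud will act as, but never touches the tokens that gcloud holds.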
Post Cluster Creation Steps
At this point you should be able to execute:
kubectl get pods
and get a list of running pods.