Creating a new Service Account

K10 requires a newly created service account with the following role:

roles/compute.storageAdmin

Note

Currently, the Google Service Account key needs to be created in the same GCP account as the GKE cluster.

The following steps should be used to create the service account and add the required permissions:

$ myproject=$(gcloud config get-value core/project)
$ gcloud iam service-accounts create k10-test-sa --display-name "K10 Service Account"
$ k10saemail=$(gcloud iam service-accounts list --filter "k10-test-sa" --format="value(email)")
$ gcloud iam service-accounts keys create --iam-account=${k10saemail} k10-sa-key.json
$ gcloud projects add-iam-policy-binding ${myproject} --member serviceAccount:${k10saemail} --role roles/compute.storageAdmin

Installing K10 with the new Service Account

Use the base64 tool to encode the k10-sa-key.json file generated above and install K10 with the newly created credentials.

$ sa_key=$(base64 -w0 k10-sa-key.json)
$ helm install k10 kasten/k10 --namespace=kasten-io --set secrets.googleApiKey=$sa_key

Using a custom Project ID

If the Google Service Account belongs to a project other than the one in which the cluster is located, then the project ID of the cluster must also be provided during the installation.

$ sa_key=$(base64 -w0 k10-sa-key.json)
$ helm install k10 kasten/k10 \
      --namespace=kasten-io \
      --set secrets.googleApiKey=$sa_key \
      --set secrets.googleProjectId=<project-id>
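
A pre-install check for the key file, as an added example that is not part of the K10 documentation: it refuses a key file readable by group or others, confirms the file is a service account key, and prints the extra secrets.googleProjectId flag only when the key's project differs from the cluster's. The function names json_field and k10_key_check are hypothetical; the type and project_id fields are assumed to be laid out as in a standard Google service account key file.

```bash
# Added example: json_field and k10_key_check are hypothetical helper names.

# Pull one top-level string field out of the key file without needing jq.
json_field() {  # usage: json_field <field> <file>
  sed -n 's/.*"'"$1"'": *"\([^"]*\)".*/\1/p' "$2" | head -n 1
}

# Prints the extra Helm flag needed for a cross-project key, or nothing when
# the projects match. Returns non-zero if the file should not be used.
k10_key_check() {  # usage: k10_key_check <key-file> <cluster-project-id>
  local key_file="$1" cluster_project="$2"
  local perms key_type key_project

  [ -r "$key_file" ] || { echo "cannot read $key_file" >&2; return 1; }

  # The key is a long-lived credential: reject any group/other permission bit.
  perms=$(ls -ld -- "$key_file" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "$key_file is accessible to group/others; run: chmod 600 $key_file" >&2
    return 2
  fi

  # Make sure this is a service account key and not some other JSON file.
  key_type=$(json_field type "$key_file")
  key_project=$(json_field project_id "$key_file")
  if [ "$key_type" != "service_account" ] || [ -z "$key_project" ]; then
    echo "$key_file is not a service account key" >&2
    return 3
  fi

  # Key issued in another project: the cluster's project ID must be passed too.
  if [ "$key_project" != "$cluster_project" ]; then
    printf -- '--set secrets.googleProjectId=%s\n' "$cluster_project"
  fi
}
```

Run it as k10_key_check k10-sa-key.json <project-id> with the cluster's project ID before helm install; empty output with a zero exit status means the key and the cluster share a project.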

Existing secret usage

It is possible to use an existing secret to provide the Service Account key and Project ID.

To do so, the following Helm option can be used:

--set secrets.googleClientSecretName=<secret name>

Note

Please ensure that the secret exists in the namespace where K10 is installed. The default namespace assumed throughout this documentation is kasten-io.

apiVersion: v1
kind: Secret
metadata:
  name: my-google-creds
  namespace: kasten-io
data:
  google-api-key: MjMzODAyNWMEXAMPLEAPIKEY
  google-project-id: UlVMOFF+dnpwM1EXAMPLEPROJECTID
type: Opaque