Creating a new Service Account
K10 requires a newly created service account to contain the following roles:
roles/compute.storageAdmin
Note
Currently, the Google Service Account key needs to be created in the same GCP account as the GKE cluster.
The following steps should be used to create the service account and add the required permissions:
$ myproject=$(gcloud config get-value core/project)
$ gcloud iam service-accounts create k10-test-sa --display-name "K10 Service Account"
$ k10saemail=$(gcloud iam service-accounts list --filter "k10-test-sa" --format="value(email)")
$ gcloud iam service-accounts keys create --iam-account=${k10saemail} k10-sa-key.json
$ gcloud projects add-iam-policy-binding ${myproject} --member serviceAccount:${k10saemail} --role roles/compute.storageAdmin
Installing K10 with the new Service Account
Use the base64 tool to encode the k10-sa-key.json file generated above and install K10 with the newly created credentials.
$ sa_key=$(base64 -w0 k10-sa-key.json)
$ helm install k10 kasten/k10 --namespace=kasten-io --set secrets.googleApiKey=$sa_key
Using a custom Project ID
If the Google Service Account belongs to a project other than the one in which the cluster is located, the project ID of the cluster must also be provided during the installation.
$ sa_key=$(base64 -w0 k10-sa-key.json)
$ helm install k10 kasten/k10 \
    --namespace=kasten-io \
    --set secrets.googleApiKey=$sa_key \
    --set secrets.googleProjectId=<project-id>
Existing secret usage
It is possible to use an existing secret to provide the Service Account key and Project ID.
To do so, the following Helm option can be used:
--set secrets.googleClientSecretName=<secret name>
Note
Please ensure that the secret exists in the namespace where K10 is installed. The default namespace assumed throughout this documentation is kasten-io.
apiVersion: v1
kind: Secret
metadata:
  name: my-google-creds
  namespace: kasten-io
data:
  google-api-key: MjMzODAyNWMEXAMPLEAPIKEY
  google-project-id: UlVMOFF+dnpwM1EXAMPLEPROJECTID
type: Opaque
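
An added example (not part of the K10 documentation): one way to generate the Secret shown under "Existing secret usage" from k10-sa-key.json, and to check whether the key's project differs from the cluster's, which is the case described under "Using a custom Project ID". The function names are hypothetical. It assumes that google-api-key carries the same single base64 encoding of the key file that the Helm value uses, and that the key file has the one-field-per-line layout gcloud writes.

```shell
#!/bin/sh
# Added example: build the K10 credentials Secret from a service account key file.
# Helper names are hypothetical; nothing here calls gcloud, kubectl or helm.

# Print the value of a top-level string field from a gcloud-generated key file.
key_field() {  # $1 = key file, $2 = field name
  sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Single-line base64, a portable equivalent of `base64 -w0`.
b64() { base64 | tr -d '\n'; }

# Return 0 when the key's project differs from the cluster's project, i.e. when
# the cluster project ID has to be supplied as well.
needs_project_id() {  # $1 = key file, $2 = cluster project ID
  [ "$(key_field "$1" project_id)" != "$2" ]
}

# Emit the Secret manifest on stdout; refuse anything that is not a service account key.
make_k10_secret() {  # $1 = key file, $2 = cluster project ID, $3 = secret name
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  [ "$(key_field "$1" type)" = "service_account" ] || {
    echo "$1 is not a service account key" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $3
  namespace: kasten-io
data:
  google-api-key: $(b64 < "$1")
  google-project-id: $(printf '%s' "$2" | b64)
type: Opaque
EOF
}
```

Pipe the output straight into kubectl apply -f - rather than saving the manifest, since it contains the service account's private key.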