Creating Kyvos Resources for GCP using Script
Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)
Before you begin
In addition to the prerequisites, ensure the following settings are enabled on your GCP project.
Project Billing: Search for Billing in your Google Cloud project, click Link a Billing Account, and configure the billing information.
Once billing is enabled, an estimate is shown, as in the following figure.
Cloud Deployment Manager V2 API: Search Cloud Deployment Manager V2 API on your project and click the Enable button.
Once the API is enabled, the API Enabled status is displayed, as shown in the following figure.
Compute Engine APIs: Search for Compute Engine APIs on your project, and click the Enable button.
Once the API is enabled, the corresponding status is displayed, as shown in the following figure.
Cloud Resource Manager API: Search for Cloud Resource Manager API on your project, and click the Enable button.
Once the API is enabled, the API Enabled status is displayed, as shown in the following figure.
Enable the following APIs on your project. Refer to the GCP documentation for details.
Cloud Functions
Cloud Build
Cloud Scheduler
Create an App Engine project, and select the region where you want to deploy your resources.
To the default Google APIs Service Agent service account, add the storage.buckets.get role. This is required to delete deployments through the Deployment Manager.
Kubernetes Engine API: Search for Kubernetes Engine API on your project and click the Enable button. Once the API is enabled, the API Enabled status is displayed.
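The prerequisite steps above enable seven APIs by hand in the console. The following script is an added example, not part of the Kyvos documentation or installation files: it lists the same APIs by their gcloud service identifiers, reports which ones a project still lacks, and can enable them in one call. It assumes the gcloud CLI is installed and authenticated with a principal allowed to list and enable services; the project ID is whatever you pass in, and the --demo mode uses a constructed service list so the checker can be exercised without a project.

```shell
#!/bin/sh
# Added example (not from the Kyvos documentation): check that the APIs the
# "Before you begin" section requires are enabled before running the script.
# Assumes gcloud is installed and authenticated.

# APIs named on this page, as the service identifiers gcloud uses.
REQUIRED_SERVICES="deploymentmanager.googleapis.com
compute.googleapis.com
cloudresourcemanager.googleapis.com
cloudfunctions.googleapis.com
cloudbuild.googleapis.com
cloudscheduler.googleapis.com
container.googleapis.com"

# Read an enabled-service list (one name per line) on stdin and print the
# required services that are not in it. Exit status 1 when any is missing.
missing_services() {
    enabled=$(cat)
    missing=""
    for svc in $REQUIRED_SERVICES; do
        if ! printf '%s\n' "$enabled" | grep -qx "$svc"; then
            missing="$missing $svc"
        fi
    done
    missing=${missing# }          # drop the leading space
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Live check: feed gcloud's enabled-service list into the checker.
check_project() {
    gcloud services list --enabled --project "$1" \
        --format='value(config.name)' | missing_services
}

# Enable every required service on the project (gcloud skips ones already on).
enable_missing() {
    gcloud services enable --project "$1" $REQUIRED_SERVICES
}

report() {
    project=$1
    if m=$(check_project "$project"); then
        echo "all required APIs are enabled on $project"
    else
        echo "missing on $project: $m"
        echo "enable with: gcloud services enable --project $project $m"
        return 1
    fi
}

demo() {
    # Constructed sample list (not real project output): only two APIs on.
    printf 'compute.googleapis.com\ncontainer.googleapis.com\n' | missing_services
}

case "${1:-}" in
    --project) report "$2" ;;
    --enable)  enable_missing "$2" ;;
    --demo)    demo ;;
esac
```

Run it as `./check-apis.sh --project MY_PROJECT` to see what is still missing, or `--enable MY_PROJECT` to turn the listed services on; the App Engine project, billing link and the Service Agent role from the steps above are still done as described on the page.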
Creating resources using script
Download the gcp.tar file from the GCP Installation Files folder on your workstation.
On your workstation, install the gcloud command-line tool.
Configure the gcloud command-line tool to use your project using the following command.
gcloud config set project [MY_PROJECT]
Here, replace [MY_PROJECT] with your project ID.
Copy the script tar file and untar it.
Update the following parameters in the kyvos-template.yaml (provided in the gcp.tar) as per your business requirement.
Enter details as:
Note
Change the value of the parameter kmCount to 0 in the kyvos-template.yaml file if you want to use wizard-based deployment instead.
Once created, you can validate if the resources meet the requirements for installing Kyvos on the Google cloud platform.
Post-deployment, for a non-SSH based cluster, if you use an existing Dataproc cluster and a new bucket for automated deployment on GCP, you must execute the dataproc.sh script on the master node of Dataproc after modifying the values of DEPLOYMENT_BUCKET, WORK_DIR, COPY_LIB, and DATAPROC_VERSION to the name of the existing bucket. Then, sync the library and configuration files from the Kyvos Manager on the Dataproc page.
Deploying resources
To deploy your resources, use the gcloud command-line tool and execute the kyvos-deployment.sh file (provided in the GCP installation files).
If the deployment is successful, you will receive a message like the following example:
Create operation operation-1432319707382-516afeb5d00f1-b864f0e7-b7103978 completed successfully.
NAME                   TYPE                 STATE      ERRORS
quickstart-deployment  compute.v1.instance  COMPLETED  -
where:
NAME: <resource_name>
TYPE: compute.v1.disk
STATE: COMPLETED
Check your new deployment
To check the status of the deployment, run the following command:
gcloud deployment-manager deployments describe <resource name>
A new bucket will be created for the Dataproc cluster.
Using existing Service Account
Once Kyvos resources are created using Kubernetes, execute the following commands using the gcloud CLI to link the Kubernetes Service account to the IAM Service account.
gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-monitoring/default]"
gcloud iam service-accounts add-iam-policy-binding IAM_SA_NAME@IAM_SA_PROJECT_ID.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:PROJECT_ID.svc.id.goog[kyvos-compute/default]"
In the above-mentioned commands, replace the following:
IAM_SA_NAME: The name of your new IAM service account.
IAM_SA_PROJECT_ID: The project ID of your IAM service account.
PROJECT_ID: The project ID of your Google Cloud.
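The two bindings above grant every pod that runs as the default Kubernetes service account in the kyvos-monitoring and kyvos-compute namespaces the ability to act as the IAM service account, so the IAM service account should carry only the roles Kyvos needs, and the bindings are worth verifying after the fact rather than assumed. The script below is an added example, not Kyvos code: it builds the member strings the same way the commands above do, applies both bindings, and checks the live IAM policy for them. It assumes gcloud is installed and authenticated; IAM_SA_NAME, IAM_SA_PROJECT_ID and PROJECT_ID are placeholders to set in the environment, and the policy JSON in the --demo mode is a constructed sample, not real gcloud output.

```shell
#!/bin/sh
# Added example (not from the Kyvos documentation): apply and verify the
# Workload Identity bindings described on this page.
# Placeholders: override these three in the environment before use.
IAM_SA_NAME="${IAM_SA_NAME:-IAM_SA_NAME}"
IAM_SA_PROJECT_ID="${IAM_SA_PROJECT_ID:-IAM_SA_PROJECT_ID}"
PROJECT_ID="${PROJECT_ID:-PROJECT_ID}"
NAMESPACES="kyvos-monitoring kyvos-compute"   # namespaces from the page
KSA="default"                                  # KSA name from the page

# Fully qualified e-mail of the IAM service account: name@project.iam.gserviceaccount.com
iam_sa_email() {
    printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Workload Identity member string: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
wi_member() {
    printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# Read an IAM policy as JSON on stdin (gcloud ... get-iam-policy --format=json)
# and return 0 only if $1 is listed under roles/iam.workloadIdentityUser.
# Uses grep only, so it works without jq; the member must match exactly.
has_wi_binding() {
    member=$1
    policy=$(cat)
    # Strip whitespace, isolate each workloadIdentityUser binding object
    # (objects contain no nested braces), then require the exact member.
    printf '%s' "$policy" | tr -d '\n\t ' \
        | grep -o '{[^{}]*"role":"roles/iam\.workloadIdentityUser"[^{}]*}' \
        | grep -qF "\"$member\""
}

# Apply the two bindings from the page, one per namespace.
bind_all() {
    sa=$(iam_sa_email "$IAM_SA_NAME" "$IAM_SA_PROJECT_ID")
    for ns in $NAMESPACES; do
        gcloud iam service-accounts add-iam-policy-binding "$sa" \
            --role roles/iam.workloadIdentityUser \
            --member "$(wi_member "$PROJECT_ID" "$ns" "$KSA")"
    done
}

# Fetch the live policy once and confirm both bindings are present.
verify_all() {
    sa=$(iam_sa_email "$IAM_SA_NAME" "$IAM_SA_PROJECT_ID")
    policy=$(gcloud iam service-accounts get-iam-policy "$sa" --format=json)
    rc=0
    for ns in $NAMESPACES; do
        m=$(wi_member "$PROJECT_ID" "$ns" "$KSA")
        if printf '%s' "$policy" | has_wi_binding "$m"; then
            echo "bound:   $m"
        else
            echo "MISSING: $m"; rc=1
        fi
    done
    return $rc
}

# Constructed sample policy (not real gcloud output): only one namespace bound.
SAMPLE_POLICY='{"bindings":[{"members":["serviceAccount:PROJECT_ID.svc.id.goog[kyvos-monitoring/default]"],"role":"roles/iam.workloadIdentityUser"},{"members":["user:admin@example.com"],"role":"roles/iam.serviceAccountUser"}],"etag":"BwXyz","version":1}'

demo() {
    for ns in $NAMESPACES; do
        m=$(wi_member "$PROJECT_ID" "$ns" "$KSA")
        if printf '%s' "$SAMPLE_POLICY" | has_wi_binding "$m"; then
            echo "bound:   $m"
        else
            echo "MISSING: $m"
        fi
    done
}

case "${1:-}" in
    bind)   bind_all ;;
    verify) verify_all ;;
    --demo) demo ;;
esac
```

`./wi-bind.sh bind` applies the bindings and `./wi-bind.sh verify` exits non-zero if either is absent, which makes it usable as a post-deployment check; `--demo` runs the verifier over the constructed sample and reports kyvos-compute as missing.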
Note
After creating resources using scripts, the configuration of the Kyvos GCP cluster on Kyvos Manager is no longer needed. Once the resources are successfully created, deployment of the Kyvos cluster will commence automatically on logging into the Kyvos Manager portal.
Tip
In case of any failures in the Cloud-init service on any of the Kyvos Instances, you can view the Cloud-init logs directly from the GCP Cloud logging UI. Refer to the Troubleshooting GCP deployment section for details.
Copyright Kyvos, Inc. All rights reserved.