GCP
Please check the general requirements page for the basic requirements. On this page, we include GCP-specific recommendations.
Setting up Domain Name
For a seamless integration experience, we recommend using Cloud DNS zones.
Configuring Network
Check the network and firewall requirements section from the general requirements.
Please follow the best practices for VPC design guide to set up your virtual network, subnets, security groups, etc.
Please contact AlphaSense if you need extra annotations on the nginx ingress service kind specified in cloud-provider-gcp.
Kubernetes Cluster
CNI
We recommend using GKE default CNI or Cilium.
Node Groups
Select one of the reference architectures and configure the node group autoscaling accordingly.
API
- Artifact Registry API
- Cloud DNS API
- Cloud Monitoring API
- Cloud Pub/Sub API
- Cloud Resource Manager API
- Cloud SQL Admin API
- Compute Engine API
- IAM Service Account Credentials API
- Identity and Access Management (IAM) API
- Kubernetes Engine API
- Security Token Service API
- Service Networking API
- Service Usage API
GCS Buckets
AlphaSense uses Crossplane to create around 30 buckets. The GCP project where you plan to install must have enough free space to create those buckets.
Resource Quotas
Resource quotas are a feature of GCP that limits the number of resources that can be used in a project. We recommend disabling quotas in the project where you plan to install AlphaSense Enterprise Intelligence.
MySQL Database Cluster
Please check the engine and required parameters in the MySQL database cluster section of the general requirements.
We recommend using Cloud SQL MySQL.
Select one of the reference architectures and configure the MySQL cluster resources accordingly.
If you use Google Cloud SQL MySQL, please follow the database flags configuration docs to configure the server parameters.
Service Accounts
To enable Crossplane to create all the necessary resources and permissions, a role must be created. The following examples and lists are provided for audit purposes. You can decide how to create the role and identity, whether through Terraform or another method of your choice.
Please ensure that placeholders in the commands are replaced with the relevant information before execution.
export PROJECT_ID=<your GCP project id>
export CLUSTER_NAME=<your cluster name, e.g. thunderstorm>
export RANDOM_SUFFIX=$(openssl rand -hex 2)
gcloud iam service-accounts create uxp-provider-${CLUSTER_NAME} \
--display-name="Crossplane Provider Service Account for ${CLUSTER_NAME}" \
--project=${PROJECT_ID}
gcloud iam roles create uxp_provider.${RANDOM_SUFFIX} \
--project=${PROJECT_ID} \
--title="Crossplane Provider Custom Role for ${CLUSTER_NAME}" \
--permissions="iam.roles.create,iam.roles.delete,iam.roles.get,iam.roles.list,iam.roles.undelete,iam.roles.update,iam.serviceAccounts.create,iam.serviceAccounts.delete,iam.serviceAccounts.disable,iam.serviceAccounts.enable,iam.serviceAccounts.get,iam.serviceAccounts.getIamPolicy,iam.serviceAccounts.list,iam.serviceAccounts.setIamPolicy,iam.serviceAccounts.undelete,iam.serviceAccounts.update,pubsub.subscriptions.create,pubsub.subscriptions.delete,pubsub.subscriptions.get,pubsub.subscriptions.getIamPolicy,pubsub.subscriptions.list,pubsub.subscriptions.setIamPolicy,pubsub.subscriptions.update,pubsub.topics.attachSubscription,pubsub.topics.create,pubsub.topics.delete,pubsub.topics.detachSubscription,pubsub.topics.get,pubsub.topics.getIamPolicy,pubsub.topics.list,pubsub.topics.setIamPolicy,pubsub.topics.update,pubsub.topics.updateTag,resourcemanager.projects.get,resourcemanager.projects.getIamPolicy,resourcemanager.projects.setIamPolicy,storage.buckets.create,storage.buckets.createTagBinding,storage.buckets.delete,storage.buckets.deleteTagBinding,storage.buckets.enableObjectRetention,storage.buckets.get,storage.buckets.getIamPolicy,storage.buckets.list,storage.buckets.listEffectiveTags,storage.buckets.listTagBindings,storage.buckets.setIamPolicy,storage.buckets.update,cloudsql.backupRuns.create,cloudsql.backupRuns.get,cloudsql.backupRuns.list,cloudsql.instances.addServerCa,cloudsql.backupRuns.delete,cloudsql.instances.clone,cloudsql.instances.connect,cloudsql.instances.create,cloudsql.instances.createTagBinding,cloudsql.instances.delete,cloudsql.instances.deleteTagBinding,cloudsql.instances.export,cloudsql.instances.failover,cloudsql.instances.get,cloudsql.instances.import,cloudsql.instances.list,cloudsql.instances.listEffectiveTags,cloudsql.instances.listTagBindings,cloudsql.instances.resetSslConfig,cloudsql.instances.restart,cloudsql.instances.restoreBackup,cloudsql.instances.update,cloudsql.users.create,cloudsql.users.delete,cloudsql.users.get,cloudsql.users.list,cloudsql.users.update,iam.serviceAccountKeys.create,iam.serviceAccountKeys.delete,iam.serviceAccountKeys.disable,iam.serviceAccountKeys.enable,iam.serviceAccountKeys.get,iam.serviceAccountKeys.list,storage.hmacKeys.create,storage.hmacKeys.delete,storage.hmacKeys.get,storage.hmacKeys.list,storage.hmacKeys.update"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:uxp-provider-${CLUSTER_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="projects/${PROJECT_ID}/roles/uxp_provider.${RANDOM_SUFFIX}"
gcloud iam service-accounts add-iam-policy-binding uxp-provider-${CLUSTER_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
--role="roles/iam.workloadIdentityUser" \
--member="serviceAccount:${PROJECT_ID}.svc.id.goog[crossplane/gcp-provider-sa]"
With the Crossplane role and managed identity now created, we need to proceed with creating additional service accounts to ensure the proper functioning and integration of various components within the GCP environment. Follow the steps below to create the necessary service accounts and assign the required roles and permissions.
gcloud iam service-accounts create certmgr-${CLUSTER_NAME} \
--display-name="Cert Manager Service Account for ${CLUSTER_NAME}" \
--project=${PROJECT_ID}
gcloud iam service-accounts add-iam-policy-binding certmgr-${CLUSTER_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
--role="roles/iam.workloadIdentityUser" \
--member="serviceAccount:${PROJECT_ID}.svc.id.goog[cert-manager/cert-manager]"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:certmgr-${CLUSTER_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role=${CERT_MANAGER_ROLE}
gcloud iam service-accounts create keda-operator-${CLUSTER_NAME} \
--display-name="KEDA Operator Service Account for ${CLUSTER_NAME}" \
--project=${PROJECT_ID}
gcloud iam service-accounts add-iam-policy-binding keda-operator-${CLUSTER_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
--role="roles/iam.workloadIdentityUser" \
--member="serviceAccount:${PROJECT_ID}.svc.id.goog[keda/keda-operator]"
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:keda-operator-${CLUSTER_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/monitoring.viewer"
To forward undeliverable messages to a dead-letter topic, Pub/Sub must have permission to do the following:
- Publish messages to the topic.
- Acknowledge the messages, which removes them from the subscription.
For each project, Pub/Sub automatically generates and manages a service account: service-project-number@gcp-sa-pubsub.iam.gserviceaccount.com. To grant forwarding permissions, you need to assign publisher and subscriber roles to this service account. Refer to this guide for more details.
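Since the commands in the Service Accounts section are provided for audit purposes, the following added example (not part of the original page or of AlphaSense's tooling) shows one way to audit the resulting IAM state offline from exported JSON: it diffs the custom role's permissions against the exact list passed to --permissions, confirms the provider service account holds the custom role and flags any primitive role (owner/editor) bound to it, lists which Kubernetes service accounts may impersonate it via roles/iam.workloadIdentityUser, and checks that the Pub/Sub service agent described above holds the publisher and subscriber roles. The JSON samples, project id, project number and role suffix are constructed placeholders; in practice they come from `gcloud iam roles describe`, `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy` with `--format=json`.

```python
"""Offline audit of the IAM artifacts created for the Crossplane provider (added example)."""
import json
from typing import Dict, List, Set

# Constructed sample of: gcloud iam roles describe uxp_provider.ab12 --project example-project --format=json
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/uxp_provider.ab12",
    "stage": "GA",
    "includedPermissions": [
        "iam.roles.create", "iam.roles.get", "storage.buckets.create",
        "resourcemanager.projects.setIamPolicy",
        "compute.instances.delete",  # constructed: not in the documented list, reported as extra
    ],
})

# Constructed sample of: gcloud projects get-iam-policy example-project --format=json
PROVIDER_SA = "serviceAccount:uxp-provider-thunderstorm@example-project.iam.gserviceaccount.com"
PUBSUB_AGENT = "serviceAccount:service-123456789012@gcp-sa-pubsub.iam.gserviceaccount.com"  # placeholder number
SAMPLE_PROJECT_POLICY = json.dumps({
    "bindings": [
        {"role": "projects/example-project/roles/uxp_provider.ab12", "members": [PROVIDER_SA]},
        {"role": "roles/owner", "members": ["user:admin@example.com", PROVIDER_SA]},  # constructed drift
        {"role": "roles/pubsub.publisher", "members": [PUBSUB_AGENT]},
    ]
})

# Constructed sample of: gcloud iam service-accounts get-iam-policy <provider SA email> --format=json
SAMPLE_SA_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.workloadIdentityUser",
         "members": ["serviceAccount:example-project.svc.id.goog[crossplane/gcp-provider-sa]"]},
    ]
})

# Paste the exact comma-separated value given to --permissions when the role was created.
# Shortened here so the constructed sample stays readable.
EXPECTED_PERMISSIONS = ("iam.roles.create,iam.roles.get,storage.buckets.create,"
                        "storage.buckets.delete,resourcemanager.projects.setIamPolicy")

# Primitive roles that should never be bound to an automation identity.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def diff_role_permissions(role_json: str, expected_csv: str) -> Dict[str, List[str]]:
    """Return permissions the role lacks ('missing') and carries beyond the list ('extra')."""
    actual = set(json.loads(role_json).get("includedPermissions", []))
    expected = {p.strip() for p in expected_csv.split(",") if p.strip()}
    return {"missing": sorted(expected - actual), "extra": sorted(actual - expected)}


def roles_for_member(policy_json: str, member: str) -> Set[str]:
    """All roles in an IAM policy whose bindings include the given member string."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_member(policy_json: str, member: str, required_roles: Set[str]) -> Dict[str, List[str]]:
    """Report required roles not held by the member and any broad primitive roles it does hold."""
    held = roles_for_member(policy_json, member)
    return {"missing": sorted(required_roles - held), "broad": sorted(held & BROAD_ROLES)}


def workload_identity_users(sa_policy_json: str) -> List[str]:
    """Kubernetes service accounts allowed to impersonate the Google service account."""
    policy = json.loads(sa_policy_json)
    return sorted(m for b in policy.get("bindings", [])
                  if b.get("role") == "roles/iam.workloadIdentityUser"
                  for m in b.get("members", []))


if __name__ == "__main__":
    print("custom role:", diff_role_permissions(SAMPLE_ROLE, EXPECTED_PERMISSIONS))
    print("provider SA:", audit_member(SAMPLE_PROJECT_POLICY, PROVIDER_SA,
                                       {"projects/example-project/roles/uxp_provider.ab12"}))
    print("workload identity users:", workload_identity_users(SAMPLE_SA_POLICY))
    print("pub/sub agent:", audit_member(SAMPLE_PROJECT_POLICY, PUBSUB_AGENT,
                                         {"roles/pubsub.publisher", "roles/pubsub.subscriber"}))
```

Run against real exports, the useful signals are a non-empty `extra` list (the role drifted beyond what Crossplane needs), a non-empty `broad` list (the provider identity was granted owner/editor as a shortcut), an unexpected entry in the workload identity users (a namespace/service-account pair other than crossplane/gcp-provider-sa can mint tokens as the provider), and a missing subscriber role on the Pub/Sub agent (dead-letter forwarding will silently fail to acknowledge).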
Kubernetes Secrets
Check the Kubernetes secrets section from the general requirements.
Telemetry
For auditing and troubleshooting purposes, you can use the built-in Grafana central hub to access the logs and metrics. Details can be found in Observability.