Google Compute Engine

Spinnaker supports deploying applications to Google Compute Engine (GCE).

In Google Compute Engine (GCE), an Account maps to a credential able to authenticate against a given Google Cloud Platform (GCP) project.

Prerequisites

You need a Google Cloud Platform (GCP) project to run Spinnaker against. The next steps assume you’ve already created a project, and installed gcloud. You can check that gcloud is installed and authenticated by running:

  gcloud info

Downloading credentials

Spinnaker needs a service account to authenticate against GCE, with the roles enumerated below enabled. If you don’t already have such a service account with the corresponding JSON key downloaded, you can run the following commands to create one:

  SERVICE_ACCOUNT_NAME=spinnaker-gce-account
  SERVICE_ACCOUNT_DEST=~/.gcp/gce-account.json
  gcloud iam service-accounts create \
      "$SERVICE_ACCOUNT_NAME" \
      --display-name "$SERVICE_ACCOUNT_NAME"
  SA_EMAIL=$(gcloud iam service-accounts list \
      --filter="displayName:$SERVICE_ACCOUNT_NAME" \
      --format='value(email)')
  PROJECT=$(gcloud config get-value project)
  # permission to create/modify instances in your project
  gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:$SA_EMAIL" \
      --role roles/compute.instanceAdmin
  # permission to create/modify network settings in your project
  gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:$SA_EMAIL" \
      --role roles/compute.networkAdmin
  # permission to create/modify firewall rules in your project
  gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:$SA_EMAIL" \
      --role roles/compute.securityAdmin
  # permission to create/modify images & disks in your project
  gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:$SA_EMAIL" \
      --role roles/compute.storageAdmin
  # permission to download service account keys in your project
  # this is needed by packer to bake GCE images remotely
  gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:$SA_EMAIL" \
      --role roles/iam.serviceAccountActor
  mkdir -p "$(dirname "$SERVICE_ACCOUNT_DEST")"
  gcloud iam service-accounts keys create "$SERVICE_ACCOUNT_DEST" \
      --iam-account "$SA_EMAIL"

Once you have run these commands, your GCP JSON key is sitting in a file called $SERVICE_ACCOUNT_DEST.
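
The key file is a long-lived credential carrying all of the roles granted above, so it is worth checking before it is handed to Halyard. The following is an added example, not part of the Spinnaker documentation: the function names (file_mode, json_field, check_sa_key, demo) are hypothetical, and the demo runs on a constructed key with placeholder values such as example-project.

```shell
# Added example (not from the Spinnaker docs): sanity-check a service account
# key file before handing it to `hal ... --json-path`.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Read a top-level string field without jq. Assumes the one-field-per-line
# layout that gcloud writes for key files.
json_field() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_sa_key KEY_FILE EXPECTED_PROJECT
# Prints one line per finding; returns 0 only if every check passes.
check_sa_key() {
  key=$1; project=$2; rc=0
  [ -f "$key" ] || { echo "FAIL: $key does not exist"; return 1; }
  mode=$(file_mode "$key")
  case "$mode" in
    600|400) ;;  # owner-only access
    *) echo "FAIL: mode $mode, expected 600 or 400"; rc=1 ;;
  esac
  [ "$(json_field "$key" type)" = "service_account" ] ||
    { echo "FAIL: not a service account key"; rc=1; }
  found=$(json_field "$key" project_id)
  [ "$found" = "$project" ] ||
    { echo "FAIL: key is for project '$found', expected '$project'"; rc=1; }
  [ "$rc" -ne 0 ] || echo "OK: $(json_field "$key" client_email)"
  return "$rc"
}

# Demo on a constructed key (placeholder values, no real credentials).
demo() {
  d=$(mktemp -d); k="$d/gce-account.json"
  printf '%s\n' '{' '  "type": "service_account",' '  "project_id": "example-project",' \
    '  "client_email": "spinnaker-gce-account@example-project.iam.gserviceaccount.com"' '}' > "$k"
  chmod 644 "$k"; check_sa_key "$k" example-project   # reports the loose mode
  chmod 600 "$k"; check_sa_key "$k" example-project   # passes
  r=$?; rm -rf "$d"; return "$r"
}

# Run the demo only when asked: sh check_key.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Against the real key, call check_sa_key "$SERVICE_ACCOUNT_DEST" "$PROJECT" after the commands above.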

Adding an Account

First, make sure that the provider is enabled:

  hal config provider google enable

All that’s required are the following values (we’ve provided defaults for you):

  PROJECT=$(gcloud config get-value project)
  SERVICE_ACCOUNT_DEST=~/.gcp/gce-account.json  # see Prerequisites section above

Finally, add your new Google account:

  ACCOUNT=my-gce-account
  hal config provider google account add "$ACCOUNT" --project "$PROJECT" \
      --json-path "$SERVICE_ACCOUNT_DEST"

TODO(lwander or duftler): Add a note about application default credentials.

Advanced account settings

If you are looking for more configurability, please see the other options listed in the Halyard Reference.

Next steps

Optionally, you can set up another cloud provider, but otherwise you’re ready to choose an environment in which to install Spinnaker.

Last modified December 22, 2021: docs(fix): Fix various encoding issues (#170) (0475fe5)