compute.networks.create
compute.subnetworks.create
compute.routers.create (for Cloud NAT)
compute.addresses.create (for NAT IPs)
compute.firewalls.create (for intra-cluster traffic rules)
compute.organizations.admin (for the host project)
compute.networks.use (for the service project)
container.clusters.create
container.clusters.update (for private cluster settings)
compute.networks.useExternalIp (for public endpoint access)
compute.instances.create
compute.disks.create (for node disks)
compute.instanceGroups.create (for autoscaling)
roles/container.hostServiceAgentUser
roles/container.nodeServiceAccount
roles/iam.workloadIdentityUser
storage.buckets.create
storage.objects.create (for versioning)
storage.buckets.update (for encryption/lifecycle rules)
cloudsql.instances.create
cloudsql.instances.connect (for private IPs)
vpcaccess.connectors.use (if using Serverless VPC Access)
compute.disks.create (for pd.csi.storage.gke.io)
compute.subnetworks.use (for regional disks)
iam.serviceAccounts.getAccessToken (for federated access)
iam.serviceAccounts.setIamPolicy (to bind Kubernetes SAs to GCP SAs)
compute.routers.update (for NAT configuration)
compute.addresses.use (for NAT IP allocation)
compute.projects.setCommonInstanceMetadata (for SSH key upload — keys placed in common instance metadata are project-wide, so prefer OS Login via compute.instances.osAdminLogin below for per-user access)
compute.instances.osAdminLogin
roles/editor (broad access, or scope with custom roles — this primitive role grants wide project-level access; prefer the scoped predefined roles below or a custom role, and use editor only if those prove insufficient)
roles/compute.networkAdmin (for VPC and subnets)
roles/container.admin (for GKE)
roles/storage.admin (for GCS)
roles/cloudsql.admin (for Postgres)
u10d-platform
10.0.0.0/16
public-subnet — 10.0.0.0/24, ${region}
private-subnet-a: 10.0.1.0/24, region ${region}-a
private-subnet-b: 10.0.2.0/24, region ${region}-b
(note: `${region}-a` / `${region}-b` are zone-style names; GCP subnets are regional, so confirm which value is intended here)
0.0.0.0/0 to Internet Gateway (via external IPs)
0.0.0.0/0 via Cloud NAT
roles/container.clusterAdmin
roles/compute.networkAdmin
roles/container.nodeServiceAccount
roles/compute.viewer
roles/storage.objectViewer
recommender, etl-operator, data-broker
roles/storage.objectAdmin for access to GCS buckets (bind it on the specific u10d-{stack_name}-* buckets rather than at project level — objectAdmin includes object deletion, so a project-wide grant exposes every bucket in the project)
1.31 or higher
n2-standard-16
10.0.0.0/16
kubectl or Helm
v0.7.2
pd.csi.storage.gke.io
db-f1-micro (or db-custom-1-3840)
u10d-{stack_name}-etl-blob-cache
u10d-{stack_name}-etl-job-db
u10d-{stack_name}-etl-job-status
u10d-{stack_name}-job-files
ssh-keygen -t rsa -b 4096
BLOB_STORAGE_ADAPTER_GCP_SERVICE_ACCOUNT_KEY_JSON (an exported, long-lived service-account key that is stored in several Secrets below; prefer Workload Identity — roles/iam.workloadIdentityUser and the Kubernetes-SA-to-GCP-SA binding are already in the permission list — so that no key material has to live in the cluster, and rotate the key if it must be used)
BLOB_STORAGE_ADAPTER_REGION_NAME
DB_USERNAME
DB_PASSWORD
DB_HOST
DB_NAME
DB_DATABASE (used in platform-api only)
JWT_SECRET_KEY
AUTH_STRATEGY (sometimes encoded, sometimes not — it appears in both a Secret and a ConfigMap in the table below, which likely explains why the value is base64-encoded in one manifest and plain in the other; confirm which form each consuming service expects)
SESSION_SECRET
SHARED_SECRET
KEYCLOAK_CLIENT_SECRET
KEYCLOAK_ADMIN_SECRET
KEYCLOAK_ADMIN
KEYCLOAK_ADMIN_PASSWORD
API_BEARER_TOKEN
BLOB_STORAGE_ADAPTER_TYPE (always gcp for GCP)
BLOB_STORAGE_ADAPTER_BUCKET
ETL_BLOB_CACHE_BUCKET_NAME
ETL_API_BLOB_STORAGE_ADAPTER_BUCKET
ETL_API_BLOB_STORAGE_ADAPTER_TYPE
ETL_API_DB_REMOTE_BUCKET_NAME
ETL_API_JOB_STATUS_DEST_BUCKET_NAME
JOB_STATUS_BUCKET_NAME
JOB_DB_BUCKET_NAME
ENV
ENVIRONMENT
JOB_ENV
JOB_ENVIRONMENT
JOB_OTEL_EXPORTER_OTLP_ENDPOINT
JOB_OTEL_METRICS_EXPORTER
JOB_OTEL_TRACES_EXPORTER
OTEL_EXPORTER_OTLP_ENDPOINT
OTEL_METRICS_EXPORTER
OTEL_TRACES_EXPORTER
UNSTRUCTURED_API_URL
JWKS_URL
JWT_ISSUER
JWT_AUDIENCE
SINGLE_PLANE_DEPLOYMENT
API_BASE_URL
API_CLIENT_BASE_URL
API_URL
APM_SERVICE_NAME
APM_SERVICE_NAME_CLIENT
AUTH_STRATEGY
FRONTEND_BASE_URL
KEYCLOAK_CALLBACK_URL
KEYCLOAK_CLIENT_ID
KEYCLOAK_DOMAIN
KEYCLOAK_REALM
KEYCLOAK_SSL_ENABLED
KEYCLOAK_TRUST_ISSUER
PUBLIC_BASE_URL
PUBLIC_RELEASE_CHANNEL
SENTRY_DSN
SENTRY_SAMPLE_RATE
WORKFLOW_NODE_EDITOR_FF_REQUEST_FORM
CUSTOM_WORKFLOW_FF_REQUEST_FORM
REDIS_DSN
IMAGE_PULL_SECRETS
PRIVATE_KEY_SECRETS_ADAPTER_TYPE
PRIVATE_KEY_SECRETS_ADAPTER_GCP_REGION
SECRETS_ADAPTER_TYPE
SECRETS_ADAPTER_GCP_REGION
File name | Type | Resource name | Namespace | Data keys |
---|---|---|---|---|
data-broker-env-cm.yaml | ConfigMap | data-broker-env | api | JOB_STATUS_BUCKET_NAME , JOB_DB_BUCKET_NAME , BLOB_STORAGE_ADAPTER_TYPE |
data-broker-env-secret.yaml | Secret | data-broker-env | api | BLOB_STORAGE_ADAPTER_GCP_SERVICE_ACCOUNT_KEY_JSON , BLOB_STORAGE_ADAPTER_REGION_NAME |
dataplane-api-env-cm.yaml | Secret | dataplane-api-env | api | DB_PASSWORD , DB_USERNAME , DB_HOST , DB_NAME (note: the file name carries the `-cm.yaml` ConfigMap suffix but the Type is Secret; because it holds DB_PASSWORD it must stay `kind: Secret` — verify the manifest and consider renaming it to `-secret.yaml` for consistency with the other rows) |
etl-operator-env-cm.yaml | ConfigMap | etl-operator-env | etl-operator | BLOB_STORAGE_ADAPTER_BUCKET , JOB_STATUS_BUCKET_NAME , JOB_DB_BUCKET_NAME , BLOB_STORAGE_ADAPTER_TYPE , ENV , ENVIRONMENT , REDIS_DSN , ETL_API_BLOB_STORAGE_ADAPTER_BUCKET , ETL_API_BLOB_STORAGE_ADAPTER_TYPE , ETL_API_DB_REMOTE_BUCKET_NAME , ETL_API_JOB_STATUS_DEST_BUCKET_NAME (listed twice in the manifest — duplicate YAML keys are rejected or silently collapsed depending on the parser, so keep a single entry) , ETL_BLOB_CACHE_BUCKET_NAME , IMAGE_PULL_SECRETS , JOB_ENV , JOB_ENVIRONMENT , JOB_OTEL_EXPORTER_OTLP_ENDPOINT , JOB_OTEL_METRICS_EXPORTER , JOB_OTEL_TRACES_EXPORTER , OTEL_EXPORTER_OTLP_ENDPOINT , OTEL_METRICS_EXPORTER , OTEL_TRACES_EXPORTER , UNSTRUCTURED_API_URL |
etl-operator-env-secret.yaml | Secret | etl-operator-env | etl-operator | BLOB_STORAGE_ADAPTER_GCP_SERVICE_ACCOUNT_KEY_JSON , BLOB_STORAGE_ADAPTER_REGION_NAME |
frontend-env-cm.yaml | ConfigMap | frontend-env | www | API_BASE_URL , API_CLIENT_BASE_URL , API_URL , APM_SERVICE_NAME , APM_SERVICE_NAME_CLIENT , AUTH_STRATEGY , ENV , FRONTEND_BASE_URL , KEYCLOAK_CALLBACK_URL , KEYCLOAK_CLIENT_ID , KEYCLOAK_DOMAIN , KEYCLOAK_REALM , KEYCLOAK_SSL_ENABLED , KEYCLOAK_TRUST_ISSUER , PUBLIC_BASE_URL , PUBLIC_RELEASE_CHANNEL , SENTRY_DSN , SENTRY_SAMPLE_RATE , WORKFLOW_NODE_EDITOR_FF_REQUEST_FORM , CUSTOM_WORKFLOW_FF_REQUEST_FORM |
frontend-env-secret.yaml | Secret | frontend-env | www | API_BEARER_TOKEN , KEYCLOAK_ADMIN_SECRET , KEYCLOAK_CLIENT_SECRET , SESSION_SECRET , SHARED_SECRET (server-side values only — confirm the frontend build does not bundle any of these into client-delivered JavaScript; KEYCLOAK_ADMIN_SECRET in particular looks like an admin-level credential, so check that the www workload actually needs it rather than just KEYCLOAK_CLIENT_SECRET) |
keycloak-secret.yaml | Secret | phasetwo-keycloak-env | www | KEYCLOAK_ADMIN , KEYCLOAK_ADMIN_PASSWORD |
platform-api-env-cm.yaml | ConfigMap | platform-api-env | api | JWKS_URL , JWT_ISSUER , JWT_AUDIENCE , SINGLE_PLANE_DEPLOYMENT |
platform-api-env-secret.yaml | Secret | platform-api-env | api | DB_PASSWORD , DB_USERNAME , DB_HOST , DB_NAME , DB_DATABASE , JWT_SECRET_KEY , AUTH_STRATEGY |
recommender-env-cm.yaml | ConfigMap | recommender-env | recommender | BLOB_STORAGE_ADAPTER_TYPE , ETL_BLOB_CACHE_BUCKET_NAME |
recommender-env-secret.yaml | Secret | recommender-env | recommender | BLOB_STORAGE_ADAPTER_GCP_SERVICE_ACCOUNT_KEY_JSON , BLOB_STORAGE_ADAPTER_REGION_NAME |
secret-provider-api-env-cm.yaml | ConfigMap | secrets-provider-api-env | secrets | ENV , ENVIRONMENT , OTEL_EXPORTER_OTLP_ENDPOINT , OTEL_METRICS_EXPORTER , OTEL_TRACES_EXPORTER , PRIVATE_KEY_SECRETS_ADAPTER_GCP_REGION , PRIVATE_KEY_SECRETS_ADAPTER_TYPE , SECRETS_ADAPTER_GCP_REGION , SECRETS_ADAPTER_TYPE |
secret-provider-api-env-secret.yaml | Secret | secrets-provider-api-env | secrets | BLOB_STORAGE_ADAPTER_GCP_SERVICE_ACCOUNT_KEY_JSON , BLOB_STORAGE_ADAPTER_REGION_NAME |
usage-collector-env-secret.yaml | Secret | usage-collector-env | api | DB_PASSWORD , DB_USERNAME , DB_HOST , DB_NAME , BLOB_STORAGE_ADAPTER_TYPE (non-sensitive — it is delivered via ConfigMaps in the other rows; harmless here but inconsistent) |
data-broker-env-cm.yaml
ConfigMap file, the contents would look like this:
data-broker-env-secret.yaml
Secret file, the contents would look like this: