Google GKE Deployment Guide
Prerequisites
Before deploying to Google Kubernetes Engine (GKE), ensure you have:
- Google Cloud SDK installed and configured
- Kubernetes CLI (kubectl) installed
- Helm 3.x installed
Cluster Setup
- Set your project:
```bash
gcloud config set project YOUR_PROJECT_ID
```
- Create a GKE cluster:
```bash
gcloud container clusters create prime-edm-cluster \
  --zone us-central1-a \
  --num-nodes 3 \
  --machine-type e2-standard-2 \
  --workload-pool YOUR_PROJECT_ID.svc.id.goog
```
The `--workload-pool` flag enables Workload Identity on the cluster. Without it, the `iam.gke.io/gcp-service-account` annotations used later in this guide have no effect and pods silently run with the node service account instead.
- Get credentials:
```bash
gcloud container clusters get-credentials prime-edm-cluster --zone us-central1-a
```
Installing Prime EDM Charts
- Add the Helm repository:
```bash
# Read the repository password from stdin rather than passing it as an argument,
# so it stays out of shell history and `ps` output. Note that $USER is the
# shell's own login name, so use a dedicated variable for the repository user.
printf '%s' "$CHART_PASSWORD" | helm repo add prime-edm https://charts.acx-sandbox.net \
  --username "$CHART_USERNAME" --password-stdin
helm repo update
```
- Create GKE-specific values:
```yaml
# gke-values.yaml
global:
  provider: gcp
  region: us-central1
storage:
  class: standard
serviceAccount:
  annotations:
    iam.gke.io/gcp-service-account: GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
ingress:
  annotations:
    kubernetes.io/ingress.class: gce
```
- Install the chart:
```bash
# Installs into the current kubectl namespace (default); the Workload Identity
# binding later in this guide assumes that namespace. Pin a chart version with
# --version in production so upgrades are deliberate.
helm install prime-edm prime-edm/prime-edm -f gke-values.yaml
```
GKE-Specific Configuration
Storage Classes
GKE ships with several StorageClasses; run `kubectl get storageclass` to see which exist in your cluster before setting `storage.class`:
```yaml
storage:
  # Standard persistent disk (pd-standard, in-tree provisioner)
  class: standard
  # Balanced persistent disk via the CSI driver
  # class: standard-rwo
  # SSD persistent disk
  # class: premium-rwo
  # Regional persistent disk: not a built-in class. Create a StorageClass with
  # replication-type: regional-pd first, then reference it here.
  # class: standard-rwo-regional
```
Load Balancer
Using the Google Cloud (GCE) ingress controller. The address named by `kubernetes.io/ingress.global-static-ip-name` must already exist as a reserved global (not regional) static IP, otherwise the ingress never gets an address:
```yaml
ingress:
  enabled: true
  annotations:
    # Legacy class selector; spec.ingressClassName: gce is the current equivalent
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: prime-edm-ip
```
Workload Identity
Configure Workload Identity. The Kubernetes service account the chart creates must be the one named (namespace and name) in the `roles/iam.workloadIdentityUser` binding, and the annotation must name the Google service account exactly:
```yaml
serviceAccount:
  create: true
  annotations:
    iam.gke.io/gcp-service-account: GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
```
Secrets Management
Google Secret Manager Setup
- Enable Secret Manager API:
```bash
gcloud services enable secretmanager.googleapis.com
```
- Create the service accounts and the Workload Identity binding:
```bash
# Google service account (GSA) the workload will act as
gcloud iam service-accounts create prime-edm-sa

# Grant access per secret rather than project-wide: roles/secretmanager.secretAccessor
# on the project would let the workload read every secret in the project.
# (Assumes the secrets db-username and db-password already exist.)
for secret in db-username db-password; do
  gcloud secrets add-iam-policy-binding "$secret" \
    --member="serviceAccount:prime-edm-sa@$PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"
done

# Kubernetes service account (KSA) in the namespace the chart is installed into
kubectl create serviceaccount prime-edm-ksa --namespace default

# Allow the KSA to impersonate the GSA; the member must name the KSA's namespace exactly
gcloud iam service-accounts add-iam-policy-binding \
  prime-edm-sa@$PROJECT_ID.iam.gserviceaccount.com \
  --role="roles/iam.workloadIdentityUser" \
  --member="serviceAccount:$PROJECT_ID.svc.id.goog[default/prime-edm-ksa]"

# Tell GKE which GSA the KSA maps to; the IAM binding alone does nothing without this
kubectl annotate serviceaccount prime-edm-ksa --namespace default \
  iam.gke.io/gcp-service-account=prime-edm-sa@$PROJECT_ID.iam.gserviceaccount.com
```
- Install External Secrets Operator:
```bash
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets \
  external-secrets/external-secrets \
  --namespace external-secrets \
  --create-namespace \
  --set installCRDs=true
```
- Create SecretStore:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-backend
spec:
  provider:
    gcpsm:
      projectID: PROJECT_ID   # literal project ID: kubectl does not expand $PROJECT_ID
      auth:
        workloadIdentity:
          clusterLocation: us-central1-a   # zone (or region) of the GKE cluster
          clusterName: prime-edm-cluster
          serviceAccountRef:
            name: prime-edm-ksa
            # serviceAccountRef.namespace is only used by a ClusterSecretStore;
            # a SecretStore resolves the KSA in its own namespace
```
- Create ExternalSecret:
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-backend
    kind: SecretStore
  target:
    name: db-credentials
  data:
    # remoteRef.key is the bare Secret Manager secret name; the operator builds
    # projects/<projectID>/secrets/<key>/versions/<version> itself
    - secretKey: username
      remoteRef:
        key: db-username
        version: latest
    - secretKey: password
      remoteRef:
        key: db-password
        version: latest
```
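Because kubectl applies files literally, any `$PROJECT_ID` left in a manifest is sent to the API server unchanged. The script below is an added example, not part of the Prime EDM chart or its documentation: it renders the SecretStore and ExternalSecret from the names used in this guide (cluster `prime-edm-cluster` in `us-central1-a`, KSA `prime-edm-ksa`, secrets `db-username` and `db-password`), refuses to emit a manifest that still contains an unexpanded placeholder, and pipes to kubectl only when invoked with `apply`. `PROJECT_ID` is assumed to be exported by the caller; the file name `render-eso.sh` is hypothetical.

```shell
#!/bin/sh
# Added example: renders the ESO SecretStore and ExternalSecret from shell
# variables and blocks any unexpanded "$NAME" placeholder before kubectl sees it.
# Cluster name/zone and secret names follow the guide; PROJECT_ID comes from the caller.
set -eu

# SecretStore authenticating with Workload Identity.
# $1 project ID, $2 cluster name, $3 cluster location (zone or region), $4 KSA name
render_secret_store() {
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-backend
spec:
  provider:
    gcpsm:
      projectID: $1
      auth:
        workloadIdentity:
          clusterLocation: $3
          clusterName: $2
          serviceAccountRef:
            name: $4
EOF
}

# ExternalSecret: $1 target Secret name, then secretKey=secretManagerName pairs.
# remoteRef.key is the bare Secret Manager name; the operator adds projects/<id>/secrets/.
render_external_secret() {
  target=$1
  shift
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: $target
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-backend
    kind: SecretStore
  target:
    name: $target
  data:
EOF
  for pair in "$@"; do
    printf '    - secretKey: %s\n      remoteRef:\n        key: %s\n        version: latest\n' \
      "${pair%%=*}" "${pair#*=}"
  done
}

# Reject a value that is empty or still looks like an unexpanded placeholder.
# $1 variable name (for the message), $2 value
require_value() {
  case ${2-} in
    ''|*'$'*)
      echo "$1 is unset or still a placeholder: '${2-}'" >&2
      return 1 ;;
  esac
}

# Fail if the manifest on stdin still contains a $NAME or ${NAME} placeholder.
reject_placeholders() {
  if grep -nE '\$[{]?[A-Za-z_][A-Za-z0-9_]*' >&2; then
    echo "manifest contains unresolved placeholders; refusing to continue" >&2
    return 1
  fi
}

# Render both manifests; "apply" additionally pipes them into kubectl.
main() {
  require_value PROJECT_ID "${PROJECT_ID-}"
  manifests=$(
    render_secret_store "$PROJECT_ID" prime-edm-cluster us-central1-a prime-edm-ksa
    echo '---'
    render_external_secret db-credentials username=db-username password=db-password
  )
  printf '%s\n' "$manifests" | reject_placeholders
  if [ "${1-}" = apply ]; then
    printf '%s\n' "$manifests" | kubectl apply --namespace default -f -
  else
    printf '%s\n' "$manifests"
  fi
}

case ${1-} in render|apply) main "$1" ;; esac
```

Run `PROJECT_ID=my-project sh render-eso.sh render` to inspect the output, and `... apply` to submit it. The placeholder check is deliberately strict: a `$` anywhere in the rendered YAML aborts the run, which is the failure mode you want when a variable was never exported.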
Monitoring
Cloud Operations Integration
Enable Cloud Operations (formerly Stackdriver):
```yaml
monitoring:
  cloudOperations:
    enabled: true
    projectId: YOUR_PROJECT_ID
```
Best Practices
- Use node selectors:
```yaml
# The node pool must already exist; the cluster created above only has default-pool
nodeSelector:
  cloud.google.com/gke-nodepool: prime-edm-pool
```
- Set resource requests and limits (requests drive scheduling and autoscaling, limits cap a misbehaving pod):
```yaml
resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: 500m
    memory: 1Gi
```
- Enable auto-scaling:
```yaml
# HorizontalPodAutoscaler; a CPU target only works when resources.requests.cpu is set
autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
```
Troubleshooting
Common issues and how to check them:
Load balancer issues:
- Check firewall rules: GCE load balancer health checks originate from 130.211.0.0/22 and 35.191.0.0/16, and those ranges must be allowed to reach the node ports (`gcloud compute firewall-rules list` shows the rules GKE created)
- Verify health checks: `kubectl describe ingress` shows per-backend health in the `ingress.kubernetes.io/backends` annotation; an UNHEALTHY backend usually means the readiness probe path is not returning 200
- Validate backend services: the Service the ingress references must exist in the same namespace and its port must match the container port
- Confirm the static IP: `kubernetes.io/ingress.global-static-ip-name` needs a reserved global address of that exact name
Storage problems:
- Confirm the storage class exists: `kubectl get storageclass`
- Check PVC status: `kubectl describe pvc` shows provisioning events; Pending with a WaitForFirstConsumer class is normal until a pod is scheduled
- Verify IAM permissions: disk provisioning runs under the node service account, and a permission-denied error from compute.googleapis.com appears in the PVC events
Identity issues:
- Check Workload Identity setup: the cluster (or node pool) must have a workload pool configured, and the KSA must carry the `iam.gke.io/gcp-service-account` annotation
- Verify service account bindings: the `roles/iam.workloadIdentityUser` member must name the KSA's namespace and name exactly; a binding for the same KSA in a different namespace is the most common mistake
- Validate IAM roles: the GSA must hold the role on the resource it reads (for secrets, `roles/secretmanager.secretAccessor`)
- Confirm the identity a pod actually receives: from a pod running as the KSA, querying `http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email` with the `Metadata-Flavor: Google` header should return the GSA's email, not the node service account's
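The identity checks above boil down to three strings that must agree: the KSA annotation, the member in the GSA's `roles/iam.workloadIdentityUser` binding, and the identity the metadata server hands to a pod. The script below is an added example, not from the Prime EDM documentation: the check functions operate on plain strings so they can be exercised without cluster access, and `live_check` shows the kubectl/gcloud commands that obtain those strings (it assumes kubectl and gcloud are authenticated and uses the public `curlimages/curl` image for the in-pod probe). Names follow this guide; the file name `wi-check.sh` is hypothetical.

```shell
#!/bin/sh
# Added example: verifies Workload Identity wiring (KSA annotation, IAM binding
# member, identity seen by a pod). Check functions take strings so they run offline.
set -eu

# The IAM member GKE presents for pods running as namespace $2 / KSA $3 in project $1.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# $1 value of the KSA's iam.gke.io/gcp-service-account annotation, $2 expected GSA email
check_ksa_annotation() {
  case ${1-} in
    "$2") return 0 ;;
    '')   echo "KSA has no iam.gke.io/gcp-service-account annotation" >&2; return 1 ;;
    *)    echo "KSA annotation names '$1', expected '$2'" >&2; return 1 ;;
  esac
}

# $1 newline-separated members of the GSA's roles/iam.workloadIdentityUser binding,
# $2 project, $3 namespace, $4 KSA name
check_wi_binding() {
  expected=$(wi_member "$2" "$3" "$4")
  if printf '%s\n' "$1" | grep -qxF "$expected"; then
    return 0
  fi
  # Most common mistake: the binding names the right KSA in the wrong namespace.
  if printf '%s\n' "$1" | grep -qF "/$4]"; then
    echo "binding for '$4' exists but not in namespace '$3'; expected $expected" >&2
  else
    echo "no workloadIdentityUser binding for $expected" >&2
  fi
  return 1
}

# $1 project, $2 namespace, $3 KSA, $4 GSA email. Needs kubectl and gcloud.
live_check() {
  ann=$(kubectl -n "$2" get serviceaccount "$3" \
          -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}')
  check_ksa_annotation "$ann" "$4"
  members=$(gcloud iam service-accounts get-iam-policy "$4" \
              --flatten='bindings[].members' \
              --filter='bindings.role:roles/iam.workloadIdentityUser' \
              --format='value(bindings.members)')
  check_wi_binding "$members" "$1" "$2" "$3"
  # Final proof: ask the metadata server which identity a pod running as the KSA gets.
  kubectl -n "$2" run wi-test --rm -i --restart=Never --image=curlimages/curl \
    --overrides="{\"spec\":{\"serviceAccountName\":\"$3\"}}" -- \
    curl -s -H 'Metadata-Flavor: Google' \
    http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email
  echo
}

case ${1-} in live) shift; live_check "$@" ;; esac
```

Usage: `sh wi-check.sh live my-project default prime-edm-ksa prime-edm-sa@my-project.iam.gserviceaccount.com`. If the final curl prints the node service account's email rather than the GSA's, the binding and annotation are consistent but the cluster or node pool has no workload pool configured.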