GCP Project Operator
GCP Project Operator is an open source project responsible for creating and destroying projects and service accounts in GCP. It stores the credentials in a secret, so other Kubernetes applications (operators) can use them and interact with GCP to create cloud resources or any other underlying infrastructure (such as storage or virtual machines).
You can get a quick overview of what's happening inside the Operator by watching this video.
If you like to contribute to GCP Project Operator, please be so kind to read our Contribution Policy first.
- Google GCP configuration -- The Operator expects a
Secretto be already present in the cluster before you use it.
- How to use it -- Tell the Operator to create or delete a new GCP Project for you.
- Debugging -- Useful tips and commands.
- API -- Options you can fine-tune for
- Design -- Describes the interaction between the custom resource definitions.
- Building -- Instructions for building the project.
- Development -- Instructions for developers who want to contribute.
- Testing -- Instructions for writing tests.
- Troubleshooting -- Common errors and pitfalls.
- Code Analysis -- A high-level analysis of the code to get yourself familiar with the codebase.
Workflow - ProjectClaim
- The operator watches all namespaces for
- When a
ProjectClaimis found (see example below) the operator triggers the creation of a project in GCP.
- After successful project creation:
- The field
Statewill be set to
- A secret is created in the cluster namespace, as defined in the
- The field
spec.gcpProjectIDwill be filled with the ID of the GCP project.
- A list of available zones in the input region is set in
- The field
- When a
ProjectClaimis removed, the secret, the GCP project and its ServiceAccounts are deleted.
- The operator removes the finalizer from the
Example Input Custom Resource
apiVersion: gcp.managed.openshift.io/v1alpha1 kind: ProjectClaim metadata: name: example-projectclaim namespace: example-clusternamespace spec: region: us-east1 gcpCredentialSecret: name: gcp-secret namespace: example-clusternamespace legalEntity: name: example-legal-entity id: example-legal-entity-id
- Typically you'll want to use CRC, though it's fine if you're running OpenShift another way.
- You need to have the operator-sdk binary in your
Start operator locally
oc new-project gcp-project-operator oc apply -f deploy/crds/gcp.managed.openshift.io_projectclaims.yaml oc apply -f deploy/crds/gcp.managed.openshift.io_projectreferences.yaml operator-sdk up local --namespace gcp-project-operator
NOTE: The above command works with operator-sdk v0.11.0. If it fails to run, try using one of the older commands:
operator-sdk run --local --namespace gcp-project-operator operator-sdk run local --watch-namespace gcp-project-operator
If everything went ok, you should see some startup logs from the operator in your terminal window.
There are example CRs in
deploy/crds/ you might want to use to see how the operator reacts to their presence (and absence if you delete them).
You can run the tests using
make gotest or
go test ./...
For the operator to interact with GCP properly, it needs a bit of configuration first.
Note: unless you're running this against your very own GCP org, someone likely already has this stuff prepared for you. Ask around.
- Create a gcp service account with appropriate permissions to an empty folder ("(Project) Owner" and "Project Creator" should suffice).
- Generate keys for the service account and download them.
oc create -n gcp-project-operator secret generic gcp-project-operator-credentials --from-file=key.json=YOUR-KEYS-FILE-NAME.json
The controller expects to find a
ConfigMap with the name
gcp-project-operator inside the
For how to create a
ConfigMap, please refer to the doc.