Skip to content
Operator responsible for managing GCP projects and credentials.
Go Python Shell Makefile Dockerfile
Branch: master
Clone or download


The gcp project operator is reponsible for creating projects and service accounts in GCP and storing the credentials in a secret.

Workflow - ProjectClaim

  1. The operator watches all namespaces for ProjectClaim resources
  2. When a ProjectClaim is found (see example below) the operator triggers the creation of a project in GCP
  3. After successful project creation
    • the field State will be set to Ready
    • A secret is created in the cluster namespace, as defined in the ProjectClaim
    • The field spec.gcpProjectID will be filled with the ID of the GCP project
  4. When a ProjectClaim is removed, the GCP project and service accounts are deleted (WIP)
  5. The operator removes the finalizer from the ProjectClaim (WIP)

Example CR

kind: ProjectClaim
  name: example-projectclaim
  namespace: example-clusternamespace
  region: us-east1
    name: gcp-secret
    namespace: example-clusternamespace
    name: example-legal-entity
    id: example-legal-entity-id

Workflow - ClusterDeployment (deprecated)

  • The operator would watch clusterdeployments in all namespaces.
  • Operator would check that the clusterdeployment’s labels “ = true” and “ = gcp"
    • If both labels are as expected and clusterdeployment field “Spec.Installed = false”
      • The operator will create a project for the cluster from the name provided in “Spec.Platform.GCP.ProjectID” in the region provided by "Spec.Platform.GCP.Region"
      • The operator will then enable the required APIs.
      • The operator will set quotas as required
      • The operator will then create a service account for the operator and key
      • The operator will create a secret called gcp
      • The operator will add a finalizer to the clusterdeployment
    • If both labels are as expected and the clusterdeployment field “Spec.Installed = true” and the clusterdeployment is attempted to be deleted.
      • The operator will delete the service account and project
      • The operator will remove the finalizer


  • OCM will provide a clusterdeployment with the following
    • An agreed upon secret name in "Spec.PlatformSecrets.GCP.Credentials.Name" now it is using name gcp
    • Unique name in projectID “Spec.Platform.GCP.ProjectID”
    • Supported region in “Spec.Platform.GCP.Region”
    • Ssh Key in the clusterdeployment namesapcew with the clusterdeployment "Spec.SshKey.Name" filled out -- Service account credentials with permissions to create projects, service accounts, and service account keys in the operator namespace gcp-project-operator



Just run make.

Local Dev


  • Typically you'll want to use CRC, though it's fine if you're running OpenShift another way.
  • You need to have the operator-sdk binary in your $PATH.

Load Hive CRDS

For gcp-project-operator to work, the cluster needs to have CRDs from Hive present in the system.

Note: the git clone below isn't using the master branch.

git clone --branch v1alpha1
for crd in hive/config/crds/hive_v1alpha1_*.yaml; do (set -x; oc apply -f $crd); done

Start operator locally

oc new-project gcp-project-operator
oc apply -f deploy/crds/gcp_v1alpha1_projectclaim_crd.yaml
oc apply -f deploy/crds/gcp_v1alpha1_projectreference_crd.yaml

operator-sdk run --local --namespace gcp-project-operator

If everything went ok, you should see some startup logs from the operator in your terminal window.

There are example CRs in deploy/crds/ you might want to use to see how the operator reacts to their presence (and absence if you delete them).


Pushing Image To quay

If you have permissions to push to You can use the following commands to push the latest code

podman build . -f build/Dockerfile -t

podman push

Deploying code

Currently it is being deployed using image '' Update deploy/operator.yaml with image you would like deployed.

oc apply -f deploy/cluster_role_binding.yaml
oc apply -f deploy/cluster_role.yaml
oc apply -f deploy/service_account.yaml
oc apply -f deploy/operator.yaml

If you need to update to lastest image pushed to quay repo

oc scale deployment gcp-project-operator -n gcp-project-operator --replicas=0

oc scale deployment gcp-project-operator -n gcp-project-operator --replicas=1


For the operator to interact with GCP properly, it needs a bit of configuration first.

Note: unless you're running this against your very own GCP org, someone likely already has this stuff prepared for you. Ask around.

Auth Secret

  1. Create a gcp service account with appropriate permissions to an empty folder ("(Project) Owner" and "Project Creator" should suffice).
  2. Generate keys for the service account and download them.
  3. Run oc create -n gcp-project-operator secret generic gcp-project-operator-credentials --from-file=key.json=YOUR-KEYS-FILE-NAME.json


The controller expects to find a ConfigMap with the name gcp-project-operator inside the gcp-project-operator namespace. It will parse it and verify its contents, expecting to extract the values of two specific fields that should be already populated by you:

  • billingAccount
  • parentFolderID

To fulfil this prerequisite, please type:

export PARENTFOLDERID="123456789123"         # Google Cloud organization Parent Folder ID
export BILLINGACCOUNT="123456-ABCDEF-123456" # Google billing ID from

kubectl create -n gcp-project-operator configmap gcp-project-operator --from-literal parentFolderID=$PARENTFOLDERID --from-literal billingAccount=$BILLINGACCOUNT
You can’t perform that action at this time.