Installing Optimizer Hub on Google Cloud
To install Optimizer Hub on Google Cloud, please follow the instructions on Installing Optimizer Hub on Kubernetes.
Configuring GCP Blob Storage
Optimizer Hub requires a bucket and R/W permissions to the bucket.
- Within the Google Cloud system, create the bucket and R/W permissions.
- Configure the Optimizer Hub storage by adding the following to your values-override.yaml file:

    storage:
      blobStorageService: gcp-blob
      gcpBlob:
        commonBucket: opthub-storage0

- Configure the permissions by adding the following to your values-override.yaml file:

    deployment:
      serviceAccount:
        annotations:
          iam.gke.io/gcp-service-account: <YOUR_SERVICE_ACCOUNT>
IAM Policy Update
An IAM policy update is required to grant the service account the role that carries the required permissions for the bucket:
>> gsutil iam get gs://<YOUR_BUCKET>
{
  "bindings": [
    ...
    {
      "members": [
        "serviceAccount:<YOUR_SERVICE_ACCOUNT>"
      ],
      "role": "roles/storage.objectAdmin"
    }
  ],
  "etag": "CAM="
}
You can use the following CLI command to assign the required roles to a bucket:
>> gsutil iam ch serviceAccount:<YOUR_SERVICE_ACCOUNT>:roles/storage.objectAdmin gs://<YOUR_BUCKET>
IAM Policy Binding
>> gcloud iam service-accounts get-iam-policy <YOUR_SERVICE_ACCOUNT>
bindings:
- members:
  - serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-cache]
  - serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-compile-broker]
  - serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-gateway]
  - serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-mgmt-gateway]
  role: roles/iam.workloadIdentityUser
etag: BwYo0_53sDw=
version: 1
You can use the following CLI commands to add the workloadIdentityUser role for the Kubernetes service accounts of the server components (opthub-cache, opthub-compile-broker, opthub-gateway, and opthub-mgmt-gateway):
gcloud iam service-accounts \
  add-iam-policy-binding <YOUR_SERVICE_ACCOUNT> \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-gateway]"

gcloud iam service-accounts \
  add-iam-policy-binding <YOUR_SERVICE_ACCOUNT> \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-cache]"

gcloud iam service-accounts \
  add-iam-policy-binding <YOUR_SERVICE_ACCOUNT> \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-compile-broker]"

gcloud iam service-accounts \
  add-iam-policy-binding <YOUR_SERVICE_ACCOUNT> \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:<YOUR_PROJECT_ID>.svc.id.goog[<YOUR_NAMESPACE>/opthub-mgmt-gateway]"
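
To confirm the result of the four commands above, the following added example (not part of the Optimizer Hub documentation) audits the JSON form of the policy, as printed by gcloud iam service-accounts get-iam-policy <YOUR_SERVICE_ACCOUNT> --format=json, for missing component bindings and for principals that hold roles/iam.workloadIdentityUser without being one of the four components. The function name audit_policy, the project example-project and the namespace opthub are assumptions, and the sample policy is constructed.

```python
import json
import re

ROLE = "roles/iam.workloadIdentityUser"
COMPONENTS = ("opthub-cache", "opthub-compile-broker",
              "opthub-gateway", "opthub-mgmt-gateway")
# Workload Identity principal: serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
WI_MEMBER = re.compile(r"^serviceAccount:[^\[\]]+\.svc\.id\.goog\[[^/\[\]]+/[^/\[\]]+\]$")

# Constructed sample in the shape of `get-iam-policy --format=json` output.
# Project "example-project" and namespace "opthub" are assumed values.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": ROLE, "members": [
        "serviceAccount:example-project.svc.id.goog[opthub/opthub-cache]",
        "serviceAccount:example-project.svc.id.goog[opthub/opthub-compile-broker]",
        "serviceAccount:example-project.svc.id.goog[opthub/opthub-gateway]",
        "serviceAccount:example-project.svc.id.goog[default/opthub-mgmt-gateway]",
        "user:dev@example.com",
    ]},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:admin@example.com"]},
], "etag": "constructed", "version": 1})


def audit_policy(policy_json, project, namespace):
    """Compare workloadIdentityUser members with the four expected bindings."""
    expected = {f"serviceAccount:{project}.svc.id.goog[{namespace}/{name}]"
                for name in COMPONENTS}
    granted = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") == ROLE:
            granted.update(binding.get("members", []))
    extra = granted - expected
    return {
        # Components whose pods cannot impersonate the Google service account.
        "missing": sorted(expected - granted),
        # Workload Identity principals outside the expected namespace/name set.
        "unexpected": sorted(m for m in extra if WI_MEMBER.match(m)),
        # Users, groups or plain service accounts holding the role.
        "other_principals": sorted(m for m in extra if not WI_MEMBER.match(m)),
    }


if __name__ == "__main__":
    for finding, members in audit_policy(SAMPLE_POLICY, "example-project", "opthub").items():
        print(finding, members)
```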