
Self Hosted Installation on GCP GKE

Prerequisites

To install and run a self-hosted Mission Control on GCP GKE you need to have the following prerequisites:

  • GKE 1.28+ with an Ingress Controller
  • 500m - 2000m of CPU and 6 - 8GB of Memory (2 - 4GB if using an external DB)
  • Persistent Volumes with 20GB+ of storage or an external postgres database like CloudSQL
  • Access to create
  • (Optional) SMTP Server (For sending notifications and invites)

Create an IAM Role

Depending on how you want to use Mission Control, you need to create an IAM role for Mission Control to use:

Use Case                                      Role
Read Only Scraping                            roles/viewer
Playbooks to create and update GCP Resources  roles/editor

Configure IAM Roles for Mission Control

You can also refer to the official docs for Workload Identity.

  1. Enable workload identity

    # The name of the GKE cluster mission control is being deployed to
    export CLUSTER=<CLUSTER_NAME>
    # the default namespace the mission-control helm chart uses
    export NAMESPACE=mission-control
    # GCP Project ID
    export PROJECT_ID=gcp-project-id
    # GCP Project Number
    export PROJECT_NUMBER=gcp-project-number
    # Location of GKE Cluster
    export LOCATION=us-east1

    gcloud container clusters update $CLUSTER \
    --location=$LOCATION \
    --workload-pool=$PROJECT_ID.svc.id.goog

  2. Bind IAM Policy

    $KSA_NAME refers to the Kubernetes service account name. In our case, we need to bind to 3 service accounts: mission-control-sa, canary-checker-sa and config-db-sa.

    # IAM role chosen from the table above (roles/viewer or roles/editor)
    export ROLE=roles/viewer

    gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
    --role=$ROLE \
    --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/mission-control-sa \
    --condition=None

    gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
    --role=$ROLE \
    --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/canary-checker-sa \
    --condition=None

    gcloud projects add-iam-policy-binding projects/$PROJECT_ID \
    --role=$ROLE \
    --member=principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$PROJECT_ID.svc.id.goog/subject/ns/$NAMESPACE/sa/config-db-sa \
    --condition=None

  3. Choose a routable DOMAIN for Mission Control

    See Ingress for more options on configuring the ingress, including generating certs with cert-manager.

    See Local Testing for testing using kind or minikube without a routable domain.

  4. Install Mission Control

    apiVersion: v1
    kind: Namespace
    metadata:
      name: mission-control
    ---
    apiVersion: source.toolkit.fluxcd.io/v1
    kind: HelmRepository
    metadata:
      name: flanksource
      namespace: mission-control
    spec:
      interval: 5m0s
      url: https://flanksource.github.io/charts
    ---
    apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    metadata:
      name: mission-control
      namespace: mission-control
    spec:
      chart:
        spec:
          chart: mission-control
          sourceRef:
            kind: HelmRepository
            name: flanksource
            namespace: mission-control
      interval: 5m
      values:
        # HelmRelease values are nested maps, so global.ui.host is written out
        # in full; replace DOMAIN with the routable domain chosen in step 3
        global:
          ui:
            host: DOMAIN

    See values.yaml
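
To confirm that step 2 left each of the three service accounts with exactly the role you intended and nothing broader, the flattened project IAM policy can be checked per account. This is an added example, not part of the Mission Control documentation; the function names `wi_member`, `audit_bindings` and `sample_rows`, the default project values and the sample rows are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the Workload Identity bindings from step 2.
# Defaults are constructed placeholders, not real project data.
PROJECT_ID="${PROJECT_ID:-example-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"
NAMESPACE="${NAMESPACE:-mission-control}"
KSAS="mission-control-sa canary-checker-sa config-db-sa"

# Build the principal:// member string used by the bindings in step 2.
wi_member() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s' \
    "$PROJECT_NUMBER" "$PROJECT_ID" "$NAMESPACE" "$1"
}

# Read "role<TAB>member" rows on stdin and report each service account.
# $1 is the role you intended to grant (roles/viewer or roles/editor).
# Returns non-zero if a binding is missing or any other role is attached.
audit_bindings() {
  want="$1"; rows="$(cat)"; rc=0
  for ksa in $KSAS; do
    member="$(wi_member "$ksa")"
    roles="$(printf '%s\n' "$rows" |
      awk -F'\t' -v m="$member" '$2 == m { print $1 }' | sort -u | tr '\n' ' ')"
    roles="${roles% }"
    case "$roles" in
      "")      echo "MISSING $ksa"; rc=1 ;;
      "$want") echo "OK $ksa $roles" ;;
      *)       echo "UNEXPECTED $ksa $roles"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Live usage (needs gcloud and permission to read the project IAM policy):
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#     --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)' | audit_bindings roles/viewer

# Constructed sample rows: one correct binding, one account that also holds
# roles/editor, one account with no binding, and an unrelated principal.
sample_rows() {
  printf '%s\t%s\n' roles/viewer "$(wi_member mission-control-sa)"
  printf '%s\t%s\n' roles/viewer "$(wi_member canary-checker-sa)"
  printf '%s\t%s\n' roles/editor "$(wi_member canary-checker-sa)"
  printf '%s\t%s\n' roles/owner  "user:admin@example.com"
}

sample_rows | audit_bindings roles/viewer || true
```

An `UNEXPECTED` line for a read-only deployment means the account holds more than `roles/viewer`; a `MISSING` line means the pod for that service account has no binding under the role being audited.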

Next Steps