GKE Deployer Parameters for OpenLegacy Hub
OpenLegacy Hub's GKE deployer requires specific JSON parameters for authentication and deployment targeting.
Default Configuration Template
{
"replicas": 1,
"namespace": "default",
"selector": {},
"kubeConfig": null,
"makePublic": false,
"masterUrl": null,
"token": null,
"projectId": null,
"clusterName": null,
"zone": null,
"serviceAccountKey": null,
"clientId": null,
"clientSecret": null,
"useApplicationDefaultCredentials": false,
"enableIngress": false,
"ingressClass": "gce",
"awaitTimeout": 10000
}
Parameter Reference Table
| Parameter | Description | Required | Example |
|---|---|---|---|
| replicas | Number of pod replicas | Optional | 1 |
| namespace | GKE target namespace | Recommended | default |
| selector | Pod selector labels | Optional | |
| kubeConfig | Base64 kubeconfig (alternative auth) | Optional | null |
| makePublic | Create public LoadBalancer service | Optional | false |
| masterUrl | GKE cluster endpoint (auto-discovered) | Optional | null |
| token | Kubernetes service account token | Optional | null |
| projectId | GCP project ID | Required | my-gke-project-123 |
| clusterName | GKE cluster name | Required | my-production-cluster |
| zone | GKE cluster zone or region (zone: us-central1-a; region: us-central1) | Required | us-central1-a |
| serviceAccountKey | Base64 JSON service account key (preferred) | Recommended | [base64-key] |
| clientId | OAuth2 client ID (app credentials) | With OAuth | [client-id] |
| clientSecret | OAuth2 client secret | With OAuth | [client-secret] |
| useApplicationDefaultCredentials | Use gcloud ADC (runs on GCP VM) | With ADC | true |
| enableIngress | Create Google Cloud Ingress | Optional | false |
| ingressClass | Ingress controller class | With Ingress | gce / nginx |
| awaitTimeout | Deployment readiness timeout (ms) | Recommended | 10000 |
Authentication Options (Choose One)
Option 1: Service Account Key (Recommended)
projectId: "my-project"
clusterName: "my-cluster"
zone: "us-central1-a"
serviceAccountKey: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
Option 2: OAuth2 App Credentials
projectId: "my-project"
clientId: "123456.apps.googleusercontent.com"
clientSecret: "GOCSPX-abc123"
Option 3: Application Default Credentials
useApplicationDefaultCredentials: true
Requires: gcloud auth application-default login
Setup Instructions
- Create Service Account:
gcloud iam service-accounts create ol-hub-deployer --project=my-project
- Grant Permissions:
gcloud projects add-iam-policy-binding my-project --member="serviceAccount:[email protected]" --role="roles/container.clusterAdmin"
- Download Key:
gcloud iam service-accounts keys create key.json --iam-account=[email protected]
base64 -w 0 key.json # Copy output to serviceAccountKey
- Find Cluster Details:
gcloud container clusters list --project=my-project
Ingress Configuration
enableIngress: true
ingressClass: "gce" # Google Cloud Load Balancer
# OR "nginx" for nginx-ingress
Minimal GKE Config
{
"projectId": "my-gcp-project",
"clusterName": "my-gke-cluster",
"zone": "us-central1-a",
"serviceAccountKey": "eyJ0eXAiOiJKV1QiLCJhbGc...",
"replicas": 1,
"namespace": "default"
}
Security Best Practices
- Use Workload Identity Federation instead of service account keys when possible
- Restrict service account to container.developer role minimum
- Enable Workload Identity on GKE cluster
- Rotate keys every 90 days
- Use regional clusters (zone: "us-central1") for HA
This configuration deploys OpenLegacy APIs to GKE with Google Cloud authentication and optional Ingress exposure.
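A pre-flight check for the parameters above, as an added example that is not part of OpenLegacy Hub or its deployer: it verifies the required fields, that exactly one of the three listed authentication options is populated, and that serviceAccountKey decodes to a service account key file. The function name, finding strings and SAMPLE_KEY are assumptions made for this example; the `type` check relies on the standard layout of Google service account key files.

```python
import base64
import json

REQUIRED = ("projectId", "clusterName", "zone")  # marked Required in the table

# Constructed sample key file (no real credential), encoded like `base64 -w 0 key.json`.
SAMPLE_KEY = base64.b64encode(json.dumps(
    {"type": "service_account", "client_email": "deployer@example.invalid"}
).encode()).decode()


def lint_deployer_config(cfg):
    """Return a list of findings for a GKE deployer parameter dict."""
    findings = [f"missing required parameter: {n}" for n in REQUIRED if not cfg.get(n)]

    # "Authentication Options (Choose One)": count which options are populated.
    methods = {
        "serviceAccountKey": bool(cfg.get("serviceAccountKey")),
        "oauth": bool(cfg.get("clientId") or cfg.get("clientSecret")),
        "adc": bool(cfg.get("useApplicationDefaultCredentials")),
    }
    chosen = [name for name, used in methods.items() if used]
    if len(chosen) != 1:
        findings.append(f"expected exactly one auth option, found: {chosen or 'none'}")
    if methods["oauth"] and not (cfg.get("clientId") and cfg.get("clientSecret")):
        findings.append("OAuth needs both clientId and clientSecret")

    key = cfg.get("serviceAccountKey")
    if key:
        try:
            # Decode strictly; the key material itself is never echoed in a finding.
            doc = json.loads(base64.b64decode(key, validate=True))
            if not isinstance(doc, dict) or doc.get("type") != "service_account":
                findings.append("serviceAccountKey is not a service account key file")
        except (ValueError, TypeError):  # bad base64, bad UTF-8/JSON, or non-string value
            findings.append("serviceAccountKey is not base64-encoded JSON")
        findings.append("note: long-lived key in use; rotate every 90 days")

    if cfg.get("makePublic"):
        findings.append("note: makePublic creates a public LoadBalancer service")
    return findings


if __name__ == "__main__":
    cfg = {"projectId": "my-project", "clusterName": "my-cluster",
           "zone": "us-central1-a", "serviceAccountKey": SAMPLE_KEY, "makePublic": True}
    for finding in lint_deployer_config(cfg):
        print(finding)
```

Running it against a config before handing it to the deployer catches a truncated or mis-encoded key and a config that mixes credential types.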
