Fabian Lee : Software Engineer

GCP: quota project error when invoking GCP API using ADC application-default

October 14, 2023
Categories: Hyperscaler

If you receive an error similar to below when calling the GCP API using ADC login credentials with either gcloud or terraform: Cannot add the project “myproj-i1wsbbn8pkfeq3jhkcg0z4” to ADC as the quota project because the account in ADC does not have the “serviceusage.services.use” permission on this project. You might receive a “quota_exceeded” or “API not … GCP: quota project error when invoking GCP API using ADC application-default

GCP: determining whether GKE cluster mode is Standard or Autopilot

May 8, 2023
Categories: Hyperscaler

If you need to determine at the CLI whether a GKE cluster is managed using Standard or Autopilot mode, this is available by using gcloud to describe the cluster. # identify cluster and location gcloud container clusters list cluster_name=<clusterName> location_flag=”–region=<region>” # OR –zone=<zone> # returns ‘True’ if GKE AutoPilot cluster # returns empty if standard … GCP: determining whether GKE cluster mode is Standard or Autopilot

GCP: Google Cloud Storage bucket with permissions for user or service account

February 24, 2023
Categories: Hyperscaler

Creating a Google Cloud Storage bucket is simple, but the IAM permissions required to perform operations in the bucket can be difficult to understand. Especially when you want something as simple as to provide upload/download access to the person who created the bucket and perhaps a service account. Below are the commands for creating a … GCP: Google Cloud Storage bucket with permissions for user or service account

GCP: running a container on a GKE cluster using Workload Identity

May 23, 2022
Categories: Hyperscaler

With Workload Identity enabled on a GKE cluster, your container can access Google Cloud API services (Compute Engine, Storage, etc.) using a Kubernetes Service Account (KSA). This is done by having the container run as the KSA, where the KSA has been bound to the Google Service Account (GSA). This is the recommended way of … GCP: running a container on a GKE cluster using Workload Identity

GCP: Enabling autoUpgrade for node-pools to reduce manual maintenance

May 17, 2022
Categories: Hyperscaler, Kubernetes

GKE cluster upgrades do not need to be a manual process. GKE clusters can be auto upgraded by subscribing the cluster to an appropriate release channel and assigning a sensible maintenance window. As long as adequate pod disruption budgets, replicas, and ingress are configured, these upgrades can happen without interrupting availability. To check the current … GCP: Enabling autoUpgrade for node-pools to reduce manual maintenance

GCP: Moving a VM instance to a different region using snapshots

May 1, 2022
Categories: Hyperscaler

The ‘gcloud compute instances move‘ command is convenient for moving VM instances from one region to another, but only works within a narrow scope of OS image types and disks. For example, only older non-UEFI OS images can be moved with this command. Trying to move even the simplest Ubuntu bionic/focal or Debian bullseye/buster VM … GCP: Moving a VM instance to a different region using snapshots

GCP: Cloud Function to handle requests to HTTPS LB during maintenance

April 1, 2022
Categories: Hyperscaler

At some point you may need to schedule a maintenance window for your solution But that doesn’t mean the end-user traffic or client integrations will stop requesting the services from the GCP external HTTPS LB that fronts all client requests. The VM instances and GKE clusters that normally respond to requests may not be able … GCP: Cloud Function to handle requests to HTTPS LB during maintenance

GCP: Deploying a 2nd gen Python Cloud Function and exposing from an HTTPS LB

April 1, 2022
Categories: Hyperscaler

GCP Cloud Functions have taken a step forward with the 2nd generation release. One of the biggest architectural differences is that now multiple request can run concurrently on a single instance, enabling large traffic loads. In this article, I will show you how to deploy a simple Python Flask web server as a 2nd gen … GCP: Deploying a 2nd gen Python Cloud Function and exposing from an HTTPS LB

GCP: global external HTTPS LB for securely exposing insecure VM services

March 30, 2022
Categories: Hyperscaler

If you have unmanaged GCP VM instances running services on insecure ports (e.g. Apache HTTP on port 80), one way to secure the public external traffic is to create an external GCP HTTPS load balancer. Conceptually, we want to expose a secure front to otherwise insecure services. While the preferred method would be to secure … GCP: global external HTTPS LB for securely exposing insecure VM services

GCP: internal HTTPS LB for securely exposing insecure VM services

March 30, 2022
Categories: Hyperscaler

If you have unmanaged GCP VM instances running services on insecure ports (e.g. Apache HTTP on port 80), one way to secure the internal communication coming from other internal pods/apps is to create an internal GCP HTTPS load balancer. Conceptually, we want to expose a secure front to otherwise insecure services. While the preferred method … GCP: internal HTTPS LB for securely exposing insecure VM services

GCP: serving a maintenance page using an HTTPS LB and container native routing

March 14, 2022
Categories: Containers

No matter how highly available your services, there may still be significant backend events that require planned maintenance. During this downtime, you should still reply to end users and service integrations with a proper response. In this article, I will show you how to configure your GCP HTTPS Loadbalancer so that a single maintenance service … GCP: serving a maintenance page using an HTTPS LB and container native routing

GCP: enabling Cloud Armor on GCP HTTPS LB for Anthos Service Mesh

March 6, 2022
Categories: Hyperscaler

If you are using Anthos Service Mesh to deliver your public applications from a GFE HTTPS LB, I would strongly suggest enabling Cloud Armor which is a WAF (web application firewall) that can mitigate and defend against a variety of attacks such as cross-site scripting and denial of service. As a summary overview, the first … GCP: enabling Cloud Armor on GCP HTTPS LB for Anthos Service Mesh

Terraform: provisioning GCP servers in both public and private subnets

May 30, 2021
Categories: Linux

It is relatively straightforward to create a GCP public subnet where the compute instances have access to the public internet via the default internet gateway. But once you start building private subnets behind it, you must start considering firewall, routing, and the NAT gateways required to reach public services. In this article, I will use … Terraform: provisioning GCP servers in both public and private subnets

GCP: pulling an image from the Container Registry of another project

April 28, 2021
Categories: Containers

In a previous article I discussed the advantages to keeping container images in the private Google Container Registry of a project. And if you have a GKE cluster in the exact same project, then image pulls happen seamlessly without any additional configuration required. However, if the GKE cluster is in a different project than the … GCP: pulling an image from the Container Registry of another project

GCP: pushing GKE images into gcr.io to avoid pull rate limits

April 27, 2021
Categories: Containers

Docker hub now enforces pull rate limits (since November 2020). And unfortunately, this limit is often reached at critical moments such as upgrades or infrastructure events when bulk pod recreation is happening. One way to avoid this problem is to place your images into an alternate image registry. This could mean a lot of work … GCP: pushing GKE images into gcr.io to avoid pull rate limits

GCP: Creating gcp service account with IAM roles using gcloud

March 17, 2021
Categories: Containers

Although the GCP console provides a manual interface for creating service accounts and assigning roles, it can also be done via the gcloud CLI. Using gcloud, even the json key file for the service account can be generated, which is essential for automation. The full Bash script, create_serviceaccount.sh can be found on github. But here … GCP: Creating gcp service account with IAM roles using gcloud

Terraform: Using non-authoritative resources to avoid IAM membership dependency web

February 5, 2021
Categories: Virtualization

One of the most challenging aspects of using Terraform is dealing with external changes and sprawl of dependent objects that may originate outside your control. Terraform wants to be a system of record and have everything documented in its state as resource/data, however keeping your state in sync when other groups may be doing automation … Terraform: Using non-authoritative resources to avoid IAM membership dependency web