Installing a GCP Connector with Helm (Project Wide)
This guide is intended for admins managing a Connector in the environment
Overview
Integrating a cloud account with Apono syncs your resources so that you can use Apono to discover existing privileges and identities, and to manage employee and application provisioning to cloud assets and data repositories, with delegated approval workflows and granular permissions for customer-sensitive data.
You have chosen the advanced installation method
You can also connect GCP to Apono by following the UI guide here.
Deploy in a new GKE cluster
Prerequisites
- A Google project to connect to Apono
- Google Cloud CLI
- A GCP user with project Owner permissions
- Kubernetes command-line tool (kubectl)
Optional - run the installation from the GCP Console
Install Apono
1. Prepare parameters for Apono installation
Fill in and export the following variables:
# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the cluster on
export NAMESPACE=apono-connector-namespace
echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
Set the following variable:
export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
2. Enable Cloud Resource Manager API
gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID
3. Create an IAM Service Account and grant it the Security Admin and Secret Accessor roles on the project.
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
--role="roles/secretmanager.secretAccessor" \
--project $PROJECT_ID
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
--role="roles/iam.securityAdmin" \
--project $PROJECT_ID
4. Verify the default GKE cluster for installation
- Open the Kubernetes command-line tool
- Run the following to see the list of GKE clusters:
kubectl config get-contexts
- Set the desired cluster as the default (pass the name of the cluster):
kubectl config use-context <cluster-name>
- Run the following again and verify that the "*" marks the correct cluster:
kubectl config get-contexts
5. Bind the IAM Service Account to the K8S Service Account
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
--member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
--role="roles/iam.workloadIdentityUser" \
--project $PROJECT_ID
6. Install Helm Chart
The Helm chart installs the following:
- Kubernetes Deployment containing the Apono-Connector image container
- Kubernetes Service Account annotated with GCP IAM Service Account
- Kubernetes Secret containing Docker Registry credentials
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
--set-string apono.token=$APONO_TOKEN \
--set-string apono.connectorId=$APONO_CONNECTOR_ID \
--set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
--namespace $NAMESPACE \
--create-namespace
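After steps 3 and 5 it is worth confirming that the connector's service account holds exactly the two project roles the guide grants and that only the Kubernetes service account from step 5 can impersonate it through Workload Identity. The following Python is an added example, not part of Apono's guide or Helm chart: it audits the JSON returned by `gcloud projects get-iam-policy $PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy $GCP_SERVICE_ACCOUNT_EMAIL --format=json`; the project ID, the sample policies and the helper names are constructed placeholders.

```python
import json

# Placeholder values mirroring the variables exported in step 1 (constructed, not real).
PROJECT_ID = "my-gcp-project"
NAMESPACE = "apono-connector-namespace"
SA_MEMBER = f"serviceAccount:apono-connector-iam-sa@{PROJECT_ID}.iam.gserviceaccount.com"
KSA_MEMBER = (f"serviceAccount:{PROJECT_ID}.svc.id.goog"
              f"[{NAMESPACE}/apono-connector-service-account]")
# The only two project-level roles the guide grants in step 3.
EXPECTED_PROJECT_ROLES = {"roles/secretmanager.secretAccessor", "roles/iam.securityAdmin"}


def roles_for_member(policy, member):
    """Roles bound to `member` in a policy dict of the get-iam-policy JSON shape."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_project_policy(policy):
    """Return (missing, extra) roles for the connector SA on the project.
    Missing roles break the connector; extra roles exceed what step 3 grants."""
    granted = roles_for_member(policy, SA_MEMBER)
    return EXPECTED_PROJECT_ROLES - granted, granted - EXPECTED_PROJECT_ROLES


def workload_identity_users(sa_policy):
    """Principals allowed to act as the GCP SA via Workload Identity; step 5
    binds exactly one Kubernetes service account, so anything else is a finding."""
    users = set()
    for b in sa_policy.get("bindings", []):
        if b.get("role") == "roles/iam.workloadIdentityUser":
            users.update(b.get("members", []))
    return users


def audit_from_json(project_policy_json, sa_policy_json):
    """Audit raw `gcloud ... get-iam-policy --format=json` output (hypothetical helper)."""
    missing, extra = audit_project_policy(json.loads(project_policy_json))
    unexpected = workload_identity_users(json.loads(sa_policy_json)) - {KSA_MEMBER}
    return {"missing": sorted(missing), "extra": sorted(extra),
            "unexpected_impersonators": sorted(unexpected)}


# Constructed sample: step 3 was done, but the SA was also given roles/editor.
SAMPLE_PROJECT_POLICY = json.dumps({"version": 1, "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/secretmanager.secretAccessor", "members": [SA_MEMBER]},
    {"role": "roles/iam.securityAdmin", "members": [SA_MEMBER]},
    {"role": "roles/editor", "members": [SA_MEMBER]}]})
# Constructed sample: the step 5 binding plus a stray KSA from another namespace.
SAMPLE_SA_POLICY = json.dumps({"version": 1, "bindings": [{"role": "roles/iam.workloadIdentityUser",
    "members": [KSA_MEMBER, f"serviceAccount:{PROJECT_ID}.svc.id.goog[default/debug-sa]"]}]})
```

Running `audit_from_json(SAMPLE_PROJECT_POLICY, SAMPLE_SA_POLICY)` on the constructed samples reports `roles/editor` as an extra role and the `default/debug-sa` binding as an unexpected impersonator; an empty report is the expected result after following the steps above.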
Verify the Connector has been successfully installed
You can validate the Connector is installed in the Connector status page.
Hurray!
You've successfully installed a GCP Connector using Helm!
You can now enable more GCP integrations in the Integrations Catalog.