GCP - GKE - Helm

Deploying InsightCloudSec to GCP GKE Using Helm

This document provides steps for deploying a scalable instance of InsightCloudSec on GCP using GKE and Cloud SQL. If you have questions or issues, reach out to us through the Customer Support Portal.


Value Names (DivvyCloud vs. InsightCloudSec)

Some components still use our former product name, DivvyCloud, rather than InsightCloudSec. Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.


Before you get started with this setup, ensure that you have the following:

  • A GCP account with the appropriate admin permissions
  • Permission to create/modify resources in CloudSQL, MemoryStore, and Kubernetes

Note: The content on this page applies to self-hosted customers. For hosted customers, we recommend contacting your CSM or the Customer Support Portal with any questions or concerns.

Steps for Completing the GKE Scalable Deployment


1. To ensure that the CloudSQL API is enabled, go to “APIs” in the GCP console. Then:

  • Click on “Library” on the left
  • Search for and select “Cloud SQL Admin API” and ensure it is enabled.

Cloud SQL Admin API (API Enabled)

2. Create a Cloud SQL database and complete the description for this db instance using the recommended specs:

  • Engine: MySQL 5.7
  • Instance type: db-n1-standard-4
  • 100 GB volume (Enable automatic storage increases)
  • Private IP
  • Availability: High availability (regional)

Create an SQL Database

Complete the settings as outlined in the example below


SQL Settings

3. Once the instance comes up, click on your database to view the details.


Instance Details


Save your Instance details

Copy the instance connection name; you’ll need it later to complete the configuration.

4. Click on the "Users" tab and create a new user:

  • Username = divvy
  • Password = [your choice]

Creating a New User

5. Go to Overview and click on "Connect using cloud shell".


Connect Using Cloud Shell

6. Once the shell comes up, at the mysql> prompt, paste in the following, line by line:



GRANT ALL PRIVILEGES on divvy.* to 'divvy'@'%';

GRANT ALL PRIVILEGES on divvykeys.* to 'divvy'@'%';

GRANT RELOAD ON *.* TO 'divvy'@'%';



SQL Commands

Create a Memorystore Instance

Next you will need to create a Memorystore (Redis) instance in the GCP Console.

1. Open the GCP Console and locate the "Memorystore" option under "Storage".

2. Click "Create Instance" and complete the form as follows:

  • Instance ID - your instance ID
  • Display Name - your display name
  • Version - 4.0
  • Instance tier - Standard (recommended for inclusion of failover)
  • Location - ensure that Region and Zone match the Cloud SQL database you specified
  • Instance capacity - 3GB (recommended)

Memorystore (Redis) instance in GCP

3. Click "Create" and wait for the instance to build. Note the associated IP address.


Memorystore (Redis) instance IP Address

Create Static IP

1. To create a static IP, go to VPC network:

  • From the left menu bar, choose External IP addresses
  • Click Reserve Static Address
    • Name: divvy
  • Ensure static address is in the same region as GKE cluster, CloudSQL, and MemoryStore instances
  • Click Reserve


Region Settings

Ensure GKE cluster, CloudSQL, and MemoryStore instances are in the same region and VPC network.


Create a Static IP

2. Copy the Static IP and save this information.


External Static IP

Create a Cluster

1. To create a cluster, close the cloud shell window, and go to IAM & Admin.

  • From the left menu bar, choose Service Accounts
  • Create a GCP Service Account by choosing from top menu bar, then use the following:
    • Name: GKEtoCloudSQL
    • Role: Cloud SQL Client (Cloud SQL / Cloud SQL Client)
    • Leave the “Grant users access to this service account” blank

2. Create a key (JSON) and download/save the JSON.

3. Go to Kubernetes Engine, and select "create cluster", using the following:

  • Name: divvycloud-gke
  • In the box for the default-pool, update the machine type to 2vCPUs n1-standard-2

4. Click on More options and select "Enable AutoScaling":

  • Minimum number of nodes: 2
  • Max number of nodes: 6

Create Cluster

5. In the Networking section, ensure the "Enable VPC-native traffic routing (uses alias IP)" box is checked.

6. Once the cluster is created, click on "Connect" and then "Run in Cloud Shell" to connect to the cluster.


Connect to Cluster


Run in Cloud Shell to Connect to Cluster

7. Paste these commands, one by one, into the terminal:

curl -O https://s3.amazonaws.com/get.divvycloud.com/prodserv/gcp/gke/divvycloud-gke-nginx-lb.zip

unzip divvycloud-gke-nginx-lb.zip

cd divvycloud-gke-nginx-lb/

8. Update the InsightCloudSec version on line 4 of the values.yaml file to the latest version. You can see the latest version here.

9. Paste this command into the terminal:
kubectl create namespace divvycloud



Create a Cloud SQLProxy Secret

1. To create a CloudSQLProxy secret:

  • In the terminal, create a file called service_account.json
  • Paste in the JSON from the service account and save the file

2. Run the following command:
kubectl create secret generic -n divvycloud cloudsql-instance-credentials --from-file=credentials.json=service_account.json



Create TLS Certificate Secret

1. To create a TLS Certificate Secret:

  • Create a certificate and key file
  • Upload those into the cluster:
  • kubectl create secret tls divvycloud --key hostname.key --cert hostname.crt

TLS Certificate Sheet
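
One way to produce the certificate and key files and to confirm the pair before uploading it, shown as an added example and not as vendor-supplied code. It creates a self-signed pair for a test deployment, then checks that the key belongs to the certificate and that the certificate covers the hostname you will later enter under hosts. The function names and the hostname icc.example.test are assumptions, and the script needs OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example (not vendor code). Function names are hypothetical; the file
# names hostname.key / hostname.crt and the secret name come from the page.

# Create a self-signed pair for a test deployment only. Production should use
# a certificate issued by a CA that your users' browsers already trust.
make_selfsigned() {  # usage: make_selfsigned <hostname> <key-out> <crt-out>
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2" -out "$3" 2>/dev/null || return 1
  chmod 600 "$2"     # keep the private key unreadable to other users
}

# Return 0 only if the key belongs to the certificate, the certificate covers
# the hostname, and the certificate is still valid 24 hours from now.
check_tls_pair() {   # usage: check_tls_pair <hostname> <key> <crt>
  cert_pub=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) || {
    echo "cannot read certificate $3" >&2; return 1; }
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || {
    echo "cannot read private key $2" >&2; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi
  if ! openssl x509 -in "$3" -noout -checkhost "$1" 2>/dev/null |
       grep -q "does match certificate"; then
    echo "certificate does not cover $1" >&2; return 1
  fi
  if ! openssl x509 -in "$3" -noout -checkend 86400 >/dev/null 2>&1; then
    echo "certificate is expired or expires within 24 hours" >&2; return 1
  fi
  return 0
}

# Use in Cloud Shell before the page's command (hostname is a placeholder):
#   check_tls_pair icc.example.test hostname.key hostname.crt &&
#     kubectl create secret tls divvycloud --key hostname.key --cert hostname.crt
```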

Edit the YAML File and Complete the Setup

1. Open the file called "values.yaml" and enter your required parameters.
The standard parameters are:

  • useExternalDb: True
  • cloudSQLInstanceName: [Cloud SQL Instance Connection Name (saved from database creation)]
  • databaseUser: [divvy user created (default is divvy)]
  • databasePassword: [divvy password created]
  • useExternalRedis: [true]
  • redisHost: [IP Address from the created Memorystore instance above]
  • loadBalancerIP: [IP Address from the created static IP above]
  • secretName: divvycloud
  • hosts: [Hostname record that is pointed at your static IP; it must match the TLS certificate]
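
A pre-flight check for the parameters above, shown as an added example and not as part of the vendor's chart. It catches values that are missing, still bracketed placeholders, or in the wrong format before the install runs. The function names are hypothetical, and it assumes each key appears once in values.yaml as "key: value" at any indentation.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): pre-flight check for values.yaml before
# running `make app/install-notiller`. Key names come from the page. Assumed:
# each key appears once as "key: value" at any indentation. The list-valued
# hosts entry is not parsed here.

yaml_value() {       # usage: yaml_value <file> <key>; prints the scalar value
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^[\"']//" -e "s/[\"']\$//"
}

check_values() {     # usage: check_values <values.yaml>; 0 = all checks pass
  f=$1; rc=0
  fail() { echo "$f: $*" >&2; rc=1; }

  for k in useExternalDb useExternalRedis; do
    yaml_value "$f" "$k" | grep -qix 'true' || fail "$k must be true"
  done
  # Instance connection names look like project:region:instance.
  yaml_value "$f" cloudSQLInstanceName |
    grep -Eq '^[^[:space:]]+:[^:[:space:]]+:[^:[:space:]]+$' ||
    fail "cloudSQLInstanceName is not project:region:instance"
  for k in redisHost loadBalancerIP; do
    yaml_value "$f" "$k" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
      fail "$k is not an IPv4 address"
  done
  for k in databaseUser databasePassword; do
    case $(yaml_value "$f" "$k") in
      ''|\[*) fail "$k is empty or still a bracketed placeholder" ;;
    esac
  done
  [ "$(yaml_value "$f" secretName)" = divvycloud ] ||
    fail "secretName must name the TLS secret created earlier (divvycloud)"
  # values.yaml holds the database password in clear text, so it should not
  # be readable by other users (this check is the example's own addition).
  [ -z "$(find "$f" -prune -perm -004)" ] || fail "file is world-readable"
  return "$rc"
}

# Use in Cloud Shell from the chart directory:
#   check_values values.yaml && make app/install-notiller
```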

2. In the terminal window, run this command:

make app/install-notiller

2a. To upgrade, update the InsightCloudSec version in values.yaml and re-run the install command:

make app/install-notiller


3. Connect to your InsightCloudSec/DivvyCloud instance by doing the following:

  • Close the cloud shell window
  • In the Kubernetes engine, go to the Services & Ingress tab
  • Once the interface server is up, the endpoint displayed there will be the hostname you connect to for your InsightCloudSec instance. You will need to create a DNS record to point to the static IP you created earlier. A connection directly to the IP address without a hostname will be ignored.


Reaching the Site

If the site can’t be reached, please wait a few minutes and try again. During a clean installation, there are a large number of MySQL schema updates that must be executed.


Site Can't Be Reached

4. When all is ready, you will see the following:


Getting Started With InsightCloudSec
