GCP Private Installation Instructions
Overview
This document outlines the process for installing Yellowbrick on Google Cloud Platform (GCP) using a private Google Kubernetes Engine (GKE) cluster. GCP offers flexibility for deploying infrastructure with varying levels of privacy and customization. This guide supports a bring-your-own-VPC approach, allowing customers to create custom networking configurations that meet their specific requirements, while still leveraging the Yellowbrick installer to manage the deployment process.
NOTE
A private installation requires advanced knowledge of cloud infrastructure and networking. Please contact your internal IT and operations teams as needed, or reach out to Yellowbrick Support for assistance.
Understanding a Private GKE Cluster
In GCP, a private GKE cluster is a Kubernetes cluster where the control plane (master) and nodes have restricted access, with no public IP addresses assigned to them. The key features of a private GKE cluster include:
- Private Nodes: Nodes are deployed without public IP addresses, ensuring that they are only accessible from within the VPC.
- Private Control Plane (Master): The GKE control plane is accessed through internal IP addresses within the VPC, with no public endpoint.
- Private IP Google Services Access: For private communication with Google services such as Google Cloud Storage, private IP services access can be configured.
For more details, refer to the Google Cloud documentation on private GKE clusters.
Infrastructure Preparation
Creating the VPC Network
Before deploying Yellowbrick, create a VPC network that satisfies the requirements for a private installation. This network will support the private cluster and provide secure communication with Google Cloud services.
VPC Setup:
- Create a VPC to accommodate your cluster and future expansion.
Subnet Configuration:
- Configure a subnet for GKE nodes within the VPC, ensuring it is large enough to handle pod IP allocations. A /22 subnet is recommended to allow for growth, but smaller subnets can be used if you know the specific scale of your installation.
- Ensure that all nodes reside within this subnet to avoid possible cross-zone communication costs.
- Private Services Access: Enable private services access to connect the subnet to Google-managed services without exposing data to the public internet.
Firewall Rules:
- Create firewall rules to allow internal communication between GKE nodes and necessary Google Cloud services. For private installations, ensure that no public ingress is allowed, and restrict egress as needed. Yellowbrick does not require egress beyond GKE and Google services.
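The VPC, subnet, private services access and firewall layout described in this section, as an added example built with the gcloud CLI (this is not Yellowbrick's own tooling and not taken from the guide). The project id, region, network and subnet names, and every address range are assumptions; adjust them to your environment. With DRY_RUN=1, the default, each gcloud command is printed rather than executed so the plan can be reviewed before anything is created. The script also checks the node subnet against the /22 recommendation above and warns when a smaller range is used.

```shell
#!/bin/sh
# Added example, not Yellowbrick's own tooling: private VPC, node subnet,
# private services access and firewall rules for a private GKE install.
# All names, ranges and the region below are assumptions.
set -eu

PROJECT="${PROJECT:-example-project}"          # assumed project id
REGION="${REGION:-us-central1}"                # assumed region
NETWORK="${NETWORK:-yb-private-vpc}"           # assumed VPC name
SUBNET="${SUBNET:-yb-gke-nodes}"               # assumed node subnet name
NODE_RANGE="${NODE_RANGE:-10.10.0.0/22}"       # /22 as recommended above
PODS_RANGE="${PODS_RANGE:-10.20.0.0/16}"       # assumed secondary range for pods
SVCS_RANGE="${SVCS_RANGE:-10.30.0.0/20}"       # assumed secondary range for services
MASTER_RANGE="${MASTER_RANGE:-172.16.0.0/28}"  # assumed private control-plane range
PSA_NAME="${PSA_NAME:-yb-psa-range}"           # assumed name of the reserved PSA range
PSA_CIDR="${PSA_CIDR:-10.40.0.0/16}"           # assumed CIDR of the reserved PSA range
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands, 0 = execute them

# Google's documented VIP for private.googleapis.com. Egress to Google APIs lands
# here only when DNS maps *.googleapis.com to private.googleapis.com.
GOOGLE_APIS_VIP="199.36.153.8/30"

# run: print the command under DRY_RUN, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# prefix_len: prefix length of a CIDR string, e.g. 10.10.0.0/22 -> 22
prefix_len() { printf '%s' "${1##*/}"; }

# check_node_range: 0 if the node subnet meets the /22 recommendation,
# 1 if it is smaller (permitted when the installation scale is known).
check_node_range() {
  [ "$(prefix_len "$1")" -le 22 ]
}

if ! check_node_range "$NODE_RANGE"; then
  echo "warning: node subnet $NODE_RANGE is smaller than the recommended /22" >&2
fi

# 1. Custom-mode VPC: no automatic subnets, so nothing exists outside this plan.
run gcloud compute networks create "$NETWORK" --project="$PROJECT" --subnet-mode=custom

# 2. Node subnet with secondary ranges for pods and services; Private Google
#    Access lets nodes without public IPs reach Google APIs over internal routes.
run gcloud compute networks subnets create "$SUBNET" --project="$PROJECT" \
  --network="$NETWORK" --region="$REGION" --range="$NODE_RANGE" \
  --secondary-range="pods=$PODS_RANGE,services=$SVCS_RANGE" \
  --enable-private-ip-google-access

# 3. Private services access: reserve a range and peer it with Service Networking.
run gcloud compute addresses create "$PSA_NAME" --project="$PROJECT" --global \
  --purpose=VPC_PEERING --addresses="${PSA_CIDR%%/*}" \
  --prefix-length="$(prefix_len "$PSA_CIDR")" --network="$NETWORK"
run gcloud services vpc-peerings connect --project="$PROJECT" \
  --service=servicenetworking.googleapis.com --ranges="$PSA_NAME" --network="$NETWORK"

# 4. Firewall: internal traffic between nodes and pods, no public ingress at all,
#    and egress limited to the cluster ranges, the control plane, Google APIs
#    and the peered services range; everything else outbound is denied.
run gcloud compute firewall-rules create "$NETWORK-allow-internal" --project="$PROJECT" \
  --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=tcp,udp,icmp \
  --source-ranges="$NODE_RANGE,$PODS_RANGE"
run gcloud compute firewall-rules create "$NETWORK-allow-egress-required" --project="$PROJECT" \
  --network="$NETWORK" --direction=EGRESS --action=ALLOW --rules=tcp,udp,icmp --priority=1000 \
  --destination-ranges="$NODE_RANGE,$PODS_RANGE,$SVCS_RANGE,$MASTER_RANGE,$PSA_CIDR,$GOOGLE_APIS_VIP"
run gcloud compute firewall-rules create "$NETWORK-deny-egress-all" --project="$PROJECT" \
  --network="$NETWORK" --direction=EGRESS --action=DENY --rules=all --priority=65000 \
  --destination-ranges=0.0.0.0/0
```

Run it once with the default DRY_RUN=1 and read the printed commands, then with DRY_RUN=0 to apply them. The deny-all egress rule is only safe if a private DNS zone resolves *.googleapis.com to private.googleapis.com (the 199.36.153.8/30 VIP); without that, nodes resolve Google APIs to public addresses, which the deny rule blocks, and the GKE control plane range must match the one you later give the Deployer for the private cluster.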
Executing the Deployer
The Deployer will utilize a Compute Engine VM instance within the same private subnet where Yellowbrick will be deployed. This instance will create a GKE cluster and requires access to the GKE cluster via private endpoints and to Google Cloud services through private services access. This Deployer will then complete the deployment process, including the creation of any additional resources and the installation of Kubernetes workloads.
Installation Process
NOTE
By installing Yellowbrick Enterprise Edition software into your Cloud Account, you agree to Yellowbrick’s Enterprise Edition EULA.
1. Subscribe to the Yellowbrick Data Warehouse Enterprise Edition image in the Google Cloud Marketplace.
2. Create the base infrastructure as outlined in this deployment guide.
3. Launch a Google Compute Engine VM using the Yellowbrick image in the target subnet within the VPC. Assign the necessary roles listed here to the VM’s service account. As this VM will not be accessible from the internet, you may need to perform additional steps to ensure SSH and HTTPS access.
4. Create an SSH connection to the VM as the ubuntu user using the SSH key pair specified during the launch. The VM is configured to automatically start the interactive web UI for the deployment process. Accessing this UI requires an access key, which can be retrieved by executing /opt/ybd/get-access-key from the remote shell.
5. From a web browser, access the VM instance over HTTPS port 443. Use the DNS name or IP address of the VM instance as the hostname. Web traffic will be encrypted over TLS, and a self-signed certificate will be used.
6. When accessing the Yellowbrick Deployer UI, you will need to provide the Deployer access key retrieved in the previous step.
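The Deployer VM has no public address and the UI presents a self-signed certificate, so two things matter for steps 3 to 5 above: how to reach SSH on the VM, and how to know the certificate your browser sees is the VM's. The following added example (not part of the Yellowbrick guide) reaches the VM through an IAP TCP-forwarding SSH tunnel, reads the access key with /opt/ybd/get-access-key, and compares the certificate fingerprint the VM reports on its own loopback (obtained over SSH, an authenticated path) with the fingerprint presented to this workstation on port 443 before the access key is used. The IAP approach, the firewall rule for it, the VM name and zone, and the assumption that the UI also listens on 127.0.0.1:443 on the VM are all assumptions; the workstation is assumed to already have internal connectivity to the VPC (VPN or a bastion) for the HTTPS check.

```shell
#!/bin/sh
# Added example, not part of the Yellowbrick guide: reach the Deployer VM
# over an IAP SSH tunnel, fetch the UI access key, and verify the UI's
# self-signed certificate out of band before using it. Names, zone and the
# IAP approach are assumptions.
set -eu

PROJECT="${PROJECT:-example-project}"   # assumed project id
ZONE="${ZONE:-us-central1-a}"           # assumed zone of the Deployer VM
VM="${VM:-yb-deployer}"                 # assumed Deployer VM name
NETWORK="${NETWORK:-yb-private-vpc}"    # assumed VPC name
IAP_RANGE="35.235.240.0/20"             # Google's documented IAP TCP forwarding source range

# norm_fp: reduce "sha256 Fingerprint=AB:CD:..." (or bare hex) to uppercase hex.
norm_fp() {
  printf '%s' "$1" | sed 's/^.*=//; s/://g' | tr '[:lower:]' '[:upper:]'
}

# fingerprints_match: 0 if both strings denote the same certificate; an empty
# fingerprint never matches, so a failed openssl call cannot pass the check.
fingerprints_match() {
  a=$(norm_fp "$1"); b=$(norm_fp "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_fingerprint: SHA-256 fingerprint of the certificate served at host:port.
cert_fingerprint() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

main() {
  # Let IAP reach SSH on the VM; nothing else is opened from outside the VPC.
  gcloud compute firewall-rules create "$NETWORK-allow-iap-ssh" --project="$PROJECT" \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-ranges="$IAP_RANGE"

  # Deployer access key, read over SSH through the IAP tunnel.
  key=$(gcloud compute ssh "ubuntu@$VM" --project="$PROJECT" --zone="$ZONE" \
    --tunnel-through-iap --command='/opt/ybd/get-access-key')

  # Fingerprint of the certificate the VM serves on its own loopback
  # (assumes the UI also listens on 127.0.0.1:443).
  remote_fp=$(gcloud compute ssh "ubuntu@$VM" --project="$PROJECT" --zone="$ZONE" \
    --tunnel-through-iap \
    --command='openssl s_client -connect 127.0.0.1:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256')

  # Internal IP of the VM, then the fingerprint seen from this workstation.
  ip=$(gcloud compute instances describe "$VM" --project="$PROJECT" --zone="$ZONE" \
    --format='get(networkInterfaces[0].networkIP)')
  seen_fp=$(cert_fingerprint "$ip:443")

  if fingerprints_match "$remote_fp" "$seen_fp"; then
    echo "certificate verified; open https://$ip/ and enter the access key"
    echo "access key: $key"
  else
    echo "certificate mismatch for $ip:443; do not enter the access key" >&2
    exit 1
  fi
}

# Cloud calls only run when explicitly requested (RUN_MAIN=1); otherwise the
# file can be sourced for its helper functions.
if [ "${RUN_MAIN:-0}" = "1" ]; then main; fi
```

The fingerprint comparison is what makes the self-signed certificate acceptable: the SSH session is authenticated by the VM's host key, so a fingerprint obtained through it is a trustworthy reference, and a browser that shows a different fingerprint for the same address should not be given the access key. Where the browser is the only client, an SSH local port forward to the VM's port 443 achieves the same assurance without the comparison.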
Accessing Yellowbrick Deployer UI
1. With a web browser, access the Deployer as described in the installation steps above.
2. On the "Restrict Access" step, indicate that this is a private installation and click Next.
3. On the "Network" step, choose the VPC network created earlier.
4. Continue with the deployment process as normal. The Deployer will configure the cluster, set up the necessary IAM roles, create additional node pools, and deploy the Yellowbrick Operator and related workloads.
Terraform Reference
For a Terraform reference of this infrastructure, please see deployer-contrib.
Conclusion
By following this guide, you can establish a private IP environment for Yellowbrick within GCP and tailor the infrastructure to your specific requirements.