The Crossplane GCP Provider lets you manage Google Cloud resources directly from Kubernetes, treating your cloud infrastructure as code.
Let’s get this set up. You’ll need a Kubernetes cluster and kubectl configured to talk to it. You’ll also need a GCP service account with the necessary permissions.
First, install the Crossplane core components. This uses Helm, the Kubernetes package manager.
helm repo add crossplane-stable https://charts.crossplane.io/stable
helm repo update
helm install crossplane crossplane-stable/crossplane --namespace crossplane-system --create-namespace
This deploys Crossplane into the crossplane-system namespace. Give it a minute to spin up. You can check its status with:
kubectl get pods -n crossplane-system
You should see a crossplane-xyz pod in a Running state.
Next, you need to create a ProviderConfig resource that tells Crossplane how to authenticate with GCP. This involves creating a Kubernetes Secret containing your GCP service account key.
First, create a JSON file with your service account key. Let’s call it gcp-key.json.
{
  "type": "service_account",
  "project_id": "your-gcp-project-id",
  "private_key_id": "your-private-key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nYOUR_PRIVATE_KEY_CONTENT\n-----END PRIVATE KEY-----\n",
  "client_email": "your-service-account-email@your-gcp-project-id.iam.gserviceaccount.com",
  "client_id": "your-client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-service-account-email%40your-gcp-project-id.iam.gserviceaccount.com"
}
Important: Replace the placeholder values with your actual GCP service account key details. Make sure the private_key has its newlines correctly escaped (\n).
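The check below is an added example, not part of the original tutorial or of Crossplane: it validates gcp-key.json before it goes into the Secret, catching the newline-escaping mistakes mentioned above, leftover template placeholders and a key file that other local users can read. The function names, the constructed sample key and the chmod 600 expectation are assumptions of this example.

```python
import json
import os
import stat
import sys

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
PEM_HEAD, PEM_TAIL = "-----BEGIN PRIVATE KEY-----\n", "-----END PRIVATE KEY-----\n"
# Placeholder strings taken from the gcp-key.json template above.
PLACEHOLDERS = ("your-gcp-project-id", "your-private-key-id", "your-client-id",
                "your-service-account-email", "YOUR_PRIVATE_KEY_CONTENT")
# Constructed sample (not a real key) with correctly escaped newlines.
SAMPLE = json.dumps({"type": "service_account", "project_id": "demo-proj",
                     "private_key_id": "0123abcd",
                     "private_key": PEM_HEAD + "Q09OU1RSVUNURUQ=\n" + PEM_TAIL,
                     "client_email": "xp@demo-proj.iam.gserviceaccount.com"})


def check_key_text(text):
    """Return a list of problems found in service account key JSON text."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        # A raw (unescaped) line break inside "private_key" ends up here.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    pem = str(key.get("private_key") or "")
    if "\\n" in pem:
        # Double-escaped in the file (\\n) decodes to backslash + n, not a newline.
        problems.append("private_key holds literal \\n instead of newlines")
    elif pem and not (pem.startswith(PEM_HEAD) and pem.endswith(PEM_TAIL)):
        problems.append("private_key is not a PEM PRIVATE KEY block")
    if any(p in str(v) for v in key.values() for p in PLACEHOLDERS):
        problems.append("template placeholder values were not replaced")
    return problems


def check_key_file(path):
    """Check the permissions, then the contents, of a key file on disk."""
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is accessible to group/others; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        return problems + check_key_text(fh.read())


if __name__ == "__main__":
    found = check_key_file(sys.argv[1]) if len(sys.argv) > 1 else check_key_text(SAMPLE)
    print("\n".join(found) or "key file looks well-formed")
```

Run it as `python check_key.py ./gcp-key.json` (the script name is arbitrary) before creating the Secret; with no argument it checks the constructed sample.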
Now, create a Kubernetes Secret from this file:
kubectl create secret generic gcp-key --from-file=key=./gcp-key.json -n crossplane-system
This Secret, named gcp-key, will be used by the Crossplane GCP Provider.
With the Secret in place, you can now install the GCP Provider itself. Create a YAML file, say gcp-provider.yaml:
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-gcp
spec:
  package: xpkg.upbound.io/upbound/provider-gcp:v0.37.0 # Check for the latest version
Apply this configuration:
kubectl apply -f gcp-provider.yaml
This tells Crossplane to pull and install the GCP provider package. You’ll see a Provider resource created. Crossplane will then provision a ProviderInstallation and eventually a ProviderRevision.
Finally, you need to link the installed provider to your GCP credentials. Create a ProviderConfig resource, gcp-providerconfig.yaml:
apiVersion: gcp.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  projectID: your-gcp-project-id # Required: the GCP project the provider manages resources in
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: gcp-key
      key: key
Apply this:
kubectl apply -f gcp-providerconfig.yaml
This ProviderConfig named default tells the GCP provider to use the gcp-key Secret in the crossplane-system namespace for authentication. The key: key part refers to the key within the Secret that holds the JSON service account data.
Now Crossplane knows how to talk to GCP using your service account. You can start provisioning GCP resources by creating custom resources of the kinds defined by the CRDs that the GCP provider installs, such as GCPInstance for Compute Engine instances or GCPBucket for Cloud Storage buckets.
For example, to create a GCP bucket, you’d define a Bucket resource:
apiVersion: storage.gcp.upbound.io/v1beta1
kind: Bucket
metadata:
  name: my-crossplane-managed-bucket
spec:
  forProvider:
    location: US
    storageClass: STANDARD
  providerConfigRef:
    name: default
Applying this Bucket resource will instruct Crossplane to provision a Cloud Storage bucket in GCP.
The next thing you’ll likely encounter is a No providerConfig found for provider "storage.gcp.upbound.io" error if your ProviderConfig isn’t correctly referenced or named.