Skip to content

Google Cloud Resources

Overview

Before installing the Privacera Manager software, the following Google Cloud resources need to be created:

Prerequisite Description
VM Instance A virtual machine to run the Privacera Manager software is required. Refer to here for more details.
🟢 For self-managed: Required.
🟢 PrivaceraCloud Data plane: Required.
🟢 PrivaceraCloud Data plane + Privacera Discovery: Required.
GKE cluster GKE cluster to run the Privacera software is required. Refer to here for more details.
🟢 For self-managed: Required.
🟢 PrivaceraCloud Data plane: Required.
🟢 PrivaceraCloud Data plane + Privacera Discovery: Required.
Google SQL Server Google SQL Server (MySQL or PostgreSQL) for the Privacera database. Refer here for more details.
🟢 For self-managed: Required.
🔴 PrivaceraCloud Data plane: Not Required.
🟢 PrivaceraCloud Data plane + Privacera Discovery: Required.
Wildcard certificate and Key A wildcard certificate for the domain name used for the Privacera service endpoints, along with the private key, is required. Refer to here for more details.
🟢 For self-managed: Required.
🟢 PrivaceraCloud Data plane: Required.
🟢 PrivaceraCloud Data plane + Privacera Discovery: Required.

Appendix

Google VM Instance for running Privacera Manager

VM Instance

Privacera Manager runs on a VM instance that has access to the Kubernetes cluster and can create and manage cloud resources.

Tip

The Privacera Manager installation on this VM instance will include signed certificates necessary for subsequent upgrades. Therefore, it is recommended that this VM instance is not deleted and is protected from termination. It is also strongly advised to backup the contents of the Privacera Manager folder on regular basis.

You don't need to run this VM instance 24x7. You can stop the VM instance when it is not in use.

Vitrual Machine configuration

The Vitrual Machine needs to be provisioned to run the Privacera Manager software. At a minimum, the instance should have the following specifications:

  • Ubuntu 20.04.6 LTS
  • Minimum 1 vCPUs
  • Minimum 4 GB RAM
  • Minimum 100 GB disk space
  • SELinux should be disabled
  • Allow HTTP and HTTPS traffic in instance Firewall configuration.
User Configuration

Privacera Manager requires a dedicated user account with sudo privileges to run properly. This user must be configured with NOPASSWD sudo access to ensure automated operations can execute without manual intervention.

To create and configure the user:

  1. Create a dedicated user (e.g., privacera-admin):

    Bash
    1
    sudo useradd -m -s /bin/bash privacera-admin

  2. Add the user to the sudo group:

    Bash
    1
    sudo usermod -aG sudo privacera-admin

  3. Configure NOPASSWD sudo access by adding the following line to /etc/sudoers using visudo:

    Bash
    1
    privacera-admin ALL=(ALL) NOPASSWD:ALL

Following software should be installed on the VM Instance:

Packages
  • ssh, curl, tar, wget, gcc*,

Bash
1
2
sudo apt update
sudo apt install ssh curl tar wget gcc -y
- Openssl (v1.01, build 16 or later)

Bash
1
2
sudo apt install openssl -y
openssl version
- Python3 (with python-devel*)

Bash
1
2
sudo apt install python3 python3-dev python3-pip python3-passlib -y
python3 --version
- User account with sudo permissions

docker

Create a Privacera user with sudo access and then run the below commands.

Bash
1
2
3
4
5
VM_USER=privacera
sudo apt install docker.io -y  
sudo service docker start
sudo usermod -a -G docker ${VM_USER}
exit
Relogin to the jump host.

kubectl

Follow the instructions on this link.

helm

Follow the instructions on this link.

Bash
1
2
3
4
curl -fsSL -o get_helm.sh \
  https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

Google GKE cluster for running Privacera Software

Google GKE Cluster

Google GKE cluster with the following specifications:

  • Kubernetes version - For supported version check Privacera release notes
  • Node type - e2-standard-4 or similar
  • Auto-scaling node group: min 3 to max 10 nodes
  • Kubernetes Metrics Server - Required for monitoring and autoscaling. See installation instructions below
Kubernetes Metrics Server

The Kubernetes Metrics Server is required for Privacera to function properly. It provides resource metrics for pods and nodes, which are essential for monitoring and autoscaling.

Check if Metrics Server is already installed:

Bash
1
kubectl get deployment metrics-server -n kube-system

If the Metrics Server is not installed, follow these steps:

Option 1: Install via YAML (Recommended)

For Google GKE, the standard installation usually works without additional configuration:

Bash
1
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

If you encounter connection issues, you can optionally add the preferred address types flag:

Bash
1
2
kubectl patch deployment metrics-server -n kube-system --type='json' \
  -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"}]'

Option 2: Install via Helm

Bash
1
2
3
4
5
6
7
8
# Add Helm repository
helm repo add metrics-server https://kubernetes-sigs.github.io/metrics-server/
helm repo update

# Install with GKE configuration
helm install metrics-server metrics-server/metrics-server \
  --namespace kube-system \
  --set 'args[0]=--kubelet-preferred-address-types=InternalIP\,Hostname\,ExternalIP'

Troubleshooting TLS Certificate Errors

Google GKE manages certificates properly, and Metrics Server works with default TLS validation. You typically don't need the --kubelet-insecure-tls flag.

However, if you encounter an error like:

Text Only
1
Unable to fetch metrics: x509: certificate signed by unknown authority

Then re-run the Helm installation with the insecure TLS flag:

Bash
1
2
3
4
helm install metrics-server metrics-server/metrics-server \
  --namespace kube-system \
  --set 'args[0]=--kubelet-insecure-tls' \
  --set 'args[1]=--kubelet-preferred-address-types=InternalIP\,Hostname\,ExternalIP'

Verify Installation:

Bash
1
2
3
4
5
6
# Check if Metrics Server is running
kubectl get deployment metrics-server -n kube-system

# Verify metrics are available (may take 1-2 minutes)
kubectl top nodes
kubectl top pods -A

For more information, refer to the official Kubernetes Metrics Server documentation.

Google SQL Server

Google SQL Server

You can create either MySQL or PostgreSQL Server with the following specifications:

  • MySQL 5.7 or MySQL 8.0
  • 8 vCPU and 32GB RAM
  • Storage as per usage (atleast 500GB)
  • Keep High Availability enabled.
  • PostgreSQL 13 or higher
  • 8 vCPU and 32GB RAM
  • Storage as per usage (atleast 500GB)
  • Keep High Availability enabled.

Wildcard certificate and Private Key

Wildcard certificate and Private Key

A wildcard certificate for the domain name used for the Privacera service endpoints, along with the private key. This should one of these:

  • Wild-card certificate. The certificate requirements are given in TLS Certificate.
  • Certificate with specific host names generated by Privacera Manager
  • Certificate with specific host names generated by you for the service endpoints.