Advanced Setup Available in v1.19.3+
This guide covers how to set up Google node integration using a self-managed service account.
Google Integration Setup
You can set up the Google integration resources directly in your own Google Cloud project, without using the ScaleOps Managed Service Account.
- Launch Cloud Shell from your Google Cloud account.
- Run the provided script in Cloud Shell:
curl -sL scriptshelf.scaleops.com/google/integrate.sh | bash -s -- node-integration --project-id <PROJECT_ID> --create-service-account
The script creates IAM resources in the project (a custom role, a service account and policy bindings); run it with --dry-run and -v first to review the gcloud commands it will execute before letting it make changes.
- Copy the helm configuration values from the script output, add them to your ScaleOps helm values file, then upgrade your ScaleOps deployment.
- Wait for ScaleOps to integrate with your cloud data.
*It may take a few minutes for the integration to complete.
Service Account Impersonation
To manage and scale node pools, in particular for the spot optimization feature, ScaleOps must be able to act as the service account each node pool runs with. Use the --allow-service-accounts flag to grant the ScaleOps service account permission to impersonate those node-pool service accounts.
Impersonation lets ScaleOps act with everything the listed accounts are allowed to do, so list only the node-pool service accounts ScaleOps manages (or scope the grant with --cluster); use --all-clusters only when ScaleOps manages every cluster in the project.
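Once impersonation has been granted it is worth confirming exactly which principals can act as each node-pool service account, since every one of them inherits that account's permissions. The following is an added example, not part of this page or of the ScaleOps integrate.sh script: it parses the `ROLE,MEMBER` lines printed by a `gcloud iam service-accounts get-iam-policy` call and reports impersonation bindings for any member other than the ScaleOps service account. It checks the two predefined GCP impersonation roles (roles/iam.serviceAccountUser and roles/iam.serviceAccountTokenCreator); which of them the script binds is not stated on this page, so both are checked. The account names in SAMPLE_POLICY and in the usage comments are constructed.

```shell
#!/bin/sh
# Added example: audit who can impersonate a node-pool service account.
# Not part of the ScaleOps integrate.sh script; names in SAMPLE_POLICY are constructed.

# Predefined GCP roles that allow acting as a service account. Not exhaustive:
# basic roles (owner/editor) and custom roles can carry the same permissions.
IMPERSONATION_ROLES='roles/iam.serviceAccountUser roles/iam.serviceAccountTokenCreator'

# Reads "ROLE,MEMBER" lines on stdin; prints "ROLE MEMBER" for impersonation bindings only.
impersonators_from_policy() {
  while IFS=, read -r role member; do
    case " $IMPERSONATION_ROLES " in
      *" $role "*) printf '%s %s\n' "$role" "$member" ;;
    esac
  done
}

# Same input on stdin; prints impersonation bindings whose member is not $1
# (normally the ScaleOps service account, written as serviceAccount:<email>).
unexpected_impersonators() {
  expected=$1
  impersonators_from_policy | while read -r role member; do
    [ "$member" = "$expected" ] || printf '%s %s\n' "$role" "$member"
  done
}

# Live check (needs gcloud and permission to read the node SA's IAM policy):
#   audit_node_sa node-sa@my-project.iam.gserviceaccount.com \
#                 serviceAccount:scaleops-1700000000@my-project.iam.gserviceaccount.com
# Returns 1 when anyone other than the expected member can impersonate the account.
audit_node_sa() {
  node_sa=$1
  expected=$2
  found=$(gcloud iam service-accounts get-iam-policy "$node_sa" \
            --flatten='bindings[].members' \
            --format='csv[no-heading](bindings.role,bindings.members)' \
          | unexpected_impersonators "$expected")
  if [ -n "$found" ]; then
    printf 'unexpected impersonators of %s:\n%s\n' "$node_sa" "$found" >&2
    return 1
  fi
  printf 'only %s can impersonate %s\n' "$expected" "$node_sa"
}

# Constructed stand-in for the gcloud output consumed above.
SAMPLE_POLICY='roles/iam.serviceAccountTokenCreator,serviceAccount:scaleops-1700000000@my-project.iam.gserviceaccount.com
roles/iam.serviceAccountUser,user:alice@example.com
roles/viewer,group:sre@example.com'
```

Run `audit_node_sa` once per account you passed to --allow-service-accounts; the viewer binding in the sample is ignored, while the serviceAccountUser binding for alice@example.com is reported because it is not the ScaleOps account.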
Usage
curl -sL scriptshelf.scaleops.com/google/integrate.sh | bash -s -- node-integration \
  --project-id <PROJECT_ID> \
  --create-service-account \
  --allow-service-accounts <SERVICE_ACCOUNT_1>,<SERVICE_ACCOUNT_2>
Examples
Multiple custom service accounts:
--allow-service-accounts node-sa@project.iam.gserviceaccount.com,gpu-sa@project.iam.gserviceaccount.com
Reference
Helm Parameters
These keys are set under cloudIntegration.google in your ScaleOps helm values file.
| Key | Description | Default |
|---|---|---|
| enabled | Enable the integration | false |
| projectId | GCP project ID | Current cluster project ID |
| serviceAccountCredentials | Service account credentials JSON | Service account credentials from the ScaleOps API |
| applyToAllClusters | Enable the integration for all child clusters | false |
serviceAccountCredentials is a long-lived key; if you do not want it in a values file (for example one kept in version control), use the Using External Secret section below instead.
Script parameters
| Parameter | Description | Default / Notes |
|---|---|---|
| -p <PROJECT_ID>, --project-id <PROJECT_ID> | GCP project ID (required) | |
| -s <EMAIL>, --service-account <EMAIL> | Service account email (required unless --create-service-account is used) | |
| -i <NAME>, --role-id <NAME> | ID for the custom role | "ScaleOpsIntegration" |
| --service-account-name <NAME> | Name for the service account | "scaleops-<TIMESTAMP>" |
| --role-display-name <NAME> | Display name for the custom role | "ScaleOps Cloud Node Integration" |
| --create-service-account | Create a new service account instead of using an existing one | |
| --allow-service-accounts <SA1,SA2> | Comma-separated list of service accounts to grant impersonation permissions for | Required for node operations with custom SAs |
| --cluster <NAME> | Grant impersonation permissions for all node groups in this cluster | |
| --all-clusters | Grant impersonation permissions for all node groups in all clusters in the project | false |
| --use-workload-identity | Enable workload identity setup (required for workload identity) | false |
| --installation-namespace <NAMESPACE> | Installation namespace (required for workload identity) | scaleops-system |
| --skip-checks | Skip organization policy validations | false |
| -r, --remove | Remove the custom role and IAM policy binding | |
| --dry-run | Show what would be created without making changes | |
| -v, --verbose | Print all gcloud commands before executing them | |
| -h, --help | Show this help message | |
Permissions
To run the integration script, your Google account must have the following IAM roles:
- roles/iam.roleAdmin: create and manage custom IAM roles
- roles/resourcemanager.projectIamAdmin: manage project-level IAM bindings
- roles/iam.serviceAccountAdmin: create service accounts and manage their IAM policies
- roles/orgpolicy.policyViewer: view organization policies (if applicable)
Note: Users with roles/owner or roles/editor typically have these permissions included.
Using External Secret
Run helm template with the correct values for the Google node integration to retrieve the secret definition:
helm template ... --show-only templates/cloud_node_integration_settings_secret.yaml
Store the settings value from the rendered Secret in your secret provider, and reference it using External Secrets. Note that a Secret's data field is base64-encoded: store the decoded value, because the ExternalSecret template below injects the remote value verbatim and External Secrets Operator encodes it again when it writes the Kubernetes Secret.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: scaleops-cloud-node-integration-settings
  namespace: scaleops-system
spec:
  secretStoreRef:
    name: SECRET_STORE_NAME # Replace with your secret store name
    kind: ClusterSecretStore # Replace with your secret store kind
  target:
    name: scaleops-cloud-node-integration-settings
    template:
      data:
        settings: "{{ .google_node_config }}"
  data:
    - secretKey: google_node_config
      remoteRef:
        key: path/to/secret # Replace with your secret path
If you use this approach, do not include cloudIntegration.google values in your helm values file.
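The following is an added example, not part of this page or of the ScaleOps chart, of extracting the settings value from the Secret rendered by the helm template command above so that the decoded content (not the base64 from the manifest) is what lands in the secret provider. It assumes the rendered Secret carries the value under a single-line `settings` key, either in `data:` (base64, decoded here) or `stringData:` (plain), which matches the key the ExternalSecret template writes; the settings JSON in SAMPLE_SETTINGS, the chart and release names in the comments, and the Secret Manager secret name are constructed.

```shell
#!/bin/sh
# Added example: pull the settings value out of the Secret rendered by
#   helm template ... --show-only templates/cloud_node_integration_settings_secret.yaml
# so that the decoded content can be stored in the secret provider.
# Not part of the ScaleOps chart; SAMPLE_* values are constructed.

# Prints the settings value from a rendered Secret manifest ($1).
# Handles a single-line value under data: (base64, decoded) or stringData: (plain).
extract_settings() {
  out=$(awk '
    /^(data|stringData):/ { section = $1; sub(/:$/, "", section); next }
    /^[^ \t#]/            { section = "" }
    section != "" && $1 == "settings:" {
      value = $0
      sub(/^[ \t]*settings:[ \t]*/, "", value)
      gsub(/^"|"$/, "", value)
      print section ":" value
      exit
    }' "$1") || return 1
  [ -n "$out" ] || { echo "extract_settings: no settings key under data/stringData in $1" >&2; return 1; }
  section=${out%%:*}
  value=${out#*:}
  if [ "$section" = data ]; then
    printf '%s' "$value" | base64 -d
  else
    printf '%s' "$value"
  fi
}

# Live use (assumes gcloud; not run by the test): store the decoded value in GCP Secret
# Manager and set the ExternalSecret's remoteRef.key to the secret name.
#   helm template scaleops <chart> -n scaleops-system -f values.yaml \
#     --show-only templates/cloud_node_integration_settings_secret.yaml > rendered.yaml
#   store_in_secret_manager rendered.yaml scaleops-google-node-config
store_in_secret_manager() {
  extract_settings "$1" | gcloud secrets create "$2" --replication-policy=automatic --data-file=-
}

# Constructed stand-in for the chart's real settings content and rendered manifest.
SAMPLE_SETTINGS='{"projectId":"my-project","note":"constructed stand-in, not the real settings format"}'
SAMPLE_MANIFEST=$(printf '%s\n' \
  '---' \
  '# Source: scaleops/templates/cloud_node_integration_settings_secret.yaml' \
  'apiVersion: v1' \
  'kind: Secret' \
  'metadata:' \
  '  name: scaleops-cloud-node-integration-settings' \
  '  namespace: scaleops-system' \
  'type: Opaque' \
  'data:' \
  "  settings: $(printf '%s' "$SAMPLE_SETTINGS" | base64 | tr -d '\n')")
```

The function fails rather than printing an empty value when the key is missing, so a wrong `--show-only` path does not silently create an empty secret.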