
app/gcp/k8s:gke

This contract is shared by the GKE Service and GKE Job app modules. Outputs marked [job only] are populated by job modules.

cluster-namespace - connection

Connection Type: cluster-namespace/gcp/k8s:gke

project_id - string

The GCP Project ID hosting this application.

service_namespace - string

The Kubernetes namespace where the app's resources are created. This is used to scope Kubernetes API calls when performing deployments.

service_name - string [optional]

The name of the Kubernetes Deployment for the app.

This value is blank for job apps that do not provision a long-running pod. Nullstone uses a blank value to register the app as a task that can be executed on demand.

service_account_email - string

The email of the GCP service account that the app runs as. The Kubernetes ServiceAccount in <service_namespace>/<service_name> impersonates this GCP SA via Workload Identity. Capability-layer IAM bindings (e.g. roles/secretmanager.secretAccessor) should target this email.
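The Workload Identity chain described above, as an added Terraform example (not Nullstone's module code): the Kubernetes ServiceAccount in <service_namespace>/<service_name> is the only principal allowed to act as the GCP SA, and a capability-layer binding targets the SA email at the scope of one secret. The variables, the kubernetes provider resource and the `google_secret_manager_secret_iam_member` binding are assumptions for illustration.

```hcl
# Added example, not Nullstone's module code. Shows the binding behind
# service_account_email: one KSA in one namespace impersonates one GCP SA via
# Workload Identity, and a capability grants that SA (not the node, not the
# cluster) access to a single secret.
# Assumed inputs: var.project_id, var.service_namespace, var.service_name,
# var.secret_id (hypothetical: a Secret Manager secret the app reads).

variable "project_id" {}
variable "service_namespace" {}
variable "service_name" {}
variable "secret_id" {}

# The GCP identity the app runs as. account_id must be 6-30 chars.
resource "google_service_account" "app" {
  project    = var.project_id
  account_id = var.service_name
}

# Allow exactly one KSA in exactly one namespace to act as this GCP SA.
# Widening the member to the whole namespace or pool would let every pod
# there assume the app's identity.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.service_namespace}/${var.service_name}]"
}

# The KSA carries the annotation GKE uses to map it to the GCP SA.
resource "kubernetes_service_account" "app" {
  metadata {
    name      = var.service_name
    namespace = var.service_namespace
    annotations = {
      "iam.gke.io/gcp-service-account" = google_service_account.app.email
    }
  }
}

# Capability-layer binding: target the SA email from the contract, scoped to
# one secret rather than granting secretAccessor on the project.
resource "google_secret_manager_secret_iam_member" "app_reads_secret" {
  project   = var.project_id
  secret_id = var.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.app.email}"
}

# The contract output other modules bind IAM against.
output "service_account_email" {
  value = google_service_account.app.email
}
```

The check worth running after apply is `gcloud iam service-accounts get-iam-policy <email>`: the only `roles/iam.workloadIdentityUser` member should be the single `svc.id.goog[namespace/name]` principal, and no human or agent identity should appear there.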

image_repo_url - string

The image repository URL where the service pulls its images.

Format: [region]-docker.pkg.dev/[project-id]/[repository-name]/[app-name]

image_pusher - object

A GCP service account that the Nullstone agent impersonates to push images to the image repository.

Format

value = {
    project_id  = var.project_id
    email       = google_service_account.image_pusher.email
    id          = google_service_account.image_pusher.id
    impersonate = true
}

Required IAM permissions

[artifact-registry-repo]
    roles/artifactregistry.writer
    roles/artifactregistry.reader
[image-pusher-sa]
    roles/iam.serviceAccountTokenCreator   # granted to the Nullstone agent

main_container_name - string

The name of the container definition for the main service container.

A Kubernetes pod can contain one or many container definitions; main_container_name identifies the primary container. This is used by the Nullstone CLI to upgrade the image tag when deploying new versions.

deployer - object

A GCP service account that the Nullstone agent impersonates to deploy new versions to the GKE cluster.

Format

value = {
    project_id  = var.project_id
    email       = google_service_account.deployer.email
    id          = google_service_account.deployer.id
    impersonate = true
}

Required IAM permissions

[project]
    roles/container.developer
    roles/monitoring.viewer
[artifact-registry-repo]
    roles/artifactregistry.reader
[deployer-sa]
    roles/iam.serviceAccountTokenCreator   # granted to the Nullstone agent

log_provider - string

The name of the log provider.

For GKE, this is gke.

log_reader - object

A GCP service account that the Nullstone agent impersonates to read application logs.

Format

value = {
    project_id  = var.project_id
    email       = google_service_account.log_reader.email
    id          = google_service_account.log_reader.id
    impersonate = true
}

Required IAM permissions

[project]
    roles/logging.viewer
[log-reader-sa]
    roles/iam.serviceAccountTokenCreator   # granted to the Nullstone agent

metrics_provider - string

The name of the metrics provider.

For GKE, this is cloudmonitoring.

metrics_reader - object

A GCP service account that the Nullstone agent impersonates to read application metrics. This is aliased to the deployer SA, which already holds roles/monitoring.viewer.

Format

value = {
    project_id  = var.project_id
    email       = google_service_account.deployer.email
    impersonate = true
}
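The four impersonated service accounts above (image_pusher, deployer, log_reader and metrics_reader) follow one pattern: a dedicated SA per duty, roles bound at the narrowest scope the contract lists, and the Nullstone agent granted only the right to mint short-lived tokens for each SA. The following is an added Terraform example of that pattern in the contract's output format; it is not Nullstone's module code, and `var.nullstone_agent_email`, `var.region`, `var.repository_name` and `var.app_name` are assumed inputs.

```hcl
# Added example, not Nullstone's module code. One least-privilege layout that
# satisfies the image_pusher, deployer, log_reader and metrics_reader outputs.
# Assumed inputs: var.project_id, var.region, var.repository_name, var.app_name
# and var.nullstone_agent_email (hypothetical: the agent's own SA email).

variable "project_id" {}
variable "region" {}
variable "repository_name" {}
variable "app_name" {}
variable "nullstone_agent_email" {}

locals {
  agent = "serviceAccount:${var.nullstone_agent_email}"
  # One SA per duty: compromising one does not yield the others' rights.
  sa_ids = {
    image_pusher = "${var.app_name}-pusher"
    deployer     = "${var.app_name}-deployer"
    log_reader   = "${var.app_name}-logs"
  }
}

resource "google_service_account" "duty" {
  for_each   = local.sa_ids
  project    = var.project_id
  account_id = each.value # must be 6-30 chars; shorten app_name if needed
}

# [artifact-registry-repo]: bound on the repository, not the project.
resource "google_artifact_registry_repository_iam_member" "repo" {
  for_each = {
    pusher_write = { sa = "image_pusher", role = "roles/artifactregistry.writer" }
    pusher_read  = { sa = "image_pusher", role = "roles/artifactregistry.reader" }
    deploy_read  = { sa = "deployer", role = "roles/artifactregistry.reader" }
  }
  project    = var.project_id
  location   = var.region
  repository = var.repository_name
  role       = each.value.role
  member     = "serviceAccount:${google_service_account.duty[each.value.sa].email}"
}

# [project]: only the roles the contract requires at project scope.
resource "google_project_iam_member" "project" {
  for_each = {
    deploy_gke = { sa = "deployer", role = "roles/container.developer" }
    deploy_mon = { sa = "deployer", role = "roles/monitoring.viewer" }
    logs_view  = { sa = "log_reader", role = "roles/logging.viewer" }
  }
  project = var.project_id
  role    = each.value.role
  member  = "serviceAccount:${google_service_account.duty[each.value.sa].email}"
}

# [*-sa]: the agent may impersonate each SA for short-lived tokens but holds
# no project roles itself, so its reach is bounded by what the SAs can do.
resource "google_service_account_iam_member" "agent_token_creator" {
  for_each           = google_service_account.duty
  service_account_id = each.value.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = local.agent
}

# Outputs in the contract's format.
output "image_pusher" {
  value = {
    project_id  = var.project_id
    email       = google_service_account.duty["image_pusher"].email
    id          = google_service_account.duty["image_pusher"].id
    impersonate = true
  }
}

output "deployer" {
  value = {
    project_id  = var.project_id
    email       = google_service_account.duty["deployer"].email
    id          = google_service_account.duty["deployer"].id
    impersonate = true
  }
}

output "log_reader" {
  value = {
    project_id  = var.project_id
    email       = google_service_account.duty["log_reader"].email
    id          = google_service_account.duty["log_reader"].id
    impersonate = true
  }
}

# metrics_reader aliases the deployer SA, which already holds roles/monitoring.viewer.
output "metrics_reader" {
  value = {
    project_id  = var.project_id
    email       = google_service_account.duty["deployer"].email
    impersonate = true
  }
}
```

Because the agent reaches every SA only through `roles/iam.serviceAccountTokenCreator`, each impersonation shows up in Cloud Audit Logs as a `GenerateAccessToken` call naming both the agent and the target SA, which gives a single place to alert on token minting outside deploy windows.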

metrics_mappings - string

A JSON-encoded mapping of metric definitions used to render app metrics in the Nullstone UI.

job_definition_name - string [job only]

The name of the Kubernetes ConfigMap containing the Job template.

private_urls - list(string)

A list of URLs only accessible inside the network.

public_urls - list(string)

A list of URLs accessible to the public.