GCP with Cloud Monitoring

This section shows how to configure the chart and provision the infrastructure to observe DataRobot on GCP managed services.

Requirements

An OIDC provider must be configured. Refer to the Google - Google Kubernetes Engine (GKE) documentation in the installation guide.

The created Google service account must:

  • be assigned the logging.logWriter, monitoring.metricWriter and cloudtrace.agent roles
  • be bound to each of the Kubernetes service accounts that are bound to the observability subchart pods

The Kubernetes service accounts used by the pods are the following (unless explicitly named otherwise in the subchart):

  • observability-v2-otel-deployment
  • observability-v2-otel-daemonset
  • observability-v2-otel-statsd
  • observability-v2-otel-scraper
  • observability-v2-otel-scraper-static

This is explained below.

Google service account

First, the Google Service Account needs to be created for the project:

GOOGLE_SERVICE_ACCOUNT_ID="<GOOGLE_SERVICE_ACCOUNT_ID>"
PROJECT_NAME="<PROJECT_NAME>"
GOOGLE_SERVICE_ACCOUNT_DISPLAY_NAME="<GOOGLE_SERVICE_ACCOUNT_DISPLAY_NAME>"

gcloud iam service-accounts create "$GOOGLE_SERVICE_ACCOUNT_ID" \
    --project="$PROJECT_NAME" \
    --display-name="$GOOGLE_SERVICE_ACCOUNT_DISPLAY_NAME"

# Required for subsequent steps
GOOGLE_SERVICE_ACCOUNT_EMAIL="$GOOGLE_SERVICE_ACCOUNT_ID@$PROJECT_NAME.iam.gserviceaccount.com"

The GOOGLE_SERVICE_ACCOUNT_EMAIL value will be needed later to configure the chart. It takes the form <GOOGLE_SERVICE_ACCOUNT_ID>@<PROJECT_NAME>.iam.gserviceaccount.com, where GOOGLE_SERVICE_ACCOUNT_ID and PROJECT_NAME are the values specified above when creating the account.

Role binding to the Google service account

The previously mentioned roles need to be bound to this account:

declare -a PROJECT_ROLES=(
    "roles/logging.logWriter"
    "roles/monitoring.metricWriter"
    "roles/cloudtrace.agent"
)

for ROLE in "${PROJECT_ROLES[@]}"; do
    echo "  -> Granting role: $ROLE"
    gcloud projects add-iam-policy-binding "$PROJECT_NAME" \
        --member="serviceAccount:$GOOGLE_SERVICE_ACCOUNT_EMAIL" \
        --role="$ROLE" \
        --no-user-output-enabled
done

Workload identity binding to Kubernetes service accounts

Finally, the Kubernetes service accounts mentioned earlier need to be bound to the Google service account. This binding grants the Workload Identity User role on the Google service account, which is what lets each Kubernetes service account impersonate it:

NAMESPACE="<KUBERNETES_NAMESPACE>"

# Role that allows a Kubernetes service account in the project's Workload
# Identity pool to impersonate the Google service account
WORKLOAD_IDENTITY_BINDING_ROLE="roles/iam.workloadIdentityUser"

declare -a KUBERNETES_SERVICE_ACCOUNT_NAMES=(
    "observability-v2-otel-deployment"
    "observability-v2-otel-daemonset"
    "observability-v2-otel-statsd"
    "observability-v2-otel-scraper"
    "observability-v2-otel-scraper-static"
)

for KSA in "${KUBERNETES_SERVICE_ACCOUNT_NAMES[@]}"; do
    # Member identity of the Kubernetes service account in the Workload Identity pool
    MEMBER="serviceAccount:${PROJECT_NAME}.svc.id.goog[${NAMESPACE}/${KSA}]"

    gcloud iam service-accounts add-iam-policy-binding "$GOOGLE_SERVICE_ACCOUNT_EMAIL" \
        --project="$PROJECT_NAME" \
        --role="$WORKLOAD_IDENTITY_BINDING_ROLE" \
        --member="$MEMBER" \
        --no-user-output-enabled
done
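To confirm that the three steps above produced exactly the intended bindings before installing the chart, here is an added offline checker. It is example code written for this page, not part of the DataRobot documentation or chart. It reads the JSON that gcloud projects get-iam-policy, gcloud iam service-accounts get-iam-policy and kubectl get sa -o json return, reports missing roles, flags roles beyond the three the exporters need (the least-privilege check), verifies that each Kubernetes service account holds roles/iam.workloadIdentityUser on the Google service account, and checks the iam.gke.io/gcp-service-account annotation that GKE Workload Identity requires on each Kubernetes service account. The project id, namespace and service account e-mail in the sample data are constructed placeholders.

```python
"""Offline checker for the GCP IAM and Workload Identity bindings (added example)."""
from typing import Dict, Iterable, List, Set, Tuple

# Project-level roles this page grants, and the Workload Identity role on the GSA
EXPECTED_PROJECT_ROLES = {
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/cloudtrace.agent",
}
WORKLOAD_IDENTITY_ROLE = "roles/iam.workloadIdentityUser"
KSA_NAMES = [
    "observability-v2-otel-deployment",
    "observability-v2-otel-daemonset",
    "observability-v2-otel-statsd",
    "observability-v2-otel-scraper",
    "observability-v2-otel-scraper-static",
]


def roles_for_member(policy: dict, member: str) -> Set[str]:
    """Every role `member` holds in a policy document as printed by
    `gcloud ... get-iam-policy --format=json` ({"bindings": [{"role", "members"}]})."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_project_roles(policy: dict, gsa_email: str) -> Tuple[Set[str], Set[str]]:
    """Return (missing, unexpected) project roles for the Google service account.
    Anything in `unexpected` (roles/editor, roles/owner, ...) exceeds what the
    exporters need and should be removed."""
    held = roles_for_member(policy, f"serviceAccount:{gsa_email}")
    return EXPECTED_PROJECT_ROLES - held, held - EXPECTED_PROJECT_ROLES


def workload_identity_member(project: str, namespace: str, ksa: str) -> str:
    """Member string GKE uses for a Kubernetes service account in the identity pool."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


def check_workload_identity(sa_policy: dict, project: str, namespace: str,
                            ksa_names: Iterable[str] = KSA_NAMES) -> List[str]:
    """Kubernetes service accounts that cannot impersonate the GSA (binding missing)."""
    return [k for k in ksa_names
            if WORKLOAD_IDENTITY_ROLE not in
            roles_for_member(sa_policy, workload_identity_member(project, namespace, k))]


def check_ksa_annotations(ksa_objects: Dict[str, dict], gsa_email: str,
                          ksa_names: Iterable[str] = KSA_NAMES) -> List[str]:
    """Kubernetes service accounts whose iam.gke.io/gcp-service-account annotation is
    absent or names a different GSA. `ksa_objects` maps name -> `kubectl get sa -o json`."""
    bad = []
    for k in ksa_names:
        ann = ksa_objects.get(k, {}).get("metadata", {}).get("annotations", {})
        if ann.get("iam.gke.io/gcp-service-account") != gsa_email:
            bad.append(k)
    return bad


# --- Constructed sample data (placeholders, shaped like real gcloud/kubectl output) ---
SAMPLE_PROJECT = "example-project"
SAMPLE_NAMESPACE = "datarobot"
SAMPLE_GSA = f"dr-observability@{SAMPLE_PROJECT}.iam.gserviceaccount.com"
SAMPLE_PROJECT_POLICY = {"bindings": [
    {"role": "roles/logging.logWriter", "members": [f"serviceAccount:{SAMPLE_GSA}"]},
    {"role": "roles/monitoring.metricWriter", "members": [f"serviceAccount:{SAMPLE_GSA}"]},
    # cloudtrace.agent is deliberately absent; roles/editor is deliberately over-broad
    {"role": "roles/editor", "members": [f"serviceAccount:{SAMPLE_GSA}", "user:admin@example.com"]},
]}
SAMPLE_SA_POLICY = {"bindings": [{
    "role": WORKLOAD_IDENTITY_ROLE,
    # statsd is deliberately left out of the Workload Identity binding
    "members": [workload_identity_member(SAMPLE_PROJECT, SAMPLE_NAMESPACE, k)
                for k in KSA_NAMES if k != "observability-v2-otel-statsd"],
}]}
SAMPLE_KSAS = {k: {"metadata": {"name": k, "annotations":
                                {"iam.gke.io/gcp-service-account": SAMPLE_GSA}}}
               for k in KSA_NAMES}
SAMPLE_KSAS["observability-v2-otel-scraper"]["metadata"]["annotations"] = {}  # annotation missing


def run_checks(project_policy=SAMPLE_PROJECT_POLICY, sa_policy=SAMPLE_SA_POLICY,
               ksas=SAMPLE_KSAS, project=SAMPLE_PROJECT, namespace=SAMPLE_NAMESPACE,
               gsa_email=SAMPLE_GSA) -> dict:
    """Run all checks; every list is empty when the setup matches the page."""
    missing, unexpected = check_project_roles(project_policy, gsa_email)
    return {
        "missing_project_roles": sorted(missing),
        "unexpected_project_roles": sorted(unexpected),
        "ksa_without_workload_identity": check_workload_identity(sa_policy, project, namespace),
        "ksa_without_annotation": check_ksa_annotations(ksas, gsa_email),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value or 'ok'}")
```

Against a real project, pass the parsed output of gcloud projects get-iam-policy "$PROJECT_NAME" --format=json, gcloud iam service-accounts get-iam-policy "$GOOGLE_SERVICE_ACCOUNT_EMAIL" --format=json and kubectl get sa -n "$NAMESPACE" -o json to run_checks; the sample data is built to trip every check once so the output format is visible.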

Full chart configuration

A full working example of the configuration can be found in the datarobot-prime/charts/datarobot-observability-core/examples/gke.values.yaml file in the DataRobot tarball.

In the minimal configuration without additional custom processors (see extending pipelines with custom processors), the values to update are the following:

  • SERVICE_ACCOUNT: see Google service account
  • PROJECT_NAME: the project name where DataRobot is deployed. This value is the same as the one used in the Google service account section
  • LOG_NAME: a default name for log entries (log.default_log_name in googlecloudexporter)

For additional exporter configuration, check the specific exporter definition where these values are referenced, where a link to the upstream exporter documentation is included.

Once the values are set, DataRobot can be installed or upgraded by passing the path to this file to the helm command with the -f option.