Overview

The GCP infrastructure provider enables you to deploy and manage compute workloads and networking resources on Google Cloud Platform using Datum’s declarative Kubernetes API.
The GCP provider is Datum’s first official infrastructure provider plugin, demonstrating the full capabilities of the provider plugin architecture.

Supported Features

The GCP provider supports the following Datum resources and capabilities:

VM Instances

Deploy Virtual Machine-based workload instances using OS images from an image library

Container Instances

Deploy sandboxed container-based workload instances with any OCI-compliant container image

VPC Networks

Create and manage Google Cloud VPC networks with automated IPAM

Multi-Network Attachment

Attach workload instances to one or more VPC networks

Installation

1. Configure GCP credentials

Create a Google Cloud service account with the necessary permissions and download the JSON key file.
gcloud iam service-accounts create datum-provider \
  --display-name="Datum GCP Provider"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:datum-provider@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.admin"

gcloud iam service-accounts keys create key.json \
  --iam-account=datum-provider@PROJECT_ID.iam.gserviceaccount.com
2. Create Kubernetes secret

Store the GCP credentials as a Kubernetes secret in your Datum control plane cluster.
kubectl create secret generic gcp-credentials \
  --from-file=key.json=./key.json \
  --namespace=datum-system
3. Install the GCP provider

Deploy the GCP provider operator to your Datum control plane cluster.
kubectl apply -f https://github.com/datum-cloud/infra-provider-gcp/releases/latest/download/install.yaml
4. Configure provider credentials

Create a ProviderConfig resource referencing your GCP credentials.
apiVersion: gcp.datum.net/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  projectID: your-gcp-project-id
  credentials:
    source: Secret
    secretRef:
      name: gcp-credentials
      namespace: datum-system
      key: key.json
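As an added example (not part of the Datum project or its docs), a pre-flight check that the ProviderConfig from step 4 and the key.json from step 1 agree with each other before they are applied. It assumes the manifest is already parsed into a Python dict (for instance with yaml.safe_load), and that the service-account name and secret namespace follow the steps above; the sample values are constructed.

```python
import json

SECRET_NAMESPACE = "datum-system"   # namespace used by the install steps above
SA_NAME = "datum-provider"          # service account created in step 1

# Constructed sample: the ProviderConfig from step 4 as parsed YAML, with spec.projectID filled in.
PROVIDER_CONFIG = {
    "apiVersion": "gcp.datum.net/v1alpha1", "kind": "ProviderConfig",
    "metadata": {"name": "default"},
    "spec": {"projectID": "example-project",
             "credentials": {"source": "Secret",
                             "secretRef": {"name": "gcp-credentials",
                                           "namespace": SECRET_NAMESPACE, "key": "key.json"}}},
}

# Constructed sample of key.json; only the fields checked below are meaningful, the key is a placeholder.
KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "datum-provider@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
})


def check_provider_credentials(provider_config: dict, key_json: str) -> list[str]:
    """Return a list of problems; an empty list means ProviderConfig and key.json agree."""
    problems = []
    spec = provider_config.get("spec", {})
    creds = spec.get("credentials", {})
    ref = creds.get("secretRef", {})
    project_id = spec.get("projectID")
    if provider_config.get("kind") != "ProviderConfig":
        problems.append("manifest is not a ProviderConfig")
    if not project_id:
        problems.append("spec.projectID is required")
    if creds.get("source") != "Secret":
        problems.append("spec.credentials.source must be 'Secret'")
    if (ref.get("namespace"), ref.get("key")) != (SECRET_NAMESPACE, "key.json"):
        problems.append("secretRef must point at namespace datum-system, key key.json (step 2)")
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError:
        return problems + ["key file is not valid JSON"]
    if key.get("type") != "service_account":
        problems.append("key file is not a service-account key")
    if project_id and key.get("project_id") != project_id:
        problems.append(f"key is for project {key.get('project_id')!r}, ProviderConfig targets {project_id!r}")
    expected_email = f"{SA_NAME}@{project_id}.iam.gserviceaccount.com"
    if key.get("client_email") != expected_email:
        problems.append(f"client_email {key.get('client_email')!r} != {expected_email!r}")
    return problems
```

A mismatch between the key's project_id and spec.projectID is the most common way to end up with a provider that authenticates fine but creates nothing.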

Deploying VM-based Workloads

Deploy virtual machine instances using Datum’s Workload resource:
apiVersion: workload.datum.net/v1alpha1
kind: Workload
metadata:
  name: web-servers
  namespace: my-project
spec:
  template:
    spec:
      # Use VM instances with a specific OS image
      instanceType: vm
      image: projects/debian-cloud/global/images/debian-11-bullseye-v20240110
      machineType: e2-medium
      
      # Network configuration
      networks:
        - name: my-vpc
  
  # Placement and scaling
  placement:
    providers:
      - name: gcp
        config:
          projectID: my-gcp-project
    regions:
      - us-central1
      - us-east1
  
  replicas: 3
This creates 3 Google Compute Engine VM instances distributed across the specified regions.

Deploying Container-based Workloads

Deploy containerized applications using OCI-compliant container images:
apiVersion: workload.datum.net/v1alpha1
kind: Workload
metadata:
  name: api-service
  namespace: my-project
spec:
  template:
    spec:
      # Use sandboxed container instances
      containers:
        - name: api
          image: gcr.io/my-project/api-service:v2.1.0
          ports:
            - containerPort: 8080
              protocol: TCP
          env:
            - name: DATABASE_URL
              value: postgresql://db.example.com/mydb
      
      # Network configuration
      networks:
        - name: my-vpc
  
  placement:
    providers:
      - name: gcp
    regions:
      - us-central1
  
  replicas: 5
Container-based workloads on GCP use a sandboxed container runtime for enhanced security and isolation.

VPC Network Management

Create and manage Google Cloud VPC networks with Datum’s Network resource:
apiVersion: network.datum.net/v1alpha1
kind: Network
metadata:
  name: my-vpc
  namespace: my-project
spec:
  provider: gcp
  
  # VPC configuration
  cidr: 10.0.0.0/16
  
  subnets:
    - name: subnet-us-central1
      cidr: 10.0.1.0/24
      region: us-central1
    
    - name: subnet-us-east1
      cidr: 10.0.2.0/24
      region: us-east1
  
  # IPAM is automatically managed
  ipam:
    enabled: true
The GCP provider creates:
  • A Google Cloud VPC network
  • Subnet resources in the specified regions
  • Automatic IP address allocation for workload instances

Multi-Network Attachment

Attach workload instances to multiple VPC networks:
apiVersion: workload.datum.net/v1alpha1
kind: Workload
metadata:
  name: database-cluster
  namespace: my-project
spec:
  template:
    spec:
      instanceType: vm
      image: projects/debian-cloud/global/images/debian-11-bullseye-v20240110
      machineType: n2-standard-4
      
      # Attach to multiple networks
      networks:
        - name: backend-vpc      # Private backend network
        - name: management-vpc   # Management/admin network
  
  placement:
    providers:
      - name: gcp
    regions:
      - us-central1
  
  replicas: 3
Each instance gets network interfaces in both VPC networks with automatically assigned IP addresses.
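An added example (not Datum's own code) serving both the VPC Network Management and Multi-Network Attachment sections: it checks that each Network's subnets fit inside the VPC CIDR without overlapping, and that every network a Workload attaches to exists in its namespace and has a subnet in each placement region. It assumes manifests already parsed into dicts (e.g. with yaml.safe_load); the sample resources are constructed, and management-vpc deliberately lacks a us-east1 subnet so the check has something to report.

```python
import ipaddress

# Constructed samples mirroring the manifests above; management-vpc deliberately has no us-east1 subnet.
NETWORKS = [
    {"kind": "Network", "metadata": {"name": "backend-vpc", "namespace": "my-project"},
     "spec": {"provider": "gcp", "cidr": "10.0.0.0/16", "subnets": [
         {"name": "subnet-us-central1", "cidr": "10.0.1.0/24", "region": "us-central1"},
         {"name": "subnet-us-east1", "cidr": "10.0.2.0/24", "region": "us-east1"}]}},
    {"kind": "Network", "metadata": {"name": "management-vpc", "namespace": "my-project"},
     "spec": {"provider": "gcp", "cidr": "10.1.0.0/16", "subnets": [
         {"name": "mgmt-us-central1", "cidr": "10.1.1.0/24", "region": "us-central1"}]}},
]
WORKLOAD = {
    "kind": "Workload", "metadata": {"name": "database-cluster", "namespace": "my-project"},
    "spec": {"template": {"spec": {"networks": [{"name": "backend-vpc"}, {"name": "management-vpc"}]}},
             "placement": {"providers": [{"name": "gcp"}], "regions": ["us-central1", "us-east1"]}},
}


def check_network(net: dict) -> list[str]:
    """Problems with one Network's CIDR layout: subnets outside the VPC range or overlapping each other."""
    problems, seen = [], []
    vpc = ipaddress.ip_network(net["spec"]["cidr"])
    for sn in net["spec"].get("subnets", []):
        cidr = ipaddress.ip_network(sn["cidr"])
        if not cidr.subnet_of(vpc):
            problems.append(f"{sn['name']}: {cidr} is outside VPC {vpc}")
        for other_name, other in seen:
            if cidr.overlaps(other):
                problems.append(f"{sn['name']} overlaps {other_name}")
        seen.append((sn["name"], cidr))
    return problems


def check_workload_networks(workload: dict, networks: list[dict]) -> list[str]:
    """Problems with a Workload's attachments: missing Network or no subnet in a placement region."""
    ns = workload["metadata"]["namespace"]
    by_name = {n["metadata"]["name"]: n for n in networks if n["metadata"]["namespace"] == ns}
    regions = workload["spec"].get("placement", {}).get("regions", [])
    problems = []
    for ref in workload["spec"]["template"]["spec"].get("networks", []):
        net = by_name.get(ref["name"])
        if net is None:
            problems.append(f"network {ref['name']!r} not found in namespace {ns!r}")
            continue
        covered = {sn["region"] for sn in net["spec"].get("subnets", [])}
        for region in regions:
            if region not in covered:
                problems.append(f"network {ref['name']!r} has no subnet in region {region!r}")
    return problems
```

Running both checks before kubectl apply catches the "Network configuration conflicts" class of failures listed under Troubleshooting without waiting on the provider to reconcile.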

Configuration Reference

Provider Configuration

| Field | Description | Required |
| --- | --- | --- |
| projectID | GCP project ID where resources will be created | Yes |
| credentials | Reference to GCP service account credentials | Yes |
| region | Default region for resources (can be overridden per workload) | No |

Workload VM Options

| Field | Description | Default |
| --- | --- | --- |
| instanceType | Set to vm for VM-based instances | - |
| image | GCP VM image (project/image format) | - |
| machineType | GCP machine type (e.g., e2-medium, n2-standard-4) | e2-medium |
| diskSize | Boot disk size in GB | 10 |
| diskType | Disk type (pd-standard, pd-ssd, pd-balanced) | pd-standard |

Workload Container Options

| Field | Description |
| --- | --- |
| containers | List of container specifications |
| containers[].name | Container name |
| containers[].image | OCI container image reference |
| containers[].ports | List of exposed ports |
| containers[].env | Environment variables |

Monitoring and Status

Check the status of your GCP-backed workloads:
# View workload status
kubectl get workload web-servers -n my-project -o yaml

# Check individual instances
kubectl get instances -n my-project -l workload=web-servers

# View provider-specific details
kubectl describe workloaddeployment web-servers-gcp -n my-project
The status shows:
  • Provisioned GCP instance IDs
  • Assigned IP addresses
  • Instance health and readiness
  • Any provisioning errors

Troubleshooting

Check the GCP provider logs:
kubectl logs -n datum-system -l app=gcp-provider
Common issues:
  • Insufficient GCP quotas for the machine type or region
  • Invalid service account permissions
  • Network configuration conflicts
Ensure the Network resource exists and is in a ready state:
kubectl get network my-vpc -n my-project
The network must be successfully created in GCP before workloads can reference it.
Verify the GCP credentials secret is correctly configured:
kubectl get secret gcp-credentials -n datum-system
kubectl describe providerconfig default
Ensure the service account has the required IAM roles:
  • roles/compute.admin
  • roles/compute.networkAdmin (for VPC management)

Next Steps

Workload Concepts

Learn more about Datum’s Workload resource and placement rules

Network Concepts

Understand Datum’s network management capabilities

Gateway Integration

Expose your workloads with Kubernetes Gateway API

Custom Providers

Build your own infrastructure provider plugin