fusionauth logo
search-interface-symbol
Downloads
Quickstarts
API Docs
SDK
search-interface-symbol
talk to an expert
Log In
talk to an expert
Navigate to...
  • Welcome
  • Getting Started
    • Getting Started
    • 5-minute Setup Guide
      • Overview
      • Docker
      • Fast Path
      • Sandbox
    • Setup Wizard & First Login
    • Register a User and Login
    • Self-service Registration
    • Start and Stop FusionAuth
    • Core Concepts
      • Overview
      • Users
      • Roles
      • Groups
      • Registrations
      • Applications
      • Tenants
      • Identity Providers
      • Authentication/Authorization
      • Integration Points
    • Example Apps
      • Overview
      • Dart
      • Go
      • Java
      • JavaScript
      • .NET Core
      • PHP
      • Python
      • Ruby
    • Tutorials
      • Overview
      • Express.js
      • Flutter
      • Java Spring
      • Python Django
      • Python Flask
      • React
      • Ruby on Rails
      • Ruby on Rails API
  • Installation Guide
    • Overview
    • System Requirements
    • Server Layout
    • Cloud
    • Cluster
    • Docker
    • Fast Path
    • Kubernetes
      • Overview
      • Deployment Guide
      • Minikube Setup
      • Amazon EKS Setup
      • Google GKE Setup
      • Microsoft AKS Setup
    • Kickstart™
    • Homebrew
    • Marketplaces
    • Packages
    • Database
    • FusionAuth App
    • FusionAuth Search
    • Common Configuration
  • Migration Guide
    • Overview
    • General
    • Auth0
    • Keycloak
    • Amazon Cognito
    • Firebase
    • Microsoft Azure AD B2C
    • Tutorial
  • Admin Guide
    • Overview
    • Account Portal
    • Config Management
    • Editions and Features
    • Key Rotation
    • Licensing
    • Monitoring
    • Prometheus Setup
    • Proxy Setup
    • Reference
      • Overview
      • Configuration
      • CORS
      • Data Types
      • Hosted Login Pages Cookies
      • Known Limitations
      • Password Hashes
    • Releases
    • Roadmap
    • Search And FusionAuth
    • Securing
    • Switch Search Engines
    • Technical Support
    • Troubleshooting
    • Upgrading
    • WebAuthn
  • Login Methods
    • Identity Providers
      • Overview
      • Apple
      • Epic Games
      • External JWT
        • Overview
        • Example
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
        • Overview
        • Amazon Cognito
        • Azure AD
        • Discord
        • Github
        • Okta
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • SAML v2
        • Overview
        • ADFS
        • Azure AD
        • Okta
      • SAML v2 IdP Initiated
        • Overview
        • Okta
      • Xbox
    • OIDC & OAuth 2.0
      • Overview
      • Endpoints
      • Tokens
      • OAuth Modes
      • URL Validation
      • Integrations
        • CockroachDB
        • Salesforce
    • Passwordless
      • Overview
      • Magic Links
      • WebAuthn & Passkeys
    • SAML v2 IdP
      • Overview
      • Google
      • PagerDuty
      • SendGrid
      • Tableau Cloud
      • Zendesk
  • Developer Guide
    • Overview
    • API Gateways
      • Overview
      • Amazon API Gateway
      • Kong Gateway
      • ngrok Cloud Edge
    • Client Libraries & SDKs
      • Overview
      • Dart
      • Go
      • Java
      • JavaScript
      • .NET Core
      • Node
      • OpenAPI
      • PHP
      • Python
      • React
      • Ruby
      • Typescript
    • Events & Webhooks
      • Overview
      • Writing a Webhook
      • Securing Webhooks
      • Events
        • Overview
        • Audit Log Create
        • Event Log Create
        • JWT Public Key Update
        • JWT Refresh
        • JWT Refresh Token Revoke
        • Kickstart Success
        • Group Create
        • Group Create Complete
        • Group Delete
        • Group Delete Complete
        • Group Update
        • Group Update Complete
        • Group Member Add
        • Group Member Add Complete
        • Group Member Remove
        • Group Member Remove Complete
        • Group Member Update
        • Group Member Update Complete
        • User Action
        • User Bulk Create
        • User Create
        • User Create Complete
        • User Deactivate
        • User Delete
        • User Delete Complete
        • User Email Update
        • User Email Verified
        • User IdP Link
        • User IdP Unlink
        • User Login Failed
        • User Login Id Dup. Create
        • User Login Id Dup. Update
        • User Login New Device
        • User Login Success
        • User Login Suspicious
        • User Password Breach
        • User Password Reset Send
        • User Password Reset Start
        • User Password Reset Success
        • User Password Update
        • User Reactivate
        • User Reg. Create
        • User Reg. Create Complete
        • User Reg. Delete
        • User Reg. Delete Complete
        • User Registration Update
        • User Reg. Update Complete
        • User Reg. Verified
        • User 2FA Method Add
        • User 2FA Method Remove
        • User Update
        • User Update Complete
    • Guides
      • Overview
      • Application Specific Email Templates
      • Authentication Tokens
      • Exposing A Local Instance
      • JSON Web Tokens
      • Key Master
      • Localization and Internationalization
      • Multi-Factor Authentication
      • Multi-Tenant
      • Passwordless
      • Registration-based Email Verification
      • Searching With Elasticsearch
      • Securing Your APIs
      • Silent Mode
      • Single Sign-on
      • Two Factor (pre 1.26)
    • Integrations
      • Overview
      • CleanSpeak
      • Kafka
      • Twilio
    • Plugins
      • Overview
      • Writing a Plugin
      • Custom Password Hashing
    • User Control & Gating
      • Overview
      • Gate Unverified Users
      • Gate Unverified Registrations
      • User Account Lockout
  • Customization
    • Email & Templates
      • Overview
      • Configure Email
      • Email Templates
      • Email Variables
      • Message Templates
    • Lambdas
      • Overview
      • Apple Reconcile
      • Client Cred. JWT Populate
      • Epic Games Reconcile
      • External JWT Reconcile
      • Facebook Reconcile
      • Google Reconcile
      • HYPR Reconcile
      • JWT Populate
      • LDAP Connector Reconcile
      • LinkedIn Reconcile
      • Nintendo Reconcile
      • OpenID Connect Reconcile
      • SAML v2 Populate
      • SAML v2 Reconcile
      • SCIM Group Req. Converter
      • SCIM Group Resp. Convtr.
      • SCIM User Req. Converter
      • SCIM User Resp. Converter
      • Self-Service Registration
      • Sony PSN Reconcile
      • Steam Reconcile
      • Twitch Reconcile
      • Twitter Reconcile
      • Xbox Reconcile
    • Messengers
      • Overview
      • Generic Messenger
      • Twilio Messenger
    • Themes
      • Overview
      • Examples
      • Helpers
      • Localization
      • Template Variables
      • Kickstart Custom Theme
  • Premium Features
    • Overview
    • Advanced Registration Forms
    • Advanced Threat Detection
    • Application Specific Themes
    • Breached Password Detection
    • Connectors
      • Overview
      • Generic Connector
      • LDAP Connector
      • FusionAuth Connector
    • Entity Management
    • SCIM
      • Overview
      • Azure AD Client
      • Okta Client
      • SCIM-SDK
    • Self Service Account Mgmt
      • Overview
      • Updating User Data & Password
      • Add Two-Factor Authenticator
      • Add Two-Factor Email
      • Add Two-Factor SMS
      • Add WebAuthn Passkey
      • Customizing
      • Bootstrapping Login
      • Troubleshooting
    • WebAuthn
  • APIs
    • Overview
    • Authentication
    • Errors
    • API Explorer
    • Actioning Users
    • API Keys
    • Applications
    • Audit Logs
    • Connectors
      • Overview
      • Generic
      • LDAP
    • Consents
    • Emails
    • Entity Management
      • Overview
      • Entities
      • Entity Types
      • Grants
    • Event Logs
    • Families
    • Forms
    • Form Fields
    • Groups
    • Hosted Backend
    • Identity Providers
      • Overview
      • Links
      • Apple
      • External JWT
      • Epic Games
      • Facebook
      • Google
      • HYPR
      • LinkedIn
      • Nintendo
      • OpenID Connect
      • SAML v2
      • SAML v2 IdP Initiated
      • Sony PlayStation Network
      • Steam
      • Twitch
      • Twitter
      • Xbox
    • Integrations
    • IP Access Control Lists
    • JWT
    • Keys
    • Lambdas
    • Login
    • Message Templates
    • Messengers
      • Overview
      • Generic
      • Twilio
    • Multi-Factor/Two Factor
    • Passwordless
    • Reactor
    • Registrations
    • Reports
    • SCIM
      • Overview
      • SCIM User
      • SCIM Group
      • SCIM EnterpriseUser
      • SCIM Service Provider Config.
    • System
    • Tenants
    • Themes
    • Users
    • User Actions
    • User Action Reasons
    • User Comments
    • WebAuthn
    • Webhooks
  • Release Notes

    Provision a Google Kubernetes Engine (GKE) Kubernetes Cluster

    Overview

    This guide will show you how to set up a GKE cluster on Google Cloud Platform, commonly referred to as GCP. When completed, you will have a fully functional Kubernetes cluster ready to deploy FusionAuth to as well as a PostgreSQL database using GCP’s Cloud SQL. The following method uses the default settings when provisioning the GKE cluster with the required resources and services. It is recommended that you consult Google Kubernetes Engine for full GKE documentation, including any custom changes needed for your situation.

    Requirements

    • Google Cloud Platform account with sufficient IAM permissions to create resources.

    • gcloud - Command Line tool used to manage resources in Google Cloud. For installation instructions, see Installing Cloud SDK.

    • kubectl - Command line tool that interacts with the Kubernetes API server and is useful for managing Kubernetes clusters. Before proceeding, follow the installation documentation that corresponds to your platform found here. This guide will be using version 1.22

    Architecture

    The resulting GKE cluster will use a VPC-native cluster in the us-west1 region of which consists of three availability zones (us-west1-a, us-west1-b, and us-west1-c). You will provision a Cloud SQL PostgreSQL instance to satisfy installation requirements of FusionAuth.

    GCP provides a number of configuration options designed to meet specific needs based on cluster availability and workload types. For this example, you will use the Standard mode of operation.

    GKE Architecture

    Project Setup

    Having installed the Cloud SDK, authorize gcloud to access GCP using your Google credentials:

    Authorize gcloud
    
    gcloud auth login

    Now create a new project used to organize all of your Google Cloud resources:

    Create a project
    
    gcloud projects create fusionauth-gke-example \
      --name="FusionAuth GKE example"

    You will want to set the newly created project as your default project. When you create resources and enable APIs, they will be assigned to your default project:

    Set the default project
    
    gcloud config set project fusionauth-gke-example
    Output of the default project selection command
    
    Create in progress for [https://cloudresourcemanager.googleapis.com/v1/projects/fusionauth-gke-example].
    Waiting for [operations/cp.999999999156305912] to finish...done.
    Enabling service [cloudapis.googleapis.com] on project [fusionauth-gke-example]...

    Enable Billing

    In order to proceed, you will need to enable and link billing for your project. To do this:

    1. Navigate to the GCP Console.

    2. From the navigation menu, select Billing.

    3. Verify that billing is enabled for your project. If it’s not, follow the prompts to link a billing to your project.

    Enable Required APIs

    Enable the Kubernetes Engine API. This will allow you to make a service request to the API to create your GKE cluster:

    Enable Kubernetes Engine API
    
    gcloud services enable container.googleapis.com

    You will need to enable the Cloud SQL API in order to create a PostgreSQL database. Run the following command to do this:

    Enable Cloud SQL API
    
    gcloud services enable sqladmin.googleapis.com

    In order for our GKE cluster to communicate with PostgreSQL and Elasticsearch on internal IP addresses, the Service Networking API must be enabled:

    Enable Cloud SQL API
    
    gcloud services enable servicenetworking.googleapis.com \
        --project=fusionauth-gke-example

    Configure the Network

    Allocate an IP address range for private communication on your VPC:

    Create a private IP address range
    
    gcloud compute addresses create fusionauth-private-range \
      --global \
      --purpose=VPC_PEERING \
      --addresses=192.168.0.0 \
      --prefix-length=16 \
      --description="Fusionauth private IP range for GKE and SQL" \
      --network=default
    Created [https://www.google

    In order for GKE to communicate with Cloud SQL and Elasticsearch over a private network you need to create a private connection from your VPC network to the underlying service producer network.

    Create a private connection
    
    gcloud services vpc-peerings connect \
      --service=servicenetworking.googleapis.com \
      --ranges=fusionauth-private-range \
      --network=default \
      --project=fusionauth-gke-example

    Create a GKE Cluster

    With your project configured, billing enabled, and the Kubernetes Engine API enabled, you can proceed to create your GKE cluster.

    To create a new cluster, execute the following.

    Create GKE cluster
    
    gcloud container clusters create fusionauth-cluster \
      --num-nodes=1 \
      --region=us-west1 \
      --enable-ip-alias \
      --cluster-version=1.21.4-gke.2300 \
      --cluster-ipv4-cidr=10.44.0.0/14 \
      --services-ipv4-cidr=10.48.0.0/20
    • num-nodes - The number of nodes to be created in each zone. In this example, you specify the region of which consists of three zones. Therefore you will have a total of 3 nodes.

    • region - The region to create the cluster.

    • enable-ip-alias - Indicates to create a VPC-native cluster. This greatly simplifies network connectivity when communicating with the database by making pod IP addresses natively routable within the cluster’s VPC network.

    • cluster-version - The Kubernetes version to use. [optional]

    • cluster-ipv4-cidr - Used to create the subnet’s secondary IP address range for Pods. [optional]

    • service-ip-range - Used to create the subnet’s secondary IP address range for Services. [optional]

      For more information on the create command, see gcloud container clusters create documentation.

    Update Kubernetes Configuration

    If the create operation completed successfully, the last thing it will do is update your local ~/.kube file. If that didn’t happen for whatever reason, gcloud provides the following to update your configuration and set the newly created cluster as the active context. This will let you use kubectl to access your cluster.

    Get and update Kubeconfig
    
    gcloud container clusters get-credentials fusionauth-cluster

    Verify Cluster Configuration

    Execute the list command to see GKE clusters that have been configured.

    Get cluster information
    
    gcloud container clusters list
    
    NAME                LOCATION  MASTER_VERSION   MASTER_IP     MACHINE_TYPE  NODE_VERSION     NUM_NODES  STATUS
    fusionauth-cluster  us-west1  1.21.4-gke.2300  34.83.218.38  e2-medium     1.21.4-gke.2300  3          RUNNING

    You now have a fully functional provisioned EKS cluster. For good measure, view the nodes that have been created. Use kubectl to make requests to the Kubernetes API Server.

    Get list of nodes running on the cluster
    
    kubectl get nodes -o wide
    
    NAME                                                STATUS   ROLES    AGE   VERSION            INTERNAL-IP   EXTERNAL-IP      OS-IMAGE                             KERNEL-VERSION   CONTAINER-RUNTIME
    gke-fusionauth-cluster-default-pool-2a2e7af5-nrrb   Ready    <none>   66m   v1.21.4-gke.2300   10.138.0.23   35.203.183.157   Container-Optimized OS from Google   5.4.120+         containerd://1.4.4
    gke-fusionauth-cluster-default-pool-30c935b6-0mt4   Ready    <none>   66m   v1.21.4-gke.2300   10.138.0.24   35.185.202.53    Container-Optimized OS from Google   5.4.120+         containerd://1.4.4
    gke-fusionauth-cluster-default-pool-431a5f55-rf11   Ready    <none>   66m   v1.21.4-gke.2300   10.138.0.22   34.145.99.163    Container-Optimized OS from Google   5.4.120+         containerd://1.4.4

    Great! You have three nodes in a READY status. You can proceed to setting up a database.

    Create a Database

    Create a SQL Cloud PostgreSQL instance required for FusionAuth installation.

    Create Cloud SQL for PostgreSQL instance
    
    gcloud beta sql instances create fusionauth-test-db \
      --project=fusionauth-gke-example \
      --database-version=POSTGRES_12 \
      --tier=db-g1-small  \
      --region=us-west1 \
      --network=default \
      --no-assign-ip
    • project - The Id of the shared VPC service.

    • database-version - Database engine type and version. See FusionAuth supported databases here.

    • tier - Machine type for a shared-core instance.

    • region - The region to create the cluster.

    • network - Network in the current project that the instance will be part of.

    • no-assign-ip - Disables assignment of a public IP address.

      For more information on the create command, see gcloud beta sql instances create documentation.

    Configure the Default User

    Google cloud SQL requires that you execute the following to configure the postgres user.

    Set admin user password
    
    gcloud sql users set-password postgres \
      --instance=fusionauth-test-db \
      --password=changeMeToSomethingMoreSecure

    Verify Database Creation

    Get list of Cloud SQL instances in the current project
    
    gcloud sql instances list
    
    NAME                 DATABASE_VERSION  LOCATION    TIER               PRIMARY_ADDRESS  PRIVATE_ADDRESS  STATUS
    fusionauth-test-db3  POSTGRES_12       us-west1-a  db-g1-small        -                10.50.144.5      RUNNABLE

    Deploy Elasticsearch using Elastic Cloud

    Google Cloud offers its Elasticsearch Service through Elastic Cloud. This section will guide you through setting up your account and deploying an Elasticsearch cluster.

    From the navigation menu in the GCP console, click on Elasticsearch Service and then click the Enable button. Follow the instructions on the next screen to setup a new Elastic Cloud subscription.

    Elasticsearch service enable subscription screen

    After you have set up a subscription you will land on the GCP Elasticsearch Service Overview page. From here, click on the Manage Via Elastic button near the top of the window.

    GCP Elasticsearch service screen

    This will redirect you to the Elastic Cloud website. Login to Elastic Cloud using your Google account credentials.

    After logging in, you will arrive at your Elastic Cloud dashboard. To begin creating a new Elasticsearch cluster, click on the Create deployment button.

    Elastic Cloud dashboard screen

    Input a name for your deployment and again click on Create deployment.

    Create deployment screen

    At this point, your deployment is now being created. You will be presented with deployment credentials on the next page. Download or save your credentials as instructed.

    Save credentials screen

    When your deployment creation process is complete, click on the Continue button. You will then be directed to your Elastic Cloud dashboard and will see your new deployment listed.

    Click on the name of your deployment to manage it.

    Elastic Cloud dashboard with deployment screen

    From this dashboard, you have access to all of the necessary endpoint information you will need to connect to your deployment.

    Elastic Cloud deployment dashboard screen

    Under Applications, click on the Copy endpoint link next to Elasticsearch to copy the URL to your clipboard. You will need to save this URL for use when deploying FusionAuth to your GKE cluster.

    Next Steps

    You now are running all the necessary infrastructure to deploy a containerized application to GKE.

    Next up, Deploy FusionAuth in Kubernetes.

    Feedback

    How helpful was this page?

    See a problem?

    File an issue in our docs repo

    Have a question or comment to share?

    Visit the FusionAuth community forum.

    © 2023 FusionAuth
    How-to
    Blog
    Expert Advice
    Download
    Release Notes
    Subscribe for developer updates