
Install Otomi on GKE with a GCP DNS zone


Note: If you log in via Google Cloud Shell, you do not need to install the prerequisites.

GCloud CLI Cheat Sheet

# Initialize the CLI, authenticate and select the project
gcloud init
gcloud auth login
gcloud config set project PROJECT_ID

# Enable the Google service APIs the cluster and DNS zone need
gcloud services enable
gcloud services enable

Create a GKE cluster

Set up environment variables

# Set the cluster name (CLUSTER_NAME) and region (COMPUTE_REGION) before running
# Create a regional cluster with autoscaling and network policy enforcement
# Note: on a regional cluster --num-nodes, --min-nodes and --max-nodes are per zone
gcloud container clusters create $CLUSTER_NAME \
--region $COMPUTE_REGION \
--enable-autoscaling \
--enable-network-policy \
--num-nodes 1 \
--min-nodes 1 \
--max-nodes 3 \
--machine-type e2-standard-8

Update the Kubernetes config file

gcloud container clusters get-credentials $CLUSTER_NAME --region $COMPUTE_REGION

Configure DNS

Create Cloud DNS Zone

Create a DNS zone that will contain the managed DNS records. If you use your own domain registered with a third-party registrar, point the domain's name servers at the values listed under the nameServers key of the zone; consult your registrar's documentation for how to do that. Until the delegation is in place, ExternalDNS will create records in the zone but nobody on the internet will resolve them. This tutorial will use the example domain of

gcloud dns managed-zones create "example-com" --dns-name "" \
--description "Automatically managed zone by"

Make a note of the name servers that were assigned to your new zone; these are the values to configure at your registrar.

gcloud dns record-sets list \
--zone "example-com" --name "" --type NS
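Delegation mistakes (a missing name server, a typo, the wrong zone) are the most common reason a fresh Otomi install never gets a working certificate. The script below is an added example, not part of the Otomi documentation: it normalizes and compares the name-server set that Cloud DNS assigned to the zone with the set the public DNS actually returns for the domain. The comparison function is pure and is exercised with constructed lists; the live check assumes `gcloud` and `dig` are on the path and that the `--format 'value(rrdatas)'` output joins the NS entries with semicolons.

```bash
#!/usr/bin/env bash
# Added example (not from the Otomi docs): check that registrar delegation
# matches the name servers Cloud DNS assigned to the managed zone.
set -eu

# Lower-case, strip trailing dots and blank lines, sort and dedupe, so that
# "NS-CLOUD-A1.googledomains.com." and "ns-cloud-a1.googledomains.com" compare equal.
norm_ns() {
  tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# same_name_servers EXPECTED ACTUAL
# Both arguments are newline-separated lists in any order. Returns 0 only if
# the two sets are identical: a partial delegation (3 of 4 servers) is a failure,
# because resolvers will intermittently hit servers that are not authoritative.
same_name_servers() {
  [ "$(printf '%s\n' "$1" | norm_ns)" = "$(printf '%s\n' "$2" | norm_ns)" ]
}

# check_delegation ZONE DOMAIN   (live check; needs gcloud and dig)
# ZONE is the Cloud DNS managed-zone name (e.g. example-com), DOMAIN the apex.
check_delegation() {
  zone=$1 domain=$2
  # rrdatas is a list; the value() format joins its items with ';'
  expected=$(gcloud dns record-sets list --zone "$zone" --name "$domain." --type NS \
               --format 'value(rrdatas)' | tr ';' '\n')
  actual=$(dig +short NS "$domain")
  if same_name_servers "$expected" "$actual"; then
    echo "delegation OK for $domain"
  else
    echo "delegation MISMATCH for $domain" >&2
    echo "zone expects:" >&2;  printf '%s\n' "$expected" | norm_ns >&2
    echo "dns returns:"  >&2;  printf '%s\n' "$actual"   | norm_ns >&2
    return 1
  fi
}

# Constructed sample: what a correctly delegated zone looks like offline.
zone_ns='ns-cloud-a1.googledomains.com.
ns-cloud-a2.googledomains.com.
ns-cloud-a3.googledomains.com.
ns-cloud-a4.googledomains.com.'
registrar_ns='NS-CLOUD-A4.googledomains.com
ns-cloud-a3.googledomains.com
ns-cloud-a2.googledomains.com
ns-cloud-a1.googledomains.com'
same_name_servers "$zone_ns" "$registrar_ns" && echo "sample delegation matches"
```

Run `check_delegation example-com example.com` after changing the name servers at the registrar; registrar changes can take up to the old NS TTL to propagate, so a mismatch right after the change is expected.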

Static Credentials

In this scenario, a new GSA (Google Service Account) is created that has access to the Cloud DNS zone. The credentials for this GSA are saved and installed as a Kubernetes secret that will be used by ExternalDNS.

This allows only containers that have access to the secret, such as ExternalDNS, to update records in the Cloud DNS zone.

Keep in mind that a GSA key is a long-lived credential: anyone who obtains the JSON file, or can read the secret in the cluster, can modify every record in the zone. The roles/dns.admin binding below is granted at project level, so it covers all zones in the project, not only the one Otomi manages. Store the key file only where the installer needs it, and delete the key from the GSA once the secret is in the cluster and you no longer need the file.

Create GSA for use with static credentials

# Set DNS_SA_NAME, DNS_SA_EMAIL and DNS_PROJECT_ID before running
# create the GSA used to access the Cloud DNS zone
gcloud iam service-accounts create $DNS_SA_NAME --display-name $DNS_SA_NAME

# bind the GSA to the dns.admin role in the project that holds the Cloud DNS zone
gcloud projects add-iam-policy-binding $DNS_PROJECT_ID \
--member serviceAccount:$DNS_SA_EMAIL --role "roles/dns.admin"

Create credentials

Generate a static key for the ExternalDNS GSA. Each run of this command creates an additional key; list and delete keys you no longer use.

# download static credentials
gcloud iam service-accounts keys create /local/path/to/credentials.json \
--iam-account $DNS_SA_EMAIL

Get the contents of credentials.json. Note that you do not need to create a Kubernetes secret yourself: the credentials are provided directly to the Otomi installer, and Otomi creates the secret.

cat /local/path/to/credentials.json
{
"type": "service_account",
"project_id": "xxx",
"private_key_id": "xxx",
"private_key": "xxx",
"client_email": "",
"client_id": "000000000000",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": ""
}

Create the values.yaml file

The key JSON goes under serviceAccountKey as a YAML block scalar, so every line of it must be indented two spaces. The heredoc delimiter is unquoted so that $DNS_PROJECT_ID expands; the \n sequences inside private_key are not touched by the shell.

tee values.yaml<<EOF
name: otomi
provider: google
hasExternalDNS: true
serviceAccountKey: |
  {
  "type": "service_account",
  "project_id": "xxx",
  "private_key_id": "xxx",
  "private_key": "xxx",
  "client_email": "",
  "client_id": "000000000000",
  "auth_uri": "",
  "token_uri": "",
  "auth_provider_x509_cert_url": "",
  "client_x509_cert_url": ""
  }
project: $DNS_PROJECT_ID
issuer: letsencrypt
stage: production
EOF

Then set domainSuffix, domainFilters and email for your domain. values.yaml now contains the GSA private key: restrict its permissions and do not commit it to version control.

Install Otomi using helm

Install Otomi using Helm:

helm repo add otomi
helm repo update
helm install -f values.yaml otomi otomi/otomi

Monitor the logs of the installer job:

kubectl logs jobs/otomi -n default -f

When the installer is finished, copy the URL and admin password from the console output. Treat the admin password like any other root credential: change it after first login and do not leave it in your terminal scrollback or CI logs.

Follow the activation steps here.


Like to learn how to use Otomi? Go through the Get Started labs