Google Cloud

Ensure all of the following are configured before linking your GCP account in Onehouse.

GCP Project

Create a dedicated GCP project for Onehouse managed resources. Onehouse will provision the GKE cluster, service accounts, and supporting infrastructure within this project.

Networking

VPC

You need a VPC in your GCP project with:

  • A /16 CIDR block (e.g. 10.0.0.0/16)
  • A private /20 subnet for GKE nodes (4,096 IPs) — GKE nodes and their alias pod IPs are allocated from this subnet
  • NAT Gateway for outbound internet access
  • Two secondary IP ranges reserved in the subnet for GKE alias IPs:
    • /20 for pods (4,096 pod IPs)
    • /24 for services (256 service IPs)

GKE uses Alias IPs, where pods get IPs from secondary ranges rather than directly from the node subnet. Even so, size the node subnet at /20 to leave room for node scaling and future growth — consistent with AWS private subnets.
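As an added example (not part of the Onehouse documentation), the following Python script checks a proposed address plan against the sizing above before any `gcloud` or Terraform run. It treats the /16 as the planning boundary that every range must fit inside (an assumption of this example; GCP itself does not attach a CIDR to a VPC), verifies each range is at least the stated size and on a valid network boundary, and confirms the node, pod and service ranges do not overlap one another. The plan values are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class GkeNetworkPlan:
    """Address plan for the Onehouse VPC (values are constructed examples)."""
    vpc_cidr: str       # planning boundary, /16 per the prerequisites
    node_subnet: str    # primary range of the private GKE node subnet, /20
    pod_range: str      # secondary range for pod alias IPs, /20
    service_range: str  # secondary range for services, /24


# Minimum sizes from the prerequisites, as prefix lengths (smaller number = more IPs).
MINIMUM_PREFIXES = {"node_subnet": 20, "pod_range": 20, "service_range": 24}


def validate_plan(plan: GkeNetworkPlan) -> list[str]:
    """Return human-readable problems with the plan; an empty list means it is sound."""
    try:
        vpc = ipaddress.ip_network(plan.vpc_cidr, strict=True)
        ranges = {
            "node_subnet": ipaddress.ip_network(plan.node_subnet, strict=True),
            "pod_range": ipaddress.ip_network(plan.pod_range, strict=True),
            "service_range": ipaddress.ip_network(plan.service_range, strict=True),
        }
    except ValueError as exc:
        # strict=True rejects ranges whose host bits are set, e.g. 10.0.1.0/20
        return [f"malformed CIDR: {exc}"]

    problems: list[str] = []
    if vpc.prefixlen > 16:
        problems.append(f"VPC {vpc} is smaller than the recommended /16")

    for name, net in ranges.items():
        if net.prefixlen > MINIMUM_PREFIXES[name]:
            problems.append(f"{name} {net} is smaller than /{MINIMUM_PREFIXES[name]}")
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
        if not net.is_private:
            problems.append(f"{name} {net} is not private (RFC 1918) space")

    # Alias IP ranges live on the same subnet, so none of the three may overlap another.
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a].overlaps(ranges[b]):
                problems.append(f"{a} {ranges[a]} overlaps {b} {ranges[b]}")
    return problems


def address_counts(plan: GkeNetworkPlan) -> dict[str, int]:
    """Total addresses in each range, to compare with the 4,096 / 4,096 / 256 figures."""
    return {
        "node_subnet": ipaddress.ip_network(plan.node_subnet).num_addresses,
        "pod_range": ipaddress.ip_network(plan.pod_range).num_addresses,
        "service_range": ipaddress.ip_network(plan.service_range).num_addresses,
    }


if __name__ == "__main__":
    # Constructed plan that matches the prerequisites.
    plan = GkeNetworkPlan("10.0.0.0/16", "10.0.0.0/20", "10.0.16.0/20", "10.0.32.0/24")
    print(address_counts(plan))
    print(validate_plan(plan) or "plan OK")
```

Run it with your own values before creating the subnet; a non-empty list names the range that needs changing. The `strict=True` check catches the common mistake of starting a /20 on a non-/20 boundary, which `gcloud` would also reject but only after the VPC exists.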

Private Google Access

Enable Private Google Access on your subnet so that GKE nodes can reach GCS without routing through NAT. See GCP docs.

VPC Peering

If your data sources (Kafka clusters, databases) live in a separate GCP project or VPC, configure VPC peering between that VPC and your Onehouse VPC so the GKE cluster can reach them. See GCP docs.

Domain Allowlist

Required only if your environment has an egress firewall:

Domains to allowlist
  • .onehouse.ai
  • .googleapis.com
  • .docker.io
  • .gcr.io
  • .pkg.dev
  • .k8s.io
  • production.cloudflare.docker.com
  • d5l0dvt14r5h8.cloudfront.net
  • registry.terraform.io
  • releases.hashicorp.com
  • .confluent.cloud
  • .github.com
  • .githubusercontent.com
  • .github.io
  • .pagerduty.com
  • docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com
  • get.helm.sh
  • auth.docker.io.cdn.cloudflare.net
  • docker-registry-production.d24a988e385e0074d717b6bdaea58f0d.r2.cloudflarestorage.com
  • .strimzi.io
  • .jupyter.org
Private Service Connect (optional)

For environments requiring no public internet traversal, Onehouse supports routing all control plane traffic over Private Service Connect. To enable this, set privateServiceConnect.enabled = true in the customer stack and provide a vpcName and subnetCidr. Onehouse will create a forwarding rule and private DNS zone (onehouse.ai) in your project.

Service Account

Create a Terraform executor service account with Owner or Editor permissions:

terraform@${GCP_PROJECT_ID}.iam.gserviceaccount.com

Generate and download a JSON key file for this service account — it is required to run the Terraform stack.
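An added pre-flight check, not Onehouse code, for the downloaded key file before it is handed to Terraform. It confirms the JSON is a service-account key, that `client_email` is `terraform@<project>.iam.gserviceaccount.com` in the expected project, that the key material fields are present, and that the file is not group- or world-readable (the key carries Owner or Editor on the project). The embedded key JSON is a constructed sample whose private key is a placeholder, and the field names are those of a standard GCP service-account key file.

```python
import json
import os
import stat
import tempfile


def expected_sa_email(project_id: str) -> str:
    """The Terraform executor identity named in the prerequisites."""
    return f"terraform@{project_id}.iam.gserviceaccount.com"


def check_sa_key(key_json: str, project_id: str) -> list:
    """Return problems with a service-account key JSON; an empty list means it looks right."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if key.get("project_id") != project_id:
        problems.append(f"project_id is {key.get('project_id')!r}, expected {project_id!r}")
    want = expected_sa_email(project_id)
    if key.get("client_email") != want:
        problems.append(f"client_email is {key.get('client_email')!r}, expected {want!r}")
    for field in ("private_key_id", "private_key", "token_uri"):
        if not key.get(field):
            problems.append(f"missing field {field}")
    if key.get("private_key") and not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems


def check_key_file_mode(path: str) -> list:
    """The key grants Owner/Editor on the project: it must be readable by the owner only."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path} has mode {mode:03o}; restrict it to the owner (chmod 600)"]
    return []


def check_key_file(path: str, project_id: str) -> list:
    """Combined check to run against the downloaded key file."""
    with open(path, encoding="utf-8") as fh:
        problems = check_sa_key(fh.read(), project_id)
    return problems + check_key_file_mode(path)


# Constructed sample key; the private key is a placeholder, not real key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-onehouse-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "terraform@example-onehouse-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def write_sample_key(mode: int) -> str:
    """Write the constructed sample to a temp file with the given mode; returns its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        fh.write(SAMPLE_KEY)
    os.chmod(fh.name, mode)
    return fh.name


if __name__ == "__main__":
    path = write_sample_key(0o600)
    print(check_key_file(path, "example-onehouse-project") or "key file OK")
    os.remove(path)
```

Point `check_key_file` at the real download with your project id; the mode check matters because the same file is usually left next to the Terraform working directory.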

Storage

Terraform State Bucket

Create a GCS bucket named onehouse-customer-bucket-<RequestIdPrefix> in the same region as your deployment. This stores Terraform state and configuration.

Lakehouse Bucket

Create a GCS bucket for your data lakehouse in the same region as your deployment.

GKE Cluster Endpoint Access

The GKE cluster API endpoint is private. The Onehouse control plane connects to it from its NAT IP — you must ensure this is not blocked by your VPC firewall rules:

• 54.153.81.1/32

If your firewall blocks inbound access to the cluster endpoint from this IP, Onehouse will not be able to reach the cluster after it is created.
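An added example, not Onehouse tooling, that evaluates a set of VPC firewall rules the way GCP orders them (lowest priority number first, deny winning over allow at equal priority, implied deny-ingress if nothing matches) to confirm the control-plane address above is allowed in. The rules are constructed in the shape of `gcloud compute firewall-rules list --format=json`; target tags, service accounts and the network field are ignored, a simplification, and the endpoint port is assumed to be TCP 443 since the page does not state it.

```python
import ipaddress

# Source address given in the prerequisites for the Onehouse control plane.
CONTROL_PLANE_SOURCE = "54.153.81.1"
# Assumed: the GKE API endpoint listens on TCP 443 (not stated on the page).
CLUSTER_ENDPOINT_PORT = 443


def _port_matches(spec: str, port: int) -> bool:
    """GCP port specs are a single port ("443") or an inclusive range ("1000-2000")."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def _entry_matches(entries: list, proto: str, port: int) -> bool:
    """True if an allowed/denied entry covers the protocol and port (no ports = all ports)."""
    for entry in entries:
        if entry["IPProtocol"] not in ("all", proto):
            continue
        ports = entry.get("ports")
        if not ports or any(_port_matches(p, port) for p in ports):
            return True
    return False


def ingress_allowed(rules: list, src_ip: str, proto: str = "tcp",
                    port: int = CLUSTER_ENDPOINT_PORT):
    """Evaluate ingress rules GCP-style. Returns (allowed, name of the deciding rule)."""
    src = ipaddress.ip_address(src_ip)
    # Lower priority number wins; at equal priority a deny rule takes precedence.
    ordered = sorted(rules, key=lambda r: (r.get("priority", 1000), 0 if r.get("denied") else 1))
    for rule in ordered:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(src in ipaddress.ip_network(r, strict=False) for r in rule.get("sourceRanges", [])):
            continue
        if _entry_matches(rule.get("denied", []), proto, port):
            return False, rule["name"]
        if _entry_matches(rule.get("allowed", []), proto, port):
            return True, rule["name"]
    return False, "implied-deny-ingress"


def control_plane_can_reach_endpoint(rules: list) -> bool:
    """The check the page asks for: is the control-plane IP allowed to the endpoint port?"""
    return ingress_allowed(rules, CONTROL_PLANE_SOURCE)[0]


# Constructed rule set; only the fields the evaluator reads are included.
SAMPLE_RULES = [
    {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-internal", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.0.0.0/16"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-onehouse-control-plane", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["54.153.81.1/32"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]

if __name__ == "__main__":
    print(ingress_allowed(SAMPLE_RULES, CONTROL_PLANE_SOURCE))
    print("control plane reachable:", control_plane_can_reach_endpoint(SAMPLE_RULES))
```

Feed it the JSON from your own project and it reports which rule decides the verdict, which is the line to fix if the answer is a deny.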

APIs

Enable the following GCP APIs in your project before running Terraform:

• Cloud Resource Manager API — required for Terraform to manage project resources
• Kubernetes Engine API — required for Onehouse to provision and manage the GKE cluster

Tooling

Ensure the following are installed in the environment where you will run the Terraform stack:

Tool               Purpose
Terraform 1.11.0   Infrastructure deployment
gcloud CLI         GCP authentication and project management
yq                 YAML processing for config.yaml
jq                 JSON processing
curl               Checksum verification during install