Deploying Gel to Google Cloud​
In this guide we show how to deploy Gel on GCP using Cloud SQL and Kubernetes.
Gel Cloud: Reset the default password for the admin role
If you want to dump an existing Gel Cloud instance and restore it to a new self-managed instance, you need to change the automatically generated password for the default admin role - edgedb or admin.
The administrator role name and its password used in the dump/restore process must be the same in both the instance dumped from and the instance restored to for the Gel tooling to continue functioning properly.
To change the default password in the Cloud instance, execute the following query in the instance:
ALTER ROLE admin { set password := 'new_password' };Prerequisites​
-
Google Cloud account with billing enabled (or a free trial)
-
gcloudCLI (install) -
kubectlCLI (install)
Make sure you are logged into Google Cloud.
$
gcloud initCreate a project​
Set the PROJECT environment variable to the project name you'd like to
use. Google Cloud only allow letters, numbers, and hyphens.
$
PROJECT=gelThen create a project with this name. Skip this step if your project already exists.
$
gcloud projects create $PROJECTThen enable the requisite APIs.
$
gcloud services enable \
container.googleapis.com \
sqladmin.googleapis.com \
iam.googleapis.com \
--project=$PROJECTProvision a Postgres instance​
Use the read command to securely assign a value to the PASSWORD
environment variable.
$
echo -n "> " && read -s PASSWORDThen create a Cloud SQL instance and set the password.
$
gcloud sql instances create ${PROJECT}-postgres \
--database-version=POSTGRES_17 \
--edition=enterprise \
--cpu=1 \
--memory=3840MiB \
--region=us-west2 \
--project=$PROJECT$
gcloud sql users set-password postgres \
--instance=${PROJECT}-postgres \
--password=$PASSWORD \
--project=$PROJECTCreate a Kubernetes cluster​
Create an empty Kubernetes cluster inside your project.
$
gcloud container clusters create ${PROJECT}-k8s \
--zone=us-west2-a \
--num-nodes=1 \
--project=$PROJECTConfigure service account​
Create a new service account, configure its permissions, and generate a
credentials.json file.
$
gcloud iam service-accounts create ${PROJECT}-account \
--project=$PROJECT$
MEMBER="${PROJECT}-account@${PROJECT}.iam.gserviceaccount.com"$
gcloud projects add-iam-policy-binding $PROJECT \
--member=serviceAccount:${MEMBER} \
--role=roles/cloudsql.admin \
--project=$PROJECT$
gcloud iam service-accounts keys create credentials.json \
--iam-account=${MEMBER}Then use this credentials.json to authenticate the Kubernetes CLI tool
kubectl.
$
gcloud components install gke-gcloud-auth-plugin$
kubectl create secret generic cloudsql-instance-credentials \
--from-file=credentials.json=credentials.json$
INSTANCE_CONNECTION_NAME=$(
gcloud sql instances describe ${PROJECT}-postgres \
--format="value(connectionName)" \
--project=$PROJECT
)$
DSN="postgresql://postgres:${PASSWORD}@127.0.0.1:5432"$
kubectl create secret generic cloudsql-db-credentials \
--from-literal=dsn=$DSN \
--from-literal=password=$PASSWORD \
--from-literal=instance=${INSTANCE_CONNECTION_NAME}=tcp:5432Deploy Gel​
Download the starter Gel Kubernetes configuration file. This file specifies a persistent volume, a container running a Cloud SQL authorization proxy, and a container to run Gel itself. It relies on the secrets we declared in the previous step.
$
wget "https://raw.githubusercontent.com\
/geldata/gel-deploy/dev/gcp/deployment.yaml"$
kubectl apply -f deployment.yamlEnsure the pods are running.
$
kubectl get podsNAME READY STATUS RESTARTS AGE gel-977b8fdf6-jswlw 0/2 ContainerCreating 0 16s
The READY 0/2 tells us neither of the two pods have finished booting.
Re-run the command until 2/2 pods are READY.
If there were errors you can check Gel's logs with:
$
kubectl logs deployment/gel --container gelPersist TLS Certificate​
Now that our Gel instance is up and running, we need to download a local copy of its self-signed TLS certificate (which it generated on startup) and pass it as a secret into Kubernetes. Then we'll redeploy the pods.
$
kubectl create secret generic cloudsql-tls-credentials \
--from-literal=tlskey="$(
kubectl exec deploy/gel -c=gel -- \
gel-show-secrets.sh --format=raw GEL_SERVER_TLS_KEY
)" \
--from-literal=tlscert="$(
kubectl exec deploy/gel -c=gel -- \
gel-show-secrets.sh --format=raw GEL_SERVER_TLS_CERT
)"$
kubectl delete -f deployment.yaml$
kubectl apply -f deployment.yamlConnecting your application​
To connect your application to the Gel instance, you'll need to provide connection parameters. Gel client libraries can be configured using either a DSN (connection string) or individual environment variables.
Obtaining connection parameters​
Your connection requires the following components:
-
Host: The
EXTERNAL-IPof the LoadBalancer service -
Port:
5656(the default Gel port) -
Username:
admin(the default superuser) -
Password: The value you assigned to
$PASSWORD -
Branch:
main(the default branch)
Get the public-facing IP address of your database:
$
kubectl get serviceNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) gel LoadBalancer <ip> <ip> 5656:30841/TCP
Copy the EXTERNAL-IP associated with the gel service and construct
your instance's DSN:
$
GEL_IP=<copy IP address here>$
GEL_DSN="gel://admin:${PASSWORD}@${GEL_IP}"To print the final DSN, you can echo it. Note that you should only run
this command on a computer you trust, like a personal laptop or sandboxed
environment.
$
echo $GEL_DSNObtaining the TLS certificate​
Since we configured Gel with a self-signed TLS certificate, your application needs the certificate to connect securely. Retrieve it from the running pod:
$
kubectl exec deploy/gel -c=gel -- \
gel-show-secrets.sh --format=raw GEL_SERVER_TLS_CERT \
> gel-tls-cert.pemAlternatively, retrieve it using the Gel CLI:
$
gel --dsn $GEL_DSN --tls-security insecure \
query "SELECT sys::get_tls_certificate()" > gel-tls-cert.pemTest your connection by opening a REPL:
$
gel --dsn $GEL_DSN --tls-security insecureGel x.x (repl x.x) Type \help for help, \quit to quit. gel> select "hello world!";
Local development with the CLI​
To make your remote instance easier to work with during local development,
create an alias using gel instance link.
The command groups gel instance and gel project are not
intended to manage production instances.
$
echo $PASSWORD | gel instance link \
--dsn $GEL_DSN \
--password-from-stdin \
--non-interactive \
--trust-tls-cert \
my_gcp_instanceYou can now refer to the remote instance using the alias my_gcp_instance.
Use this alias wherever an instance name is expected:
$
gel -I my_gcp_instanceGel x.x Type \help for help, \quit to quit. gel>
Or apply migrations:
$
gel -I my_gcp_instance migrateUsing in your application​
Set these environment variables where you deploy your application:
GEL_DSN="gel://admin:<password>@<external-ip>:5656"
# For self-signed certificates, provide the CA cert:
GEL_TLS_CA_FILE="/path/to/gel-tls-cert.pem"
# Or embed the certificate content directly:
GEL_TLS_CA="<certificate content>"
# Or (for development only) disable TLS verification:
# GEL_CLIENT_TLS_SECURITY=insecureGel's client libraries will automatically read these environment variables.
Health Checks​
Using an HTTP client, you can perform health checks to monitor the status of your Gel instance. Learn how to use them with our health checks guide.
