feat: Add GKE example for GitOps flow with umbrella helm chart (#666)

Narunas-K · narunas-castai · dvoros-castai · web-flow · commit d4da95d9b3a9 · 2026-03-19T16:45:55.000+02:00
Co-authored-by: Narunas Kapocius &lt;narunas@cast.ai&gt;
Co-authored-by: Daniel Voros &lt;daniel.voros@cast.ai&gt;
diff --git a/examples/gke/gke_cluster_gitops_umbrella_chart/README.md b/examples/gke/gke_cluster_gitops_umbrella_chart/README.md
@@ -0,0 +1,121 @@
+# GKE + CAST AI GitOps example — umbrella Helm chart
+
+## Overview
+
+This example demonstrates a **GitOps onboarding flow** using the CAST AI umbrella Helm chart (`castai-helm/castai`).
+The umbrella chart replaces individual per-component charts and lets you switch between operating modes with a single `helm upgrade` command.
+
+### When is Terraform needed?
+
+| Mode | Terraform required? | What Terraform does |
+|---|---|---|
+| **Read-only** | No | — |
+| **Workload Autoscaler** | No | — |
+| **Node Autoscaler / Full** | **Yes** | Creates GCP service account with IAM permissions needed for node provisioning |
+
+> For read-only and workload autoscaler modes you only need a CAST AI API key and Helm. Start there and add Terraform later only if you want node autoscaling.
+
+---
+
+## Umbrella chart modes
+
+The umbrella chart uses **tags** to control which sub-charts are installed.
+
+| Tag | Installed components | Use-case |
+|---|---|---|
+| `tags.readonly=true` | agent, spot-handler, kvisor, gpu-metrics-exporter | Observe the cluster — no changes made to workloads or nodes |
+| `tags.workload-autoscaler=true` | above + cluster-controller, evictor, pod-mutator, workload-autoscaler, workload-autoscaler-exporter | Right-size workload CPU/memory requests automatically |
+| `tags.full=true` | all components incl. pod-pinner, live | Full node autoscaler + workload autoscaler |
+
+> Only one tag should be `true` at a time. When upgrading modes use `--reset-then-reuse-values` and flip the tags (see examples below).
+
+---
+
+## Prerequisites
+
+- CAST AI account
+- CAST AI **organization member API key** from [console.cast.ai → Service Accounts](https://console.cast.ai/organization/management/access-control/service-accounts)
+- `castai-helm` Helm repo:
+  ```sh
+  helm repo add castai-helm https://castai.github.io/helm-charts
+  helm repo update
+  ```
+
+---
+
+## Step 1 — Install in read-only mode (Helm only)
+
+No Terraform needed. The API key here is the CAST AI **member** key (not a full-access key).
+
+```sh
+helm upgrade -i castai castai-helm/castai -n castai-agent --create-namespace \
+  --set global.castai.apiKey="<your-castai-api-key>" \
+  --set global.castai.provider="gke" \
+  --set tags.readonly=true
+```
+
+After the pods become ready your cluster appears as **Read only** in the CAST AI console.
+CAST AI can now observe the cluster — no changes are made to your workloads or nodes.
+
+---
+
+## Step 2 (optional) — Upgrade to Workload Autoscaler (Helm only)
+
+When you are ready to let CAST AI right-size CPU/memory requests for your workloads, upgrade the release.
+**No Terraform changes required.**
+
+`--reset-then-reuse-values` keeps all previously set values and only applies the overrides you specify.
+
+```sh
+helm upgrade castai castai-helm/castai -n castai-agent \
+  --reset-then-reuse-values \
+  --set tags.readonly=false \
+  --set tags.workload-autoscaler=true
+```
+
+---
+
+## Step 3 (optional) — Upgrade to Full mode / Node Autoscaler (Terraform + Helm)
+
+Full mode enables node provisioning, bin-packing, spot instance handling, eviction, and pod pinning.
+This requires a **GCP service account** with the correct IAM permissions — Terraform creates it.
+
+### 3a. Run Terraform
+
+Fill in your values:
+
+```sh
+cp tf.vars.example terraform.tfvars
+# edit terraform.tfvars
+```
+
+Apply:
+
+```sh
+terraform init
+terraform apply
+```
+
+This registers the cluster with CAST AI and creates the GCP service account.
+
+Capture the outputs — you'll need them to configure the Helm release:
+
+```sh
+terraform output cluster_id
+terraform output -raw cluster_token
+```
+
+> `cluster_token` expires after a few hours if no CAST AI component connects. Run the Helm upgrade promptly after this step.
+
+### 3b. Upgrade the Helm release
+
+If you were already running read-only or workload-autoscaler mode, upgrade using `--reset-then-reuse-values`.
+If this is a fresh install, use `helm upgrade -i` and pass `cluster_token` and `cluster_id` from step 3a.
+
+```sh
+helm upgrade castai castai-helm/castai -n castai-agent \
+  --reset-then-reuse-values \
+  --set tags.readonly=false \
+  --set tags.workload-autoscaler=false \
+  --set tags.full=true
+```
diff --git a/examples/gke/gke_cluster_gitops_umbrella_chart/castai.tf b/examples/gke/gke_cluster_gitops_umbrella_chart/castai.tf
@@ -0,0 +1,16 @@
+resource "castai_gke_cluster" "this" {
+  project_id                 = var.project_id
+  location                   = var.cluster_region
+  name                       = var.cluster_name
+  delete_nodes_on_disconnect = var.delete_nodes_on_disconnect
+
+  credentials_json = module.castai-gke-iam.private_key
+}
+
+module "castai-gke-iam" {
+  source  = "castai/gke-iam/castai"
+  version = "~> 0.5"
+
+  project_id       = var.project_id
+  gke_cluster_name = var.cluster_name
+}
diff --git a/examples/gke/gke_cluster_gitops_umbrella_chart/outputs.tf b/examples/gke/gke_cluster_gitops_umbrella_chart/outputs.tf
@@ -0,0 +1,10 @@
+output "cluster_id" {
+  value       = castai_gke_cluster.this.id
+  description = "CAST AI cluster ID."
+}
+
+output "cluster_token" {
+  value       = castai_gke_cluster.this.cluster_token
+  description = "CAST AI cluster token used by Castware to authenticate to Mothership."
+  sensitive   = true
+}
diff --git a/examples/gke/gke_cluster_gitops_umbrella_chart/providers.tf b/examples/gke/gke_cluster_gitops_umbrella_chart/providers.tf
@@ -0,0 +1,4 @@
+provider "castai" {
+  api_url   = var.castai_api_url
+  api_token = var.castai_api_token
+}
diff --git a/examples/gke/gke_cluster_gitops_umbrella_chart/tf.vars.example b/examples/gke/gke_cluster_gitops_umbrella_chart/tf.vars.example
@@ -0,0 +1,5 @@
+castai_api_token = "PLACEHOLDER"
+project_id       = "PLACEHOLDER"
+cluster_region   = "PLACEHOLDER"   # e.g. "us-central1" or "us-central1-a"
+cluster_name     = "PLACEHOLDER"
+subnets          = ["PLACEHOLDER", "PLACEHOLDER"]    # e.g. ["default"]
diff --git a/examples/gke/gke_cluster_gitops_umbrella_chart/variables.tf b/examples/gke/gke_cluster_gitops_umbrella_chart/variables.tf
@@ -0,0 +1,36 @@
+variable "project_id" {
+  type        = string
+  description = "GCP project ID in which GKE cluster is located."
+}
+
+variable "cluster_name" {
+  type        = string
+  description = "GKE cluster name in GCP project."
+}
+
+variable "cluster_region" {
+  type        = string
+  description = "Region of the cluster to be connected to CAST AI."
+}
+
+variable "subnets" {
+  type        = list(string)
+  description = "Subnet IDs used by CAST AI to provision nodes."
+}
+
+variable "delete_nodes_on_disconnect" {
+  type        = bool
+  description = "Optionally delete Cast AI created nodes when the cluster is destroyed."
+  default     = false
+}
+
+variable "castai_api_token" {
+  type        = string
+  description = "CAST AI API token created in console.cast.ai API Access keys section."
+}
+
+variable "castai_api_url" {
+  type        = string
+  description = "CAST AI api url."
+  default     = "https://api.cast.ai"
+}
diff --git a/examples/gke/gke_cluster_gitops_umbrella_chart/versions.tf b/examples/gke/gke_cluster_gitops_umbrella_chart/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.2"
+
+  required_providers {
+    castai = {
+      source  = "castai/castai"
+      version = ">= 3.11.0"
+    }
+  }
+}
