Prerequisites
This page outlines the requirements and prerequisites necessary for deploying AI/Run CodeMie on Google Cloud Platform (GCP). Please ensure all requirements are met before proceeding with the installation.
GCP Account Requirements
Required Access and Permissions
To deploy AI/Run CodeMie on GCP, you need:
- Active GCP Project with sufficient quota for the required resources
- Project Owner or Editor Role for the deployment user with the following permissions:
- Ability to create and manage IAM Roles and Service Accounts
- Access to create and manage GCP resources (GKE, VPC, Cloud SQL, etc.)
Complete Resource List
For a detailed list of all GCP resources that will be provisioned, refer to the Infrastructure Deployment section or review the Terraform modules in the deployment repository.
- Ability to bind the following IAM roles to service accounts:
roles/aiplatform.user- For Vertex AI accessroles/storage.admin- For Cloud Storage managementroles/cloudkms.cryptoKeyEncrypterDecrypter- For encryption key operations
Required GCP APIs
The following APIs must be enabled in your GCP project before deployment:
| API | Purpose |
|---|---|
| Cloud Identity-Aware Proxy API | Secure identity-based access control |
| Service Networking API | Private service connectivity |
| Secret Manager API | Centralized secrets management |
| Vertex AI API | AI model integration and inference |
Make sure you are familiar with Gemini models, their parameters, available regions, and other crucial details in the Vertex AI documentation.
Network Requirements
Domain Name and DNS
- Registered domain name delegated to Cloud DNS with permissions to create DNS records
- Valid wildcard TLS certificate must be available for HTTPS connections (see Ingress NGINX TLS guide)
Network Requirements
Outbound Connectivity
Your GKE cluster's firewall or VPC firewall rules must allow outbound access to the following endpoints:
| Destination | Purpose |
|---|---|
europe-west3-docker.pkg.dev | AI/Run CodeMie container registry (Google Container Registry) |
quay.io | Third-party container images |
docker.io | Docker Hub container images |
registry.developers.crunchydata.com | PostgreSQL operator images |
| Your integration services | GitLab, GitHub, or other services you plan to use with CodeMie |
AI/Run CodeMie container images are hosted on Google Container Registry (GCR). You will need gcloud CLI installed on your deployment machine to authenticate and pull helm charts from GCR.
Inbound Connectivity on Corporate Services
If you plan to integrate AI/Run CodeMie with external corporate services (e.g., GitLab, GitHub, internal APIs):
- Configure the firewall on your external service to allow inbound traffic from the AI/Run CodeMie Cloud NAT public IP address
- This allows AI/Run CodeMie to make outbound API calls to your external services (e.g., GitLab API, GitHub API, internal services)
The AI/Run CodeMie Cloud NAT public IP address will only be available after infrastructure deployment. You will need to configure external service firewalls after the installation is complete.
Access Control Network List
To restrict access to AI/Run CodeMie and prevent unauthorized access from the public internet, prepare a list of allowed networks:
- Corporate network CIDR ranges from which users will access AI/Run CodeMie
- VPN network ranges if remote users connect via VPN
- Office locations and their public IP addresses or CIDR blocks
- Any other trusted networks that require access to the platform
Kubernetes Cluster Requirements
Requirements for GKE cluster deployment.
Administrative Permissions
The deployment user must have:
- GKE Admin permissions with the ability to create and manage namespaces
- Access to configure cluster-level resources (if deploying to an existing cluster)
Admission Control and Resource Requirements
If deploying to an existing GKE cluster, ensure that admission webhooks allow the creation of the following Kubernetes resources:
- NATS Messaging
- Keycloak Operator
- PostgreSQL Operator
- Security Context
Kubernetes API: Service (LoadBalancer type)
Purpose: NATS is a core component of the CodeMie Plugin Engine, providing messaging infrastructure for communication between the codemie-plugins CLI tool with MCP and the AI/Run CodeMie platform.
The LoadBalancer configuration depends on where the CLI tool will be executed:
| CLI Tool Execution Location | LoadBalancer Type | Description |
|---|---|---|
| Same VPC as GKE cluster | Internal LoadBalancer | Secure, private network communication within the VPC |
| External to GKE VPC | Public LoadBalancer | Cross-network communication when CLI is run outside the VPC |
Kubernetes APIs: ClusterRole, ClusterRoleBinding, Role, RoleBinding, Custom Resource Definitions (CRDs), Custom Resources (CRs)
Purpose: Manages Keycloak configuration including realms, clients, and user federation
Requires cluster-wide permissions for identity and access management operations.
Kubernetes APIs: ClusterRole, ClusterRoleBinding, Custom Resource Definitions (CRDs), Custom Resources (CRs)
Purpose: Manages PostgreSQL database instances and their lifecycle
Requires cluster-wide permissions for database provisioning and management.
Kubernetes API: Pod with securityContext
Requirement: All AI/Run CodeMie components require readOnlyRootFilesystem: false in their security context for proper operation
GKE Cluster Configuration
VPC-Native Networking and Container-Native Load Balancing
AI/Run CodeMie requires GKE clusters configured with VPC-native networking and container-native load balancing (NEGs) for proper Ingress functionality.
Required Configuration:
- Networking Mode:
VPC_NATIVEwith IP allocation policy (secondary ranges for pods and services) - HTTP Load Balancing Addon: Enabled (default)
If your cluster uses GKE Network Policy or Calico, container-native load balancing will NOT be enabled automatically. This causes Ingress errors:
service "namespace/service" is type "ClusterIP", expected "NodePort" or "LoadBalancer"
Solution: Manually enable NEGs by adding this annotation to all Services exposed via Ingress in chart values. For example:
service:
type: ClusterIP
port: 8080
annotations:
cloud.google.com/neg: '{"ingress": true}'
Deployment Machine Requirements
Required Software Tools
The following tools must be pre-installed and properly configured on your deployment machine (laptop, workstation, or VDI instance):
| Tool | Version | Purpose |
|---|---|---|
| Terraform | 1.5.7 | Infrastructure as Code provisioning |
| kubectl | latest | Kubernetes cluster management |
| Helm | 3.16.0+ | Kubernetes package management |
| gcloud CLI | latest | Authentication to AI/Run CodeMie container registry (GCR) |
| Docker | latest | Container operations |
| natscli | latest | NATS messaging CLI |
| nsc | latest | NATS security configuration |
| jq | latest | JSON processing and parsing |
| curl | latest | HTTP requests and file transfers |
htpasswd | linux package | Password hash generation |
For GCP deployments, gcloud CLI serves dual purposes: GCP resource management and authentication to AI/Run CodeMie container registry (GCR).
Required Repository Access
You will need access to the following repositories to complete the deployment:
- Terraform Remote Backend: codemie-terraform-gcp-remote-backend
- Terraform Platform Modules: codemie-terraform-gcp-platform
- Helm Charts: codemie-helm-charts
If your deployment machine operates in an isolated environment without direct internet or repository access, the repositories can be provided as ZIP/TAR archives and transferred through approved channels.
Next Steps
Once all prerequisites are met, proceed to the Architecture Overview to understand the deployment architecture, or continue directly to Infrastructure Deployment to begin the installation process.