DOC-854-ensure CPU and SSD headroom for GCP

[micheleRP]

Description

This pull request adds a prereq for GCP quotas required for BYOC and BYOVPC cluster creation. The changes ensure users are aware of the necessary quota headroom and provide formulas and examples for calculating spare capacity.

• Added a new partial file gpq-quotas.adoc with detailed information on required GCP quotas, including headroom formulas and example calculations for vCPU and Local SSD quotas.

• Included the new GCP quota requirements partial in the BYOC cluster creation guide (create-byoc-cluster-gcp.adoc)

• Included the GCP quota requirements partial in the VPC BYOC guide (vpc-byo-gcp.adoc)

Resolves https://redpandadata.atlassian.net/browse/DOC-854
Review deadline:

Page previews

Create a BYOC cluster on GCP - Prereqs
Create a BYOVPC cluster on GCP - Prereqs

Checks

• New feature
• Content gap
• Support Follow-up
• Small fix (typos, links, copyedits, etc)

[netlify]

✅ Deploy Preview for rp-cloud ready!

Name	Link
🔨 Latest commit	4ced7de
🔍 Latest deploy log	https://app.netlify.com/projects/rp-cloud/deploys/68b1ceecee925a0008621a22
😎 Deploy Preview	https://deploy-preview-401--rp-cloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

The PR updates GCP BYOC documentation. It adds a new quotas partial (gpq-quotas.adoc) and includes it in the BYOC GCP creation and BYOVPC guides. The BYOC creation page gains detailed step-by-step instructions, notes on private networking and CIDR overlap, advanced labels, and deployment guidance. The BYOVPC guide is expanded with prescriptive service-account–based authentication, new service accounts and roles, explicit workload identity bindings, VPC/NAT/firewall setup steps, validation commands, and a new limitation about not changing VPC post-creation.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User
  participant CloudUI as Redpanda Cloud UI
  participant GCP as GCP (Quotas/Resources)

  Note over User,CloudUI: Create BYOC (GCP)
  User->>CloudUI: Open Create BYOC cluster
  CloudUI-->>User: Display tiers, regions, quota headroom notes
  User->>CloudUI: Enter cluster details (name, region, version)
  User->>CloudUI: Configure networking (BYOVPC, CIDRs)
  alt Quota insufficient
    CloudUI-->>User: Show quota headroom guidance
  else Quota sufficient
    User->>CloudUI: Deploy
    CloudUI->>GCP: Provision resources (async)
    GCP-->>CloudUI: Status updates
    CloudUI-->>User: Deployment status
  end

Loading

sequenceDiagram
  autonumber
  participant Admin as GCP Admin
  participant gcloud as gcloud CLI
  participant GCP IAM as GCP IAM
  participant RPK as rpk

  Note over Admin,gcloud: Service-account based setup (BYOVPC)
  Admin->>gcloud: Create service accounts and roles
  gcloud->>GCP IAM: Apply roles and workload identity bindings
  Admin->>gcloud: Set GOOGLE_APPLICATION_CREDENTIALS / active account
  Admin->>RPK: rpk cloud byoc gcp apply --validate-only
  RPK->>GCP IAM: Check permissions
  GCP IAM-->>RPK: Validation result
  RPK-->>Admin: Report validation status

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Include CPU and SSD headroom guidance for BYOVPC (DOC-854)	✅

Assessment against linked issues: Out-of-scope changes

Code Change	Explanation
Added prescriptive service-account creation, new roles, and workload identity bindings with multiple gcloud iam service-accounts add-iam-policy-binding commands (modules/get-started/pages/cluster-types/byoc/gcp/vpc-byo-gcp.adoc)	These authentication/authorization steps exceed the quota headroom documentation requirement of DOC-854.
Introduced detailed VPC/NAT/Cloud Router/firewall setup commands and webhook firewall rules (modules/get-started/pages/cluster-types/byoc/gcp/vpc-byo-gcp.adoc)	Network provisioning guidance is not part of the CPU/SSD quota headroom objective.
Added limitation: BYOVPC cluster cannot change to a different VPC after creation (modules/get-started/pages/cluster-types/byoc/gcp/vpc-byo-gcp.adoc)	Policy/limitation update is unrelated to the quota headroom objective.
Expanded BYOC creation workflow, labels, CIDR overlap notes, and deployment steps (modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc)	These UX/workflow instructions are outside the scope of documenting quota headroom.

Possibly related PRs

• BYOVPC support for secrets and Iceberg REST catalogs  #313 — Also updates BYOVPC GCP docs with service-account/role and workload-identity bindings.
• DOC-1497 update Customer-managed to BYOVPC #352 — Modifies the GCP BYOVPC networking section that this PR extensively updates.
• DOC-1622 Make VPC CIDRs and networking expectations more explicit #395 — Adjusts BYOC networking guidance around CIDR ranges, similar to this PR’s CIDR and private networking notes.

Suggested reviewers

• paulohtb6
• c4milo
• david-yu

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch DOC-854-Ensure-customer-guides-include-CPU-and-SSD-headroom-for-BYOVPC

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

modules/get-started/pages/cluster-types/byoc/gcp/vpc-byo-gcp.adoc (2)

62-62: Add --project to address creation to match host project used by router/NAT.

Without --project <host-project-id>, the address may be created in the default project and break NAT config.

-gcloud compute addresses create <address-name> --region <region> 
+gcloud compute addresses create <address-name> --project <host-project-id> --region <region>

---

351-353: Line continuation bug: trailing space after backslash breaks the command.

The backslash must be the final character on the line; otherwise the next line is parsed as a new command.

-gcloud iam service-accounts create redpanda-connect-api \ 
+gcloud iam service-accounts create redpanda-connect-api \
   --display-name="Redpanda Connect API Service Account" 

🧹 Nitpick comments (2)

modules/get-started/partials/gpq-quotas.adoc (2)

7-9: Clarify scope: apply headroom per VM family and per node pool.

Readers with multiple node pools or families may misapply the formula. Add a one-line note to state the calculation applies per VM family in the region.

 * Local SSD spare (GB) = `3 x (Storage size per node in GB)`
+
+Note: If your cluster uses multiple node pools or VM families, apply these headroom calculations per VM family in the selected region.

---

3-3: Use exact GCP quota display names to avoid confusion.

Minor copy edit to align with Console labels (“CPUs” and “Local SSD (GB)”) while keeping the API key reference.

-Quotas such as vCPUs per VM family (for example, N2D) and Local SSD total per VM family (quota key: `LOCAL_SSD_TOTAL_GB_PER_VM_FAMILY`) are listed for each tier on the *Create BYOC cluster* page in the Redpanda Cloud UI.
+Quotas such as CPUs per VM family (for example, N2D) and Local SSD (GB) per VM family (Cloud API quota key: `LOCAL_SSD_TOTAL_GB_PER_VM_FAMILY`) are listed for each tier on the *Create BYOC cluster* page in the Redpanda Cloud UI.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 3051de1 and 4356b05.

📒 Files selected for processing (3)

• modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc (1 hunks)
• modules/get-started/pages/cluster-types/byoc/gcp/vpc-byo-gcp.adoc (1 hunks)
• modules/get-started/partials/gpq-quotas.adoc (1 hunks)

🧰 Additional context used

🧠 Learnings (3)

📓 Common learnings

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#377
File: modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc:35-71
Timestamp: 2025-08-07T16:36:45.111Z
Learning: In Redpanda Cloud documentation, NAT subnet and firewall rule creation commands for GCP Private Service Connect are producer-side infrastructure steps that only BYOC (Bring Your Own Cloud) customers need to perform, since they manage their own VPC. Dedicated cluster customers don't need these steps because Redpanda manages the infrastructure for them. The ifdef::env-byoc[] guard correctly hides these commands from Dedicated users.

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#361
File: modules/networking/pages/cloud-security-network.adoc:176-179
Timestamp: 2025-07-21T21:52:17.061Z
Learning: In Redpanda Cloud documentation, BYOVPC and BYOVNet are different product names for different cloud providers: BYOVPC is used for AWS and GCP, while BYOVNet is used for Azure. When documentation sections cover multiple cloud providers, the combined notation "BYOVPC/BYOVNet" is correct and should not be changed to use only one term.

📚 Learning: 2025-08-07T16:36:45.111Z

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#377
File: modules/networking/pages/dedicated/gcp/configure-psc-in-ui.adoc:35-71
Timestamp: 2025-08-07T16:36:45.111Z
Learning: In Redpanda Cloud documentation, NAT subnet and firewall rule creation commands for GCP Private Service Connect are producer-side infrastructure steps that only BYOC (Bring Your Own Cloud) customers need to perform, since they manage their own VPC. Dedicated cluster customers don't need these steps because Redpanda manages the infrastructure for them. The ifdef::env-byoc[] guard correctly hides these commands from Dedicated users.

Applied to files:

• modules/get-started/partials/gpq-quotas.adoc
• modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc
• modules/get-started/pages/cluster-types/byoc/gcp/vpc-byo-gcp.adoc

📚 Learning: 2025-07-21T21:52:17.061Z

Learnt from: micheleRP
PR: redpanda-data/cloud-docs#361
File: modules/networking/pages/cloud-security-network.adoc:176-179
Timestamp: 2025-07-21T21:52:17.061Z
Learning: In Redpanda Cloud documentation, BYOVPC and BYOVNet are different product names for different cloud providers: BYOVPC is used for AWS and GCP, while BYOVNet is used for Azure. When documentation sections cover multiple cloud providers, the combined notation "BYOVPC/BYOVNet" is correct and should not be changed to use only one term.

Applied to files:

• modules/get-started/pages/cluster-types/byoc/gcp/vpc-byo-gcp.adoc

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Redirect rules - rp-cloud
• GitHub Check: Header rules - rp-cloud
• GitHub Check: Pages changed - rp-cloud

🔇 Additional comments (3)

modules/get-started/partials/gpq-quotas.adoc (1)

3-3: Confirmed GCP quota display names and API keys

• CPU quotas in the Quotas UI appear as “CPUs” (for project-wide/regional limits) and as “<VM family> CPUs” for family-specific limits (e.g. “N2D CPUs”). Corresponding API keys include CPUS, N2D_CPUS, and, for families that share a pool, CPUS_PER_VM_FAMILY (cloud.google.com)
• Local SSD quotas are labeled “Local SSD per machine family (GB)” in the Compute Engine Quotas page and “Local SSD disk per VM family (GB)” in Cloud Monitoring. The API key remains LOCAL_SSD_TOTAL_GB_PER_VM_FAMILY (cloud.google.com)
• Local SSD device sizes continue to be sold in 375 GiB (and, for certain machine types, 3 TiB) increments; the gcloud CLI only accepts 375 GB per --local-ssd flag, up to 24 partitions (9 TB total) (cloud.google.com)

Please update the snippet to use these exact display names and API keys before merging.

modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc (1)

11-13: Good call including quotas in Prerequisites.

Placing the quotas partial up front is clear and aligns with the PR goal to prevent upgrade/creation stalls.

modules/get-started/pages/cluster-types/byoc/gcp/vpc-byo-gcp.adoc (1)

24-25: Quotas partial inclusion is appropriate here.

Surfacing quota headroom in BYOVPC prereqs matches customer-managed capacity responsibilities.

[simonlord]

Minor tweak: The maintenance is done by us, not GKE

[Feediver1]

lgtm