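#!/bin/bash
# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
# Creates a throwaway private GKE cluster for CI and leaves two files in
# deploy-gke-cluster-output/: "name" (the cluster name, which becomes the name of
# the lock in the pool) and "metadata" (a flattened kubeconfig, which becomes the
# value of the lock).
#
# Required env vars: GCP_SERVICE_ACCOUNT, GCP_JSON_KEY, GCP_PROJECT,
#   SHARED_VPC_PROJECT, SHARED_VPC_NAME, SUBNET_REGION, SUBNET_NAME,
#   and one of CLUSTER_REGION (preferred when set) or CLUSTER_ZONE.
# Optional env vars: KUBE_VERSION (pin the cluster to the newest GKE version
#   containing this string), GKE_CHANNEL (release channel when KUBE_VERSION is
#   unset; defaults to "regular").
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# When the kubeconfig is generated by gcloud below, this env var asks gcloud to use the new
# gke-gcloud-auth-plugin client credentials auth plugin in the kubeconfig file.
# See https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
export USE_GKE_GCLOUD_AUTH_PLUGIN=True

# Scratch space for the cluster description and the admin client cert/key.
# mktemp -d creates the directory mode 0700, so the private key is never readable by
# other users, and the trap removes it on every exit path (the kubeconfig embeds the
# cert material, so nothing references these files afterwards).
tmpdir="$(mktemp -d)" || die "mktemp failed"
trap 'rm -rf -- "${tmpdir:?}"' EXIT

cd deploy-gke-cluster-output || die "cannot cd to deploy-gke-cluster-output"

# printf rather than echo: the key is arbitrary JSON and must not be subject to echo's
# option/escape handling.
gcloud auth activate-service-account "$GCP_SERVICE_ACCOUNT" \
  --key-file <(printf '%s\n' "$GCP_JSON_KEY") \
  --project "$GCP_PROJECT"

# Decide if we want a regional or zonal cluster. Either variable may be absent in
# the environment, so expand with a default instead of tripping set -u.
if [[ -n "${CLUSTER_REGION:-}" ]]; then
  region_or_zone_flag="--region=$CLUSTER_REGION"
  region_or_zone_suffix="region-$CLUSTER_REGION"
else
  [[ -n "${CLUSTER_ZONE:-}" ]] || die "One of CLUSTER_REGION or CLUSTER_ZONE must be set"
  region_or_zone_flag="--zone=$CLUSTER_ZONE"
  region_or_zone_suffix="zone-$CLUSTER_ZONE"
fi

if [[ -n "${KUBE_VERSION:-}" ]]; then
  echo
  echo "Trying to use Kubernetes version $KUBE_VERSION"
  # Look up the latest GKE version for KUBE_VERSION.
  GKE_VERSIONS="$(gcloud container get-server-config "$region_or_zone_flag" --format json \
    | jq -r '.validMasterVersions[]')"
  echo
  echo "Found all versions of Kubernetes supported by GKE:"
  echo "$GKE_VERSIONS"
  # sort -V orders version strings semantically ("1.29.10" above "1.29.9"), which a
  # plain numeric sort gets wrong. grep exits non-zero when nothing matches; catch
  # that here so the failure is reported with a message rather than a silent exit.
  GKE_VERSION="$(grep -F -- "$KUBE_VERSION" <<<"$GKE_VERSIONS" \
    | sort -rV \
    | head -1)" || GKE_VERSION=""
  [[ -n "$GKE_VERSION" ]] || die "No GKE version matches KUBE_VERSION=$KUBE_VERSION"
  echo
  echo "Selected GKE version $GKE_VERSION"
  export VERSION_FLAG="--cluster-version=$GKE_VERSION"
else
  export VERSION_FLAG="--release-channel=${GKE_CHANNEL:-"regular"}"
fi

# Include the region or zone of the cluster in its name. This will allow us to change our preferred region/zone for new
# clusters anytime we want, and the existing clusters can still be deleted because the old region/zone can
# be parsed out from the cluster name at deletion time.
CLUSTER_NAME="gke-$(openssl rand -hex 4)-${region_or_zone_suffix}"

# The cluster name becomes the name of the lock in the pool.
printf '%s\n' "$CLUSTER_NAME" >name

# Start the cluster
# Note that --enable-network-policy is required to enable NetworkPolicy resources. Otherwise they are ignored.
gcloud container clusters create "$CLUSTER_NAME" \
  "$region_or_zone_flag" \
  "$VERSION_FLAG" \
  --num-nodes 1 \
  --machine-type e2-standard-8 \
  --preemptible \
  --issue-client-certificate \
  --no-enable-basic-auth \
  --enable-network-policy \
  --tags "gke-broadcom" \
  --enable-master-authorized-networks \
  --master-authorized-networks "10.0.0.0/8" \
  --enable-private-nodes \
  --enable-private-endpoint \
  --enable-ip-alias \
  --network "projects/${SHARED_VPC_PROJECT}/global/networks/${SHARED_VPC_NAME}" \
  --subnetwork "projects/${SHARED_VPC_PROJECT}/regions/${SUBNET_REGION}/subnetworks/${SUBNET_NAME}" \
  --cluster-secondary-range-name "services" \
  --services-secondary-range-name "pods"

# Get the cluster details back, including the admin certificate. This JSON carries
# the client key, so it stays inside the 0700 scratch directory.
gcloud container clusters describe "$CLUSTER_NAME" "$region_or_zone_flag" --format json \
  > "$tmpdir/cluster.json"

# Make a new kubeconfig user "cluster-admin" using the admin cert. --embed-certs stores
# the PEM content in the kubeconfig itself instead of a path into the scratch dir.
jq -r .masterAuth.clientCertificate "$tmpdir/cluster.json" | base64 -d > "$tmpdir/client.crt"
jq -r .masterAuth.clientKey "$tmpdir/cluster.json" | base64 -d > "$tmpdir/client.key"
kubectl config set-credentials cluster-admin \
  --client-certificate="$tmpdir/client.crt" \
  --client-key="$tmpdir/client.key" \
  --embed-certs=true

# Give the "client" user cluster-admin access. This runs before the context switch
# below, i.e. still as the user gcloud put into the kubeconfig when the cluster was created.
kubectl create clusterrolebinding test-client-is-admin --clusterrole cluster-admin --user client

# Set the kubeconfig context to use the cluster-admin user.
kubectl config set-context --current --user cluster-admin

# The kubeconfig file becomes the value of the lock in the pool.
kubectl config view --minify --flatten -o yaml > metadata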