From 4632c86e844cc68519df7793742315ee6dfadbe6 Mon Sep 17 00:00:00 2001 From: Grant Sorbo Date: Tue, 24 Sep 2024 16:20:13 +0000 Subject: [PATCH] feat: connect gateway --- examples/gh-runner-gke-simple/providers.tf | 8 ++++---- modules/gh-runner-gke/main.tf | 22 +++++++++++++++++++++- modules/gh-runner-gke/outputs.tf | 5 +++++ modules/gh-runner-gke/variables.tf | 4 ++-- test/setup/main.tf | 4 +++- 5 files changed, 35 insertions(+), 8 deletions(-) diff --git a/examples/gh-runner-gke-simple/providers.tf b/examples/gh-runner-gke-simple/providers.tf index a259f8b..fd8bc73 100644 --- a/examples/gh-runner-gke-simple/providers.tf +++ b/examples/gh-runner-gke-simple/providers.tf @@ -22,16 +22,16 @@ data "google_client_config" "default" { } provider "kubernetes" { - host = "https://${module.runner-gke.kubernetes_endpoint}" + host = module.runner-gke.connect_gateway_endpoint token = data.google_client_config.default.access_token - cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate) + # cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate) } provider "helm" { kubernetes { - host = "https://${module.runner-gke.kubernetes_endpoint}" + host = module.runner-gke.connect_gateway_endpoint token = data.google_client_config.default.access_token - cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate) + # cluster_ca_certificate = base64decode(module.runner-gke.ca_certificate) exec { api_version = "client.authentication.k8s.io/v1beta1" command = "gke-gcloud-auth-plugin" diff --git a/modules/gh-runner-gke/main.tf b/modules/gh-runner-gke/main.tf index 966b709..c8cd2d6 100644 --- a/modules/gh-runner-gke/main.tf +++ b/modules/gh-runner-gke/main.tf 
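Review bot: Both `cluster_ca_certificate` lines are commented out rather than removed, so a reader cannot tell whether pinning TLS to the cluster CA was dropped on purpose or parked for later; on the new side of both provider blocks delete them and leave one comment, e.g. `# No cluster_ca_certificate: the host is connectgateway.googleapis.com, whose certificate chains to a public CA, so the system trust store applies.` Worth a line in the example's docs as well: through the gateway, reachability is governed by IAM on the fleet membership (presumably roles/gkehub.gatewayEditor or gatewayAdmin for the identity behind `data.google_client_config.default`) rather than by network position, so that grant becomes a prerequisite of the example. The `provider "helm"` block continues past the end of the hunk.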
@@ -17,6 +17,11 @@ locals { network_name = var.create_network ? google_compute_network.gh-network[0].name : var.network_name subnet_name = var.create_network ? google_compute_subnetwork.gh-subnetwork[0].name : var.subnet_name service_account = var.service_account == "" ? "create" : var.service_account + connect_gateway = "https://connectgateway.googleapis.com/v1/projects/${data.google_project.project.number}/locations/${module.hub.location}/gkeMemberships/${module.hub.cluster_membership_id}" +} + +data "google_project" "project" { + project_id = var.project_id } /***************************************** @@ -43,7 +48,7 @@ resource "google_compute_subnetwork" "gh-subnetwork" { secondary_ip_range { range_name = var.ip_range_services_name - ip_cidr_range = var.ip_range_services_cider + ip_cidr_range = var.ip_range_services_cidr } } /***************************************** @@ -71,6 +76,12 @@ module "runner-cluster" { service_account = local.service_account gce_pd_csi_driver = true deletion_protection = false + master_authorized_networks = [ + { + cidr_block = google_compute_subnetwork.gh-subnetwork[0].ip_cidr_range + display_name = "VPC" + } + ] node_pools = [ { name = "runner-pool" @@ -83,6 +94,15 @@ module "runner-cluster" { ] } +module "hub" { + source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership" + version = "~> 32.0" + project_id = var.project_id + cluster_name = module.runner-cluster.name + location = module.runner-cluster.location + membership_location = var.region +} + data "google_client_config" "default" { } diff --git a/modules/gh-runner-gke/outputs.tf b/modules/gh-runner-gke/outputs.tf index fe48a39..6c5ecea 100644 --- a/modules/gh-runner-gke/outputs.tf +++ b/modules/gh-runner-gke/outputs.tf 
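Review bot: `connect_gateway` is the security-relevant change of this patch — every provider call now goes to a Google-hosted proxy instead of the cluster endpoint — yet the local carries no comment; I would add above it `# Connect Gateway URL for the fleet membership: providers reach a private control plane through Google's proxy, authorized by IAM on the membership rather than by VPC reachability.` The `v1` API version and host are fine to hard-code, but they are easier to find later as their own named local than embedded in the middle of the interpolation.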
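Review bot: `google_compute_subnetwork.gh-subnetwork[0]` is referenced unconditionally in the new `master_authorized_networks` entry, but that resource exists only when `var.create_network` is true (the `subnet_name` local in the first hunk guards the very same reference), so a caller bringing an existing network now fails at plan time with an invalid index. Guard it the same way and take the CIDR for the bring-your-own case from a `data "google_compute_subnetwork"` lookup of `var.subnet_name`, e.g. `cidr_block = var.create_network ? google_compute_subnetwork.gh-subnetwork[0].ip_cidr_range : data.google_compute_subnetwork.existing[0].ip_cidr_range`. Falling back to an empty list instead would likely leave the control-plane endpoint without any authorized-networks restriction, which is worse than failing. The `module "runner-cluster"` block starts and ends outside the hunk.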
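Review bot: `location = module.runner-cluster.location` and `membership_location = var.region` can differ for a zonal cluster, and the gateway URL in `locals` is assembled from `module.hub.location`; if that output reflects the cluster location rather than the membership location, the URL would carry a zone where Connect Gateway expects the membership's region — confirm which value the fleet-membership module exposes, or build the URL from `var.region` directly so it does not depend on that output's meaning. A one-line comment on the block would also help the next reader: `# Registers the cluster with the project fleet; the membership is what Connect Gateway proxies to.`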
@@ -20,6 +20,11 @@ output "kubernetes_endpoint" { value = module.runner-cluster.endpoint } +output "connect_gateway_endpoint" { + description = "Cluster endpoint for connecting via Connect Gateway, required for private clusters" + value = local.connect_gateway +} + output "client_token" { description = "The bearer token for auth" sensitive = true diff --git a/modules/gh-runner-gke/variables.tf b/modules/gh-runner-gke/variables.tf index aaf831d..3974dcd 100644 --- a/modules/gh-runner-gke/variables.tf +++ b/modules/gh-runner-gke/variables.tf @@ -49,7 +49,7 @@ variable "ip_range_pods_cidr" { default = "192.168.0.0/18" } -variable "ip_range_services_cider" { +variable "ip_range_services_cidr" { type = string description = "The secondary ip range cidr to use for services" default = "192.168.64.0/18" @@ -199,5 +199,5 @@ variable "enable_private_nodes" { variable "master_ipv4_cidr_block" { description = "The IP range in CIDR notation to use for the hosted master network of the GKE cluster." type = string - default = "10.1.0.0/28" + default = "172.16.0.0/28" } diff --git a/test/setup/main.tf b/test/setup/main.tf index ac90901..d6827ed 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -29,7 +29,8 @@ module "project" { "storage-api.googleapis.com", "iam.googleapis.com", "container.googleapis.com", - "serviceusage.googleapis.com" + "serviceusage.googleapis.com", + "gkehub.googleapis.com", ] } @@ -51,6 +52,7 @@ module "project-gke" { "storage-component.googleapis.com", "logging.googleapis.com", "monitoring.googleapis.com", + "gkehub.googleapis.com", ] }
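Review bot: The new output's value already includes the `https://` scheme (see the `connect_gateway` local), whereas `kubernetes_endpoint` just above does not — which is exactly why the example had to drop its `https://${...}` wrapper — and the description should say so to stop callers from double-prefixing, e.g. `description = "Full Connect Gateway URL (scheme included) for the cluster's fleet membership; use it as the kubernetes/helm provider host instead of kubernetes_endpoint when the control plane endpoint is private."` Since access through the gateway is presumably gated by IAM on the membership, a sentence naming the required role would also belong here. If the `ca_certificate` output still exists outside this hunk, its description could note that it is not needed for gateway connections.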
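Review bot: Changing the default of `master_ipv4_cidr_block` from `10.1.0.0/28` to `172.16.0.0/28` is, as far as I know, a replace-forcing change for any existing private cluster that relied on the old default, and neither the commit message nor the variable description says why; state the reason and the consequence in the description, e.g. `description = "The IP range in CIDR notation to use for the hosted master network of the GKE cluster. Must not overlap the VPC or its secondary ranges; changing it recreates the cluster."`. Together with the `ip_range_services_cider` rename in the previous hunk this makes the release breaking for existing callers, which should be called out, or a deprecated alias kept for the old variable name.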
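Review bot: Only `gkehub.googleapis.com` is enabled, but the providers now talk to `connectgateway.googleapis.com`, and the module's new `data "google_project"` reads project metadata through the Cloud Resource Manager API; if neither API is already on these projects (the visible lists do not include them) the first plan or apply through the gateway will fail with an API-disabled error rather than an auth error. I would add `"connectgateway.googleapis.com",` next to the gkehub entry in both lists and confirm whether `cloudresourcemanager.googleapis.com` is enabled elsewhere. The `module "project-gke"` block starts outside the hunk and closes at its end.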