This is a model for creating a GKE environment in Python with the GCP provider on Pulumi, deployed through GitHub Actions.

- Open "https://github.com/smashse/pulumi-iac-gke"
- Click on "Use this template"
- Create a new repository from the template "pulumi-iac-gke" (for example "pulumi-iac-gke") and choose "Private"
```bash
cd /tmp
curl -fsSL 'https://packages.cloud.google.com/apt/doc/apt-key.gpg' | sudo apt-key add -
# Write the apt source as root instead of temporarily making the file world-writable
echo "deb [arch=amd64] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee /etc/apt/sources.list.d/google-cloud-sdk.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 54A647F9048D5688D7DA2ABE6A030B21BA07F4FB
sudo apt update --fix-missing
sudo apt -y install google-cloud-sdk
```

```bash
gcloud init
gcloud auth login
gcloud organizations list
gcloud beta billing accounts list --filter=open=true
```
Note: Project IDs are immutable and can be set only during project creation. They must start with a lowercase letter, may contain only lowercase ASCII letters, digits or hyphens, and must be between 6 and 30 characters long. To avoid conflicts, gcloud generates a random ID when none is given; if you want an ID that starts with the project name followed by a fixed suffix, do as below.

```bash
# Time-derived suffix so the project ID is unique; "gke-project-" plus 13 digits stays within 30 characters
export PROJECT_ID=$(date +%M%S%N)
gcloud projects create gke-project-$PROJECT_ID --name=gke-project --set-as-default
gcloud config set project gke-project-$PROJECT_ID
gcloud beta billing projects link gke-project-$PROJECT_ID --billing-account $(gcloud beta billing accounts list --filter=open=true --uri | cut -f 6 -d "/")
gcloud iam service-accounts create gkeadmin --display-name "GKE Admin"
# Long-lived service-account key: keep it out of the repository
gcloud iam service-accounts keys create ~/.config/gcloud/gkeadmin-account.json --iam-account gkeadmin@gke-project-$PROJECT_ID.iam.gserviceaccount.com
```
```bash
gcloud services enable cloudbilling.googleapis.com
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable container.googleapis.com
gcloud services enable gkeconnect.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable serviceusage.googleapis.com
```

```bash
gcloud projects add-iam-policy-binding gke-project-$PROJECT_ID --member serviceAccount:gkeadmin@gke-project-$PROJECT_ID.iam.gserviceaccount.com --role roles/compute.admin
gcloud projects add-iam-policy-binding gke-project-$PROJECT_ID --member serviceAccount:gkeadmin@gke-project-$PROJECT_ID.iam.gserviceaccount.com --role roles/container.clusterAdmin
gcloud projects add-iam-policy-binding gke-project-$PROJECT_ID --member serviceAccount:gkeadmin@gke-project-$PROJECT_ID.iam.gserviceaccount.com --role roles/iam.serviceAccountAdmin
gcloud projects add-iam-policy-binding gke-project-$PROJECT_ID --member serviceAccount:gkeadmin@gke-project-$PROJECT_ID.iam.gserviceaccount.com --role roles/iam.serviceAccountKeyAdmin
gcloud projects add-iam-policy-binding gke-project-$PROJECT_ID --member serviceAccount:gkeadmin@gke-project-$PROJECT_ID.iam.gserviceaccount.com --role roles/iam.serviceAccountUser
gcloud projects add-iam-policy-binding gke-project-$PROJECT_ID --member serviceAccount:gkeadmin@gke-project-$PROJECT_ID.iam.gserviceaccount.com --role roles/iap.httpsResourceAccessor
gcloud projects add-iam-policy-binding gke-project-$PROJECT_ID --member serviceAccount:gkeadmin@gke-project-$PROJECT_ID.iam.gserviceaccount.com --role roles/storage.admin
gcloud projects add-iam-policy-binding gke-project-$PROJECT_ID --member serviceAccount:gkeadmin@gke-project-$PROJECT_ID.iam.gserviceaccount.com --role roles/viewer
```
```bash
mkdir -p $HOME/Pulumi
cd $HOME/Pulumi
git clone https://github.com/yourgithubuser/pulumi-iac-gke.git
cd pulumi-iac-gke
curl -fsSL https://get.pulumi.com | sh && bash
sudo apt -y install python3-virtualenv
cd $HOME/Pulumi/pulumi-iac-gke/pulumi_gke_py
```
Note: If you want to change the name given to the Kubernetes cluster, execute the command below in the template folder.

```bash
sed -i "s/template-/desiredname-/g" *.py
```
```bash
python3 -m venv venv
source venv/bin/activate
python -m pip install --upgrade pip setuptools wheel
python -m pip install -r requirements.txt
pulumi login
pulumi stack init pulumi_gke_py
pulumi config set gcp:project gke-project-$PROJECT_ID
pulumi config set gcp:zone us-west1-a
pulumi preview
```
```bash
cd $HOME/Pulumi/pulumi-iac-gke/.github/workflows
mv pull_request.yml.template pull_request.yml
mv push.yml.template push.yml
```
There are a number of environment variables that can be set to interact with the action:

- By default, Pulumi will try to connect to the Pulumi SaaS. For this to happen, the GitHub Action needs to be passed a "PULUMI_ACCESS_TOKEN".

For GCP, you'll need to create or use an existing service account key. Please see the Pulumi documentation page for pointers to the relevant GCP documentation for doing this.

As soon as you have credentials in hand, set the environment variable "GOOGLE_CREDENTIALS" to contain the credentials JSON using GitHub Secrets, and then consume it in your action:
How to get the JSON for the credentials?

```bash
gcloud auth application-default login
cat $HOME/.config/gcloud/application_default_credentials.json
```

Note: Go to Settings > Secrets and add "PULUMI_ACCESS_TOKEN" and "GOOGLE_CREDENTIALS" as new repository secrets.
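As an added example (not part of the pulumi-iac-gke template), the script below runs two pre-flight checks before those two secrets are created: that a project ID follows the rules stated in the note above, and that the JSON destined for GOOGLE_CREDENTIALS is a service-account key (type "service_account") for the expected gkeadmin account rather than a user's Application Default Credentials (type "authorized_user", which carry a personal refresh token). The two JSON files it inspects are constructed inline with placeholder values; the `json_field`, `valid_project_id` and `ci_credential_ok` helpers are mine, not gcloud or Pulumi commands.

```bash
#!/usr/bin/env bash
# Pre-flight checks for two hand-made inputs of this walkthrough: the project ID
# passed to `gcloud projects create`, and the JSON pasted into GOOGLE_CREDENTIALS.

# Rules from the note above: 6-30 chars, starts with a lowercase letter, only
# lowercase letters, digits or hyphens. GCP also rejects a trailing hyphen.
valid_project_id() {
  local id=$1
  case $id in
    *[![:lower:][:digit:]-]*|[![:lower:]]*|*-) return 1 ;;
  esac
  [ "${#id}" -ge 6 ] && [ "${#id}" -le 30 ]
}

# First "KEY": "value" string in a JSON file, extracted with sed (no jq needed).
json_field() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# A CI secret should be the gkeadmin service-account key, not a user's Application
# Default Credentials ("authorized_user"), which carry a personal refresh token.
ci_credential_ok() {   # ci_credential_ok FILE EXPECTED_SERVICE_ACCOUNT_EMAIL
  [ "$(json_field "$1" type)" = service_account ] &&
    [ "$(json_field "$1" client_email)" = "$2" ]
}

# Constructed sample files with placeholder values; they hold no real secrets.
SA_KEY=$(mktemp) && cat > "$SA_KEY" <<'EOF'
{ "type": "service_account",
  "project_id": "gke-project-PLACEHOLDER",
  "client_email": "gkeadmin@gke-project-PLACEHOLDER.iam.gserviceaccount.com" }
EOF
ADC_FILE=$(mktemp) && cat > "$ADC_FILE" <<'EOF'
{ "client_id": "PLACEHOLDER.apps.googleusercontent.com",
  "refresh_token": "PLACEHOLDER", "type": "authorized_user" }
EOF
trap 'rm -f "$SA_KEY" "$ADC_FILE"' EXIT

EXPECTED_SA="gkeadmin@gke-project-PLACEHOLDER.iam.gserviceaccount.com"
for f in "$SA_KEY" "$ADC_FILE"; do
  if ci_credential_ok "$f" "$EXPECTED_SA"; then
    echo "ok: $f is the expected service-account key"
  else
    echo "refuse: $f has type '$(json_field "$f" type)', not the gkeadmin key" >&2
  fi
done
valid_project_id "gke-project-$(date +%M%S%N)" && echo "project ID format ok"
```

Point `ci_credential_ok` at the real key file created earlier (`~/.config/gcloud/gkeadmin-account.json`) with your own service-account e-mail before pasting its contents into the GOOGLE_CREDENTIALS secret.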
```bash
cd $HOME/Pulumi/pulumi-iac-gke/
git add *
git add .github/workflows/*
git add .pulumi/*
git add pulumi_gke_py/*
git commit -m "pulumi-iac-gke"
git push
```
```bash
sudo snap install kubectl --classic
pulumi stack output kubeconfig > kubeconfig.yaml
KUBECONFIG=./kubeconfig.yaml kubectl get po --all-namespaces
```
```bash
cd $HOME/Pulumi/pulumi-iac-gke/pulumi_gke_py
pulumi destroy
```
```bash
cd $HOME/Pulumi/pulumi-iac-gke/pulumi_gke_py
pulumi stack rm pulumi_gke_py
```
- https://www.pulumi.com/docs/get-started/
- https://www.pulumi.com/docs/reference/pkg/
- https://www.pulumi.com/docs/intro/concepts/state/
- https://www.pulumi.com/docs/guides/continuous-delivery/github-actions/