Document working with private clusters

[eitah]

TL;DR

We want to be able to use the deploy action to get connected to our private cluster, so we've set up a GSA with the right permissions but are stumped by firewall issues.

Detailed design

Seems like the deploy job has some amount of access to be able to get cluster details as suggested might be the case from the docs, but then hits some kind of firewall or private connectivity issue where the calls to the Kubernetes api are getting blocked.

Error: failed to apply deployment: failed to check if deployed object with kind "Namespace" and name "deployment" exists: failed to get config of deployed object: command to get kubernetes config: E1226 18:51:18.798792      24 memcache.go:265] couldn't get current server API group list: Get "https://10.3.0.50/api?timeout=32s": dial tcp 10.3.0.50:443: i/o timeout
E1226 18:51:48.801921      24 memcache.go:265] couldn't get current server API group list: Get "https://10.3.0.50/api?timeout=32s": dial tcp 10.3.0.50:443: i/o timeout

Additional information

Where's the source code for gke-deploy [command]? Perhaps I could come to understand what CLI commands are running to debug the issue locally. Perhaps per the readme it's here? https://github.com/GoogleCloudPlatform/cloud-builders/tree/master/gke-deploy. Thanks!

[codebydant]

I am getting the same error with a deployment to a private cluster.

[mercerdavid]

You need to setup the private cluster adding it to a fleet. Then setup Connect Gateway in order to access your private cluster using the SA and Workload Identity specifying the gateway connect in the github action...

e.g.

• name: Get GKE credentials (via Connect Gateway)
  uses: google-github-actions/get-gke-credentials@v2
  with:
  cluster_name: ${{ GKE_CLUSTER_NAME }}
  location: ${{ REGION }}
  project_id: ${{ PROJECT_ID }}
  use_connect_gateway: 'true'