chore: added cluster bringup

Author: mchmarny

.github/workflows/integration-gcp.yml

@@ -39,9 +39,11 @@ jobs:
       SERVICE_ACCOUNT: "[email protected]"
       PROJECT_ID: "proj-dgxc-nvsentinel"
     steps:
+      # Checkout Repo
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 
+      # Configure GCP AuthN
       - name: Get AuthN Token
         id: auth
         uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093  # v3
@@ -50,22 +52,14 @@ jobs:
           workload_identity_provider: ${{ env.IDENTITY_PROVIDER }}
           service_account: ${{ env.SERVICE_ACCOUNT }}
 
+      # Copy Images to GCP Artifact Registry
       - name: Authenticate to GCP Artifact Registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
         with:
           registry: ${{ env.TARGET_REG }}
           username: oauth2accesstoken
           password: ${{ steps.auth.outputs.access_token }} 
 
-      - name: Setup gcloud CLI
-        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db  # v3.0.1
-        with:
-          version: '>= 543.0.0'
-
-      - name: Show gcloud CLI Info
-        run: |
-          gcloud info
-
       - name: Install crane
         shell: bash
         env:
@@ -90,12 +84,36 @@ jobs:
         env:
           CI_COMMIT_REF_NAME: ${{ env.IMAGE_TAG }}
         run: |
-          ./scripts/build-image-list.sh
+          scripts/build-image-list.sh
           cat versions.txt
 
       - name: Copy Images to GCP Artifact Registry
         shell: bash
         env:
           TARGET_REG: "${{ env.TARGET_REG }}/${{ env.PROJECT_ID }}/${{ env.TARGET_REPO }}"
         run: |
-          ./scripts/copy-images.sh "$TARGET_REG" versions.txt
+          scripts/copy-images.sh "$TARGET_REG" versions.txt
+
+      # Create GKE Cluster
+      - name: Setup gcloud CLI
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db  # v3.0.1
+        with:
+          version: '>= 543.0.0'
+
+      - name: Show gcloud CLI Info
+        run: |
+          gcloud info
+
+      - name: Create Cluster
+        shell: bash
+        env:
+          TARGET_REG: "${{ env.TARGET_REG }}/${{ env.PROJECT_ID }}/${{ env.TARGET_REPO }}"
+        run: |
+          scripts/gcp-cluster-up.sh
+
+      - name: Destroy Cluster
+        shell: bash
+        env:
+          TARGET_REG: "${{ env.TARGET_REG }}/${{ env.PROJECT_ID }}/${{ env.TARGET_REPO }}"
+        run: |
+          scripts/gcp-cluster-down.sh

scripts/gcp-cluster-down.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -euo pipefail
+
+DIR="$(dirname "$0")"
+. "${DIR}/gcp-cluster-env.sh"
+
+echo "Deleting GKE cluster: $CLUSTER_NAME in region $REGION"
+
+# Delete regional GKE cluster
+gcloud container clusters delete "$CLUSTER_NAME" \
+    --region="$REGION" \
+    --quiet
+
+echo "✅ Cluster deletion complete!"

scripts/gcp-cluster-env.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -euo pipefail
+
+# validation 
+gcloud=$(which gcloud) || ( echo "gcloud not found" && exit 1 )
+
+# Check gcloud is authenticated.
+ACCOUNT=$(gcloud auth list --filter=status:ACTIVE --format="value(account)")
+if [[ -z "${ACCOUNT}" ]]; then
+  echo "Run 'gcloud auth login' to authenticate to GCP first."
+  exit 1
+fi;
+
+# Check project is set
+export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
+if [[ -z "${PROJECT_ID}" ]]; then
+  echo "`gcloud config set project YOUR_PROJECT_ID` note set."
+  exit 1
+fi;
+
+# Check region is set
+export REGION=$(gcloud config list --format 'value(compute.region)')
+if [[ -z "${REGION}" ]]; then
+  echo "Warning: \`gcloud config set compute/region YOUR_REGION\` not set, using default."
+  export REGION="us-central1"
+fi
+
+# Config
+export CLUSTER_NAME="${CLUSTER_NAME:-validation}"
+export CLUSTER_CHANNEL="${CLUSTER_CHANNEL:-regular}"
+export SYSTEM_NODE_TYPE="${SYSTEM_NODE_TYPE:-e2-standard-4}"
+export SYSTEM_NODE_COUNT="${SYSTEM_NODE_COUNT:-3}"
+
+# SERVICE_ACCOUNT is optional - set by workflow or provide manually
+export SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-}"
+
+# Print variables
+cat << EOF
+
+Configuration:
+  PROJECT_ID:        ${PROJECT_ID}
+  ACCOUNT:           ${ACCOUNT}
+  REGION:            ${REGION}
+  CLUSTER_NAME:      ${CLUSTER_NAME}
+  CLUSTER_CHANNEL:   ${CLUSTER_CHANNEL}
+  NODE_TYPE:         ${SYSTEM_NODE_TYPE}
+  NODE_COUNT:        ${SYSTEM_NODE_COUNT}
+  SERVICE_ACCOUNT:   ${SERVICE_ACCOUNT:-<not set>}
+
+EOF

scripts/gcp-cluster-up.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -euo pipefail
+
+DIR="$(dirname "$0")"
+. "${DIR}/gcp-cluster-env.sh"
+
+# Assumptions:
+# - gcloud is installed and configured
+# - OIDC configured (see https://github.com/mchmarny/oidc-for-gcp-using-terraform)
+
+echo "Creating GKE cluster..."
+
+# Create regional cluster
+gcloud container clusters create "$CLUSTER_NAME" \
+    --scopes=cloud-platform \
+    --disk-size="200" \
+    --disk-type="pd-standard" \
+    --enable-cloud-logging \
+    --enable-cloud-monitoring \
+    --enable-image-streaming \
+    --enable-ip-alias \
+    --enable-shielded-nodes \
+    --enable-autorepair \
+    --enable-network-policy \
+    --image-type="COS_CONTAINERD" \
+    --labels=source=github,environment=validation \
+    --logging=SYSTEM,WORKLOAD \
+    --machine-type="$SYSTEM_NODE_TYPE" \
+    --monitoring=SYSTEM \
+    --num-nodes="$SYSTEM_NODE_COUNT" \
+    --region="$REGION" \
+    --release-channel="$CLUSTER_CHANNEL" \
+    --workload-metadata="GKE_METADATA" \
+    --workload-pool="${PROJECT_ID}.svc.id.goog" \
+    --addons=HttpLoadBalancing,HorizontalPodAutoscaling
+
+# Get cluster version 
+echo "Cluster version:"
+gcloud container clusters describe "$CLUSTER_NAME" \
+    --region="$REGION" \
+    --format="value(currentMasterVersion)"
+
+# Create policy binding between service account and k8s service account (optional)
+if [[ -n "${SERVICE_ACCOUNT}" ]]; then
+    echo "Creating IAM policy binding for service account..."
+    gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}" \
+        --member="serviceAccount:${PROJECT_ID}.svc.id.goog[cnrm-system/cnrm-controller-manager]" \
+        --role="roles/iam.workloadIdentityUser"
+else
+    echo "SERVICE_ACCOUNT not set, skipping IAM policy binding"
+fi
+
+# Get cluster credentials
+echo "Getting cluster credentials..."
+gcloud container clusters get-credentials "$CLUSTER_NAME" --region="$REGION"
+
+echo "✅ Cluster creation complete!"