From 078426674f74e8783b9d9554ba2b6d271b8a094b Mon Sep 17 00:00:00 2001
From: Chi Zhang
Date: Mon, 19 Jul 2021 13:53:07 -0700
Subject: [PATCH] Enable Private Google Access for subnets used by private clusters
---
 kubetest2-gke/deployer/network.go | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/kubetest2-gke/deployer/network.go b/kubetest2-gke/deployer/network.go
index 4fa356f7..2d0d16e7 100644
--- a/kubetest2-gke/deployer/network.go
+++ b/kubetest2-gke/deployer/network.go
@@ -188,15 +188,22 @@ func (d *Deployer) CreateSubnets() error {
 parts := strings.Split(nr, " ")
 // The subnetwork name is in the format of `[main_network]-[service_project_id]`.
 subnetName := d.Network + "-" + serviceProject
- if err := runWithOutput(exec.Command("gcloud", "compute", "networks", "subnets", "create",
+ createSubnetCommand := []string{
+ "gcloud", "compute", "networks", "subnets", "create",
 subnetName,
- "--project="+hostProject,
- "--region="+regionFromLocation(d.Regions, d.Zones, d.retryCount),
- "--network="+d.Network,
- "--range="+parts[0],
+ "--project=" + hostProject,
+ "--region=" + regionFromLocation(d.Regions, d.Zones, d.retryCount),
+ "--network=" + d.Network,
+ "--range=" + parts[0],
 "--secondary-range", fmt.Sprintf("%s-services=%s,%s-pods=%s", subnetName, parts[1], subnetName, parts[2]),
- )); err != nil {
+ }
+ // Enabling `Private Google Access` on the subnet is needed for private
+ // cluster nodes to reach storage.googleapis.com.
+ if d.PrivateClusterAccessLevel != "" {
+ createSubnetCommand = append(createSubnetCommand, "--enable-private-ip-google-access")
+ }
+ if err := runWithOutput(exec.Command(createSubnetCommand[0], createSubnetCommand[1:]...)); err != nil {
 return err
 }
 }
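Review bot: The new `--enable-private-ip-google-access` flag is keyed on `d.PrivateClusterAccessLevel != ""`, but nothing in the hunk establishes that a non-empty access level is this project's definition of a private cluster, so if that field can hold a non-private value the subnet still gets the wider egress; a one-line comment stating that invariant, or an explicit private-cluster check, would make the gate reviewable. Private Google Access is a subnet-wide setting that routes to all Google API endpoints rather than only storage, so the comment would be more accurate as `// Private Google Access lets nodes without external IPs reach Google APIs (e.g. storage.googleapis.com); it applies to the whole subnet.` While this block is being reworked, the pre-existing `parts[0]`..`parts[2]` indexing on the result of strings.Split still has no length check and panics on a malformed range entry, which a guard like `if len(parts) < 3 { return fmt.Errorf("malformed subnet range %q", nr) }` before the slice literal would turn into an error. CreateSubnets starts and ends outside the hunk.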