HOWTO: Provision a GCP Operations Runner

Purpose: Deploy a Jenkins agent in GCP and validate it can execute HybridOps GCP-target module runs and Cloud SQL health checks from a pipeline.

Difficulty: Intermediate

Track: Contract-Driven Automation

---

Overview

The GCP operations runner (the execution agent for platform operations) is the counterpart to the on-prem runner: it provides a trusted execution context inside the cloud boundary, with direct access to GCP APIs via Workload Identity. This HOWTO covers provisioning and validating the runner, with the Cloud SQL DR lane (isolated execution environment) as the primary use case.

---

1. Module Overview

• Module ID: infra/gcp/ops-runner.
• Compute instance in the GCP management VPC.
• Jenkins controller registration via VPN tunnel.

2. Module Inputs

• GCP project, region, and machine type.
• VPC and subnet for the runner instance.
• Jenkins controller URL and agent credential reference.
• Workload Identity service account.
• HybridOps CLI version.

3. Provisioning the Runner

• Terraform-backed instance provisioning.
• Workload Identity binding.
• Jenkins agent registration.

4. GCP API Access Validation

• Cloud SQL admin API: instance list.
• Secret Manager API: test secret read.
• Confirming Workload Identity is used (no static key).

5. Pipeline Validation

• Test pipeline: Cloud SQL health check module from GCP runner.
• GSM secret read as a pipeline step.
• Confirm run record written correctly.

---

References

• HOWTO: Provision On-Prem Ops Runner
• HOWTO: Provision Cloud SQL Standby
• HOWTO: Sync Secrets to GSM

---

License: MIT-0 for code, CC-BY-4.0 for documentation unless otherwise stated.