Routing to private services on GKE while surviving upgrades

10/27/2016

To access private services on GKE, I created a static route to one of the GKE nodes using a command like this:

gcloud compute routes create vpn-to-gke-services --destination-range 10.x.x.x/20 --network mynetwork --next-hop-instance europe-west1-d/gke-instance-1

This works fine while that instance is up and running, but it doesn't survive things like upgrades or downscaling the cluster. How do I solve this in a future-proof way?

An option I thought of is to create the route at node startup. Are there any side effects if I did that?

-- Bas Tichelaar
google-cloud-platform
google-kubernetes-engine

1 Answer

10/27/2016

The most resilient way to solve this problem would be to write a simple controller pod that runs inside your cluster and verifies that at least N such routes exist at all times. N can be 1 (like you have now) or you can set it to a larger number for redundancy (if you create multiple GCE routes with the same CIDR range and different next-hop instances, they will be rotated between automatically).

The controller would watch the nodes in the cluster and reconcile the routes for the service CIDR with the nodes. Then as nodes come and go (either through upgrades or scaling) you can ensure that the routes automatically stay up to date.

-- Robert Bailey
Source: StackOverflow
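The reconcile step the answer describes, as an added worked example (it is not code from the post, from GKE, or from Google). The Kubernetes node list and the Compute Engine route list are replaced by constructed in-memory records; all route, node, network and CIDR names are hypothetical. The planner keeps one route per Ready node, deletes routes whose next hop has disappeared or gone NotReady, tops up to N routes, and emits the same gcloud create command the question uses plus its delete counterpart. Creates are ordered before deletes so the service CIDR never loses its last route mid-reconcile.

```python
"""Plan GCE static-route changes for a private-service CIDR against live GKE nodes.

Added example; not from the StackOverflow post. A real controller would read
nodes from the Kubernetes API and routes from the Compute Engine API, then run
the gcloud commands (or the equivalent API calls) that plan() produces.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    name: str
    dest_range: str
    next_hop_instance: str  # "<zone>/<instance>", same form as --next-hop-instance

@dataclass(frozen=True)
class Desired:
    dest_range: str   # the private-service CIDR routed into the cluster
    network: str      # --network
    min_routes: int   # N: how many next-hop nodes to keep routes for
    name_prefix: str  # GCE route name prefix

# Constructed sample state (hypothetical names, not from the post).
SAMPLE_DESIRED = Desired("10.0.0.0/20", "mynetwork", 2, "vpn-to-gke-services")
SAMPLE_ROUTES = [
    # Route left behind by a node that has since been upgraded away.
    Route("vpn-to-gke-services-europe-west1-d-gke-instance-1", "10.0.0.0/20", "europe-west1-d/gke-instance-1"),
    # Unrelated route on the same network; must not be touched.
    Route("other-route", "10.9.0.0/16", "europe-west1-d/gke-instance-1"),
]
SAMPLE_NODES = [
    {"name": "gke-instance-2", "zone": "europe-west1-d", "ready": True},
    {"name": "gke-instance-3", "zone": "europe-west1-d", "ready": True},
    {"name": "gke-instance-4", "zone": "europe-west1-c", "ready": False},  # NotReady: not a valid next hop
]

# GCE resource names: lowercase letters, digits, hyphens, 1-63 chars (assumed constraint).
_NAME_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")

def ready_node_ids(nodes):
    """Return the set of 'zone/name' ids for nodes that are Ready."""
    return {f"{n['zone']}/{n['name']}" for n in nodes if n["ready"]}

def route_name(prefix, node_id):
    """Derive a deterministic, valid route name from the prefix and next-hop id."""
    name = f"{prefix}-{node_id.replace('/', '-')}"
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid GCE route name: {name}")
    return name

def plan(desired, routes, ready):
    """Return (to_create, to_delete) so that exactly one route per next hop exists,
    every next hop is a Ready node, and at least min_routes routes exist when
    enough Ready nodes are available."""
    ours = [r for r in routes if r.dest_range == desired.dest_range]
    keep, to_delete, seen = [], [], set()
    for r in sorted(ours, key=lambda r: r.name):  # deterministic across controller replicas
        if r.next_hop_instance in ready and r.next_hop_instance not in seen:
            keep.append(r)
            seen.add(r.next_hop_instance)
        else:
            to_delete.append(r)  # next hop gone or NotReady, or a duplicate hop
    to_create = []
    for node_id in sorted(ready - seen):
        if len(keep) + len(to_create) >= desired.min_routes:
            break
        to_create.append(Route(route_name(desired.name_prefix, node_id), desired.dest_range, node_id))
    return to_create, to_delete

def gcloud_commands(desired, to_create, to_delete):
    """Render the plan as gcloud commands: creates first, then deletes."""
    cmds = [
        f"gcloud compute routes create {r.name} --destination-range {r.dest_range} "
        f"--network {desired.network} --next-hop-instance {r.next_hop_instance}"
        for r in to_create
    ]
    cmds += [f"gcloud compute routes delete {r.name} --quiet" for r in to_delete]
    return cmds

def reconcile_once(desired=SAMPLE_DESIRED, routes=SAMPLE_ROUTES, nodes=SAMPLE_NODES):
    """One pass of the control loop over the (sample) observed state."""
    ready = ready_node_ids(nodes)
    to_create, to_delete = plan(desired, routes, ready)
    shortfall = desired.min_routes - len(ready)
    if shortfall > 0:
        print(f"warning: only {len(ready)} Ready node(s), {shortfall} short of min_routes")
    return to_create, to_delete, gcloud_commands(desired, to_create, to_delete)

if __name__ == "__main__":
    for cmd in reconcile_once()[2]:
        print(cmd)
```

Run it periodically, or on every node add/delete/condition-change event, and the routes follow the cluster through upgrades and scaling. Because the plan is computed from sorted inputs, several controller replicas observing the same state reach the same decision; the remaining race (two replicas both creating the same route name) fails safely, since the second create is rejected as a duplicate name.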