From c3abc08fd5c803b69ebbe869850c8c595918d553 Mon Sep 17 00:00:00 2001 
From: Bharath KKB Date: Thu, 21 Dec 2023 17:23:22 -0600 Subject: [PATCH 001/176] chore: update examples to use registry (#1821) --- build/int.cloudbuild.yaml | 3 +++ examples/deploy_service/main.tf | 4 +++- examples/disable_client_cert/main.tf | 3 ++- examples/node_pool/main.tf | 4 +++- examples/node_pool/variables.tf | 1 + examples/node_pool_update_variant/main.tf | 4 +++- examples/node_pool_update_variant_beta/main.tf | 4 +++- .../node_pool_update_variant_public_beta/main.tf | 4 +++- examples/private_zonal_with_networking/main.tf | 4 +++- .../main.tf | 4 +++- examples/safer_cluster/main.tf | 4 +++- examples/safer_cluster_iap_bastion/cluster.tf | 3 ++- examples/shared_vpc/main.tf | 4 +++- examples/simple_autopilot_private/main.tf | 4 +++- .../main.tf | 4 +++- examples/simple_autopilot_public/main.tf | 4 +++- examples/simple_regional/main.tf | 4 +++- examples/simple_regional_beta/main.tf | 4 +++- examples/simple_regional_private/main.tf | 4 +++- examples/simple_regional_private_beta/main.tf | 4 +++- .../main.tf | 4 +++- .../simple_regional_with_gateway_api/main.tf | 4 +++- examples/simple_regional_with_kubeconfig/main.tf | 7 +++++-- examples/simple_regional_with_networking/main.tf | 4 +++- examples/simple_windows_node_pool/main.tf | 4 +++- examples/simple_zonal_private/main.tf | 4 +++- examples/simple_zonal_with_acm/acm.tf | 4 +++- examples/simple_zonal_with_acm/main.tf | 4 +++- examples/simple_zonal_with_asm/main.tf | 8 ++++++-- examples/simple_zonal_with_hub/hub.tf | 4 +++- examples/simple_zonal_with_hub/main.tf | 4 +++- examples/simple_zonal_with_hub_kubeconfig/hub.tf | 4 +++- examples/stub_domains/main.tf | 4 +++- examples/stub_domains_private/main.tf | 3 ++- .../stub_domains_upstream_nameservers/main.tf | 4 +++- examples/upstream_nameservers/main.tf | 4 +++- examples/workload_identity/main.tf | 16 ++++++++++++---- examples/workload_metadata_config/main.tf | 4 +++- 38 files changed, 123 insertions(+), 41 deletions(-) 
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 0d75bbd3ab..4aa54827ab 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -14,6 +14,9 @@ timeout: 12600s steps: +- id: swap-module-refs + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['module-swapper'] - id: prepare name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && prepare_environment ; chmod 600 /builder/home/.netrc && sleep 120'] diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index 1083e81859..eca6e989c3 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" region = var.region diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf index aa11abfba4..b44178ab04 100644 --- a/examples/disable_client_cert/main.tf +++ b/examples/disable_client_cert/main.tf @@ -27,7 +27,8 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index cacc051975..59eb35cd19 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf 
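Review bot: The new `swap-module-refs` step is what should make the integration tests exercise the checked-out module rather than the published `~> 29.0` release the examples now reference, but nothing in the pipeline confirms that the swap actually happened; if `module-swapper` (which presumably rewrites the registry `source` lines under examples/ back to local paths) leaves a reference behind, that example tests the registry release and still passes. Unless `module-swapper` already fails the step on an unswapped reference, a guard at the start of the `prepare` step such as `! grep -rl 'terraform-google-modules/kubernetes-engine/google' examples/` would turn that silent fallback into a build failure. A comment on the step, `# rewrite registry module sources in examples/ to local paths so tests run against this checkout`, would also record why it has to run before `prepare`.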
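Review bot: With `source` now pointing at the registry and `version = "~> 29.0"`, this example resolves the newest published 29.x release at `terraform init` time rather than the code in the working tree, so a contributor who changes the root module or a submodule and then applies an example is testing the published module instead; the same applies to every other example hunk in this commit (disable_client_cert through workload_metadata_config). No README or example documentation is touched here, so a comment above each registry `source`, such as `# Registry reference; CI rewrites this to the local module (swap-module-refs in build/int.cloudbuild.yaml) — run module-swapper to test a checkout.`, would make the behaviour obvious. The `~> 29.0` constraint also floats across 29.x releases, which is the usual registry convention but means the example deploys whatever the latest 29.x is on the day it is run; anyone who needs a reproducible run has to pin an exact version. Whether the `project_id` line after `version` is added or pre-existing context cannot be told from this rendering, but the diffstat (3 insertions, 1 deletion) suggests it is context.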
@@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../modules/beta-public-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" region = var.region diff --git a/examples/node_pool/variables.tf b/examples/node_pool/variables.tf index 616acc56e8..4f3128ce7c 100644 --- a/examples/node_pool/variables.tf +++ b/examples/node_pool/variables.tf @@ -80,4 +80,5 @@ variable "cluster_autoscaling" { auto_upgrade = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" + } diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf index fc3f418dc5..10489bc5a9 100644 --- a/examples/node_pool_update_variant/main.tf +++ b/examples/node_pool_update_variant/main.tf @@ -33,7 +33,9 @@ provider "kubernetes" { } module "gke" { - source = "../../modules/private-cluster-update-variant" + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster-update-variant" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = false diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf index 7d33e7c1c8..438a0b0ec2 100644 --- a/examples/node_pool_update_variant_beta/main.tf +++ b/examples/node_pool_update_variant_beta/main.tf @@ -38,7 +38,9 @@ provider "kubernetes" { } module "gke" { - source = "../../modules/beta-private-cluster-update-variant" + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = false 
diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf index 4b223b5eb5..c096e1c28c 100644 --- a/examples/node_pool_update_variant_public_beta/main.tf +++ b/examples/node_pool_update_variant_public_beta/main.tf @@ -38,7 +38,9 @@ provider "kubernetes" { } module "gke" { - source = "../../modules/beta-public-cluster-update-variant" + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster-update-variant" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" region = var.region diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf index 6896155159..889582fb8e 100644 --- a/examples/private_zonal_with_networking/main.tf +++ b/examples/private_zonal_with_networking/main.tf @@ -60,7 +60,9 @@ data "google_compute_subnetwork" "subnetwork" { } module "gke" { - source = "../../modules/private-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" + version = "~> 29.0" + project_id = var.project_id name = var.cluster_name regional = false diff --git a/examples/regional_private_node_pool_oauth_scopes/main.tf b/examples/regional_private_node_pool_oauth_scopes/main.tf index bf1fc70137..98c3c561dd 100644 --- a/examples/regional_private_node_pool_oauth_scopes/main.tf +++ b/examples/regional_private_node_pool_oauth_scopes/main.tf @@ -15,7 +15,9 @@ */ module "gke" { - source = "../../modules/private-cluster" + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" + version = "~> 29.0" + project_id = var.project_id name = "random-test-cluster" region = "us-west1" diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index bf0037cea6..771f4970ff 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf 
@@ -51,7 +51,9 @@ resource "random_shuffle" "version" { } module "gke" { - source = "../../modules/safer-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster-${random_string.suffix.result}" regional = true diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf index 7731c758e1..2525476181 100644 --- a/examples/safer_cluster_iap_bastion/cluster.tf +++ b/examples/safer_cluster_iap_bastion/cluster.tf @@ -15,7 +15,8 @@ */ module "gke" { - source = "../../modules/safer-cluster" + source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" + version = "~> 29.0" project_id = module.enabled_google_apis.project_id name = var.cluster_name diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf index 43d115e77a..d95626f694 100644 --- a/examples/shared_vpc/main.tf +++ b/examples/shared_vpc/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" region = var.region diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf index 7a50463263..33bc104262 100644 --- a/examples/simple_autopilot_private/main.tf +++ b/examples/simple_autopilot_private/main.tf @@ -34,7 +34,9 @@ provider "kubernetes" { } module "gke" { - source = "../../modules/beta-autopilot-private-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster" regional = true 
diff --git a/examples/simple_autopilot_private_non_default_sa/main.tf b/examples/simple_autopilot_private_non_default_sa/main.tf index cd61608e4c..0bb1fde3e6 100644 --- a/examples/simple_autopilot_private_non_default_sa/main.tf +++ b/examples/simple_autopilot_private_non_default_sa/main.tf @@ -34,7 +34,9 @@ provider "kubernetes" { } module "gke" { - source = "../../modules/beta-autopilot-private-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster" regional = true diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index 3a673fa089..d791840c75 100644 --- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf @@ -33,7 +33,9 @@ provider "kubernetes" { } module "gke" { - source = "../../modules/beta-autopilot-public-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster" regional = true diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index d26114eadc..ad4122d5c2 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = true diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index a572d3396f..667965d3d1 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf 
@@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../modules/beta-public-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = var.regional diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf index ad85a3774a..d6a9b3f963 100644 --- a/examples/simple_regional_private/main.tf +++ b/examples/simple_regional_private/main.tf @@ -33,7 +33,9 @@ data "google_compute_subnetwork" "subnetwork" { } module "gke" { - source = "../../modules/private-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = true diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf index bc439415f5..861c4a08e0 100644 --- a/examples/simple_regional_private_beta/main.tf +++ b/examples/simple_regional_private_beta/main.tf @@ -33,7 +33,9 @@ data "google_compute_subnetwork" "subnetwork" { } module "gke" { - source = "../../modules/beta-private-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = true diff --git a/examples/simple_regional_private_with_cluster_version/main.tf b/examples/simple_regional_private_with_cluster_version/main.tf index 065e0f42e1..bf511e6c3a 100644 --- a/examples/simple_regional_private_with_cluster_version/main.tf +++ b/examples/simple_regional_private_with_cluster_version/main.tf 
@@ -33,7 +33,9 @@ data "google_compute_subnetwork" "subnetwork" { } module "gke" { - source = "../../modules/private-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = true diff --git a/examples/simple_regional_with_gateway_api/main.tf b/examples/simple_regional_with_gateway_api/main.tf index ad778840f8..60405c2181 100644 --- a/examples/simple_regional_with_gateway_api/main.tf +++ b/examples/simple_regional_with_gateway_api/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = true diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf index 0c35a3a0eb..18a6e574c9 100644 --- a/examples/simple_regional_with_kubeconfig/main.tf +++ b/examples/simple_regional_with_kubeconfig/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = true @@ -42,7 +44,8 @@ module "gke" { } module "gke_auth" { - source = "../../modules/auth" + source = "terraform-google-modules/kubernetes-engine/google//modules/auth" + version = "~> 29.0" project_id = var.project_id location = module.gke.location diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf index b9bcec3303..9a45243897 100644 --- a/examples/simple_regional_with_networking/main.tf +++ b/examples/simple_regional_with_networking/main.tf 
@@ -52,7 +52,9 @@ module "gcp-network" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = var.cluster_name regional = true diff --git a/examples/simple_windows_node_pool/main.tf b/examples/simple_windows_node_pool/main.tf index 4ff9dc6fd8..3dcbac05c4 100644 --- a/examples/simple_windows_node_pool/main.tf +++ b/examples/simple_windows_node_pool/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../modules/beta-public-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" + version = "~> 29.0" + project_id = var.project_id regional = false region = var.region diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf index 1dbe43df70..c892b0d0bf 100644 --- a/examples/simple_zonal_private/main.tf +++ b/examples/simple_zonal_private/main.tf @@ -33,7 +33,9 @@ data "google_compute_subnetwork" "subnetwork" { } module "gke" { - source = "../../modules/private-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = false diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf index 3c8d299633..010df6a0f1 100644 --- a/examples/simple_zonal_with_acm/acm.tf +++ b/examples/simple_zonal_with_acm/acm.tf @@ -15,7 +15,9 @@ */ module "acm" { - source = "../../modules/acm" + source = "terraform-google-modules/kubernetes-engine/google//modules/acm" + version = "~> 29.0" + project_id = var.project_id location = module.gke.location cluster_name = module.gke.name diff --git a/examples/simple_zonal_with_acm/main.tf b/examples/simple_zonal_with_acm/main.tf index d57d2edf27..9f66f7bab1 100644 --- a/examples/simple_zonal_with_acm/main.tf 
+++ b/examples/simple_zonal_with_acm/main.tf @@ -31,7 +31,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id regional = false region = var.region diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index 1c26f6b206..d60873aa49 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -27,7 +27,9 @@ data "google_project" "project" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "test-prefix-cluster-test-suffix" regional = false @@ -54,7 +56,9 @@ module "gke" { } module "asm" { - source = "../../modules/asm" + source = "terraform-google-modules/kubernetes-engine/google//modules/asm" + version = "~> 29.0" + project_id = var.project_id cluster_name = module.gke.name cluster_location = module.gke.location diff --git a/examples/simple_zonal_with_hub/hub.tf b/examples/simple_zonal_with_hub/hub.tf index 08b912c4ff..c838b44cbf 100644 --- a/examples/simple_zonal_with_hub/hub.tf +++ b/examples/simple_zonal_with_hub/hub.tf @@ -15,7 +15,9 @@ */ module "hub" { - source = "../../modules/fleet-membership" + source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership" + version = "~> 29.0" + project_id = var.project_id location = module.gke.location cluster_name = module.gke.name diff --git a/examples/simple_zonal_with_hub/main.tf b/examples/simple_zonal_with_hub/main.tf index db47ffe9a6..2fbbeddc78 100644 --- a/examples/simple_zonal_with_hub/main.tf +++ b/examples/simple_zonal_with_hub/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id regional = false region = var.region 
diff --git a/examples/simple_zonal_with_hub_kubeconfig/hub.tf b/examples/simple_zonal_with_hub_kubeconfig/hub.tf index 2fe50463af..5e500327b7 100644 --- a/examples/simple_zonal_with_hub_kubeconfig/hub.tf +++ b/examples/simple_zonal_with_hub_kubeconfig/hub.tf @@ -15,7 +15,9 @@ */ module "hub" { - source = "../../modules/hub-legacy" + source = "terraform-google-modules/kubernetes-engine/google//modules/hub-legacy" + version = "~> 29.0" + project_id = var.project_id location = "remote" cluster_name = kind_cluster.test-cluster.name diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf index 79c6f2d8a3..00a6c85eed 100644 --- a/examples/stub_domains/main.tf +++ b/examples/stub_domains/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" region = var.region diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf index 5f54705e4b..3c483acc13 100644 --- a/examples/stub_domains_private/main.tf +++ b/examples/stub_domains_private/main.tf @@ -29,7 +29,8 @@ data "google_compute_subnetwork" "subnetwork" { } module "gke" { - source = "../../modules/private-cluster" + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" + version = "~> 29.0" ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf index 65be8b4c92..75fabb9aaa 100644 --- a/examples/stub_domains_upstream_nameservers/main.tf +++ b/examples/stub_domains_upstream_nameservers/main.tf 
@@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" region = var.region diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf index 644878bd02..7eb438547c 100644 --- a/examples/upstream_nameservers/main.tf +++ b/examples/upstream_nameservers/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" region = var.region diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index 2fd5159894..84d05f073d 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf @@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" region = var.region @@ -51,7 +53,9 @@ module "gke" { # example without existing KSA module "workload_identity" { - source = "../../modules/workload-identity" + source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" + version = "~> 29.0" + project_id = var.project_id name = "iden-${module.gke.name}" namespace = "default" @@ -69,7 +73,9 @@ resource "kubernetes_service_account" "test" { } module "workload_identity_existing_ksa" { - source = "../../modules/workload-identity" + source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" + version = "~> 29.0" + project_id = var.project_id name = "existing-${module.gke.name}" cluster_name = module.gke.name 
@@ -86,7 +92,9 @@ resource "google_service_account" "custom" { } module "workload_identity_existing_gsa" { - source = "../../modules/workload-identity" + source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" + version = "~> 29.0" + project_id = var.project_id name = google_service_account.custom.account_id use_existing_gcp_sa = true diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index 770ab96454..fce542bd95 100644 --- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf @@ -33,7 +33,9 @@ data "google_compute_subnetwork" "subnetwork" { } module "gke" { - source = "../../modules/private-cluster/" + source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" + version = "~> 29.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = false From 0d7f63858d283ffb6c66d9f3a162ee0845db57f0 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 26 Dec 2023 08:21:18 -0800 Subject: [PATCH 002/176] fix!: Revert create least privilege default service account (#1757) (#1827) --- autogen/main/sa.tf.tmpl | 25 +++++++++++++++++-- docs/upgrading_to_v30.0.md | 7 ++++++ modules/beta-autopilot-private-cluster/sa.tf | 25 +++++++++++++++++-- modules/beta-autopilot-public-cluster/sa.tf | 25 +++++++++++++++++-- .../beta-private-cluster-update-variant/sa.tf | 25 +++++++++++++++++-- modules/beta-private-cluster/sa.tf | 25 +++++++++++++++++-- .../beta-public-cluster-update-variant/sa.tf | 25 +++++++++++++++++-- modules/beta-public-cluster/sa.tf | 25 +++++++++++++++++-- modules/private-cluster-update-variant/sa.tf | 25 +++++++++++++++++-- modules/private-cluster/sa.tf | 25 +++++++++++++++++-- sa.tf | 25 +++++++++++++++++-- 11 files changed, 237 insertions(+), 20 deletions(-) create mode 100644 docs/upgrading_to_v30.0.md 
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index dbc17213ac..cae74cd594 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" {
 display_name = "Terraform-managed service account for cluster ${var.name}"
 }
-resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/container.nodeServiceAccount"
+ role = "roles/logging.logWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-log_writer[0].project
+ role = "roles/monitoring.metricWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-metric_writer[0].project
+ role = "roles/monitoring.viewer"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
 member = google_service_account.cluster_service_account[0].member
 }
diff --git a/docs/upgrading_to_v30.0.md b/docs/upgrading_to_v30.0.md
new file mode 100644
index 0000000000..74f8047e91
--- /dev/null
+++ b/docs/upgrading_to_v30.0.md
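Review bot: The four new bindings live under new resource addresses, so absent a `moved` block an upgrade plan destroys the `roles/container.nodeServiceAccount` grant held by `cluster_service_account-nodeService_account` and creates the four replacements; the upgrade guide added in this commit describes the role change but not that destroy/create step. The guide also calls the old role deprecated while the commit title says the change being reverted (#1757) was the least-privilege default, and it should say which permission gap motivated the revert so a later reader does not re-apply #1757 in good faith. `project` on each later binding is read from the previous binding (`cluster_service_account-log_writer[0].project`, then `-metric_writer`, then `-monitoring_viewer`) instead of from the service account, which presumably serializes the four IAM writes to avoid concurrent policy-update conflicts; if so, a comment on the `metric_writer` block such as `# project is taken from the previous binding so the four IAM updates apply serially instead of racing on the project policy` records the intent, otherwise `depends_on` states it more directly. Of the four, `roles/monitoring.viewer` is the only read-scoped, project-wide grant, and a one-line comment on what the node agents need it for is what a least-privilege review will ask for first. The `modules/*/sa.tf` hunks that follow are generated from this template and carry the same observations.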
@@ -0,0 +1,7 @@
+# Upgrading to v30.0
+The v30.0 release of *kubernetes-engine* is a backwards incompatible
+release.
+
+### Default cluster service account permissions modified
+
+When `create_service_account` is `true`, the service account will now be created with the `Logs Writer`, `Monitoring Metric Writer`, `Monitoring Viewer` and `Stackdriver Resource Metadata Writer` roles instead of the deprecated `Kubernetes Engine Node Service Account` role.
diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf
index a19843e0f9..9a13a24909 100644
--- a/modules/beta-autopilot-private-cluster/sa.tf
+++ b/modules/beta-autopilot-private-cluster/sa.tf
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-nodeService_account" { +resource "google_project_iam_member" "cluster_service_account-log_writer" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/container.nodeServiceAccount" + role = "roles/logging.logWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_project_iam_member.cluster_service_account-log_writer[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { + count = var.create_service_account ? 1 : 0 + project = google_project_iam_member.cluster_service_account-metric_writer[0].project + role = "roles/monitoring.viewer" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project + role = "roles/stackdriver.resourceMetadata.writer" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf index a19843e0f9..9a13a24909 100644 --- a/modules/beta-autopilot-public-cluster/sa.tf +++ b/modules/beta-autopilot-public-cluster/sa.tf 
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-nodeService_account" { +resource "google_project_iam_member" "cluster_service_account-log_writer" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/container.nodeServiceAccount" + role = "roles/logging.logWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_project_iam_member.cluster_service_account-log_writer[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { + count = var.create_service_account ? 1 : 0 + project = google_project_iam_member.cluster_service_account-metric_writer[0].project + role = "roles/monitoring.viewer" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project + role = "roles/stackdriver.resourceMetadata.writer" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf index a19843e0f9..9a13a24909 100644 --- a/modules/beta-private-cluster-update-variant/sa.tf +++ b/modules/beta-private-cluster-update-variant/sa.tf 
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-nodeService_account" { +resource "google_project_iam_member" "cluster_service_account-log_writer" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/container.nodeServiceAccount" + role = "roles/logging.logWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_project_iam_member.cluster_service_account-log_writer[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { + count = var.create_service_account ? 1 : 0 + project = google_project_iam_member.cluster_service_account-metric_writer[0].project + role = "roles/monitoring.viewer" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project + role = "roles/stackdriver.resourceMetadata.writer" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index a19843e0f9..9a13a24909 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf 
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" {
 display_name = "Terraform-managed service account for cluster ${var.name}"
 }
-resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/container.nodeServiceAccount"
+ role = "roles/logging.logWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-log_writer[0].project
+ role = "roles/monitoring.metricWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-metric_writer[0].project
+ role = "roles/monitoring.viewer"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
 member = google_service_account.cluster_service_account[0].member
 }
diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf
index a19843e0f9..9a13a24909 100644
--- a/modules/beta-public-cluster-update-variant/sa.tf
+++ b/modules/beta-public-cluster-update-variant/sa.tf
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" {
 display_name = "Terraform-managed service account for cluster ${var.name}"
 }
-resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/container.nodeServiceAccount"
+ role = "roles/logging.logWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-log_writer[0].project
+ role = "roles/monitoring.metricWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-metric_writer[0].project
+ role = "roles/monitoring.viewer"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
 member = google_service_account.cluster_service_account[0].member
 }
diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf
index a19843e0f9..9a13a24909 100644
--- a/modules/beta-public-cluster/sa.tf
+++ b/modules/beta-public-cluster/sa.tf
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" {
 display_name = "Terraform-managed service account for cluster ${var.name}"
 }
-resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/container.nodeServiceAccount"
+ role = "roles/logging.logWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-log_writer[0].project
+ role = "roles/monitoring.metricWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-metric_writer[0].project
+ role = "roles/monitoring.viewer"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
 member = google_service_account.cluster_service_account[0].member
 }
diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf
index a19843e0f9..9a13a24909 100644
--- a/modules/private-cluster-update-variant/sa.tf
+++ b/modules/private-cluster-update-variant/sa.tf
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" {
 display_name = "Terraform-managed service account for cluster ${var.name}"
 }
-resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/container.nodeServiceAccount"
+ role = "roles/logging.logWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-log_writer[0].project
+ role = "roles/monitoring.metricWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-metric_writer[0].project
+ role = "roles/monitoring.viewer"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
 member = google_service_account.cluster_service_account[0].member
 }
diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf
index a19843e0f9..9a13a24909 100644
--- a/modules/private-cluster/sa.tf
+++ b/modules/private-cluster/sa.tf
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" {
 display_name = "Terraform-managed service account for cluster ${var.name}"
 }
-resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/container.nodeServiceAccount"
+ role = "roles/logging.logWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-log_writer[0].project
+ role = "roles/monitoring.metricWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-metric_writer[0].project
+ role = "roles/monitoring.viewer"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
 member = google_service_account.cluster_service_account[0].member
 }
diff --git a/sa.tf b/sa.tf
index a19843e0f9..9a13a24909 100644
--- a/sa.tf
+++ b/sa.tf
@@ -45,10 +45,31 @@ resource "google_service_account" "cluster_service_account" {
 display_name = "Terraform-managed service account for cluster ${var.name}"
 }
-resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
+resource "google_project_iam_member" "cluster_service_account-log_writer" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/container.nodeServiceAccount"
+ role = "roles/logging.logWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-log_writer[0].project
+ role = "roles/monitoring.metricWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-metric_writer[0].project
+ role = "roles/monitoring.viewer"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
 member = google_service_account.cluster_service_account[0].member
 }
From 13e79af0f7a99b8c20099431df4a14ee145f9b03 Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Tue, 26 Dec 2023 10:13:27 -0800
Subject: [PATCH 003/176] feat(TPG>=5.6)!: use hub membership location for output (#1824)
---
modules/fleet-membership/main.tf | 4 +++-
modules/fleet-membership/outputs.tf | 3 +--
modules/fleet-membership/versions.tf | 10 ++++------
3 files changed, 8 insertions(+), 9 deletions(-)
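Review bot: The second, third and fourth bindings take `project` from the previous `google_project_iam_member` (e.g. `project = google_project_iam_member.cluster_service_account-log_writer[0].project`) instead of from the service account, which builds an implicit dependency chain that serialises the four grants while leaving the reason unstated. If the serialisation is intentional — presumably to avoid concurrent modifications of the project IAM policy — a one-line comment such as `# Chained through the previous binding to serialise IAM policy updates on the project.` should say so; if it is not, the four resources read more clearly as one `for_each` over a role list, as below. The `for_each` form changes resource addresses, so a published module would need `moved` blocks or users will see the bindings destroyed and recreated on upgrade.
```hcl
locals {
  # Roles granted to the node service account on the cluster project.
  cluster_service_account_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
  ]
}

resource "google_project_iam_member" "cluster_service_account" {
  for_each = var.create_service_account ? toset(local.cluster_service_account_roles) : toset([])
  project  = google_service_account.cluster_service_account[0].project
  role     = each.value
  member   = google_service_account.cluster_service_account[0].member
}
```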
diff --git a/modules/fleet-membership/main.tf b/modules/fleet-membership/main.tf
index f39b113f90..92d5d83f7f 100644
--- a/modules/fleet-membership/main.tf
+++ b/modules/fleet-membership/main.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2018-2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -18,6 +18,8 @@ locals {
 hub_project_id = var.hub_project_id == "" ? var.project_id : var.hub_project_id
 gke_hub_membership_name_complete = var.membership_name != "" ? var.membership_name : "${var.project_id}-${var.location}-${var.cluster_name}"
 gke_hub_membership_name = trimsuffix(substr(local.gke_hub_membership_name_complete, 0, 63), "-")
+ gke_hub_membership_location = regex(local.gke_hub_membership_location_re, data.google_container_cluster.primary.fleet[0].membership)[0]
+ gke_hub_membership_location_re = "//gkehub.googleapis.com/projects/[^/]*/locations/([^/]*)/memberships/[^/]*$"
 }
 # Retrieve GKE cluster info
diff --git a/modules/fleet-membership/outputs.tf b/modules/fleet-membership/outputs.tf
index 1531ea4ad4..f7e2c42802 100644
--- a/modules/fleet-membership/outputs.tf
+++ b/modules/fleet-membership/outputs.tf
@@ -30,7 +30,6 @@ output "project_id" {
 }
 output "location" {
- # TODO: google_gke_hub_membership b/300473592
 description = "The location of the hub membership."
- value = "global"
+ value = var.enable_fleet_registration ? google_gke_hub_membership.primary[0].location : local.gke_hub_membership_location
 }
diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf
index 0bacaf89ae..f4ef6d69f6 100644
--- a/modules/fleet-membership/versions.tf
+++ b/modules/fleet-membership/versions.tf
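Review bot: `local.gke_hub_membership_location` indexes `data.google_container_cluster.primary.fleet[0]` and then `regex(...)[0]` unconditionally, and as far as I can tell Terraform evaluates the local whenever the `location` output references it, not only when `var.enable_fleet_registration` is false; so a cluster whose `fleet` list comes back empty (not registered to any fleet — possibly including the first apply in which this module itself creates the membership, depending on how the data source is ordered) or whose `membership` does not match the pattern fails with an invalid-index or regex error instead of producing a location. Guarding the expression keeps the output defined in that case: `gke_hub_membership_location = try(regex(local.gke_hub_membership_location_re, data.google_container_cluster.primary.fleet[0].membership)[0], null)`. The data source that feeds this is declared after the hunk, so its ordering relative to `google_gke_hub_membership.primary` is not visible here and should be checked.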
@@ -20,14 +20,12 @@ terraform {
 required_providers {
 google = {
- source = "hashicorp/google"
- # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507
- version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 6"
+ source = "hashicorp/google"
+ version = ">= 5.6.0, < 6"
 }
 google-beta = {
- source = "hashicorp/google-beta"
- # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507
- version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 6"
+ source = "hashicorp/google-beta"
+ version = ">= 5.6.0, < 6"
 }
 }
From 752332e8ba9f0f6c4c5226d0ebc4ea7b14440696 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 26 Dec 2023 19:11:12 +0000
Subject: [PATCH 004/176] chore(deps): Update module github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test to v0.11.0 (#1826)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
test/integration/go.mod | 4 +++-
test/integration/go.sum | 34 ++++++++++++++++++----------------
2 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/test/integration/go.mod b/test/integration/go.mod
index 6920d50c57..5a4da9c200 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -5,7 +5,7 @@ go 1.21
 toolchain go1.21.5
 require (
- github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.10.3
+ github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.0
 github.com/gruntwork-io/terratest v0.46.8
 github.com/stretchr/testify v1.8.4
 )
@@ -47,7 +47,9 @@ require ( github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-safetemp v1.0.0 // indirect github.com/hashicorp/go-version v1.6.0 // indirect + github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f // indirect github.com/hashicorp/hcl/v2 v2.18.0 // indirect + github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72 // indirect github.com/hashicorp/terraform-json v0.17.1 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/jinzhu/copier v0.4.0 // indirect diff --git a/test/integration/go.sum b/test/integration/go.sum index 35d8bc362a..6a7c748298 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -187,10 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.10.1 h1:eOqSlege+69h9JhR/ydpHCBLCfQmJuznPGdhLY/SDcU= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.10.1/go.mod h1:R0AXqSshPDVYHGopYGwPxguApNpFFOdaVAJ8XO2BxJ0= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.10.3 h1:+9yoC2MqfIWzRfsyNm0VUtFR0Fq0JnQwGqq8HOpJzcs= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.10.3/go.mod h1:2YEDqxvHykrzy33Mu9Npm6LLY6DScML5tAAciIqc8Bs= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.0 h1:VgDItnbULfVKPiWqfGj0f1SpZbaT3LEjHs6Bi36imxI= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.0/go.mod h1:pYB95x/fhOwzbo5yp0zTTVE9Haq4B3x1cEzHXVIDpp4= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
@@ -198,6 +196,7 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.45.5 h1:bxilnhv9FngUgdPNJmOIv2bk+2sP0dpqX3e4olhWcGM= github.com/aws/aws-sdk-go v1.45.5/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= @@ -262,7 +261,9 @@ github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+ github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI= github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= +github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
@@ -329,6 +330,7 @@ github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIG github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= @@ -372,8 +374,6 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0= github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk= -github.com/gruntwork-io/terratest v0.46.7 h1:oqGPBBO87SEsvBYaA0R5xOq+Lm2Xc5dmFVfxEolfZeU= -github.com/gruntwork-io/terratest v0.46.7/go.mod h1:6gI5MlLeyF+SLwqocA5GBzcTix+XiuxCy1BPwKuT+WM= github.com/gruntwork-io/terratest v0.46.8 h1:rgK7z6Dy/eMGFaclKR0WVG9Z54tR+Ehl7S09+8Y25j0= github.com/gruntwork-io/terratest v0.46.8/go.mod h1:6MxfmOFQQEpQZjpuWRwuAK8qm836hYgAOCzSIZIWTmg= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -391,8 +391,12 @@ github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mO github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f h1:UdxlrJz4JOnY8W+DbLISwf2B8WXEolNRA8BGCwI9jws= +github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w= github.com/hashicorp/hcl/v2 v2.18.0 h1:wYnG7Lt31t2zYkcquwgKo6MWXzRUDIeIVU5naZwHLl8= github.com/hashicorp/hcl/v2 v2.18.0/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE= +github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72 h1:nZ5gGjbe5o7XUu1d7j+Y5Ztcxlp+yaumTKH9i0D3wlg= +github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72/go.mod h1:l8HcFPm9cQh6Q0KSWoYPiePqMvRFenybP1CH2MjKdlg= github.com/hashicorp/terraform-json v0.17.1 h1:eMfvh/uWggKmY7Pmb3T85u86E2EQg6EQHgyRwf3RkyA= github.com/hashicorp/terraform-json v0.17.1/go.mod h1:Huy6zt6euxaY9knPAFKjUITn8QxUFIe9VuSzb4zn/0o= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 
@@ -419,11 +423,13 @@ github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQs github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= 
@@ -448,7 +454,9 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= +github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM= github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= +github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -458,8 +466,11 @@ github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1: github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= @@ -794,6 +805,7 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1047,16 +1059,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108= -k8s.io/api v0.28.1/go.mod h1:uBYwID+66wiL28Kn2tBjBYQdEU0Xk0z5qF8bIBqk/Dg= k8s.io/api v0.28.4 h1:8ZBrLjwosLl/NYgv1P7EQLqoO8MGQApnbgH8tu3BMzY= k8s.io/api v0.28.4/go.mod h1:axWTGrY88s/5YE+JSt4uUi6NMM+gur1en2REMR7IRj0= -k8s.io/apimachinery v0.28.1 h1:EJD40og3GizBSV3mkIoXQBsws32okPOy+MkRyzh6nPY= -k8s.io/apimachinery v0.28.1/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw= k8s.io/apimachinery v0.28.4 h1:zOSJe1mc+GxuMnFzD4Z/U1wst50X28ZNsn5bhgIIao8= k8s.io/apimachinery v0.28.4/go.mod h1:wI37ncBvfAoswfq626yPTe6Bz1c22L7uaJ8dho83mgg= -k8s.io/client-go v0.28.1 h1:pRhMzB8HyLfVwpngWKE8hDcXRqifh1ga2Z/PU9SXVK8= -k8s.io/client-go v0.28.1/go.mod h1:pEZA3FqOsVkCc07pFVzK076R+P/eXqsgx5zuuRWukNE= k8s.io/client-go v0.28.4 h1:Np5ocjlZcTrkyRJ3+T3PkXDpe4UpatQxj85+xjaD2wY= k8s.io/client-go v0.28.4/go.mod h1:0VDZFpgoZfelyP5Wqu0/r/TRYcLYuJ2U1KEeoaPa1N4= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= 
@@ -1070,13 +1076,9 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/kyaml v0.15.0 h1:ynlLMAxDhrY9otSg5GYE2TcIz31XkGZ2Pkj7SdolD84= -sigs.k8s.io/kustomize/kyaml v0.15.0/go.mod h1:+uMkBahdU1KNOj78Uta4rrXH+iH7wvg+nW7+GULvREA= sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= From db591ba0cd54fd387106cb84328c7c017cbe27d8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 27 Dec 2023 08:33:58 -0800 Subject: [PATCH 005/176] chore(deps): Update module github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test to v0.11.1 (#1831) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 10 +++++----- test/integration/go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 5a4da9c200..73a813225e 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod 
@@ -5,7 +5,7 @@ go 1.21 toolchain go1.21.5 require ( - github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.0 + github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1 github.com/gruntwork-io/terratest v0.46.8 github.com/stretchr/testify v1.8.4 ) @@ -80,14 +80,14 @@ require ( github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect github.com/zclconf/go-cty v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/crypto v0.14.0 // indirect + golang.org/x/crypto v0.17.0 // indirect golang.org/x/mod v0.14.0 // indirect golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.3.0 // indirect - golang.org/x/sys v0.13.0 // indirect - golang.org/x/term v0.13.0 // indirect - golang.org/x/text v0.13.0 // indirect + golang.org/x/sys v0.15.0 // indirect + golang.org/x/term v0.15.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/api v0.138.0 // indirect diff --git a/test/integration/go.sum b/test/integration/go.sum index 6a7c748298..d80cc61065 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.0 h1:VgDItnbULfVKPiWqfGj0f1SpZbaT3LEjHs6Bi36imxI= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.0/go.mod h1:pYB95x/fhOwzbo5yp0zTTVE9Haq4B3x1cEzHXVIDpp4= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1 h1:S4Y7o5RKRC9Bk71VszCx9NeheWjdSAn5ejPuD1W6lNE= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1/go.mod h1:v4TFK9TmX4mYyXL3v9wFXVN3A5vrt2LaVDBX2/OVU7Y= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
@@ -530,8 +530,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -725,13 +725,13 @@ golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -743,8 +743,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
From 3c9a634ceef3fe8fc073de161f17f0064f424c04 Mon Sep 17 00:00:00 2001
From: teeheehs <135158194+teeheehs@users.noreply.github.com>
Date: Wed, 27 Dec 2023 11:54:39 -0500
Subject: [PATCH 006/176] chore: readme (#1828)
---
modules/asm/README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/asm/README.md b/modules/asm/README.md
index 782626b309..0c8d7197af 100644
--- a/modules/asm/README.md
+++ b/modules/asm/README.md
@@ -4,11 +4,11 @@ This module installs [Anthos Service Mesh](https://cloud.google.com/service-mesh ## Usage - The ASM module requires Terraform 0.14+. There are a few prerequisites to using this module that can be done either through Terraform and/or manually: +The ASM module requires Terraform 0.14+. There are a few prerequisites to using this module that can be done either through Terraform and/or manually: 1. Enable the `mesh.googleapis.com` service -1. Enable the `servicemesh` feature on the cluster hub -1. Register target cluster to the servicemesh-enabled hub +1. [Enable](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_feature#example-usage---gkehub-feature-anthos-service-mesh) the GKEhub `servicemesh` feature +1. [Register](https://cloud.google.com/anthos/fleet-management/docs/register/gke#terraform) target cluster to the servicemesh-enabled hub 1. Configure the [Kubernetes Provider](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs) for the target cluster, for example: ```tf From d6cb39062cc6ecc2f86af463afd883d1fd780657 Mon Sep 17 00:00:00 2001 
From: Ghaleb Al-Habian Date: Wed, 3 Jan 2024 11:27:47 -0500 Subject: [PATCH 007/176] feat: dual stack (IPV4_IPV6) support (#1818) Co-authored-by: Jonathan Meyers Co-authored-by: Jonathan Meyers Co-authored-by: Bharath KKB Co-authored-by: Ghaleb Co-authored-by: Ghaleb Al-Habian Co-authored-by: Andrew Peabody --- .kitchen.yml | 7 + README.md | 1 + autogen/main/cluster.tf.tmpl | 1 + autogen/main/variables.tf.tmpl | 6 + cluster.tf | 1 + examples/simple_regional_with_ipv6/README.md | 45 ++++ examples/simple_regional_with_ipv6/main.tf | 45 ++++ examples/simple_regional_with_ipv6/outputs.tf | 35 ++++ .../simple_regional_with_ipv6/test_outputs.tf | 63 ++++++ .../simple_regional_with_ipv6/variables.tf | 52 +++++ .../simple_regional_with_ipv6/versions.tf | 27 +++ examples/simple_zonal_with_acm/acm.tf | 2 +- .../beta-autopilot-private-cluster/README.md | 1 + .../beta-autopilot-private-cluster/cluster.tf | 1 + .../variables.tf | 6 + .../beta-autopilot-public-cluster/README.md | 1 + .../beta-autopilot-public-cluster/cluster.tf | 1 + .../variables.tf | 6 + .../README.md | 1 + .../cluster.tf | 1 + .../variables.tf | 6 + modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 1 + modules/beta-private-cluster/variables.tf | 6 + .../README.md | 1 + .../cluster.tf | 1 + .../variables.tf | 6 + modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 1 + modules/beta-public-cluster/variables.tf | 6 + .../private-cluster-update-variant/README.md | 1 + .../private-cluster-update-variant/cluster.tf | 1 + .../variables.tf | 6 + modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 1 + modules/private-cluster/variables.tf | 6 + .../simple_regional_with_ipv6/example.tf | 34 ++++ .../simple_regional_with_ipv6/network.tf | 50 +++++ .../simple_regional_with_ipv6/outputs.tf | 85 ++++++++ .../simple_regional_with_ipv6/variables.tf | 47 +++++ .../controls/gcloud.rb | 192 ++++++++++++++++++ 
.../simple_regional_with_ipv6/inspec.yml | 31 +++ variables.tf | 6 + 43 files changed, 793 insertions(+), 1 deletion(-) create mode 100644 examples/simple_regional_with_ipv6/README.md create mode 100644 examples/simple_regional_with_ipv6/main.tf create mode 100644 examples/simple_regional_with_ipv6/outputs.tf create mode 100755 examples/simple_regional_with_ipv6/test_outputs.tf create mode 100644 examples/simple_regional_with_ipv6/variables.tf create mode 100644 examples/simple_regional_with_ipv6/versions.tf create mode 100644 test/fixtures/simple_regional_with_ipv6/example.tf create mode 100644 test/fixtures/simple_regional_with_ipv6/network.tf create mode 100644 test/fixtures/simple_regional_with_ipv6/outputs.tf create mode 100644 test/fixtures/simple_regional_with_ipv6/variables.tf create mode 100644 test/integration/simple_regional_with_ipv6/controls/gcloud.rb create mode 100644 test/integration/simple_regional_with_ipv6/inspec.yml diff --git a/.kitchen.yml b/.kitchen.yml index a48a53aca2..68fd13b68a 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -87,6 +87,13 @@ suites: systems: - name: simple_regional_with_gateway_api backend: local + - name: "simple_regional_with_ipv6" + driver: + root_module_directory: test/fixtures/simple_regional_with_ipv6 + verifier: + systems: + - name: simple_regional_with_ipv6 + backend: local - name: "simple_regional_with_kubeconfig" driver: root_module_directory: test/fixtures/simple_regional_with_kubeconfig diff --git a/README.md b/README.md index 8668b49981..0075dcdde3 100644 --- a/README.md +++ b/README.md @@ -222,6 +222,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 459f4f712c..61d6e10772 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -360,6 +360,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index d97f8b4ee1..060731e294 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -150,6 +150,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + {% if autopilot_cluster != true %} variable "node_pools" { type = list(map(any)) diff --git a/cluster.tf b/cluster.tf index 3f8c070a61..3429442a9c 100644 --- a/cluster.tf +++ b/cluster.tf @@ -232,6 +232,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { 
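Review bot: The new `variable "stack_type"` in autogen/main/variables.tf.tmpl accepts any string, so a mistyped value such as `IPV6` is only rejected by the GKE API at apply time instead of at plan time. A `validation` block restricting it to the two values the description names would catch that early (custom validation needs Terraform 0.13 or later); because the per-module variables.tf hunks for beta-autopilot-private-cluster, beta-autopilot-public-cluster, beta-private-cluster-update-variant, beta-private-cluster and beta-public-cluster-update-variant are generated from this template, fixing it here and regenerating covers them as well. The description could also state that `IPV4_IPV6` requires the cluster's subnetwork to be dual-stack itself, and, if the provider treats `ip_allocation_policy.stack_type` as force-new as it appears to, that changing the value on an existing cluster replaces the cluster.
```terraform
variable "stack_type" {
  # … unchanged: type, description, default …
  validation {
    condition     = contains(["IPV4", "IPV4_IPV6"], var.stack_type)
    error_message = "stack_type must be either IPV4 or IPV4_IPV6."
  }
}
```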
diff --git a/examples/simple_regional_with_ipv6/README.md b/examples/simple_regional_with_ipv6/README.md new file mode 100644 index 0000000000..e0442d4208 --- /dev/null +++ b/examples/simple_regional_with_ipv6/README.md 
@@ -0,0 +1,45 @@ +# Simple Regional Cluster + +This example illustrates how to create a simple cluster. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no | +| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | `any` | n/a | yes | +| ip\_range\_pods | The secondary ip range to use for pods | `any` | n/a | yes | +| ip\_range\_services | The secondary ip range to use for services | `any` | n/a | yes | +| network | The VPC network to host the cluster in | `any` | n/a | yes | +| project\_id | The project ID to host the cluster in | `any` | n/a | yes | +| region | The region to host the cluster in | `any` | n/a | yes | +| stack\_type | The stack type | `any` | n/a | yes | +| subnetwork | The subnetwork to host the cluster in | `any` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| ca\_certificate | n/a | +| client\_token | n/a | +| cluster\_name | Cluster name | +| ip\_range\_pods | The secondary IP range used for pods | +| ip\_range\_services | The secondary IP range used for services | +| kubernetes\_endpoint | n/a | +| location | n/a | +| master\_kubernetes\_version | The master Kubernetes version | +| network | n/a | +| project\_id | n/a | +| region | n/a | +| service\_account | The default service account used for running nodes. | +| subnetwork | n/a | +| zones | List of zones in which the cluster resides | + + + +To provision this example, run the following from within this directory: +- `terraform init` to get the plugins +- `terraform plan` to see the infrastructure plan +- `terraform apply` to apply the infrastructure build +- `terraform destroy` to destroy the built infrastructure 
diff --git a/examples/simple_regional_with_ipv6/main.tf b/examples/simple_regional_with_ipv6/main.tf new file mode 100644 index 0000000000..59831f93ce --- /dev/null +++ b/examples/simple_regional_with_ipv6/main.tf @@ -0,0 +1,45 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + cluster_type = "simple-regional-ipv6" +} + +data "google_client_config" "default" {} + +provider "kubernetes" { + host = "https://${module.gke.endpoint}" + token = data.google_client_config.default.access_token + cluster_ca_certificate = base64decode(module.gke.ca_certificate) +} + +module "gke" { + source = "../../" + project_id = var.project_id + name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" + regional = true + region = var.region + network = var.network + subnetwork = var.subnetwork + ip_range_pods = var.ip_range_pods + ip_range_services = var.ip_range_services + stack_type = var.stack_type + create_service_account = false + service_account = var.compute_engine_service_account + enable_cost_allocation = true + datapath_provider = "ADVANCED_DATAPATH" + deletion_protection = false +} diff --git a/examples/simple_regional_with_ipv6/outputs.tf b/examples/simple_regional_with_ipv6/outputs.tf new file mode 100644 index 0000000000..01a13147c2 --- /dev/null +++ b/examples/simple_regional_with_ipv6/outputs.tf 
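Review bot: `datapath_provider = "ADVANCED_DATAPATH"` in the `module "gke"` call is, besides `stack_type`, the one setting that separates this from the plain simple_regional example, yet it carries no explanation, so a later cleanup could drop it without realising the cluster depends on it. If it is there because dual-stack clusters require GKE Dataplane V2, a comment saying so would preserve that intent, e.g. `# Dual-stack (IPV4_IPV6) clusters require GKE Dataplane V2`. The `Copyright 2018` header on a file first created in this commit also looks copied from the sibling example and is worth updating.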
@@ -0,0 +1,35 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "kubernetes_endpoint" { + sensitive = true + value = module.gke.endpoint +} + +output "client_token" { + sensitive = true + value = base64encode(data.google_client_config.default.access_token) +} + +output "ca_certificate" { + value = module.gke.ca_certificate +} + +output "service_account" { + description = "The default service account used for running nodes." + value = module.gke.service_account +} + diff --git a/examples/simple_regional_with_ipv6/test_outputs.tf b/examples/simple_regional_with_ipv6/test_outputs.tf new file mode 100755 index 0000000000..a0bc9a28f0 --- /dev/null +++ b/examples/simple_regional_with_ipv6/test_outputs.tf 
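Review bot: `output "kubernetes_endpoint"`, `output "client_token"` and `output "ca_certificate"` have no `description`, which is why the example's generated README lists them as `n/a`. A one-line description on each, such as `description = "Cluster endpoint"`, `description = "Base64-encoded access token of the caller, for the kubernetes provider"` and `description = "Cluster CA certificate (base64 encoded)"`, would document them the same way `service_account` already is; marking `client_token` sensitive is correct, since base64 encoding is not protection.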
@@ -0,0 +1,63 @@ +/** + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// These outputs are used to test the module with kitchen-terraform +// They do not need to be included in real-world uses of this module + +output "project_id" { + value = var.project_id +} + +output "region" { + value = module.gke.region +} + +output "cluster_name" { + description = "Cluster name" + value = module.gke.name +} + +output "network" { + value = var.network +} + +output "subnetwork" { + value = var.subnetwork +} + +output "location" { + value = module.gke.location +} + +output "ip_range_pods" { + description = "The secondary IP range used for pods" + value = var.ip_range_pods +} + +output "ip_range_services" { + description = "The secondary IP range used for services" + value = var.ip_range_services +} + +output "zones" { + description = "List of zones in which the cluster resides" + value = module.gke.zones +} + +output "master_kubernetes_version" { + description = "The master Kubernetes version" + value = module.gke.master_version +} diff --git a/examples/simple_regional_with_ipv6/variables.tf b/examples/simple_regional_with_ipv6/variables.tf new file mode 100644 index 0000000000..d717933474 --- /dev/null +++ b/examples/simple_regional_with_ipv6/variables.tf 
@@ -0,0 +1,52 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The project ID to host the cluster in" +} + +variable "cluster_name_suffix" { + description = "A suffix to append to the default cluster name" + default = "" +} + +variable "region" { + description = "The region to host the cluster in" +} + +variable "network" { + description = "The VPC network to host the cluster in" +} + +variable "subnetwork" { + description = "The subnetwork to host the cluster in" +} + +variable "ip_range_pods" { + description = "The secondary ip range to use for pods" +} + +variable "ip_range_services" { + description = "The secondary ip range to use for services" +} + +variable "stack_type" { + description = "The stack type" +} + +variable "compute_engine_service_account" { + description = "Service account to associate to the nodes in the cluster" +} diff --git a/examples/simple_regional_with_ipv6/versions.tf b/examples/simple_regional_with_ipv6/versions.tf new file mode 100644 index 0000000000..61934a306b --- /dev/null +++ b/examples/simple_regional_with_ipv6/versions.tf 
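Review bot: `variable "stack_type"` is described only as `The stack type` and has neither a `type` nor a default, so the README generated from it (`stack_type | The stack type | any | n/a | yes`) tells the user nothing about what to pass to an example whose whole purpose is IPv6. Suggest `type = string` and `description = "The stack type to use for this cluster. Either IPV4 or IPV4_IPV6."` to match the module variable, and since this example exists to show dual stack, a `default = "IPV4_IPV6"` would let it run without extra input while still being overridable by the test fixture.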
@@ -0,0 +1,27 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_providers { + google = { + source = "hashicorp/google" + } + kubernetes = { + source = "hashicorp/kubernetes" + } + } + required_version = ">= 0.13" +} diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf index 010df6a0f1..2d2f70a697 100644 --- a/examples/simple_zonal_with_acm/acm.tf +++ b/examples/simple_zonal_with_acm/acm.tf @@ -30,7 +30,7 @@ module "acm" { secret_type = "ssh" - policy_bundles = ["https://github.com/GoogleCloudPlatform/acm-policy-controller-library/bundles/policy-essentials-v2022?ref=981cdf31878b886b53decdade23d8f76e80140fc"] + policy_bundles = ["https://github.com/GoogleCloudPlatform/gke-policy-library/bundles/policy-essentials-v2022?ref=7a5f87d7e1a2f63582505d14c2c90f496bcf263d"] create_metrics_gcp_sa = true } diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 0065139e59..3881493c2c 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
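Review bot: `required_providers` declares `google` and `kubernetes` without any `version` constraint, while the example relies on `ip_allocation_policy.stack_type`, which only newer google provider releases support. Unless the root module's versions.tf already carries that lower bound (it is outside this chunk), an older cached provider would fail at plan time with an unknown-argument error rather than at `terraform init`; a constraint such as `version = ">= <MIN_GOOGLE_PROVIDER_VERSION>"` (placeholder, take the value from the root module) under `google` makes the requirement explicit and keeps the resolved provider reproducible between runs.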
@@ -135,6 +135,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index f736408691..539b173783 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -155,6 +155,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 4bb85fac2c..373fa527a2 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -142,6 +142,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "enable_cost_allocation" { type = bool diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index e80fb4b925..7b93e80d9a 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -124,6 +124,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 7e0bccf5b4..2c9bf25fc0 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -155,6 +155,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index cadce988a5..2c5679d00b 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -142,6 +142,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "enable_cost_allocation" { type = bool diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index ce955dc88a..176188b9de 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -274,6 +274,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index c07a41aa1c..e211c69bf6 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -290,6 +290,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index b4e79f3c33..5c18f14727 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -148,6 +148,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 5e6b8f4d70..63c4048513 100644 --- a/modules/beta-private-cluster/README.md 
+++ b/modules/beta-private-cluster/README.md @@ -252,6 +252,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 830e70a93e..e8d40bb54a 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -290,6 +290,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index b4e79f3c33..5c18f14727 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -148,6 +148,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 1596ee9f62..d091fcba9b 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -263,6 +263,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index d0671e557f..5752bbaee2 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -290,6 +290,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 653adb3516..e6f3eab0e4 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -148,6 +148,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index ddd7dd4c76..c022ab2487 100644 --- a/modules/beta-public-cluster/README.md 
+++ b/modules/beta-public-cluster/README.md @@ -241,6 +241,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index f757f769df..f64bae3fdb 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -290,6 +290,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 653adb3516..e6f3eab0e4 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -148,6 +148,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 608f8a120d..4e2d0a90f0 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -255,6 +255,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index a6bbfa9b59..210a883ad0 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -232,6 +232,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index c593f7b3ed..2f3de8bc6d 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -148,6 +148,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index cbc62c36dc..2daf73c439 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -233,6 +233,7 @@ Then perform the following commands on the root folder: | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | +| stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index e8eefa20df..097fc722bd 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -232,6 +232,7 @@ resource "google_container_cluster" "primary" { pod_range_names = var.additional_ip_range_pods } } + stack_type = var.stack_type } maintenance_policy { diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index c593f7b3ed..2f3de8bc6d 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -148,6 +148,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" diff --git a/test/fixtures/simple_regional_with_ipv6/example.tf b/test/fixtures/simple_regional_with_ipv6/example.tf new file mode 100644 index 0000000000..f03848a8e3 --- /dev/null +++ b/test/fixtures/simple_regional_with_ipv6/example.tf 
@@ -0,0 +1,34 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + cluster_index = 1 +} + +module "example" { + source = "../../../examples/simple_regional_with_ipv6" + + project_id = var.project_ids[local.cluster_index] + cluster_name_suffix = "-${random_string.suffix.result}" + region = var.region + network = google_compute_network.main.name + subnetwork = google_compute_subnetwork.main.name + ip_range_pods = google_compute_subnetwork.main.secondary_ip_range[0].range_name + ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name + stack_type = "IPV4_IPV6" + compute_engine_service_account = var.compute_engine_service_accounts[local.cluster_index] + +} diff --git a/test/fixtures/simple_regional_with_ipv6/network.tf b/test/fixtures/simple_regional_with_ipv6/network.tf new file mode 100644 index 0000000000..0a260d36fe --- /dev/null +++ b/test/fixtures/simple_regional_with_ipv6/network.tf 
@@ -0,0 +1,50 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "random_string" "suffix" { + length = 4 + special = false + upper = false +} + +provider "google" { + project = var.project_ids[local.cluster_index] +} + +resource "google_compute_network" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + auto_create_subnetworks = false +} + +resource "google_compute_subnetwork" "main" { + name = "cft-gke-test-${random_string.suffix.result}" + ip_cidr_range = "10.0.0.0/17" + region = var.region + network = google_compute_network.main.self_link + stack_type = "IPV4_IPV6" + ipv6_access_type = "EXTERNAL" + + secondary_ip_range { + range_name = "cft-gke-test-pods-${random_string.suffix.result}" + ip_cidr_range = "192.168.0.0/18" + } + + secondary_ip_range { + range_name = "cft-gke-test-services-${random_string.suffix.result}" + ip_cidr_range = "192.168.64.0/18" + } +} + diff --git a/test/fixtures/simple_regional_with_ipv6/outputs.tf b/test/fixtures/simple_regional_with_ipv6/outputs.tf new file mode 100644 index 0000000000..a62317bf64 --- /dev/null +++ b/test/fixtures/simple_regional_with_ipv6/outputs.tf 
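Review bot: The fixture subnet in network.tf sets `ipv6_access_type = "EXTERNAL"`, which gives every node in the cluster a globally routable IPv6 address (and, since GKE carves pod IPv6 ranges out of the subnet's range, presumably the pods as well), while the VPC is created with `auto_create_subnetworks = false` and no firewall rule is visible in this hunk, so exposure rests entirely on the implied deny-ingress rule. If the test only needs the cluster to report `stackType = IPV4_IPV6`, `INTERNAL` would avoid handing out public IPv6 addresses, subject to the GKE version under test supporting internal-IPv6 dual-stack; if `EXTERNAL` is required, a comment such as `# EXTERNAL is required for this dual-stack test; nodes and pods receive public IPv6 addresses` above the attribute would make the choice deliberate rather than incidental. Note that the same CIDR names and ranges are reused across fixtures and only `random_string.suffix` separates them, which is fine for a throwaway test VPC but worth stating.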
@@ -0,0 +1,85 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "project_id" { + value = module.example.project_id +} + +output "region" { + value = module.example.region +} + +output "cluster_name" { + description = "Cluster name" + value = module.example.cluster_name +} + +output "network" { + value = google_compute_network.main.name +} + +output "subnetwork" { + value = google_compute_subnetwork.main.name +} + +output "location" { + value = module.example.location +} + +output "ip_range_pods" { + description = "The secondary IP range used for pods" + value = google_compute_subnetwork.main.secondary_ip_range[0].range_name +} + +output "ip_range_services" { + description = "The secondary IP range used for services" + value = google_compute_subnetwork.main.secondary_ip_range[1].range_name +} + +output "zones" { + description = "List of zones in which the cluster resides" + value = module.example.zones +} + +output "master_kubernetes_version" { + description = "The master Kubernetes version" + value = module.example.master_kubernetes_version +} + +output "kubernetes_endpoint" { + sensitive = true + value = module.example.kubernetes_endpoint +} + +output "client_token" { + sensitive = true + value = module.example.client_token +} + +output "ca_certificate" { + description = "The cluster CA certificate" + value = module.example.ca_certificate + sensitive = true +} + +output "service_account" { + description = 
"The service account to default running nodes as if not overridden in `node_pools`." + value = module.example.service_account +} + +output "registry_project_ids" { + value = var.registry_project_ids +} diff --git a/test/fixtures/simple_regional_with_ipv6/variables.tf b/test/fixtures/simple_regional_with_ipv6/variables.tf new file mode 100644 index 0000000000..8cf5823b20 --- /dev/null +++ b/test/fixtures/simple_regional_with_ipv6/variables.tf 
@@ -0,0 +1,47 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_ids" { + type = list(string) + description = "The GCP projects to use for integration tests" +} + +variable "region" { + description = "The GCP region to create and test resources in" + default = "us-central1" +} + +variable "zones" { + type = list(string) + description = "The GCP zones to create and test resources in, for applicable tests" + default = ["us-central1-a", "us-central1-b", "us-central1-c"] +} + +variable "compute_engine_service_accounts" { + type = list(string) + description = "The email addresses of the service account to associate with the GKE cluster" +} + +variable "registry_project_ids" { + description = "Projects to use for granting access to GCR registries, if requested" + type = list(string) +} + +variable "kubernetes_version" { + type = string + description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region." + default = "latest" +} diff --git a/test/integration/simple_regional_with_ipv6/controls/gcloud.rb b/test/integration/simple_regional_with_ipv6/controls/gcloud.rb new file mode 100644 index 0000000000..6b3e65e3ce --- /dev/null +++ b/test/integration/simple_regional_with_ipv6/controls/gcloud.rb 
@@ -0,0 +1,192 @@ +# Copyright 2019 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +project_id = attribute('project_id') +location = attribute('location') +cluster_name = attribute('cluster_name') + +control "gcloud" do + title "Google Compute Engine GKE configuration" + describe command("gcloud --project=#{project_id} container clusters --zone=#{location} describe #{cluster_name} --format=json") do + its(:exit_status) { should eq 0 } + its(:stderr) { should eq '' } + + let!(:data) do + if subject.exit_status == 0 + JSON.parse(subject.stdout) + else + {} + end + end + + describe "cluster" do + it "is running" do + expect(data['status']).to eq 'RUNNING' + end + + it "is regional" do + expect(data['location']).to match(/^.*[1-9]$/) + end + + it "uses public nodes and master endpoint" do + expect(data['privateClusterConfig']['enablePrivateEndpoint']).to eq nil + expect(data['privateClusterConfig']['enablePrivateNodes']).to eq nil + end + + it "has the expected addon settings" do + expect(data['addonsConfig']).to include( + "horizontalPodAutoscaling" => {}, + "httpLoadBalancing" => {}, + "kubernetesDashboard" => { + "disabled" => true, + }, + "networkPolicyConfig" => { + "disabled" => true, + }, + ) + end + + it "has dual stack enabled" do + expect(data['ipAllocationPolicy']).to include( + "stackType" => "IPV4_IPV6", + ) + end + + it "has the expected databaseEncryption config" do + expect(data['databaseEncryption']).to eq({ + "state" => 'DECRYPTED', + }) + 
end + + it "has the expected shieldedNodes config" do + expect(data['shieldedNodes']).to eq({ + "enabled" => true, + }) + end + + end + + describe "default node pool" do + let(:default_node_pool) { data['nodePools'].select { |p| p['name'] == "default-pool" }.first } + + it "exists" do + expect(data['nodePools']).to include( + including( + "name" => "default-pool", + ) + ) + end + end + + describe "node pool" do + let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } } + + it "has autoscaling enabled" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "enabled" => true, + ), + ) + ) + end + + it "has the expected minimum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "minNodeCount" => 1, + ), + ) + ) + end + + it "has the expected maximum node count" do + expect(node_pools).to include( + including( + "autoscaling" => including( + "maxNodeCount" => 100, + ), + ) + ) + end + + it "is the expected machine type" do + expect(node_pools).to include( + including( + "config" => including( + "machineType" => "e2-medium", + ), + ) + ) + end + + it "has the expected disk size" do + expect(node_pools).to include( + including( + "config" => including( + "diskSizeGb" => 100, + ), + ) + ) + end + + it "has the expected labels" do + expect(node_pools).to include( + including( + "config" => including( + "labels" => including( + "cluster_name" => cluster_name, + "node_pool" => "default-node-pool", + ), + ), + ) + ) + end + + it "has the expected network tags" do + expect(node_pools).to include( + including( + "config" => including( + "tags" => match_array([ + "gke-#{cluster_name}", + "gke-#{cluster_name}-default-node-pool", + ]), + ), + ) + ) + end + + it "has autorepair enabled" do + expect(node_pools).to include( + including( + "management" => including( + "autoRepair" => true, + ), + ) + ) + end + + it "has autoupgrade enabled" do + expect(node_pools).to include( + including( + 
"management" => including( + "autoUpgrade" => true, + ), + ) + ) + end + end + end +end diff --git a/test/integration/simple_regional_with_ipv6/inspec.yml b/test/integration/simple_regional_with_ipv6/inspec.yml new file mode 100644 index 0000000000..e91bbc6ca9 --- /dev/null +++ b/test/integration/simple_regional_with_ipv6/inspec.yml @@ -0,0 +1,31 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +name: simple_regional_with_gateway_api +attributes: + - name: project_id + required: true + type: string + - name: location + required: true + type: string + - name: cluster_name + required: true + type: string + - name: kubernetes_endpoint + required: true + type: string + - name: client_token + required: true + type: string diff --git a/variables.tf b/variables.tf index a67db04b38..5a6c4b16b9 100644 --- a/variables.tf +++ b/variables.tf @@ -148,6 +148,12 @@ variable "ip_range_services" { description = "The _name_ of the secondary subnet range to use for services" } +variable "stack_type" { + type = string + description = "The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`." + default = "IPV4" +} + variable "node_pools" { type = list(map(any)) description = "List of maps containing node pools" From d82c50c9cd059fd581f7ab5fe943dfada3cce0c3 Mon Sep 17 00:00:00 2001 
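Review bot: The profile name in the new test/integration/simple_regional_with_ipv6/inspec.yml is `name: simple_regional_with_gateway_api`, which looks copied from the gateway-api profile rather than matching this fixture's directory; it should read `name: simple_regional_with_ipv6`. A wrong profile name is not caught by InSpec, but when results from several profiles are aggregated it misattributes the IPv6 checks to the gateway-api cluster and makes a failure harder to trace. The attribute list otherwise matches the outputs the fixture exposes, so the rename is the only change needed.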
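Review bot: The new `stack_type` variable in the root variables.tf hunk is a free-form `string` although its own description admits only `IPV4` or `IPV4_IPV6`, so a typo such as `IPV6` or `ipv4_ipv6` is only rejected by the GKE API at apply time, after the plan has been approved. A `validation` block pins the two accepted values at plan time and keeps the error message next to the variable. The same block is repeated in every module's variables.tf in this patch and is presumably generated from the autogen template, so the validation should be added there and regenerated rather than patched into each copy.
```hcl
variable "stack_type" {
  # … unchanged: type, description, default …

  validation {
    condition     = contains(["IPV4", "IPV4_IPV6"], var.stack_type)
    error_message = "stack_type must be either IPV4 or IPV4_IPV6."
  }
}
```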
From: CFT Bot Date: Wed, 3 Jan 2024 12:13:15 -0800 Subject: [PATCH 008/176] chore: update .github/workflows/stale.yml --- .github/workflows/stale.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 1f92bf9a70..f56aead563 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -30,4 +30,5 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' - exempt-issue-labels: triaged,dependencies + exempt-issue-labels: 'triaged' + exempt-pr-labels: 'dependencies,autorelease: pending' From e4be8853c0efe4e74b51a0db936830e8875c105d Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 9 Jan 2024 09:37:26 -0800 Subject: [PATCH 009/176] chore(CI): fix test data (#1837) --- .../sandbox_enabled/testdata/TestSandboxEnabled.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json b/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json index c915fc944d..cb2ffe680c 100755 --- a/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json +++ b/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json @@ -2,9 +2,7 @@ "addonsConfig": { "configConnectorConfig": {}, "dnsCacheConfig": {}, - "gcePersistentDiskCsiDriverConfig": { - "enabled": true - }, + "gcePersistentDiskCsiDriverConfig": {}, "gcpFilestoreCsiDriverConfig": {}, "gkeBackupAgentConfig": {}, "horizontalPodAutoscaling": {}, From 67b67f38e46306c7a4e0a1690d7fcb9b551874e1 Mon Sep 17 00:00:00 2001 
From: Pavel Rudnitskiy Date: Tue, 9 Jan 2024 23:00:37 +0100 Subject: [PATCH 010/176] fix: alpha option for cluster creation (#1796) --- autogen/main/cluster.tf.tmpl | 5 +++++ cluster.tf | 5 +++++ modules/beta-private-cluster-update-variant/cluster.tf | 5 +++++ modules/beta-private-cluster/cluster.tf | 5 +++++ modules/beta-public-cluster-update-variant/cluster.tf | 5 +++++ modules/beta-public-cluster/cluster.tf | 5 +++++ modules/private-cluster-update-variant/cluster.tf | 5 +++++ modules/private-cluster/cluster.tf | 5 +++++ 8 files changed, 40 insertions(+) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 61d6e10772..fea3e367ac 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -424,6 +424,11 @@ resource "google_container_cluster" "primary" { name = "default-pool" initial_node_count = var.initial_node_count + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + node_config { image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") diff --git a/cluster.tf b/cluster.tf index 3429442a9c..895750c4be 100644 --- a/cluster.tf +++ b/cluster.tf @@ -291,6 +291,11 @@ resource "google_container_cluster" "primary" { name = "default-pool" initial_node_count = var.initial_node_count + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + node_config { image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index e211c69bf6..f153d61d74 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf 
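Review bot: The `management` block added to the default pool in autogen/main/cluster.tf.tmpl reads `auto_repair` and `auto_upgrade` from `var.cluster_autoscaling`, a map whose name suggests node auto-provisioning defaults rather than the default pool, and nothing in the hunk says why that map is the source; a reader of the generated cluster.tf files will not guess the connection to the commit's "alpha option" fix. Keeping both defaults at `true` is the right security posture, since auto-upgrade is what keeps node images patched, but it also means an alpha cluster (which, presumably, cannot be auto-upgraded) still fails unless the caller sets `auto_upgrade = false` inside `cluster_autoscaling`, and that requirement is undocumented. I would add a comment above the block, `# Default pool repair/upgrade mirror the NAP defaults in cluster_autoscaling; alpha clusters must set auto_upgrade = false there.`, and mention the same in the variable's description. The enclosing `google_container_cluster.primary` resource and its `node_pool` block start outside the hunk.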
+++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -349,6 +349,11 @@ resource "google_container_cluster" "primary" { name = "default-pool" initial_node_count = var.initial_node_count + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + node_config { image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index e8d40bb54a..18dec1ba3b 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -349,6 +349,11 @@ resource "google_container_cluster" "primary" { name = "default-pool" initial_node_count = var.initial_node_count + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + node_config { image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 5752bbaee2..aab67d6d1b 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -349,6 +349,11 @@ resource "google_container_cluster" "primary" { name = "default-pool" initial_node_count = var.initial_node_count + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + node_config { image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") 
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index f64bae3fdb..a7224d24ae 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -349,6 +349,11 @@ resource "google_container_cluster" "primary" { name = "default-pool" initial_node_count = var.initial_node_count + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + node_config { image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 210a883ad0..4c30546a92 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -291,6 +291,11 @@ resource "google_container_cluster" "primary" { name = "default-pool" initial_node_count = var.initial_node_count + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + node_config { image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 097fc722bd..802ce4fa64 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -291,6 +291,11 @@ resource "google_container_cluster" "primary" { name = "default-pool" initial_node_count = var.initial_node_count + management { + auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) + auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) + } + node_config { image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") From 1835f80a7005a840b981dc60e999dfd8ca099184 Mon Sep 17 00:00:00 2001 From: Mikhail Zholobov Date: Fri, 12 Jan 2024 00:09:41 +0100 Subject: [PATCH 011/176] fix: Add project ID to the fleet feature membership for ASM (#1832) Co-authored-by: Andrew Peabody --- modules/asm/hub.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/asm/hub.tf b/modules/asm/hub.tf index a10f044b5d..15e44cc82f 100644 --- a/modules/asm/hub.tf +++ b/modules/asm/hub.tf @@ -37,6 +37,7 @@ resource "google_gke_hub_feature" "mesh" { resource "google_gke_hub_feature_membership" "mesh_feature_membership" { count = var.enable_fleet_registration && var.enable_mesh_feature && var.mesh_management != "" ? 1 : 0 + project = local.fleet_id location = "global" feature = google_gke_hub_feature.mesh[0].name membership = google_gke_hub_membership.membership[0].membership_id From 8e5d01c9c9380a1aa19d185a5fc6b0bb1c003bf3 Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Tue, 16 Jan 2024 08:37:57 -0800 Subject: [PATCH 012/176] chore: add retry for CI for concurrent policy changes (#1842) --- .../beta_cluster/beta_cluster_test.go | 8 +++++-- .../deploy_service/deploy_service_test.go | 11 ++++++---- .../disable_client_cert_test.go | 8 +++++-- .../private_zonal_with_networking_test.go | 8 +++++-- .../safer_cluster/safer_cluster_test.go | 8 +++++-- .../sandbox_enabled/sandbox_enabled_test.go | 8 +++++-- .../integration/shared_vpc/shared_vpc_test.go | 8 +++++-- .../simple_autopilot_private_test.go | 8 +++++-- ...e_autopilot_private_non_default_sa_test.go | 9 ++++++-- .../simple_autopiliot_public_test.go | 8 +++++-- .../simple_regional/simple_regional_test.go | 8 +++++-- .../simple_regional_private_test.go | 8 +++++-- .../simple_regional_with_kubeconfig_test.go | 8 +++++-- .../simple_regional_with_networking_test.go | 8 +++++-- .../simple_windows_node_pool_test.go | 8 +++++-- .../simple_zonal/simple_zonal_test.go | 8 +++++-- .../simple_zonal_private_test.go | 8 +++++-- .../simple_zonal_with_asm_test.go | 8 +++++-- test/integration/testutils/retry.go | 22 +++++++++++++++++++ test/integration/utils/utils.go | 8 +++++-- 20 files changed, 138 insertions(+), 40 deletions(-) create mode 100644 test/integration/testutils/retry.go diff --git a/test/integration/beta_cluster/beta_cluster_test.go b/test/integration/beta_cluster/beta_cluster_test.go index 8032a50958..7fb0bf0357 100755 --- a/test/integration/beta_cluster/beta_cluster_test.go +++ b/test/integration/beta_cluster/beta_cluster_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -17,16 +17,20 @@ package beta_cluster import ( "fmt" "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestBetaCluster(t *testing.T) { - gke := tft.NewTFBlueprintTest(t) + gke := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) gke.DefineVerify(func(assert *assert.Assertions) { // Commenting Default Verify due to issue 1478 for location Policy diff --git a/test/integration/deploy_service/deploy_service_test.go b/test/integration/deploy_service/deploy_service_test.go index db134b53ba..793763d03b 100755 --- a/test/integration/deploy_service/deploy_service_test.go +++ b/test/integration/deploy_service/deploy_service_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -15,7 +15,7 @@ package deploy_service import ( "fmt" - "io/ioutil" + "io" "net/http" "testing" "time" 
@@ -25,10 +25,13 @@ import (
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
 "github.com/gruntwork-io/terratest/modules/k8s"
 "github.com/stretchr/testify/assert"
+ "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
 )
 func TestDeployService(t *testing.T) {
- bpt := tft.NewTFBlueprintTest(t)
+ bpt := tft.NewTFBlueprintTest(t,
+ tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+ )
 bpt.DefineVerify(func(assert *assert.Assertions) {
 // bpt.DefaultVerify(assert)
@@ -57,7 +60,7 @@ func TestDeployService(t *testing.T) {
 utils.Poll(t, pollHTTPEndPoint(serviceUrl), 20, 10*time.Second)
 response, err := http.Get(serviceUrl)
 assert.NoError(err)
- responseData, err := ioutil.ReadAll(response.Body)
+ responseData, err := io.ReadAll(response.Body)
 assert.NoError(err)
 assert.Contains(string(responseData), "Thank you for using nginx.", "Service is Functional")
 })
diff --git a/test/integration/disable_client_cert/disable_client_cert_test.go b/test/integration/disable_client_cert/disable_client_cert_test.go
index d1fe2768d7..6bb64e9055 100755
--- a/test/integration/disable_client_cert/disable_client_cert_test.go
+++ b/test/integration/disable_client_cert/disable_client_cert_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 Google LLC
+// Copyright 2022-2024 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
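Review bot: `assert.NoError(err)` after `http.Get(serviceUrl)` does not stop the test, so when the request fails `response` is nil and the rewritten `io.ReadAll(response.Body)` line panics with a nil dereference instead of reporting a clean failure; the response body is also never closed. Guard the call and release the body: `if !assert.NoError(err) { return }` followed by `defer response.Body.Close()` before the `io.ReadAll`. The `ioutil` to `io` swap itself is fine. `TestDeployService` continues outside this hunk.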
@@ -16,15 +16,19 @@ package disable_client_cert import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestDisableClientCert(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/private_zonal_with_networking/private_zonal_with_networking_test.go b/test/integration/private_zonal_with_networking/private_zonal_with_networking_test.go index 1ed6535a17..e6ce0c0473 100755 --- a/test/integration/private_zonal_with_networking/private_zonal_with_networking_test.go +++ b/test/integration/private_zonal_with_networking/private_zonal_with_networking_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -16,16 +16,20 @@ package private_zonal_with_networking import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestPrivateZonalWithNetworking(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { // Commenting Default Verify due to issue 1478 for location Policy diff --git a/test/integration/safer_cluster/safer_cluster_test.go b/test/integration/safer_cluster/safer_cluster_test.go index f440bc8c0e..dcf99c04ff 100644 --- a/test/integration/safer_cluster/safer_cluster_test.go +++ b/test/integration/safer_cluster/safer_cluster_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -15,15 +15,19 @@ package safer_cluster
 import (
 "testing"
+ "time"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
 "github.com/stretchr/testify/assert"
+ "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
 )
 func TestSaferCluster(t *testing.T) {
- bpt := tft.NewTFBlueprintTest(t)
+ bpt := tft.NewTFBlueprintTest(t,
+ tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+ )
 bpt.DefineVerify(func(assert *assert.Assertions) {
 //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token
diff --git a/test/integration/sandbox_enabled/sandbox_enabled_test.go b/test/integration/sandbox_enabled/sandbox_enabled_test.go
index 6ba79728f0..204876742c 100644
--- a/test/integration/sandbox_enabled/sandbox_enabled_test.go
+++ b/test/integration/sandbox_enabled/sandbox_enabled_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 Google LLC
+// Copyright 202-2024 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
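Review bot: The rewritten license header in sandbox_enabled_test.go reads `// Copyright 202-2024 Google LLC`, which drops a digit from the start year. Every other header touched by this patch uses `// Copyright 2022-2024 Google LLC`, so this line should match.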
@@ -15,15 +15,19 @@ package sandbox_enabled import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSandboxEnabled(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/shared_vpc/shared_vpc_test.go b/test/integration/shared_vpc/shared_vpc_test.go index d614767651..6095ffeb25 100644 --- a/test/integration/shared_vpc/shared_vpc_test.go +++ b/test/integration/shared_vpc/shared_vpc_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -15,14 +15,18 @@ package shared_vpc import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSharedVPC(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_autopilot_private/simple_autopilot_private_test.go b/test/integration/simple_autopilot_private/simple_autopilot_private_test.go index 57aa5207dd..aa506b0e09 100644 --- a/test/integration/simple_autopilot_private/simple_autopilot_private_test.go +++ b/test/integration/simple_autopilot_private/simple_autopilot_private_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -15,15 +15,19 @@ package simple_autopilot_private import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSimpleAutopilotPrivate(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_autopilot_private_non_default_sa/simple_autopilot_private_non_default_sa_test.go b/test/integration/simple_autopilot_private_non_default_sa/simple_autopilot_private_non_default_sa_test.go index a5d83ae5ba..e14440edb4 100644 --- a/test/integration/simple_autopilot_private_non_default_sa/simple_autopilot_private_non_default_sa_test.go +++ b/test/integration/simple_autopilot_private_non_default_sa/simple_autopilot_private_non_default_sa_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -16,16 +16,21 @@ package simple_autopilot_private_non_default_sa import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/utils" ) func TestSimpleAutopilotPrivateNonDefaultSA(t *testing.T) { projectID := utils.GetTestProjectFromSetup(t, 1) - bpt := tft.NewTFBlueprintTest(t, tft.WithVars(map[string]interface{}{"project_id": projectID})) + bpt := tft.NewTFBlueprintTest(t, + tft.WithVars(map[string]interface{}{"project_id": projectID}), + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go b/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go index d2c86ecec6..0479efe84d 100644 --- a/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go +++ b/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -15,15 +15,19 @@ package simple_autopilot_public import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSimpleAutopilotPublic(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_regional/simple_regional_test.go b/test/integration/simple_regional/simple_regional_test.go index b03deab8f1..39b9675f06 100644 --- a/test/integration/simple_regional/simple_regional_test.go +++ b/test/integration/simple_regional/simple_regional_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -15,15 +15,19 @@ package simple_regional import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSimpleRegional(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_regional_private/simple_regional_private_test.go b/test/integration/simple_regional_private/simple_regional_private_test.go index aca109d8c6..e1e0c98bd7 100644 --- a/test/integration/simple_regional_private/simple_regional_private_test.go +++ b/test/integration/simple_regional_private/simple_regional_private_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -15,15 +15,19 @@ package simple_regional_private import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSimpleRegionalPrivate(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_regional_with_kubeconfig/simple_regional_with_kubeconfig_test.go b/test/integration/simple_regional_with_kubeconfig/simple_regional_with_kubeconfig_test.go index ff66d00218..59eac05b70 100644 --- a/test/integration/simple_regional_with_kubeconfig/simple_regional_with_kubeconfig_test.go +++ b/test/integration/simple_regional_with_kubeconfig/simple_regional_with_kubeconfig_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -15,15 +15,19 @@ package simple_regional_with_kubeconfig import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSimpleRegionalWithKubeConfig(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_regional_with_networking/simple_regional_with_networking_test.go b/test/integration/simple_regional_with_networking/simple_regional_with_networking_test.go index 8fda948f3d..244befa28c 100644 --- a/test/integration/simple_regional_with_networking/simple_regional_with_networking_test.go +++ b/test/integration/simple_regional_with_networking/simple_regional_with_networking_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -15,15 +15,19 @@ package simple_regional_with_networking import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSimpleRegionalWithNetworking(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_windows_node_pool/simple_windows_node_pool_test.go b/test/integration/simple_windows_node_pool/simple_windows_node_pool_test.go index a0ca93efe0..45d2ae9c09 100644 --- a/test/integration/simple_windows_node_pool/simple_windows_node_pool_test.go +++ b/test/integration/simple_windows_node_pool/simple_windows_node_pool_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -16,15 +16,19 @@ package simple_windows_node_pool import ( "fmt" "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSimpleWindowsNodePool(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_zonal/simple_zonal_test.go b/test/integration/simple_zonal/simple_zonal_test.go index 8c205fac04..38b79b3672 100644 --- a/test/integration/simple_zonal/simple_zonal_test.go +++ b/test/integration/simple_zonal/simple_zonal_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -16,6 +16,7 @@ package simple_zonal import ( "fmt" "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" 
@@ -23,10 +24,13 @@ import ( "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" "github.com/gruntwork-io/terratest/modules/k8s" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSimpleZonal(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_zonal_private/simple_zonal_private_test.go b/test/integration/simple_zonal_private/simple_zonal_private_test.go index 44a0bf1e98..515ee59f82 100644 --- a/test/integration/simple_zonal_private/simple_zonal_private_test.go +++ b/test/integration/simple_zonal_private/simple_zonal_private_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -15,15 +15,19 @@ package simple_zonal_private import ( "testing" + "time" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" + "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" ) func TestSimpleZonalPrivate(t *testing.T) { - bpt := tft.NewTFBlueprintTest(t) + bpt := tft.NewTFBlueprintTest(t, + tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), + ) bpt.DefineVerify(func(assert *assert.Assertions) { //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token diff --git a/test/integration/simple_zonal_with_asm/simple_zonal_with_asm_test.go b/test/integration/simple_zonal_with_asm/simple_zonal_with_asm_test.go index d8abe5029d..7e10477ac1 100644 --- a/test/integration/simple_zonal_with_asm/simple_zonal_with_asm_test.go +++ b/test/integration/simple_zonal_with_asm/simple_zonal_with_asm_test.go @@ -1,4 +1,4 @@ -// Copyright 2022 Google LLC +// Copyright 2022-2024 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -16,16 +16,20 @@ package simple_zonal_with_asm
 import (
 "fmt"
 "testing"
+ "time"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
 "github.com/gruntwork-io/terratest/modules/k8s"
 "github.com/stretchr/testify/assert"
+ "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
 )
 func TestSimpleZonalWithASM(t *testing.T) {
- bpt := tft.NewTFBlueprintTest(t)
+ bpt := tft.NewTFBlueprintTest(t,
+ tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+ )
 bpt.DefineVerify(func(assert *assert.Assertions) {
 //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token
diff --git a/test/integration/testutils/retry.go b/test/integration/testutils/retry.go
new file mode 100644
index 0000000000..be24ad448e
--- /dev/null
+++ b/test/integration/testutils/retry.go
@@ -0,0 +1,22 @@
+// Copyright 2022-2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package testutils
+
+var (
+ RetryableTransientErrors = map[string]string{
+ // Error code 409 for concurrent policy changes.
+ ".*Error 409.*There were concurrent policy changes.*": "Concurrent policy changes.",
+ }
+)
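Review bot: `RetryableTransientErrors` is exported with no doc comment, yet every call site in this patch hands it to `tft.WithRetryableTerraformErrors(..., 3, 2*time.Minute)`, so each key here presumably turns a failed Terraform run into up to three silent retries with two-minute waits; the map should state that contract and warn that additions widen what failures get masked, for example `// RetryableTransientErrors maps a regexp matched against Terraform's error output to the reason logged when the run is retried.` followed by `// Keep it narrow: any pattern added here hides that failure class for the configured retries.` The single entry, the IAM 409 concurrent-policy-change conflict, is the kind of error a re-run can resolve, so retrying it is reasonable; an authorization or quota error must never end up in this list. The leading and trailing `.*` are redundant for an unanchored Go regexp match and could be dropped, which is style only. The `var (` block is entirely within this hunk.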
diff --git a/test/integration/utils/utils.go b/test/integration/utils/utils.go
index 3c7097ed0b..c96d8396e2 100644
--- a/test/integration/utils/utils.go
+++ b/test/integration/utils/utils.go
@@ -1,4 +1,4 @@
-// Copyright 2022 Google LLC
+// Copyright 2022-2024 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,12 +16,16 @@ package utils
 import (
 "testing"
+ "time"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
 )
 func GetTestProjectFromSetup(t *testing.T, idx int) string {
- setup := tft.NewTFBlueprintTest(t)
+ setup := tft.NewTFBlueprintTest(t,
+ tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+ )
 projectIDs := setup.GetTFSetupOutputListVal("project_ids")
 if len(projectIDs)-1 < idx {
 t.Fatalf("project_ids has %d elements, index of %d is invalid", len(projectIDs), idx)
From 5bb1cd78ab8ef0cce708f2e5231cee0fce852c2c Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 16 Jan 2024 10:24:46 -0800
Subject: [PATCH 013/176] chore(deps): Update module github.com/gruntwork-io/terratest to v0.46.9 (#1845)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 test/integration/go.mod | 4 ++--
 test/integration/go.sum | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/test/integration/go.mod b/test/integration/go.mod
index 73a813225e..b5cbfee26f 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -6,7 +6,7 @@ toolchain go1.21.5
 require (
 github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1
- github.com/gruntwork-io/terratest v0.46.8
+ github.com/gruntwork-io/terratest v0.46.9
 github.com/stretchr/testify v1.8.4
 )
@@ -84,7 +84,7 @@ require (
 golang.org/x/mod v0.14.0 // indirect
 golang.org/x/net v0.17.0 // indirect
 golang.org/x/oauth2 v0.12.0 // indirect
- golang.org/x/sync v0.3.0 // indirect
+ golang.org/x/sync v0.4.0 // indirect
 golang.org/x/sys v0.15.0 // indirect
 golang.org/x/term v0.15.0 // indirect
 golang.org/x/text v0.14.0 // indirect
diff --git a/test/integration/go.sum b/test/integration/go.sum
index d80cc61065..f08da557ec 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -374,8 +374,8 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0=
 github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk=
-github.com/gruntwork-io/terratest v0.46.8 h1:rgK7z6Dy/eMGFaclKR0WVG9Z54tR+Ehl7S09+8Y25j0=
-github.com/gruntwork-io/terratest v0.46.8/go.mod h1:6MxfmOFQQEpQZjpuWRwuAK8qm836hYgAOCzSIZIWTmg=
+github.com/gruntwork-io/terratest v0.46.9 h1:2K0503TC8bhz1SQTlw6vX8SjexztXmCp3WvWxE6g22c=
+github.com/gruntwork-io/terratest v0.46.9/go.mod h1:DVZG/s7eP1u3KOQJJfE6n7FDriMWpDvnj85XIlZMEM8=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -469,8 +469,8 @@ github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjR
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -660,8 +660,8 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= -golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= From c63aa4fc3902aa53b2eea1f5bd0b7363383cacff Mon Sep 17 00:00:00 2001 From: Jirka Korejtko Date: Tue, 16 Jan 2024 21:50:48 +0100 Subject: [PATCH 014/176] feat!: Update least privilege default service account (#1844) Co-authored-by: Jirka Korejtko --- autogen/main/sa.tf.tmpl | 25 ++----------------- docs/upgrading_to_v30.0.md | 3 ++- modules/beta-autopilot-private-cluster/sa.tf | 25 ++----------------- modules/beta-autopilot-public-cluster/sa.tf | 25 ++----------------- .../beta-private-cluster-update-variant/sa.tf | 25 ++----------------- modules/beta-private-cluster/sa.tf | 25 ++----------------- .../beta-public-cluster-update-variant/sa.tf | 25 ++----------------- modules/beta-public-cluster/sa.tf | 25 ++----------------- modules/private-cluster-update-variant/sa.tf | 25 ++----------------- modules/private-cluster/sa.tf | 25 ++----------------- sa.tf | 25 ++----------------- 11 files changed, 22 insertions(+), 231 deletions(-) 
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index cae74cd594..1ab198a8b5 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" {
 display_name = "Terraform-managed service account for cluster ${var.name}"
 }
-resource "google_project_iam_member" "cluster_service_account-log_writer" {
+resource "google_project_iam_member" "cluster_service_account-nodeService_account" {
 count = var.create_service_account ? 1 : 0
 project = google_service_account.cluster_service_account[0].project
- role = "roles/logging.logWriter"
- member = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-metric_writer" {
- count = var.create_service_account ? 1 : 0
- project = google_project_iam_member.cluster_service_account-log_writer[0].project
- role = "roles/monitoring.metricWriter"
- member = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" {
- count = var.create_service_account ? 1 : 0
- project = google_project_iam_member.cluster_service_account-metric_writer[0].project
- role = "roles/monitoring.viewer"
- member = google_service_account.cluster_service_account[0].member
-}
-
-resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
- count = var.create_service_account ? 1 : 0
- project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project
- role = "roles/stackdriver.resourceMetadata.writer"
+ role = "roles/container.defaultNodeServiceAccount"
 member = google_service_account.cluster_service_account[0].member
 }
diff --git a/docs/upgrading_to_v30.0.md b/docs/upgrading_to_v30.0.md
index 74f8047e91..c5bb1a3922 100644
--- a/docs/upgrading_to_v30.0.md
+++ b/docs/upgrading_to_v30.0.md
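Review bot: The new binding grants `roles/container.defaultNodeServiceAccount`, which is not a strict subset of the four roles it replaces — as I understand the predefined role, it also bundles Artifact Registry read and autoscaling metrics write on top of the logging/monitoring permissions, so the upgrade note in `docs/upgrading_to_v30.0.md` should say what the node service account gains as well as what it loses; confirm against the current role definition before merging. The removed lines are the `logging.logWriter`, `monitoring.metricWriter`, `monitoring.viewer` and `stackdriver.resourceMetadata.writer` bindings, yet the upgrade text says the deprecated `Kubernetes Engine Node Service Account` role is what is being replaced, so operators reading the guide will not expect those four bindings to disappear from their project IAM policy on the next apply. A style point: `cluster_service_account-nodeService_account` mixes camel and snake case where the sibling resource names use snake case only; `cluster_service_account-node_service_account` would fit. The identical hunk is repeated in every `modules/*/sa.tf` and in the root `sa.tf`.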
@@ -4,4 +4,5 @@ release. ### Default cluster service account permissions modified -When `create_service_account` is `true`, the service account will now be created with the `Logs Writer`, `Monitoring Metric Writer`, `Monitoring Viewer` and `Stackdriver Resource Metadata Writer` roles instead of the deprecated `Kubernetes Engine Node Service Account` role. +When `create_service_account` is `true`, the service account will now be created with `Kubernetes Engine Default Node Service Account` role instead of `Kubernetes Engine Node Service Account` roles which is deprecated now. +This is the Google recommended least privileged role to be used for the service account attached to the GKE Nodes. diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf index 9a13a24909..6f89899bee 100644 --- a/modules/beta-autopilot-private-cluster/sa.tf +++ b/modules/beta-autopilot-private-cluster/sa.tf 
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-log_writer" { +resource "google_project_iam_member" "cluster_service_account-nodeService_account" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/logging.logWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-log_writer[0].project - role = "roles/monitoring.metricWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-metric_writer[0].project - role = "roles/monitoring.viewer" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project - role = "roles/stackdriver.resourceMetadata.writer" + role = "roles/container.defaultNodeServiceAccount" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf index 9a13a24909..6f89899bee 100644 --- a/modules/beta-autopilot-public-cluster/sa.tf +++ b/modules/beta-autopilot-public-cluster/sa.tf 
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-log_writer" { +resource "google_project_iam_member" "cluster_service_account-nodeService_account" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/logging.logWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-log_writer[0].project - role = "roles/monitoring.metricWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-metric_writer[0].project - role = "roles/monitoring.viewer" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project - role = "roles/stackdriver.resourceMetadata.writer" + role = "roles/container.defaultNodeServiceAccount" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf index 9a13a24909..6f89899bee 100644 --- a/modules/beta-private-cluster-update-variant/sa.tf +++ b/modules/beta-private-cluster-update-variant/sa.tf 
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-log_writer" { +resource "google_project_iam_member" "cluster_service_account-nodeService_account" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/logging.logWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-log_writer[0].project - role = "roles/monitoring.metricWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-metric_writer[0].project - role = "roles/monitoring.viewer" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project - role = "roles/stackdriver.resourceMetadata.writer" + role = "roles/container.defaultNodeServiceAccount" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index 9a13a24909..6f89899bee 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf 
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-log_writer" { +resource "google_project_iam_member" "cluster_service_account-nodeService_account" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/logging.logWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-log_writer[0].project - role = "roles/monitoring.metricWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-metric_writer[0].project - role = "roles/monitoring.viewer" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project - role = "roles/stackdriver.resourceMetadata.writer" + role = "roles/container.defaultNodeServiceAccount" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf index 9a13a24909..6f89899bee 100644 --- a/modules/beta-public-cluster-update-variant/sa.tf +++ b/modules/beta-public-cluster-update-variant/sa.tf 
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-log_writer" { +resource "google_project_iam_member" "cluster_service_account-nodeService_account" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/logging.logWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-log_writer[0].project - role = "roles/monitoring.metricWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-metric_writer[0].project - role = "roles/monitoring.viewer" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project - role = "roles/stackdriver.resourceMetadata.writer" + role = "roles/container.defaultNodeServiceAccount" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index 9a13a24909..6f89899bee 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf 
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-log_writer" { +resource "google_project_iam_member" "cluster_service_account-nodeService_account" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/logging.logWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-log_writer[0].project - role = "roles/monitoring.metricWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-metric_writer[0].project - role = "roles/monitoring.viewer" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project - role = "roles/stackdriver.resourceMetadata.writer" + role = "roles/container.defaultNodeServiceAccount" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf index 9a13a24909..6f89899bee 100644 --- a/modules/private-cluster-update-variant/sa.tf +++ b/modules/private-cluster-update-variant/sa.tf 
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-log_writer" { +resource "google_project_iam_member" "cluster_service_account-nodeService_account" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/logging.logWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-log_writer[0].project - role = "roles/monitoring.metricWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-metric_writer[0].project - role = "roles/monitoring.viewer" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project - role = "roles/stackdriver.resourceMetadata.writer" + role = "roles/container.defaultNodeServiceAccount" member = google_service_account.cluster_service_account[0].member } diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf index 9a13a24909..6f89899bee 100644 --- a/modules/private-cluster/sa.tf +++ b/modules/private-cluster/sa.tf 
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-log_writer" { +resource "google_project_iam_member" "cluster_service_account-nodeService_account" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/logging.logWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-log_writer[0].project - role = "roles/monitoring.metricWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-metric_writer[0].project - role = "roles/monitoring.viewer" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project - role = "roles/stackdriver.resourceMetadata.writer" + role = "roles/container.defaultNodeServiceAccount" member = google_service_account.cluster_service_account[0].member } diff --git a/sa.tf b/sa.tf index 9a13a24909..6f89899bee 100644 --- a/sa.tf +++ b/sa.tf 
@@ -45,31 +45,10 @@ resource "google_service_account" "cluster_service_account" { display_name = "Terraform-managed service account for cluster ${var.name}" } -resource "google_project_iam_member" "cluster_service_account-log_writer" { +resource "google_project_iam_member" "cluster_service_account-nodeService_account" { count = var.create_service_account ? 1 : 0 project = google_service_account.cluster_service_account[0].project - role = "roles/logging.logWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-metric_writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-log_writer[0].project - role = "roles/monitoring.metricWriter" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-metric_writer[0].project - role = "roles/monitoring.viewer" - member = google_service_account.cluster_service_account[0].member -} - -resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { - count = var.create_service_account ? 1 : 0 - project = google_project_iam_member.cluster_service_account-monitoring_viewer[0].project - role = "roles/stackdriver.resourceMetadata.writer" + role = "roles/container.defaultNodeServiceAccount" member = google_service_account.cluster_service_account[0].member } From b387621c54235cf64d2c4cbc86c25a08fc6248fd Mon Sep 17 00:00:00 2001 
From: Kosta Date: Tue, 16 Jan 2024 23:11:30 +0100 Subject: [PATCH 015/176] feat: workload-identity: Allow passing Google Service Account display_name and description (#1834) --- modules/workload-identity/README.md | 2 ++ modules/workload-identity/main.tf | 3 ++- modules/workload-identity/variables.tf | 24 ++++++++++++++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md index ce866a229a..5024cc7d33 100644 --- a/modules/workload-identity/README.md +++ b/modules/workload-identity/README.md @@ -103,6 +103,8 @@ already bear the `"iam.gke.io/gcp-service-account"` annotation. | annotate\_k8s\_sa | Annotate the kubernetes service account with 'iam.gke.io/gcp-service-account' annotation. Valid in cases when an existing SA is used. | `bool` | `true` | no | | automount\_service\_account\_token | Enable automatic mounting of the service account token | `bool` | `false` | no | | cluster\_name | Cluster name. Required if using existing KSA. | `string` | `""` | no | +| gcp\_sa\_description | The Service Google service account desciption; if null, will be left out | `string` | `null` | no | +| gcp\_sa\_display\_name | The Google service account display name; if null, a default string will be used | `string` | `null` | no | | gcp\_sa\_name | Name for the Google service account; overrides `var.name`. | `string` | `null` | no | | impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | k8s\_sa\_name | Name for the Kubernetes service account; overrides `var.name`. `cluster_name` and `location` must be set when this input is specified. | `string` | `null` | no | diff --git a/modules/workload-identity/main.tf b/modules/workload-identity/main.tf index af57063898..2c2d278ae3 100644 --- a/modules/workload-identity/main.tf 
+++ b/modules/workload-identity/main.tf
@@ -43,7 +43,8 @@ resource "google_service_account" "cluster_service_account" {
 count = var.use_existing_gcp_sa ? 0 : 1
 account_id = local.gcp_given_name
- display_name = substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100)
+ display_name = coalesce(var.gcp_sa_display_name, substr("GCP SA bound to K8S SA ${local.k8s_sa_project_id}[${local.k8s_given_name}]", 0, 100))
+ description = var.gcp_sa_description
 project = var.project_id
 }
diff --git a/modules/workload-identity/variables.tf b/modules/workload-identity/variables.tf
index 2d5fc6f6fa..32b1c861dc 100644
--- a/modules/workload-identity/variables.tf
+++ b/modules/workload-identity/variables.tf
@@ -113,3 +113,27 @@ variable "additional_projects" {
 type = map(list(string))
 default = {}
 }
+
+variable "gcp_sa_display_name" {
+ description = "The Google service account display name; if null, a default string will be used"
+ type = string
+ nullable = true
+ default = null
+
+ validation {
+ condition = var.gcp_sa_display_name == null ? true : length(var.gcp_sa_display_name) <= 100
+ error_message = "The Google service account display name must be at most 100 characters"
+ }
+}
+
+variable "gcp_sa_description" {
+ description = "The Service Google service account desciption; if null, will be left out"
+ type = string
+ nullable = true
+ default = null
+
+ validation {
+ condition = var.gcp_sa_description == null ? true : length(var.gcp_sa_description) <= 256
+ error_message = "The Google service account description must be at most 256 characters"
+ }
+}
From cf3f8a9102a92b98f680eea24d6f3f4326325fee Mon Sep 17 00:00:00 2001
From: Andrew Peabody Date: Thu, 18 Jan 2024 08:05:25 -0800 Subject: [PATCH 016/176] chore(CI): retry on quota exceeded (#1847) --- test/integration/testutils/retry.go | 3 +++ 1 file changed, 3 insertions(+)
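Review bot: The `description` of `gcp_sa_description` in the variables.tf hunk has a typo and a doubled word (`The Service Google service account desciption`), and since this string is what the README table is generated from, the same text is now in README.md; I would change it to `description = "The Google service account description; if null, will be left out"` and regenerate the README. `nullable = true` is already the default for an input variable, so both declarations can drop it unless the module wants to document nullability explicitly. The 100 and 256 limits agree with the `substr(..., 0, 100)` default in main.tf, but they deserve a why-comment such as `# presumably the IAM ServiceAccount displayName/description field limits — confirm`, and note that `length()` counts characters whereas an API byte limit would count UTF-8 bytes, so multibyte input could pass validation and still be rejected by the API.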
diff --git a/test/integration/testutils/retry.go b/test/integration/testutils/retry.go
index be24ad448e..502822c858 100644
--- a/test/integration/testutils/retry.go
+++ b/test/integration/testutils/retry.go
@@ -18,5 +18,8 @@ var (
 RetryableTransientErrors = map[string]string{
 // Error code 409 for concurrent policy changes.
 ".*Error 409.*There were concurrent policy changes.*": "Concurrent policy changes.",
+
+ // API Rate limit exceeded errors can be retried.
+ ".*rateLimitExceeded.*": "Rate limit exceeded.",
 }
 )
From 95641a6e7b1eab8d59e6da48a7e15a5e662da203 Mon Sep 17 00:00:00 2001
From: Mikhail Zholobov Date: Thu, 18 Jan 2024 20:37:29 +0100 Subject: [PATCH 017/176] fix: Do not ignore "mesh_id" label on "google_container_cluster" resource (#1836) --- autogen/main/cluster.tf.tmpl | 2 +- cluster.tf | 2 +- modules/beta-private-cluster-update-variant/cluster.tf | 2 +- modules/beta-private-cluster/cluster.tf | 2 +- modules/beta-public-cluster-update-variant/cluster.tf | 2 +- modules/beta-public-cluster/cluster.tf | 2 +- modules/private-cluster-update-variant/cluster.tf | 2 +- modules/private-cluster/cluster.tf | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index fea3e367ac..21a2ed4d1b 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -399,7 +399,7 @@ resource "google_container_cluster" "primary" {
 {% if autopilot_cluster != true %}
 lifecycle {
- ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"], resource_labels["mesh_id"]]
+ ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]]
 }
 {% endif %}
diff --git a/cluster.tf b/cluster.tf
index 895750c4be..c3b9d7d5b9 100644
--- a/cluster.tf
+++ b/cluster.tf
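Review bot: The new pattern `.*rateLimitExceeded.*` matches only the `rateLimitExceeded` error reason, while the commit title says "retry on quota exceeded"; if quota errors are meant to be covered too, those come back with the reason `quotaExceeded`, so either add a second entry such as `".*quotaExceeded.*": "Quota exceeded.",` or narrow the title to rate limiting. Retrying a rate-limited call without a delay can extend the throttling, and the retry cadence is not in this hunk, so it is worth confirming that the consumer of `RetryableTransientErrors` backs off between attempts. The enclosing `var (` block starts before the hunk.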
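Review bot: Dropping `resource_labels["mesh_id"]` from `ignore_changes` means Terraform now owns that label, so on an existing cluster where Anthos Service Mesh or fleet registration applied `mesh_id` out of band, the next plan will remove it unless the operator adds it to the module's resource-labels input. That is presumably the intended fix, but it is a behavior change for deployed clusters and deserves an upgrade-guide entry plus a comment on the `lifecycle` block, e.g. `# mesh_id is managed by Terraform; pass it through resource_labels if ASM applied it out of band`. The enclosing `google_container_cluster.primary` resource starts outside the hunk, and the same change is repeated in the root `cluster.tf` and each `modules/*/cluster.tf` in this commit.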
@@ -270,7 +270,7 @@ resource "google_container_cluster" "primary" { } lifecycle { - ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"], resource_labels["mesh_id"]] + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } dynamic "dns_config" { diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index f153d61d74..2e4d762f4d 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -328,7 +328,7 @@ resource "google_container_cluster" "primary" { } lifecycle { - ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"], resource_labels["mesh_id"]] + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } dynamic "dns_config" { diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 18dec1ba3b..f2975f2683 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -328,7 +328,7 @@ resource "google_container_cluster" "primary" { } lifecycle { - ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"], resource_labels["mesh_id"]] + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } dynamic "dns_config" { diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index aab67d6d1b..5c28b74514 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -328,7 +328,7 @@ resource "google_container_cluster" "primary" { } lifecycle { - ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"], resource_labels["mesh_id"]] + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } dynamic "dns_config" { 
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index a7224d24ae..3c462677bb 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -328,7 +328,7 @@ resource "google_container_cluster" "primary" { } lifecycle { - ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"], resource_labels["mesh_id"]] + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } dynamic "dns_config" { diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 4c30546a92..65d072a852 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -270,7 +270,7 @@ resource "google_container_cluster" "primary" { } lifecycle { - ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"], resource_labels["mesh_id"]] + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } dynamic "dns_config" { diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 802ce4fa64..a2ff5ec7eb 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -270,7 +270,7 @@ resource "google_container_cluster" "primary" { } lifecycle { - ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"], resource_labels["mesh_id"]] + ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } dynamic "dns_config" { From 1c2c285db4682800c7115fd04f346bef5aef0c8a Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Fri, 19 Jan 2024 15:23:50 -0800 Subject: [PATCH 018/176] chore(CI): remove policy bundle from example (#1849) --- examples/simple_zonal_with_acm/acm.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf index 2d2f70a697..3b19ad6b27 100644 
--- a/examples/simple_zonal_with_acm/acm.tf
+++ b/examples/simple_zonal_with_acm/acm.tf
@@ -30,7 +30,5 @@ module "acm" {
 secret_type = "ssh"
-
- policy_bundles = ["https://github.com/GoogleCloudPlatform/gke-policy-library/bundles/policy-essentials-v2022?ref=7a5f87d7e1a2f63582505d14c2c90f496bcf263d"]
 create_metrics_gcp_sa = true
 }
From 699fdb1221853624accc7bc5ef7502436624f5ca Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 24 Jan 2024 00:53:41 +0000 Subject: [PATCH 019/176] chore(deps): Update module github.com/gruntwork-io/terratest to v0.46.11 (#1854) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 2 +- test/integration/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/integration/go.mod b/test/integration/go.mod
index b5cbfee26f..ec5a0b2a8b 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -6,7 +6,7 @@ toolchain go1.21.5
 require (
 github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1
- github.com/gruntwork-io/terratest v0.46.9
+ github.com/gruntwork-io/terratest v0.46.11
 github.com/stretchr/testify v1.8.4
 )
diff --git a/test/integration/go.sum b/test/integration/go.sum
index f08da557ec..e0fde47dff 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -374,8 +374,8 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0= github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk= -github.com/gruntwork-io/terratest v0.46.9 h1:2K0503TC8bhz1SQTlw6vX8SjexztXmCp3WvWxE6g22c= -github.com/gruntwork-io/terratest v0.46.9/go.mod h1:DVZG/s7eP1u3KOQJJfE6n7FDriMWpDvnj85XIlZMEM8= +github.com/gruntwork-io/terratest v0.46.11 h1:1Z9G18I2FNuH87Ro0YtjW4NH9ky4GDpfzE7+ivkPeB8= +github.com/gruntwork-io/terratest v0.46.11/go.mod h1:DVZG/s7eP1u3KOQJJfE6n7FDriMWpDvnj85XIlZMEM8= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= From 495623eb38621976142d1e08edea94f6250f60aa Mon Sep 17 00:00:00 2001 
From: Florian Mutter Date: Fri, 26 Jan 2024 18:08:16 +0100 Subject: [PATCH 020/176] feat(TPG>=5.9)!: cluster autoscaling profile is GA (#1839) --- README.md | 4 +- autogen/main/README.md | 4 +- autogen/main/cluster.tf.tmpl | 2 - autogen/main/variables.tf.tmpl | 4 -- autogen/main/versions.tf.tmpl | 6 +-- cluster.tf | 1 + .../beta-autopilot-private-cluster/README.md | 2 +- .../versions.tf | 4 +- .../beta-autopilot-public-cluster/README.md | 2 +- .../beta-autopilot-public-cluster/versions.tf | 4 +- .../README.md | 2 +- .../versions.tf | 4 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/versions.tf | 4 +- .../README.md | 2 +- .../versions.tf | 4 +- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/versions.tf | 4 +- .../private-cluster-update-variant/README.md | 4 +- .../private-cluster-update-variant/cluster.tf | 1 + .../variables.tf | 42 ++++++++++--------- .../versions.tf | 2 +- modules/private-cluster/README.md | 4 +- modules/private-cluster/cluster.tf | 1 + modules/private-cluster/variables.tf | 42 ++++++++++--------- modules/private-cluster/versions.tf | 2 +- variables.tf | 42 ++++++++++--------- versions.tf | 2 +- 28 files changed, 101 insertions(+), 98 deletions(-) diff --git a/README.md b/README.md index 0075dcdde3..6bba665485 100644 --- a/README.md +++ b/README.md 
@@ -137,7 +137,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | @@ -335,7 +335,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP][terraform-provider-google] v5 +- [Terraform Provider for GCP][terraform-provider-google] v5.9+ #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information. diff --git a/autogen/main/README.md b/autogen/main/README.md index 049165f61e..83227dc2f7 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -272,9 +272,9 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ {% if beta_cluster %} -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5 +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5.9+ {% else %} -- [Terraform Provider for GCP][terraform-provider-google] v5 +- [Terraform Provider for GCP][terraform-provider-google] v5.9+ {% endif %} #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 21a2ed4d1b..08b6264ae9 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -153,9 +153,7 @@ resource "google_container_cluster" "primary" { {% endif %} } } - {% if beta_cluster %} autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" - {% endif %} dynamic "resource_limits" { for_each = local.autoscaling_resource_limits content { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 060731e294..0f7f66474e 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -245,9 +245,7 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ enabled = bool -{% if beta_cluster %} autoscaling_profile = string -{% endif %} min_cpu_cores = number max_cpu_cores = number min_memory_gb = number @@ -260,9 +258,7 @@ variable "cluster_autoscaling" { }) default = { enabled = false -{% if beta_cluster %} autoscaling_profile = "BALANCED" -{% endif %} max_cpu_cores = 0 min_cpu_cores = 0 max_memory_gb = 0 
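Review bot: With the `{% if beta_cluster %}` guards removed, `autoscaling_profile = string` becomes a required attribute of the `cluster_autoscaling` object in every generated module, so a caller that supplies its own `cluster_autoscaling` value without that key now fails at plan time with a missing-attribute error instead of reaching the `!= null ? … : "BALANCED"` fallback added in the `cluster.tf.tmpl` hunk above; the generated `variables.tf` hunks for `modules/private-cluster-update-variant`, `modules/private-cluster` and the root module further down carry the same issue. The type already uses `optional(number)` for `disk_size`, so the compatible declaration is `autoscaling_profile = optional(string)` (the `default` block keeps `"BALANCED"`), which also makes the null fallback in cluster.tf reachable for callers that omit the key. If you want a stronger guard, a `validation` block limiting the value to the profiles the API accepts (`BALANCED`, `OPTIMIZE_UTILIZATION`) turns a typo into a plan-time error rather than an API rejection. The `variable "cluster_autoscaling"` block continues outside the hunk.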
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 9f5ccf71f7..b7eafceeb6 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" @@ -46,7 +46,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/cluster.tf b/cluster.tf index c3b9d7d5b9..c8c6465d24 100644 --- a/cluster.tf +++ b/cluster.tf @@ -115,6 +115,7 @@ resource "google_container_cluster" "primary" { } } + autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" dynamic "resource_limits" { for_each = local.autoscaling_resource_limits content { diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 3881493c2c..1fd8c3deeb 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -197,7 +197,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5 +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5.9+ #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information. diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index ef228e7a97..662fb2214b 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 7b93e80d9a..56a0389895 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -184,7 +184,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5 +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5.9+ #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information. diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 1c27ab00be..bf7d191fb6 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 176188b9de..3bae57b7d9 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -406,7 +406,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5 +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5.9+ #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information. diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index a33ba28c09..cfd61248bc 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 63c4048513..090a04a96e 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -384,7 +384,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5 +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5.9+ #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information. diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index bf338436de..6543103e8e 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index d091fcba9b..4811bc831d 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -394,7 +394,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5 +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5.9+ #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information. diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 905709d021..f85f90ef34 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index c022ab2487..9376103d03 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -372,7 +372,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5 +- [Terraform Provider for GCP Beta][terraform-provider-google-beta] v5.9+ #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information. diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 76bae1a64b..e8f58c4a3b 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 4e2d0a90f0..21737fcee0 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -165,7 +165,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | @@ -370,7 +370,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP][terraform-provider-google] v5 +- [Terraform Provider for GCP][terraform-provider-google] v5.9+ #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information. diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 65d072a852..ce5ba2801e 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -115,6 +115,7 @@ resource "google_container_cluster" "primary" { } } + autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" dynamic "resource_limits" { for_each = local.autoscaling_resource_limits content { diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 2f3de8bc6d..c8484137a4 100644 --- a/modules/private-cluster-update-variant/variables.tf 
+++ b/modules/private-cluster-update-variant/variables.tf @@ -239,28 +239,30 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) }) default = { - enabled = false - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 100 + disk_type = "pd-standard" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 38c8a77480..373bc7a49b 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" 
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 2daf73c439..f6625e314e 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -143,7 +143,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | @@ -348,7 +348,7 @@ The [project factory](https://github.com/terraform-google-modules/terraform-goog - [kubectl](https://github.com/kubernetes/kubernetes/releases) 1.9.x #### Terraform and Plugins - [Terraform](https://www.terraform.io/downloads.html) 1.3+ -- [Terraform Provider for GCP][terraform-provider-google] v5 +- [Terraform Provider for GCP][terraform-provider-google] v5.9+ #### gcloud Some submodules use the [terraform-google-gcloud](https://github.com/terraform-google-modules/terraform-google-gcloud) module. By default, this module assumes you already have gcloud installed in your $PATH. See the [module](https://github.com/terraform-google-modules/terraform-google-gcloud#downloading) documentation for more information. diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index a2ff5ec7eb..6172828642 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -115,6 +115,7 @@ resource "google_container_cluster" "primary" { } } + autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" dynamic "resource_limits" { for_each = local.autoscaling_resource_limits content { diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 2f3de8bc6d..c8484137a4 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -239,28 +239,30 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) }) default = { - enabled = false - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 100 + disk_type = "pd-standard" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index c9ff13135a..44d5b15cbe 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/variables.tf b/variables.tf index 5a6c4b16b9..a3d70374a9 100644 --- a/variables.tf +++ b/variables.tf 
@@ -239,28 +239,30 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) }) default = { - enabled = false - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 100 + disk_type = "pd-standard" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/versions.tf b/versions.tf index 7f1995c251..9746524790 100644 --- a/versions.tf +++ b/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.0.0, < 6" + version = ">= 5.9.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" From 322a5ee978c5211d33c8b4605b91f0b4804994a4 Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Fri, 26 Jan 2024 20:16:03 +0200 Subject: [PATCH 021/176] feat: Make confidential_nodes GA (#1815) 
Signed-off-by: drfaust92 --- README.md | 1 + autogen/main/cluster.tf.tmpl | 3 +-- autogen/main/main.tf.tmpl | 2 +- autogen/main/variables.tf.tmpl | 2 +- cluster.tf | 7 +++++++ main.tf | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 1 + modules/beta-autopilot-private-cluster/main.tf | 2 +- modules/beta-autopilot-public-cluster/cluster.tf | 1 + modules/beta-autopilot-public-cluster/main.tf | 2 +- modules/beta-private-cluster-update-variant/cluster.tf | 1 + modules/beta-private-cluster-update-variant/main.tf | 2 +- modules/beta-private-cluster/cluster.tf | 1 + modules/beta-private-cluster/main.tf | 2 +- modules/beta-public-cluster-update-variant/cluster.tf | 1 + modules/beta-public-cluster-update-variant/main.tf | 2 +- modules/beta-public-cluster/cluster.tf | 1 + modules/beta-public-cluster/main.tf | 2 +- modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 7 +++++++ modules/private-cluster-update-variant/main.tf | 1 + modules/private-cluster-update-variant/variables.tf | 5 +++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 7 +++++++ modules/private-cluster/main.tf | 1 + modules/private-cluster/variables.tf | 5 +++++ variables.tf | 5 +++++ 27 files changed, 57 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 6bba665485..e6a8945f55 100644 --- a/README.md +++ b/README.md 
@@ -155,6 +155,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 08b6264ae9..e04d86406d 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -70,14 +70,13 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } -{% if beta_cluster %} + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { enabled = confidential_nodes.value.enabled } } -{% endif %} subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index d5c4bf784d..2b75d8e5ca 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
@@ -219,6 +219,7 @@ locals { cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] {% if autopilot_cluster != true %} cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates @@ -234,7 +235,6 @@ locals { {% endif %} cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 0f7f66474e..7445f9d476 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -544,12 +544,12 @@ variable "shadow_firewall_rules_log_config" { } } -{% if beta_cluster %} variable "enable_confidential_nodes" { type = bool description = "An optional flag to enable confidential node config." default = false } +{% if beta_cluster %} variable "workload_vulnerability_mode" { description = "(beta) Vulnerability mode." diff --git a/cluster.tf b/cluster.tf index c8c6465d24..2228fe8bbf 100644 --- a/cluster.tf +++ b/cluster.tf @@ -65,6 +65,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "confidential_nodes" { + for_each = local.confidential_node_config + content { + enabled = confidential_nodes.value.enabled + } + } + subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" default_snat_status { diff --git a/main.tf b/main.tf index 8ad332d19d..89889acbf1 100644 --- a/main.tf +++ b/main.tf 
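Review bot: `var.enable_confidential_nodes == true ? [{ enabled = true }] : []` compares a `bool`-typed variable against `true`, which is redundant; `var.enable_confidential_nodes ? [{ enabled = true }] : []` expresses the same thing directly. The line is moved verbatim out of the BETA section, so the form is pre-existing, but the move is the natural moment to simplify it, and the same expression recurs in the main.tf hunks at L367, L369, L370, L371, L373 and L375. Presumably those module files are generated from this template, so fixing it here would propagate to all of them.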
@@ -162,6 +162,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 539b173783..00c767d99a 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -56,6 +56,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index b5ce225a9c..a7e90a1f5f 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -121,13 +121,13 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features 
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 2c9bf25fc0..bb7f73ae6b 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -56,6 +56,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 8b204a0404..0199ec231b 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -120,13 +120,13 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 2e4d762f4d..434bfedbb7 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -64,6 +64,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { 
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 3fea94230a..b7f8f664ed 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -181,6 +181,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -191,7 +192,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index f2975f2683..1c8e68452c 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -64,6 +64,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 3fea94230a..b7f8f664ed 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -181,6 +181,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -191,7 +192,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 5c28b74514..a79bf757d0 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -64,6 +64,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 9264dab4b1..ee6ec17917 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -180,6 +180,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -190,7 +191,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 3c462677bb..57f7d04c18 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -64,6 +64,7 @@ resource "google_container_cluster" "primary" { enabled = var.enable_cost_allocation } } + dynamic "confidential_nodes" { for_each = local.confidential_node_config content { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 9264dab4b1..ee6ec17917 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -180,6 +180,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] 
@@ -190,7 +191,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] # /BETA features diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 21737fcee0..646278d5ca 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -184,6 +184,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | 
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index ce5ba2801e..2c97d719c6 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -65,6 +65,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "confidential_nodes" { + for_each = local.confidential_node_config + content { + enabled = confidential_nodes.value.enabled + } + } + subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" default_snat_status { diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 386f42b3c0..98283ce979 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -163,6 +163,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index c8484137a4..483f3f3f48 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -513,6 +513,11 @@ variable "shadow_firewall_rules_log_config" { } } +variable "enable_confidential_nodes" { + type = bool + description = "An optional flag to enable confidential node config." + default = false +} variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." 
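Review bot: The description `An optional flag to enable confidential node config.` for the new `enable_confidential_nodes` variable says nothing about what enabling it changes, and the README tables in this patch copy that text verbatim. I would extend it to say that it is applied cluster-wide through the `confidential_nodes` block (see the cluster.tf hunk in this line) and, if the maintainers confirm it, that it constrains node pools to machine families supporting Confidential VMs and cannot be toggled on an existing cluster without recreation, mirroring the WARNING style used by `enable_tpu` elsewhere in this series. The same description appears in the `modules/private-cluster/variables.tf` hunk at L375 and the root `variables.tf` hunk at L376.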
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index f6625e314e..f6f4851284 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -162,6 +162,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 6172828642..b410c17958 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -65,6 +65,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "confidential_nodes" { + for_each = local.confidential_node_config + content { + enabled = confidential_nodes.value.enabled + } + } + subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}" default_snat_status { diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 386f42b3c0..98283ce979 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -163,6 +163,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index c8484137a4..483f3f3f48 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -513,6 +513,11 @@ variable "shadow_firewall_rules_log_config" { } } +variable "enable_confidential_nodes" { + type = bool + description = "An optional flag to enable confidential node config." + default = false +} variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." diff --git a/variables.tf b/variables.tf index a3d70374a9..ea04722045 100644 --- a/variables.tf +++ b/variables.tf 
@@ -483,6 +483,11 @@ variable "shadow_firewall_rules_log_config" {
 }
 }
+variable "enable_confidential_nodes" {
+ type = bool
+ description = "An optional flag to enable confidential node config."
+ default = false
+}
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
From ba788191e67a97d6b8eda40d7ba6e0d71c46ff52 Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik Date: Tue, 30 Jan 2024 00:44:02 +0200 Subject: [PATCH 022/176] feat: promote tpu to ga (#1856) --- README.md | 2 ++ autogen/main/cluster.tf.tmpl | 3 +- autogen/main/firewall.tf.tmpl | 3 -- autogen/main/outputs.tf.tmpl | 10 +++--- autogen/main/variables.tf.tmpl | 3 +- cluster.tf | 2 +- firewall.tf | 35 +++++++++++++++++++ .../firewall.tf | 1 - .../beta-autopilot-private-cluster/outputs.tf | 10 +++--- .../variables.tf | 1 + .../beta-autopilot-public-cluster/firewall.tf | 1 - .../beta-autopilot-public-cluster/outputs.tf | 10 +++--- .../variables.tf | 1 + .../cluster.tf | 5 ++- .../firewall.tf | 1 - .../outputs.tf | 10 +++--- .../variables.tf | 1 + modules/beta-private-cluster/cluster.tf | 5 ++- modules/beta-private-cluster/firewall.tf | 1 - modules/beta-private-cluster/outputs.tf | 10 +++--- modules/beta-private-cluster/variables.tf | 1 + .../cluster.tf | 5 ++- .../firewall.tf | 1 - .../outputs.tf | 10 +++--- .../variables.tf | 1 + modules/beta-public-cluster/cluster.tf | 5 ++- modules/beta-public-cluster/firewall.tf | 1 - modules/beta-public-cluster/outputs.tf | 10 +++--- modules/beta-public-cluster/variables.tf | 1 + .../private-cluster-update-variant/README.md | 2 ++ .../private-cluster-update-variant/cluster.tf | 2 +- .../firewall.tf | 32 +++++++++++++++++ .../private-cluster-update-variant/outputs.tf | 5 +++ .../variables.tf | 6 ++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 2 +- modules/private-cluster/firewall.tf | 32 +++++++++++++++++ modules/private-cluster/outputs.tf | 5 +++ modules/private-cluster/variables.tf | 6 ++++ outputs.tf | 5 +++ variables.tf | 6 ++++ 41 files changed, 192 insertions(+), 63 deletions(-) diff --git a/README.md b/README.md index e6a8945f55..581cf77bc3 100644 --- a/README.md +++ b/README.md 
@@ -162,6 +162,7 @@ Then perform the following commands on the root folder: | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | +| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | @@ -257,6 +258,7 @@ Then perform the following commands on the root folder: | region | Cluster region | | release\_channel | The release channel of this cluster | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | +| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | | vertical\_pod\_autoscaling\_enabled | Whether vertical pod autoscaling enabled | | zones | List of zones in which the cluster resides | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index e04d86406d..bec9779ea5 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -189,10 +189,9 @@ resource "google_container_cluster" "primary" { } enable_kubernetes_alpha = var.enable_kubernetes_alpha - + enable_tpu = var.enable_tpu {% if beta_cluster %} enable_intranode_visibility = var.enable_intranode_visibility - enable_tpu = var.enable_tpu dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl index 90efd57d37..73c44d1ddd 100644 --- a/autogen/main/firewall.tf.tmpl +++ b/autogen/main/firewall.tf.tmpl @@ -57,7 +57,6 @@ resource "google_compute_firewall" "intra_egress" { } -{% if beta_cluster %} /****************************************** Allow egress to the TPU IPv4 CIDR block @@ -95,8 +94,6 @@ resource "google_compute_firewall" "tpu_egress" { {% endif %} } - -{% endif %} /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 832054f9cc..eb84418487 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl 
@@ -171,6 +171,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + {% if autopilot_cluster != true %} output "mesh_certificates_config" { description = "Mesh certificates configuration" @@ -228,9 +233,4 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } - -output "tpu_ipv4_cidr_block" { - description = "The IP range in CIDR notation used for the TPUs" - value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null -} {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 7445f9d476..682ea65300 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -600,13 +600,12 @@ variable "deletion_protection" { default = true } -{% if beta_cluster %} variable "enable_tpu" { type = bool description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } -{% endif %} + {% if autopilot_cluster != true %} variable "network_policy" { type = bool diff --git a/cluster.tf b/cluster.tf index 2228fe8bbf..be4e3cbc3f 100644 --- a/cluster.tf +++ b/cluster.tf @@ -146,7 +146,7 @@ resource "google_container_cluster" "primary" { } enable_kubernetes_alpha = var.enable_kubernetes_alpha - + enable_tpu = var.enable_tpu dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/firewall.tf b/firewall.tf index 94cec9e103..b99cecd357 100644 --- a/firewall.tf +++ b/firewall.tf 
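Review bot: In the `cluster.tf` hunk the added `enable_tpu = var.enable_tpu` replaces the blank line that separated `enable_kubernetes_alpha` from the following `dynamic "master_authorized_networks_config"` block, so the attribute now runs straight into the next block; keep the attribute and restore the blank line after it. The `autogen/main/cluster.tf.tmpl` hunk in L384 makes the same substitution, and since the module file is presumably generated from the template the fix belongs there first.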
@@ -55,6 +55,41 @@ resource "google_compute_firewall" "intra_egress" { } +/****************************************** + Allow egress to the TPU IPv4 CIDR block + + This rule is defined separately from the + intra_egress rule above since it requires + an output from the google_container_cluster + resource. + + https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1124 + *****************************************/ +resource "google_compute_firewall" "tpu_egress" { + count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" + description = "Managed by terraform gke module: Allow pods to communicate with TPUs" + project = local.network_project_id + network = var.network + priority = var.firewall_priority + direction = "EGRESS" + + target_tags = [local.cluster_network_tag] + destination_ranges = [google_container_cluster.primary.tpu_ipv4_cidr_block] + + # Allow all possible protocols + allow { protocol = "tcp" } + allow { protocol = "udp" } + allow { protocol = "icmp" } + allow { protocol = "sctp" } + allow { protocol = "esp" } + allow { protocol = "ah" } + + depends_on = [ + google_container_cluster.primary, + ] +} + /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers diff --git a/modules/beta-autopilot-private-cluster/firewall.tf b/modules/beta-autopilot-private-cluster/firewall.tf index 4701c82a2c..3908a63364 100644 --- a/modules/beta-autopilot-private-cluster/firewall.tf +++ b/modules/beta-autopilot-private-cluster/firewall.tf @@ -84,7 +84,6 @@ resource "google_compute_firewall" "tpu_egress" { } - /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index 0d955524ae..8ba200ea1c 100644 
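Review bot: The `# Allow all possible protocols` comment in the new tpu_egress rule overstates what the rule does; the six allow blocks cover tcp, udp, icmp, sctp, esp and ah only, and anyone auditing egress from the node tag should not read it as every IP protocol. A more accurate line is `# Allow tcp, udp, icmp, sctp, esp and ah egress to the TPU range (other IP protocols are not covered by this rule)`. The same comment appears in the copies added to modules/private-cluster-update-variant/firewall.tf and modules/private-cluster/firewall.tf, where the block also ends with a stray blank line before the closing `}` and, unlike this copy, carries no depends_on — presumably template-driven, but worth confirming the generated copies are meant to differ. Note also that `name` truncates var.name to 36 characters, so two clusters in the same network project whose names share a 36-character prefix would collide on this firewall name at apply time; if the existing rules use the same pattern that is not new, but it is worth a comment next to the substr call.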
--- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf @@ -142,6 +142,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + output "master_ipv4_cidr_block" { @@ -183,8 +188,3 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } - -output "tpu_ipv4_cidr_block" { - description = "The IP range in CIDR notation used for the TPUs" - value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null -} diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 373fa527a2..2a24cc62dd 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -433,6 +433,7 @@ variable "enable_tpu" { description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } + variable "database_encryption" { description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." type = list(object({ state = string, key_name = string })) diff --git a/modules/beta-autopilot-public-cluster/firewall.tf b/modules/beta-autopilot-public-cluster/firewall.tf index 1e61965ca2..b99cecd357 100644 --- a/modules/beta-autopilot-public-cluster/firewall.tf +++ b/modules/beta-autopilot-public-cluster/firewall.tf @@ -90,7 +90,6 @@ resource "google_compute_firewall" "tpu_egress" { ] } - /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers 
diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index e33c8aafa6..e60b61f903 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf +++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -142,6 +142,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + output "cloudrun_enabled" { @@ -173,8 +178,3 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } - -output "tpu_ipv4_cidr_block" { - description = "The IP range in CIDR notation used for the TPUs" - value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null -} diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 2c5679d00b..caf41cda82 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -403,6 +403,7 @@ variable "enable_tpu" { description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } + variable "database_encryption" { description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." type = list(object({ state = string, key_name = string })) diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 434bfedbb7..9aaf838470 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -152,10 +152,9 @@ resource "google_container_cluster" "primary" { } } - enable_kubernetes_alpha = var.enable_kubernetes_alpha - - enable_intranode_visibility = var.enable_intranode_visibility + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu + enable_intranode_visibility = var.enable_intranode_visibility dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] diff --git a/modules/beta-private-cluster-update-variant/firewall.tf b/modules/beta-private-cluster-update-variant/firewall.tf index 4701c82a2c..3908a63364 100644 --- a/modules/beta-private-cluster-update-variant/firewall.tf +++ b/modules/beta-private-cluster-update-variant/firewall.tf @@ -84,7 +84,6 @@ resource "google_compute_firewall" "tpu_egress" { } - /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index 72aee4055d..64465ccde9 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -161,6 +161,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + output "mesh_certificates_config" { description = "Mesh certificates configuration" value = local.cluster_mesh_certificates_config @@ -209,8 +214,3 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } - -output "tpu_ipv4_cidr_block" { - description = "The IP range in CIDR notation used for the TPUs" - value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null -} 
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 5c18f14727..753d7b93bb 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -578,6 +578,7 @@ variable "enable_tpu" { description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } + variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 1c8e68452c..cc2ccb3999 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -152,10 +152,9 @@ resource "google_container_cluster" "primary" { } } - enable_kubernetes_alpha = var.enable_kubernetes_alpha - - enable_intranode_visibility = var.enable_intranode_visibility + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu + enable_intranode_visibility = var.enable_intranode_visibility dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] diff --git a/modules/beta-private-cluster/firewall.tf b/modules/beta-private-cluster/firewall.tf index 4701c82a2c..3908a63364 100644 --- a/modules/beta-private-cluster/firewall.tf +++ b/modules/beta-private-cluster/firewall.tf @@ -84,7 +84,6 @@ resource "google_compute_firewall" "tpu_egress" { } - /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index 72aee4055d..64465ccde9 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf 
@@ -161,6 +161,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + output "mesh_certificates_config" { description = "Mesh certificates configuration" value = local.cluster_mesh_certificates_config @@ -209,8 +214,3 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } - -output "tpu_ipv4_cidr_block" { - description = "The IP range in CIDR notation used for the TPUs" - value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null -} diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 5c18f14727..753d7b93bb 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -578,6 +578,7 @@ variable "enable_tpu" { description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } + variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index a79bf757d0..fcc48cf172 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -152,10 +152,9 @@ resource "google_container_cluster" "primary" { } } - enable_kubernetes_alpha = var.enable_kubernetes_alpha - - enable_intranode_visibility = var.enable_intranode_visibility + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu + enable_intranode_visibility = var.enable_intranode_visibility dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] 
diff --git a/modules/beta-public-cluster-update-variant/firewall.tf b/modules/beta-public-cluster-update-variant/firewall.tf index 1e61965ca2..b99cecd357 100644 --- a/modules/beta-public-cluster-update-variant/firewall.tf +++ b/modules/beta-public-cluster-update-variant/firewall.tf @@ -90,7 +90,6 @@ resource "google_compute_firewall" "tpu_egress" { ] } - /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index bb7cdcc72c..5d199a4ed4 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -161,6 +161,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + output "mesh_certificates_config" { description = "Mesh certificates configuration" value = local.cluster_mesh_certificates_config @@ -199,8 +204,3 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } - -output "tpu_ipv4_cidr_block" { - description = "The IP range in CIDR notation used for the TPUs" - value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null -} diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index e6f3eab0e4..5863324c52 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -548,6 +548,7 @@ variable "enable_tpu" { description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } + variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 57f7d04c18..dddf6c018e 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -152,10 +152,9 @@ resource "google_container_cluster" "primary" { } } - enable_kubernetes_alpha = var.enable_kubernetes_alpha - - enable_intranode_visibility = var.enable_intranode_visibility + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu + enable_intranode_visibility = var.enable_intranode_visibility dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf index 1e61965ca2..b99cecd357 100644 --- a/modules/beta-public-cluster/firewall.tf +++ b/modules/beta-public-cluster/firewall.tf @@ -90,7 +90,6 @@ resource "google_compute_firewall" "tpu_egress" { ] } - /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index bb7cdcc72c..5d199a4ed4 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -161,6 +161,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + output "mesh_certificates_config" { description = "Mesh certificates configuration" value = local.cluster_mesh_certificates_config 
@@ -199,8 +204,3 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } - -output "tpu_ipv4_cidr_block" { - description = "The IP range in CIDR notation used for the TPUs" - value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null -} diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index e6f3eab0e4..5863324c52 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -548,6 +548,7 @@ variable "enable_tpu" { description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" default = false } + variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 646278d5ca..9407ab5fb6 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -193,6 +193,7 @@ Then perform the following commands on the root folder: | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | +| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | @@ -292,6 +293,7 @@ Then perform the following commands on the root folder: | region | Cluster region | | release\_channel | The release channel of this cluster | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | +| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | | vertical\_pod\_autoscaling\_enabled | Whether vertical pod autoscaling enabled | | zones | List of zones in which the cluster resides | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 2c97d719c6..91f632c958 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -146,7 +146,7 @@ resource "google_container_cluster" "primary" { } enable_kubernetes_alpha = var.enable_kubernetes_alpha - + enable_tpu = var.enable_tpu dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/private-cluster-update-variant/firewall.tf b/modules/private-cluster-update-variant/firewall.tf index a5d89cefe0..3908a63364 100644 --- a/modules/private-cluster-update-variant/firewall.tf +++ b/modules/private-cluster-update-variant/firewall.tf 
@@ -52,6 +52,38 @@ resource "google_compute_firewall" "intra_egress" { } +/****************************************** + Allow egress to the TPU IPv4 CIDR block + + This rule is defined separately from the + intra_egress rule above since it requires + an output from the google_container_cluster + resource. + + https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1124 + *****************************************/ +resource "google_compute_firewall" "tpu_egress" { + count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" + description = "Managed by terraform gke module: Allow pods to communicate with TPUs" + project = local.network_project_id + network = var.network + priority = var.firewall_priority + direction = "EGRESS" + + target_tags = [local.cluster_network_tag] + destination_ranges = [google_container_cluster.primary.tpu_ipv4_cidr_block] + + # Allow all possible protocols + allow { protocol = "tcp" } + allow { protocol = "udp" } + allow { protocol = "icmp" } + allow { protocol = "sctp" } + allow { protocol = "esp" } + allow { protocol = "ah" } + +} + /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 722e3b8fd1..5b6a461d7a 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -161,6 +161,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + output "mesh_certificates_config" { description = "Mesh certificates configuration" value = local.cluster_mesh_certificates_config 
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 483f3f3f48..3d493dc4a7 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -549,6 +549,12 @@ variable "deletion_protection" { default = true } +variable "enable_tpu" { + type = bool + description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index f6f4851284..54e5080862 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -171,6 +171,7 @@ Then perform the following commands on the root folder: | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | +| enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | @@ -270,6 +271,7 @@ Then perform the following commands on the root folder: | region | Cluster region | | release\_channel | The release channel of this cluster | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | +| tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | | vertical\_pod\_autoscaling\_enabled | Whether vertical pod autoscaling enabled | | zones | List of zones in which the cluster resides | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index b410c17958..7bacc938d8 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -146,7 +146,7 @@ resource "google_container_cluster" "primary" { } enable_kubernetes_alpha = var.enable_kubernetes_alpha - + enable_tpu = var.enable_tpu dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf index a5d89cefe0..3908a63364 100644 --- a/modules/private-cluster/firewall.tf +++ b/modules/private-cluster/firewall.tf 
@@ -52,6 +52,38 @@ resource "google_compute_firewall" "intra_egress" { } +/****************************************** + Allow egress to the TPU IPv4 CIDR block + + This rule is defined separately from the + intra_egress rule above since it requires + an output from the google_container_cluster + resource. + + https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1124 + *****************************************/ +resource "google_compute_firewall" "tpu_egress" { + count = var.add_cluster_firewall_rules && var.enable_tpu ? 1 : 0 + name = "gke-${substr(var.name, 0, min(36, length(var.name)))}-tpu-egress" + description = "Managed by terraform gke module: Allow pods to communicate with TPUs" + project = local.network_project_id + network = var.network + priority = var.firewall_priority + direction = "EGRESS" + + target_tags = [local.cluster_network_tag] + destination_ranges = [google_container_cluster.primary.tpu_ipv4_cidr_block] + + # Allow all possible protocols + allow { protocol = "tcp" } + allow { protocol = "udp" } + allow { protocol = "icmp" } + allow { protocol = "sctp" } + allow { protocol = "esp" } + allow { protocol = "ah" } + +} + /****************************************** Allow GKE master to hit non 443 ports for Webhooks/Admission Controllers diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 722e3b8fd1..5b6a461d7a 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -161,6 +161,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + output "mesh_certificates_config" { description = "Mesh certificates configuration" value = local.cluster_mesh_certificates_config 
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 483f3f3f48..3d493dc4a7 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -549,6 +549,12 @@ variable "deletion_protection" { default = true } +variable "enable_tpu" { + type = bool + description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/outputs.tf b/outputs.tf index 04bbc957fe..232d0b1f29 100644 --- a/outputs.tf +++ b/outputs.tf @@ -161,6 +161,11 @@ output "identity_namespace" { ] } +output "tpu_ipv4_cidr_block" { + description = "The IP range in CIDR notation used for the TPUs" + value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null +} + output "mesh_certificates_config" { description = "Mesh certificates configuration" value = local.cluster_mesh_certificates_config diff --git a/variables.tf b/variables.tf index ea04722045..0b47543630 100644 --- a/variables.tf +++ b/variables.tf @@ -519,6 +519,12 @@ variable "deletion_protection" { default = true } +variable "enable_tpu" { + type = bool + description = "Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive!" + default = false +} + variable "network_policy" { type = bool description = "Enable network policy addon" From cc7dbb74909e828c8defd3b7c5b571af03ae687c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 29 Jan 2024 16:41:32 -0800 Subject: [PATCH 023/176] chore(deps): update cft/developer-tools docker tag to v1.19 (#1858) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Makefile | 2 +- build/int.cloudbuild.yaml | 2 +- build/lint.cloudbuild.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Makefile b/Makefile index beac484374..f92db301e4 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.18 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.19 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd DOCKER_BIN ?= docker diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 4aa54827ab..dc1ebab01a 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -519,6 +519,6 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.18' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.19' options: machineType: 'N1_HIGHCPU_8' diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index db1450d6a9..d2d4c0c066 100644 --- a/build/lint.cloudbuild.yaml +++ b/build/lint.cloudbuild.yaml @@ -22,7 +22,7 @@ tags: - 'lint' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.18' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.19' options: machineType: 'N1_HIGHCPU_8' env: From e58c094c3655786c8f4274ca2ee1c5fe23944528 Mon Sep 17 00:00:00 2001 From: CFT Bot Date: Tue, 30 Jan 2024 10:30:18 -0800 Subject: [PATCH 024/176] chore: update .github/workflows/stale.yml --- .github/workflows/stale.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f56aead563..34a5677cde 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -1,4 +1,4 @@ -# Copyright 2022-2023 Google LLC +# Copyright 2022-2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -25,7 +25,7 @@ jobs: if: github.repository_owner == 'GoogleCloudPlatform' || github.repository_owner == 'terraform-google-modules' runs-on: ubuntu-latest steps: - - uses: actions/stale@v8 + - uses: actions/stale@v9 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days' From 3d840c04ad339793fd1899d8a129af594ba0a48c Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Wed, 31 Jan 2024 13:55:16 -0800 Subject: [PATCH 025/176] fix(CI): extend wait time for ACM (#1861) --- modules/acm/creds.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/acm/creds.tf b/modules/acm/creds.tf index 75c332e74e..53f06aa916 100644 --- a/modules/acm/creds.tf +++ b/modules/acm/creds.tf @@ -1,5 +1,5 @@ /** - * Copyright 2018 Google LLC + * Copyright 2018-2024 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,7 +35,7 @@ resource "time_sleep" "wait_acm" { count = (var.create_ssh_key == true || var.ssh_auth_key != null || var.enable_policy_controller || var.enable_config_sync) ? 1 : 0 depends_on = [google_gke_hub_feature_membership.main] - create_duration = (length(var.policy_bundles) > 0) ? "600s" : "300s" + create_duration = "600s" } resource "google_service_account_iam_binding" "ksa_iam" { From 5a407bc2d55b7856e4fc57da6553f930e2f8f6a8 Mon Sep 17 00:00:00 2001 
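Review bot: The changed line still references the action by a mutable tag, `- uses: actions/stale@v9`, while the step below it runs with `repo-token: ${{ secrets.GITHUB_TOKEN }}`, so whatever commit the v9 tag resolves to on a given day executes with that token. Pinning to the full commit SHA of the v9 release and keeping the tag as a trailing comment, e.g. `- uses: actions/stale@<full-commit-sha-of-v9> # v9`, makes the dependency immutable while letting the bot that opened this bump keep tracking new releases. The job definition starts outside the hunk, so the token's permissions block is not visible here.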
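Review bot: The new fixed `create_duration = "600s"` in time_sleep.wait_acm applies to every consumer of the acm module, not only the CI run named in the commit title, and the hunk drops the only visible reference to var.policy_bundles without recording why the 300s path was abandoned. A why-comment on the changed line would spare the next maintainer from restoring the conditional, e.g. `# Fixed 600s wait for the ACM feature membership to become ready; the conditional 300s wait was not long enough (#1861)`. Whether var.policy_bundles is still referenced elsewhere in the module is not visible here; if it is not, its description should say it no longer affects the wait. The resource's remaining attributes and the surrounding file are outside the hunk.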
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Wed, 31 Jan 2024 16:14:05 -0800 Subject: [PATCH 026/176] chore(master): release 30.0.0 (#1794) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 34 +++++++++++++++++++ autogen/main/versions.tf.tmpl | 4 +-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 +-- modules/asm/versions.tf | 4 +-- modules/auth/versions.tf | 2 +- .../versions.tf | 2 +- .../beta-autopilot-public-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- .../versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- .../safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 22 files changed, 58 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eef3a8bd21..935ede58f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,40 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [30.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v29.0.0...v30.0.0) (2024-01-31) + + +### âš  BREAKING CHANGES + +* **TPG>=5.9:** cluster autoscaling profile is GA ([#1839](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1839)) +* Update least privilege default service account ([#1844](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1844)) +* **TPG>=5.6:** use hub membership location for output ([#1824](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1824)) +* Revert create least privilege default service account ([#1757](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1757)) (#1827) +* **TF>=1.1:** Configure ASM management mode ([#1702](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1702)) + +### Features + +* add advanced datapath observability config option ([#1776](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1776)) ([90e9bdf](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/90e9bdfb2a348ab22d996711e477cc6a7aa27c28)) +* Add support for configuring allow_net_admin in autopilot clusters ([#1768](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1768)) ([493149d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/493149d37aa13bbda1fc8dbcaec1b40f051c642e)) +* add support for pod_range in private cluster ([#1803](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1803)) 
([9c62f1f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/9c62f1f53afacf664528f9b3187c7e5df8eea1fa)) +* dual stack (IPV4_IPV6) support ([#1818](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1818)) ([d6cb390](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/d6cb39062cc6ecc2f86af463afd883d1fd780657)) +* Make confidential_nodes GA ([#1815](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1815)) ([322a5ee](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/322a5ee978c5211d33c8b4605b91f0b4804994a4)) +* promote tpu to ga ([#1856](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1856)) ([ba78819](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/ba788191e67a97d6b8eda40d7ba6e0d71c46ff52)) +* **TF>=1.1:** Configure ASM management mode ([#1702](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1702)) ([a9de2d7](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/a9de2d79d68b19dfee5b6bd8ee0c646ee621bbee)) +* **TPG>=5.6:** use hub membership location for output ([#1824](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1824)) ([13e79af](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/13e79af0f7a99b8c20099431df4a14ee145f9b03)) +* **TPG>=5.9:** cluster autoscaling profile is GA ([#1839](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1839)) ([495623e](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/495623eb38621976142d1e08edea94f6250f60aa)) +* Update least privilege default service account ([#1844](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1844)) 
([c63aa4f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/c63aa4fc3902aa53b2eea1f5bd0b7363383cacff)) +* workload-identity: Allow passing Google Service Account display_name and description ([#1834](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1834)) ([b387621](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b387621c54235cf64d2c4cbc86c25a08fc6248fd)) + + +### Bug Fixes + +* Add project ID to the fleet feature membership for ASM ([#1832](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1832)) ([1835f80](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/1835f80a7005a840b981dc60e999dfd8ca099184)) +* alpha option for cluster creation ([#1796](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1796)) ([67b67f3](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/67b67f38e46306c7a4e0a1690d7fcb9b551874e1)) +* **CI:** extend wait time for ACM ([#1861](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1861)) ([3d840c0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/3d840c04ad339793fd1899d8a129af594ba0a48c)) +* Do not ignore "mesh_id" label on "google_container_cluster" resource ([#1836](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1836)) ([95641a6](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/95641a6e7b1eab8d59e6da48a7e15a5e662da203)) +* Revert create least privilege default service account ([#1757](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1757)) ([#1827](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1827)) 
([0d7f638](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0d7f63858d283ffb6c66d9f3a162ee0845db57f0)) + ## [29.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v28.0.0...v29.0.0) (2023-11-02) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index b7eafceeb6..3b93e48cc9 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.0.0" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.0.0" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index 58932dde10..8dd35a33f1 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl @@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.0.0" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index 164143f2cf..c24898975d 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf 
@@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.0.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.0.0" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 958bab4728..933f50a41c 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.0.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.0.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index dff2c99edf..1c8f405ba7 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf @@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.0.0" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 662fb2214b..4ff8f3fb3c 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf 
@@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.0.0" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index bf7d191fb6..1e674be455 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.0.0" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index cfd61248bc..b432332bd7 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.0.0" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 6543103e8e..ad4034c518 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.0.0" } } 
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index f85f90ef34..0e8e0b4f07 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.0.0" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index e8f58c4a3b..40150b132d 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.0.0" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index 983bbd032b..de201913b2 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.0.0" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index f4ef6d69f6..2fccb43e5b 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf 
@@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.0.0" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index e7c938dcb5..72acc25d2c 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.0.0" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 373bc7a49b..5cb3f64e62 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.0.0" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 44d5b15cbe..1bff64386b 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.0.0" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index 68db6eefba..bf4ad323fa 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf 
@@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.0.0" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index 25f8e45d8f..ae90c16d2f 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.0.0" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 618b10df03..1f79600450 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf @@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.0.0" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 3ed3d3d90a..175a49c973 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v29.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.0.0" } } diff --git a/versions.tf b/versions.tf index 9746524790..00bbe68445 100644 --- a/versions.tf +++ b/versions.tf 
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v29.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.0.0"
 }
 }
From 163de3917b3973cab9eeca83054e718c195bff14 Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Fri, 2 Feb 2024 10:36:22 -0800
Subject: [PATCH 027/176] feat: add optional membership_location to fleet-membership (#1860)
---
 modules/fleet-membership/README.md | 1 +
 modules/fleet-membership/membership.tf | 3 ++-
 modules/fleet-membership/variables.tf | 9 ++++++++-
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/modules/fleet-membership/README.md b/modules/fleet-membership/README.md
index dd7e45cc1f..b0c4419136 100644
--- a/modules/fleet-membership/README.md
+++ b/modules/fleet-membership/README.md
@@ -29,6 +29,7 @@ To deploy this config:
 | enable\_fleet\_registration | Enables GKE Hub Registration when set to true | `bool` | `true` | no |
 | hub\_project\_id | The project in which the GKE Hub belongs. Defaults to GKE cluster project\_id. | `string` | `""` | no |
 | location | The location (zone or region) this cluster has been created in. | `string` | n/a | yes |
+| membership\_location | Membership location for the cluster. Defaults to global. | `string` | `"global"` | no |
 | membership\_name | Membership name that uniquely represents the cluster being registered. Defaults to `$project_id-$location-$cluster_name`. | `string` | `""` | no |
 | project\_id | The project in which the GKE cluster belongs. | `string` | n/a | yes |
diff --git a/modules/fleet-membership/membership.tf b/modules/fleet-membership/membership.tf
index c5ef4cce39..796e3eb31f 100644
--- a/modules/fleet-membership/membership.tf
+++ b/modules/fleet-membership/membership.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2018-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -21,6 +21,7 @@ resource "google_gke_hub_membership" "primary" {
 project = local.hub_project_id
 membership_id = local.gke_hub_membership_name
+ location = var.membership_location
 endpoint {
 gke_cluster {
diff --git a/modules/fleet-membership/variables.tf b/modules/fleet-membership/variables.tf
index eec5b4fd9b..df5c5462c9 100644
--- a/modules/fleet-membership/variables.tf
+++ b/modules/fleet-membership/variables.tf
@@ -1,5 +1,5 @@
 /**
- * Copyright 2018 Google LLC
+ * Copyright 2018-2024 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -46,3 +46,10 @@ variable "membership_name" {
 type = string
 default = ""
 }
+
+// Defaults to global for backward compatibility.
+variable "membership_location" {
+ description = "Membership location for the cluster. Defaults to global."
+ type = string
+ default = "global"
+}
From c89322192ea0b2db818f650958aca6af1abbaf7e Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Fri, 2 Feb 2024 12:35:13 -0800
Subject: [PATCH 028/176] chore(CI): additional transient errors (#1862)
---
 test/integration/testutils/retry.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/test/integration/testutils/retry.go b/test/integration/testutils/retry.go
index 502822c858..c9fa684beb 100644
--- a/test/integration/testutils/retry.go
+++ b/test/integration/testutils/retry.go
@@ -16,6 +16,9 @@ package testutils
 var (
 RetryableTransientErrors = map[string]string{
+ // Error 409: unable to queue the operation
+ ".*Error 409.*unable to queue the operation": "Unable to queue operation.",
+
 // Error code 409 for concurrent policy changes.
 ".*Error 409.*There were concurrent policy changes.*": "Concurrent policy changes.",
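Review bot: The new `membership_location` variable is wired straight into `location` on `google_gke_hub_membership.primary` (the membership.tf hunk on this same line) with no `validation` block, and its description does not say what a non-default value does to a membership that already exists. As far as I can tell from how the provider usually treats location arguments, changing it on an existing membership forces the resource to be recreated, which deregisters and re-registers the cluster; callers should be told that before they flip it. Suggest extending the description: `description = "Membership location for the cluster. Defaults to global. Changing this on an existing membership may recreate it."` The `// Defaults to global for backward compatibility.` comment duplicates the description and could be dropped.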
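Review bot: The new map key `".*Error 409.*unable to queue the operation"` drops the trailing `.*` that the sibling `".*Error 409.*There were concurrent policy changes.*"` carries, so the two entries read as if they were matched differently; if these keys are compiled as unanchored regexps the trailing `.*` is redundant either way, but the inconsistency invites a later "fix", so follow the sibling's form within this hunk. The comment `// Error 409: unable to queue the operation` only restates the pattern; the useful fact is that this error is being classified as transient, e.g. `// Error 409 "unable to queue the operation": treated as transient and retried (#1862).` The `var (` block continues outside the hunk.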
From b55de75a5934c8d18d9c38936be8a3a56f3888e1 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 7 Feb 2024 20:33:26 -0800 Subject: [PATCH 029/176] chore(deps): Update Terraform terraform-google-modules/kubernetes-engine/google to v30 (#1872) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/acm-terraform-blog-part1/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part2/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part3/terraform/gke.tf | 4 ++-- examples/deploy_service/main.tf | 2 +- examples/disable_client_cert/main.tf | 2 +- examples/node_pool/main.tf | 2 +- examples/node_pool_update_variant/main.tf | 2 +- examples/node_pool_update_variant_beta/main.tf | 2 +- examples/node_pool_update_variant_public_beta/main.tf | 2 +- examples/private_zonal_with_networking/main.tf | 2 +- examples/regional_private_node_pool_oauth_scopes/main.tf | 2 +- examples/safer_cluster/main.tf | 2 +- examples/safer_cluster_iap_bastion/cluster.tf | 2 +- examples/shared_vpc/main.tf | 2 +- examples/simple_autopilot_private/main.tf | 2 +- examples/simple_autopilot_private_non_default_sa/main.tf | 2 +- examples/simple_autopilot_public/main.tf | 2 +- examples/simple_regional/main.tf | 2 +- examples/simple_regional_beta/main.tf | 2 +- examples/simple_regional_private/main.tf | 2 +- examples/simple_regional_private_beta/main.tf | 2 +- .../simple_regional_private_with_cluster_version/main.tf | 2 +- examples/simple_regional_with_gateway_api/main.tf | 2 +- examples/simple_regional_with_kubeconfig/main.tf | 4 ++-- examples/simple_regional_with_networking/main.tf | 2 +- examples/simple_windows_node_pool/main.tf | 2 +- examples/simple_zonal_private/main.tf | 2 +- examples/simple_zonal_with_acm/acm.tf | 2 +- examples/simple_zonal_with_acm/main.tf | 2 +- examples/simple_zonal_with_asm/main.tf | 4 ++-- examples/simple_zonal_with_hub/hub.tf | 2 +- examples/simple_zonal_with_hub/main.tf | 2 +- examples/simple_zonal_with_hub_kubeconfig/hub.tf | 2 +- 
examples/stub_domains/main.tf | 2 +- examples/stub_domains_private/main.tf | 2 +- examples/stub_domains_upstream_nameservers/main.tf | 2 +- examples/upstream_nameservers/main.tf | 2 +- examples/workload_identity/main.tf | 8 ++++---- examples/workload_metadata_config/main.tf | 2 +- 39 files changed, 45 insertions(+), 45 deletions(-) diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index 93a50350ca..9c997717dc 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -31,7 +31,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part1" region = var.region diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 0b1d290ec5..2c0d637463 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf @@ -31,7 +31,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part2" region = var.region diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index 1828c250f8..9f43da79bc 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf @@ -33,7 +33,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part3" region = var.region 
@@ -48,7 +48,7 @@ module "gke" { module "wi" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 29.0" + version = "~> 30.0" gcp_sa_name = "cnrmsa" cluster_name = module.gke.name name = "cnrm-controller-manager" diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index eca6e989c3..a36e40b5fa 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf index b44178ab04..af1e3f141d 100644 --- a/examples/disable_client_cert/main.tf +++ b/examples/disable_client_cert/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index 59eb35cd19..cea54d19b6 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf index 10489bc5a9..b18de30482 100644 --- a/examples/node_pool_update_variant/main.tf +++ b/examples/node_pool_update_variant/main.tf 
@@ -34,7 +34,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster-update-variant" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf index 438a0b0ec2..c78d2bd050 100644 --- a/examples/node_pool_update_variant_beta/main.tf +++ b/examples/node_pool_update_variant_beta/main.tf @@ -39,7 +39,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf index c096e1c28c..dcab030f8b 100644 --- a/examples/node_pool_update_variant_public_beta/main.tf +++ b/examples/node_pool_update_variant_public_beta/main.tf @@ -39,7 +39,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster-update-variant" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf index 889582fb8e..1f7f4c2047 100644 --- a/examples/private_zonal_with_networking/main.tf +++ b/examples/private_zonal_with_networking/main.tf @@ -61,7 +61,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = var.cluster_name 
diff --git a/examples/regional_private_node_pool_oauth_scopes/main.tf b/examples/regional_private_node_pool_oauth_scopes/main.tf index 98c3c561dd..0bba21cdaa 100644 --- a/examples/regional_private_node_pool_oauth_scopes/main.tf +++ b/examples/regional_private_node_pool_oauth_scopes/main.tf @@ -16,7 +16,7 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "random-test-cluster" diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index 771f4970ff..ceea648aa5 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf @@ -52,7 +52,7 @@ resource "random_shuffle" "version" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster-${random_string.suffix.result}" diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf index 2525476181..9debb69001 100644 --- a/examples/safer_cluster_iap_bastion/cluster.tf +++ b/examples/safer_cluster_iap_bastion/cluster.tf @@ -16,7 +16,7 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = module.enabled_google_apis.project_id name = var.cluster_name diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf index d95626f694..5ff24c3c02 100644 --- a/examples/shared_vpc/main.tf +++ b/examples/shared_vpc/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" 
diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf index 33bc104262..ee628d8459 100644 --- a/examples/simple_autopilot_private/main.tf +++ b/examples/simple_autopilot_private/main.tf @@ -35,7 +35,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_autopilot_private_non_default_sa/main.tf b/examples/simple_autopilot_private_non_default_sa/main.tf index 0bb1fde3e6..1da730e987 100644 --- a/examples/simple_autopilot_private_non_default_sa/main.tf +++ b/examples/simple_autopilot_private_non_default_sa/main.tf @@ -35,7 +35,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index d791840c75..2fc462ca3a 100644 --- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf @@ -34,7 +34,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index ad4122d5c2..710f98f326 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf 
@@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index 667965d3d1..cd76c5dcc6 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf index d6a9b3f963..2b120d14d8 100644 --- a/examples/simple_regional_private/main.tf +++ b/examples/simple_regional_private/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf index 861c4a08e0..43d2f7835f 100644 --- a/examples/simple_regional_private_beta/main.tf +++ b/examples/simple_regional_private_beta/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" 
diff --git a/examples/simple_regional_private_with_cluster_version/main.tf b/examples/simple_regional_private_with_cluster_version/main.tf index bf511e6c3a..6d95353710 100644 --- a/examples/simple_regional_private_with_cluster_version/main.tf +++ b/examples/simple_regional_private_with_cluster_version/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_with_gateway_api/main.tf b/examples/simple_regional_with_gateway_api/main.tf index 60405c2181..b96367d767 100644 --- a/examples/simple_regional_with_gateway_api/main.tf +++ b/examples/simple_regional_with_gateway_api/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf index 18a6e574c9..a2fcc3c72e 100644 --- a/examples/simple_regional_with_kubeconfig/main.tf +++ b/examples/simple_regional_with_kubeconfig/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" @@ -45,7 +45,7 @@ module "gke" { module "gke_auth" { source = "terraform-google-modules/kubernetes-engine/google//modules/auth" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id location = module.gke.location 
diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf index 9a45243897..28363ea059 100644 --- a/examples/simple_regional_with_networking/main.tf +++ b/examples/simple_regional_with_networking/main.tf @@ -53,7 +53,7 @@ module "gcp-network" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = var.cluster_name diff --git a/examples/simple_windows_node_pool/main.tf b/examples/simple_windows_node_pool/main.tf index 3dcbac05c4..2ec1464bd3 100644 --- a/examples/simple_windows_node_pool/main.tf +++ b/examples/simple_windows_node_pool/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf index c892b0d0bf..a541829254 100644 --- a/examples/simple_zonal_private/main.tf +++ b/examples/simple_zonal_private/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf index 3b19ad6b27..cee5eda4d2 100644 --- a/examples/simple_zonal_with_acm/acm.tf +++ b/examples/simple_zonal_with_acm/acm.tf @@ -16,7 +16,7 @@ module "acm" { source = "terraform-google-modules/kubernetes-engine/google//modules/acm" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id location = module.gke.location 
diff --git a/examples/simple_zonal_with_acm/main.tf b/examples/simple_zonal_with_acm/main.tf index 9f66f7bab1..de06aa5d46 100644 --- a/examples/simple_zonal_with_acm/main.tf +++ b/examples/simple_zonal_with_acm/main.tf @@ -32,7 +32,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index d60873aa49..4c6192e476 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -28,7 +28,7 @@ data "google_project" "project" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "test-prefix-cluster-test-suffix" @@ -57,7 +57,7 @@ module "gke" { module "asm" { source = "terraform-google-modules/kubernetes-engine/google//modules/asm" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id cluster_name = module.gke.name diff --git a/examples/simple_zonal_with_hub/hub.tf b/examples/simple_zonal_with_hub/hub.tf index c838b44cbf..36120501b3 100644 --- a/examples/simple_zonal_with_hub/hub.tf +++ b/examples/simple_zonal_with_hub/hub.tf @@ -16,7 +16,7 @@ module "hub" { source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id location = module.gke.location diff --git a/examples/simple_zonal_with_hub/main.tf b/examples/simple_zonal_with_hub/main.tf index 2fbbeddc78..4b4563d8d0 100644 --- a/examples/simple_zonal_with_hub/main.tf +++ b/examples/simple_zonal_with_hub/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id regional = false 
diff --git a/examples/simple_zonal_with_hub_kubeconfig/hub.tf b/examples/simple_zonal_with_hub_kubeconfig/hub.tf index 5e500327b7..19e243947a 100644 --- a/examples/simple_zonal_with_hub_kubeconfig/hub.tf +++ b/examples/simple_zonal_with_hub_kubeconfig/hub.tf @@ -16,7 +16,7 @@ module "hub" { source = "terraform-google-modules/kubernetes-engine/google//modules/hub-legacy" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id location = "remote" diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf index 00a6c85eed..8607a6fc72 100644 --- a/examples/stub_domains/main.tf +++ b/examples/stub_domains/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf index 3c483acc13..5ebc7a057a 100644 --- a/examples/stub_domains_private/main.tf +++ b/examples/stub_domains_private/main.tf @@ -30,7 +30,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 29.0" + version = "~> 30.0" ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf index 75fabb9aaa..02639383dd 100644 --- a/examples/stub_domains_upstream_nameservers/main.tf +++ b/examples/stub_domains_upstream_nameservers/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" 
diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf index 7eb438547c..7349ab5cdf 100644 --- a/examples/upstream_nameservers/main.tf +++ b/examples/upstream_nameservers/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index 84d05f073d..fe1b13bfcd 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" @@ -54,7 +54,7 @@ module "gke" { # example without existing KSA module "workload_identity" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "iden-${module.gke.name}" @@ -74,7 +74,7 @@ resource "kubernetes_service_account" "test" { module "workload_identity_existing_ksa" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "existing-${module.gke.name}" @@ -93,7 +93,7 @@ resource "google_service_account" "custom" { module "workload_identity_existing_gsa" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = google_service_account.custom.account_id diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index fce542bd95..856591c444 100644 
--- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 29.0" + version = "~> 30.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" From 4e148ed65022e7964f9400351a9bff60e2fadbf7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 8 Feb 2024 08:29:24 -0800 Subject: [PATCH 030/176] chore(deps): Update Terraform terraform-google-modules/kms/google to ~> 2.3.0 (#1871) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Andrew Peabody --- examples/safer_cluster_iap_bastion/kms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/safer_cluster_iap_bastion/kms.tf b/examples/safer_cluster_iap_bastion/kms.tf index 1ca442d9dc..668181500b 100644 --- a/examples/safer_cluster_iap_bastion/kms.tf +++ b/examples/safer_cluster_iap_bastion/kms.tf @@ -16,7 +16,7 @@ module "kms" { source = "terraform-google-modules/kms/google" - version = "~> 2.2.3" + version = "~> 2.3" project_id = var.project_id location = var.region keyring = "gke-keyring" From f498355fd7cc1cd334e52284f38b8fc30e4877c5 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 16 Feb 2024 08:07:47 +0000 Subject: [PATCH 031/176] chore(deps): Update module github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test to v0.12.1 (#1879) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 7 ++++--- test/integration/go.sum | 14 ++++++++------ 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index ec5a0b2a8b..fdc5577793 100644 
--- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -5,7 +5,7 @@ go 1.21 toolchain go1.21.5 require ( - github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1 + github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.12.1 github.com/gruntwork-io/terratest v0.46.11 github.com/stretchr/testify v1.8.4 ) @@ -17,6 +17,7 @@ require ( cloud.google.com/go/iam v1.1.2 // indirect cloud.google.com/go/storage v1.33.0 // indirect github.com/agext/levenshtein v1.2.3 // indirect + github.com/alexflint/go-filemutex v1.3.0 // indirect github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/aws/aws-sdk-go v1.45.5 // indirect github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect @@ -81,11 +82,11 @@ require ( github.com/zclconf/go-cty v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect golang.org/x/crypto v0.17.0 // indirect - golang.org/x/mod v0.14.0 // indirect + golang.org/x/mod v0.15.0 // indirect golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.4.0 // indirect - golang.org/x/sys v0.15.0 // indirect + golang.org/x/sys v0.16.0 // indirect golang.org/x/term v0.15.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect diff --git a/test/integration/go.sum b/test/integration/go.sum index e0fde47dff..f2743cd309 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -187,11 +187,13 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1 h1:S4Y7o5RKRC9Bk71VszCx9NeheWjdSAn5ejPuD1W6lNE= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.11.1/go.mod h1:v4TFK9TmX4mYyXL3v9wFXVN3A5vrt2LaVDBX2/OVU7Y= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.12.1 h1:4K4HIuu95U6A56orD4LAX+yabfUmIRaoUV0JJWOZPjE= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.12.1/go.mod h1:iipeDC0VhxKtIVOZyz0ofiJ2x6sh9+VYEbG3JKsPqPw= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/alexflint/go-filemutex v1.3.0 h1:LgE+nTUWnQCyRKbpoceKZsPQbs84LivvgwUymZXdOcM= +github.com/alexflint/go-filemutex v1.3.0/go.mod h1:U0+VA/i30mGBlLCrFPGtTe9y6wGQfNAWPBTekHQ+c8A= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= 
@@ -568,8 +570,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= -golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8= +golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -725,8 +727,8 @@ golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= From 176ad25ad04c4fa5153b9acaabfbaf456478600c Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 20 Feb 2024 14:11:08 -0800 Subject: [PATCH 032/176] chore(CI): bump machine type (#1882) --- examples/simple_zonal_with_asm/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index 4c6192e476..f9b368000a 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -50,7 +50,7 @@ module "gke" { autoscaling = false auto_upgrade = true node_count = 3 - machine_type = "e2-standard-4" + machine_type = "e2-standard-8" }, ] } From 22896b0835a4f68aed92c5330c1e9a65faa97a1c Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Tue, 20 Feb 2024 16:20:22 -0800 Subject: [PATCH 033/176] fix: handle missing fleet membership and extend asm timeout (#1880) --- modules/asm/scripts/create_cpr.sh | 2 +- modules/fleet-membership/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/asm/scripts/create_cpr.sh b/modules/asm/scripts/create_cpr.sh
index d592e54538..9ceb332312 100755
--- a/modules/asm/scripts/create_cpr.sh
+++ b/modules/asm/scripts/create_cpr.sh
@@ -57,4 +57,4 @@ spec:
 channel: "${CHANNEL}"
 EOF
-kubectl wait -n istio-system --for=condition=Reconciled controlplanerevision/"${REVISION_NAME}" --timeout 10m
+kubectl wait -n istio-system --for=condition=Reconciled controlplanerevision/"${REVISION_NAME}" --timeout 20m
diff --git a/modules/fleet-membership/main.tf b/modules/fleet-membership/main.tf
index 92d5d83f7f..e57418caf0 100644
--- a/modules/fleet-membership/main.tf
+++ b/modules/fleet-membership/main.tf
@@ -18,7 +18,7 @@ locals {
 hub_project_id = var.hub_project_id == "" ? var.project_id : var.hub_project_id
 gke_hub_membership_name_complete = var.membership_name != "" ? var.membership_name : "${var.project_id}-${var.location}-${var.cluster_name}"
 gke_hub_membership_name = trimsuffix(substr(local.gke_hub_membership_name_complete, 0, 63), "-")
- gke_hub_membership_location = regex(local.gke_hub_membership_location_re, data.google_container_cluster.primary.fleet[0].membership)[0]
+ gke_hub_membership_location = try(regex(local.gke_hub_membership_location_re, data.google_container_cluster.primary.fleet[0].membership)[0], null)
 gke_hub_membership_location_re = "//gkehub.googleapis.com/projects/[^/]*/locations/([^/]*)/memberships/[^/]*$"
 }
From 628baf046f2d15717b0ea43c6ecc0bf028c7f1eb Mon Sep 17 00:00:00 2001 From: CFT Bot Date: Wed, 21 Feb 2024 17:26:11 -0800 Subject: [PATCH 034/176] chore: update CODEOWNERS --- CODEOWNERS | 8 ++++++++ 1 file changed, 8 insertions(+)
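Review bot: The `try(..., null)` wrapped around `gke_hub_membership_location` in the fleet-membership `locals` hunk swallows every evaluation error, not only the missing-membership case the commit is fixing: a membership resource name that does not match `gke_hub_membership_location_re` also becomes `null` silently, so a changed API path format would surface downstream as a null location instead of a plan-time error. Narrowing the guard to the actual absence keeps the fix while leaving format mismatches loud — if the unregistered case presumably shows up as an empty `fleet` list, `gke_hub_membership_location = length(data.google_container_cluster.primary.fleet) > 0 ? regex(local.gke_hub_membership_location_re, data.google_container_cluster.primary.fleet[0].membership)[0] : null` (adjust the condition if it instead shows up as an empty `membership` string). Either way the null case deserves a comment on the local, e.g. `# null when the cluster is not yet a fleet member; consumers must handle it`. The `locals` block opens just above the hunk.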
diff --git a/CODEOWNERS b/CODEOWNERS index 6d0d18bb23..68a2db340e 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -2,3 +2,11 @@ # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/master/infra/terraform/test-org/org/locals.tf * @terraform-google-modules/cft-admins @ericyz + +# NOTE: GitHub CODEOWNERS locations: +# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection + +CODEOWNERS @terraform-google-modules/cft-admins +.github/CODEOWNERS @terraform-google-modules/cft-admins +docs/CODEOWNERS @terraform-google-modules/cft-admins + From 0a2d505140f140552c1414a1ba826f7a72cda051 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Thu, 22 Feb 2024 16:34:34 -0800 Subject: [PATCH 035/176] chore(CI): filter kubectl error msgs (#1887) --- .../deploy_service/deploy_service_test.go | 2 +- .../simple_zonal/simple_zonal_test.go | 5 +-- .../simple_zonal_with_asm_test.go | 5 +-- test/integration/testutils/json.go | 40 +++++++++++++++++++ 4 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 test/integration/testutils/json.go diff --git a/test/integration/deploy_service/deploy_service_test.go b/test/integration/deploy_service/deploy_service_test.go index 793763d03b..c87470d44b 100755 --- a/test/integration/deploy_service/deploy_service_test.go +++ b/test/integration/deploy_service/deploy_service_test.go @@ -43,7 +43,7 @@ func TestDeployService(t *testing.T) { k8sOpts := k8s.KubectlOptions{} listServices, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, "get", "svc", "terraform-example", "-o", "json") assert.NoError(err) - kubeService := utils.ParseJSONResult(t, listServices) + kubeService := testutils.ParseKubectlJSONResult(t, listServices) serviceIp := kubeService.Get("status.loadBalancer.ingress").Array()[0].Get("ip") serviceUrl := fmt.Sprintf("http://%s:8080", serviceIp) 
diff --git a/test/integration/simple_zonal/simple_zonal_test.go b/test/integration/simple_zonal/simple_zonal_test.go index 38b79b3672..cb5c796995 100644 --- a/test/integration/simple_zonal/simple_zonal_test.go +++ b/test/integration/simple_zonal/simple_zonal_test.go @@ -21,7 +21,6 @@ import ( "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" - "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" "github.com/gruntwork-io/terratest/modules/k8s" "github.com/stretchr/testify/assert" "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" @@ -78,11 +77,11 @@ func TestSimpleZonal(t *testing.T) { k8sOpts := k8s.KubectlOptions{} configNameSpace, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, "get", "ns", "config-management-system", "-o", "json") assert.NoError(err) - configkubeNS := utils.ParseJSONResult(t, configNameSpace) + configkubeNS := testutils.ParseKubectlJSONResult(t, configNameSpace) assert.Contains(configkubeNS.Get("metadata.name").String(), "config-management-system", "Namespace is Functional") gateKeeperNameSpace, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, "get", "ns", "gatekeeper-system", "-o", "json") assert.NoError(err) - gateKeeperkubeNS := utils.ParseJSONResult(t, gateKeeperNameSpace) + gateKeeperkubeNS := testutils.ParseKubectlJSONResult(t, gateKeeperNameSpace) assert.Contains(gateKeeperkubeNS.Get("metadata.name").String(), "gatekeeper-system", "Namespace is Functional") }) diff --git a/test/integration/simple_zonal_with_asm/simple_zonal_with_asm_test.go b/test/integration/simple_zonal_with_asm/simple_zonal_with_asm_test.go index 7e10477ac1..0d8e363b7a 100644 --- a/test/integration/simple_zonal_with_asm/simple_zonal_with_asm_test.go 
+++ b/test/integration/simple_zonal_with_asm/simple_zonal_with_asm_test.go @@ -20,7 +20,6 @@ import ( "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" - "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils" "github.com/gruntwork-io/terratest/modules/k8s" "github.com/stretchr/testify/assert" "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" @@ -50,11 +49,11 @@ func TestSimpleZonalWithASM(t *testing.T) { k8sOpts := k8s.KubectlOptions{} listNameSpace, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, "get", "ns", "istio-system", "-o", "json") assert.NoError(err) - kubeNS := utils.ParseJSONResult(t, listNameSpace) + kubeNS := testutils.ParseKubectlJSONResult(t, listNameSpace) assert.Contains(kubeNS.Get("metadata.name").String(), "istio-system", "Namespace is Functional") listConfigMap, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, "get", "configmap", "asm-options", "-n", "istio-system", "-o", "json") assert.NoError(err) - kubeCM := utils.ParseJSONResult(t, listConfigMap) + kubeCM := testutils.ParseKubectlJSONResult(t, listConfigMap) assert.Contains(kubeCM.Get("metadata.name").String(), "asm-options", "Configmap is Present") }) diff --git a/test/integration/testutils/json.go b/test/integration/testutils/json.go new file mode 100644 index 0000000000..675e513fe6 --- /dev/null +++ b/test/integration/testutils/json.go 
@@ -0,0 +1,40 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package testutils
+
+import (
+ "bytes"
+ "testing"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/utils"
+ "github.com/tidwall/gjson"
+)
+
+var (
+ KubectlTransientErrors = []string{
+ "E0222 .* the server is currently unable to handle the request",
+ }
+)
+
+// Filter transient errors from kubectl output
+func ParseKubectlJSONResult(t testing.TB, s string) gjson.Result {
+ bstring := []byte(s)
+
+ for _, v := range KubectlTransientErrors {
+ bstring = bytes.Replace(bstring, []byte(v), []byte(""), -1)
+ }
+
+ return utils.ParseJSONResult(t, string(bstring))
+}
From 08fc3a68b16760d09a83ee59beb6adac597c1d45 Mon Sep 17 00:00:00 2001 From: CFT Bot Date: Fri, 23 Feb 2024 08:43:03 -0800 Subject: [PATCH 036/176] chore: update CODEOWNERS --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CODEOWNERS b/CODEOWNERS
index 68a2db340e..d075929488 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
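Review bot: `ParseKubectlJSONResult` writes `KubectlTransientErrors` as regular expressions (`.*`, and the `E022[23]` class that the later `@@ -24,7 +24,7 @@` hunk in json.go widens it to), but `bytes.Replace` substitutes the literal bytes, so the entry can never match real kubectl output and the filter is a no-op — the error line presumably still reaches `utils.ParseJSONResult` unchanged. Compile the entries instead: `bstring = regexp.MustCompile(v).ReplaceAll(bstring, nil)` with `"regexp"` added to the imports (and `"bytes"` dropped once unused). Since the `E0222` prefix is klog's `Lmmdd` header, i.e. a date, the pattern also stops matching on any other day; matching on the message text alone with `(?m)` and consuming the whole line, e.g. `(?m)^E[0-9]{4} .* the server is currently unable to handle the request.*\n?`, is more durable, and a small table test with a captured kubectl sample would have caught the no-op. A doc comment on the exported var, `// KubectlTransientErrors holds regexps for kubectl stderr noise that is stripped before JSON parsing.`, would also make the intended semantics explicit.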
@@ -1,7 +1,7 @@ # NOTE: This file is automatically generated from values at: # https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/master/infra/terraform/test-org/org/locals.tf -* @terraform-google-modules/cft-admins @ericyz +* @terraform-google-modules/cft-admins @ericyz @gtsorbo # NOTE: GitHub CODEOWNERS locations: # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-and-branch-protection From a6f12ff7eae271a14075b9a7fc53be659c8d54c8 Mon Sep 17 00:00:00 2001 From: CFT Bot Date: Fri, 23 Feb 2024 08:43:10 -0800 Subject: [PATCH 037/176] chore: update .github/workflows/lint.yaml --- .github/workflows/lint.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 2675f6e349..d355114669 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -18,6 +18,7 @@ name: 'lint' on: + workflow_dispatch: pull_request: branches: - master From 2a39b0b075d73acf9e809e5a74d7d8aa4cc7723d Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Fri, 23 Feb 2024 11:06:45 -0800 Subject: [PATCH 038/176] chore(CI): widen error code match (#1888) --- test/integration/testutils/json.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/testutils/json.go b/test/integration/testutils/json.go index 675e513fe6..3e455232df 100644 --- a/test/integration/testutils/json.go +++ b/test/integration/testutils/json.go @@ -24,7 +24,7 @@ import ( var ( KubectlTransientErrors = []string{ - "E0222 .* the server is currently unable to handle the request", + "E022[23] .* the server is currently unable to handle the request", } ) From 6b267bd91362cd78e06850a267a04c0fd2427b1c Mon Sep 17 00:00:00 2001 
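Review bot: The new `workflow_dispatch:` trigger lets anyone with write access start the lint run manually, and the hunk shows no top-level `permissions:` block, so if the file has none (its start lies outside the hunk) the manual run carries the repository's default `GITHUB_TOKEN` scope. A lint job only needs to read the checkout, so declaring `permissions:` / `  contents: read` at the top level would keep the new trigger least-privilege; drop this if the block already exists above the hunk.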
From: Andrew Peabody Date: Mon, 26 Feb 2024 10:19:25 -0800 Subject: [PATCH 039/176] feat: add direct fleet registration option (#1878) --- README.md | 2 ++ autogen/main/cluster.tf.tmpl | 7 +++++++ autogen/main/main.tf.tmpl | 2 ++ autogen/main/outputs.tf.tmpl | 5 +++++ autogen/main/variables.tf.tmpl | 6 ++++++ cluster.tf | 7 +++++++ examples/simple_regional/main.tf | 1 + examples/simple_zonal_with_hub/README.md | 1 + examples/simple_zonal_with_hub/outputs.tf | 5 +++++ main.tf | 2 ++ modules/beta-autopilot-private-cluster/README.md | 2 ++ modules/beta-autopilot-private-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-private-cluster/main.tf | 2 ++ modules/beta-autopilot-private-cluster/outputs.tf | 5 +++++ modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-public-cluster/README.md | 2 ++ modules/beta-autopilot-public-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-public-cluster/main.tf | 2 ++ modules/beta-autopilot-public-cluster/outputs.tf | 5 +++++ modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++ modules/beta-private-cluster-update-variant/README.md | 2 ++ modules/beta-private-cluster-update-variant/cluster.tf | 7 +++++++ modules/beta-private-cluster-update-variant/main.tf | 2 ++ modules/beta-private-cluster-update-variant/outputs.tf | 5 +++++ modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 2 ++ modules/beta-private-cluster/cluster.tf | 7 +++++++ modules/beta-private-cluster/main.tf | 2 ++ modules/beta-private-cluster/outputs.tf | 5 +++++ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/README.md | 2 ++ modules/beta-public-cluster-update-variant/cluster.tf | 7 +++++++ modules/beta-public-cluster-update-variant/main.tf | 2 ++ modules/beta-public-cluster-update-variant/outputs.tf | 5 +++++ modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 2 ++ 
modules/beta-public-cluster/cluster.tf | 7 +++++++ modules/beta-public-cluster/main.tf | 2 ++ modules/beta-public-cluster/outputs.tf | 5 +++++ modules/beta-public-cluster/variables.tf | 6 ++++++ modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 7 +++++++ modules/private-cluster-update-variant/main.tf | 2 ++ modules/private-cluster-update-variant/outputs.tf | 5 +++++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 7 +++++++ modules/private-cluster/main.tf | 2 ++ modules/private-cluster/outputs.tf | 5 +++++ modules/private-cluster/variables.tf | 6 ++++++ outputs.tf | 5 +++++ variables.tf | 6 ++++++ 52 files changed, 225 insertions(+) diff --git a/README.md b/README.md index 581cf77bc3..23a04c47f5 100644 --- a/README.md +++ b/README.md @@ -167,6 +167,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -239,6 +240,7 @@ Then perform the following commands on the root folder: | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index bec9779ea5..1228e29a95 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -347,6 +347,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 2b75d8e5ca..49b847fcba 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
@@ -60,6 +60,8 @@ locals { windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) {% endif %} + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index eb84418487..afedce7f55 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -234,3 +234,8 @@ output "identity_service_enabled" { value = local.cluster_pod_security_policy_enabled } {% endif %} + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 682ea65300..e625e3d4ce 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -857,3 +857,9 @@ variable "allow_net_admin" { default = null } {% endif %} + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/cluster.tf b/cluster.tf index be4e3cbc3f..2236446061 100644 --- a/cluster.tf +++ b/cluster.tf @@ -231,6 +231,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 710f98f326..11a34fa0c6 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf 
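Review bot: The `fleet_project` variable description in the `autogen/main/variables.tf.tmpl` hunk says only that the cluster is registered with a fleet; it should also state that the fleet host project becomes part of the cluster's trust boundary, since principals granted fleet-level IAM roles in that project can reach the cluster through fleet features such as the Connect gateway. Suggested description: `(Optional) Register the cluster with the fleet in this project. Principals with fleet-level IAM roles in that project can gain management access to the cluster, so treat it as part of the cluster's trust boundary.` The same variable block is duplicated verbatim in every `modules/*/variables.tf` hunk further down in this patch and should carry the same wording; fixing the template and regenerating would cover them all.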
@@ -43,5 +43,6 @@ module "gke" { enable_cost_allocation = true enable_binary_authorization = var.enable_binary_authorization gcs_fuse_csi_driver = true + fleet_project = var.project_id deletion_protection = false } diff --git a/examples/simple_zonal_with_hub/README.md b/examples/simple_zonal_with_hub/README.md index ce0a513ac0..e167ac323f 100644 --- a/examples/simple_zonal_with_hub/README.md +++ b/examples/simple_zonal_with_hub/README.md @@ -23,6 +23,7 @@ It incorporates the standard cluster module, the [registration module](../../mod | ca\_certificate | n/a | | client\_token | n/a | | cluster\_name | Cluster name | +| hub\_location | The location of the hub membership. | | ip\_range\_pods | The secondary IP range used for pods | | ip\_range\_services | The secondary IP range used for services | | kubernetes\_endpoint | n/a | diff --git a/examples/simple_zonal_with_hub/outputs.tf b/examples/simple_zonal_with_hub/outputs.tf index d953d1b3db..d824225879 100644 --- a/examples/simple_zonal_with_hub/outputs.tf +++ b/examples/simple_zonal_with_hub/outputs.tf @@ -79,3 +79,8 @@ output "master_kubernetes_version" { description = "The master Kubernetes version" value = module.gke.master_version } + +output "hub_location" { + description = "The location of the hub membership." + value = module.hub.location +} diff --git a/main.tf b/main.tf index 89889acbf1..4025b6063c 100644 --- a/main.tf +++ b/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] 
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 1fd8c3deeb..ff40b31c79 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -98,6 +98,7 @@ Then perform the following commands on the root folder: | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | @@ -153,6 +154,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 00c767d99a..ae074625a1 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -147,6 +147,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index a7e90a1f5f..f0d22b5840 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
@@ -49,6 +49,8 @@ locals { master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version master_version = var.regional ? local.master_version_regional : local.master_version_zonal + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index 8ba200ea1c..f2888c0aa1 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf @@ -188,3 +188,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 2a24cc62dd..35325d6774 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -460,3 +460,9 @@ variable "allow_net_admin" { type = bool default = null } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 56a0389895..198fde422e 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -89,6 +89,7 @@ Then perform the following commands on the root folder: | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | @@ -142,6 +143,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index bb7f73ae6b..39b4c57bbe 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -147,6 +147,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 0199ec231b..24bcb36d3d 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
@@ -49,6 +49,8 @@ locals { master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version master_version = var.regional ? local.master_version_regional : local.master_version_zonal + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index e60b61f903..9b26f835f8 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf +++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -178,3 +178,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index caf41cda82..0d3c5cdd5c 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -430,3 +430,9 @@ variable "allow_net_admin" { type = bool default = null } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 3bae57b7d9..3e31d9d529 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -211,6 +211,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -293,6 +294,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 9aaf838470..4057938a0a 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index b7f8f664ed..f7ef1e33d2 100644 --- a/modules/beta-private-cluster-update-variant/main.tf 
+++ b/modules/beta-private-cluster-update-variant/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index 64465ccde9..2d8e768f7c 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -214,3 +214,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 753d7b93bb..eeefad4291 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -811,3 +811,9 @@ variable "enable_gcfs" { description = "Enable image streaming on cluster level." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 090a04a96e..b9379d4554 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -189,6 +189,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -271,6 +272,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index cc2ccb3999..c702c838e7 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index b7f8f664ed..f7ef1e33d2 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index 64465ccde9..2d8e768f7c 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -214,3 +214,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 753d7b93bb..eeefad4291 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -811,3 +811,9 @@ variable "enable_gcfs" { description = "Enable image streaming on cluster level." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 4811bc831d..4b30d2352a 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -202,6 +202,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -282,6 +283,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index fcc48cf172..12d39c2ed7 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index ee6ec17917..d92b11fadd 100644 --- a/modules/beta-public-cluster-update-variant/main.tf 
+++ b/modules/beta-public-cluster-update-variant/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index 5d199a4ed4..e388fb4406 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -204,3 +204,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 5863324c52..ff2f84c094 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -781,3 +781,9 @@ variable "enable_gcfs" { description = "Enable image streaming on cluster level." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 9376103d03..8c4288e7f0 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -180,6 +180,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -260,6 +261,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index dddf6c018e..779c0e19c8 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index ee6ec17917..d92b11fadd 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 5d199a4ed4..e388fb4406 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -204,3 +204,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 5863324c52..ff2f84c094 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -781,3 +781,9 @@ variable "enable_gcfs" { description = "Enable image streaming on cluster level." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 9407ab5fb6..c8c38ed6ec 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -198,6 +198,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -272,6 +273,7 @@ Then perform the following commands on the root folder: | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 91f632c958..c468560690 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -231,6 +231,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 98283ce979..f2a6e28ea8 100644 --- a/modules/private-cluster-update-variant/main.tf 
+++ b/modules/private-cluster-update-variant/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 5b6a461d7a..e1e27f7bba 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -184,3 +184,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = local.cluster_peering_name } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 3d493dc4a7..6c7e643132 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -721,3 +721,9 @@ variable "config_connector" { description = "Whether ConfigConnector is enabled for this cluster." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 54e5080862..8a8a961ad2 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -176,6 +176,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -250,6 +251,7 @@ Then perform the following commands on the root folder: | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 7bacc938d8..7bb8f67db2 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -231,6 +231,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 98283ce979..f2a6e28ea8 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf 
@@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 5b6a461d7a..e1e27f7bba 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -184,3 +184,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = local.cluster_peering_name } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 3d493dc4a7..6c7e643132 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -721,3 +721,9 @@ variable "config_connector" { description = "Whether ConfigConnector is enabled for this cluster." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/outputs.tf b/outputs.tf index 232d0b1f29..6ed32741f2 100644 --- a/outputs.tf +++ b/outputs.tf @@ -174,3 +174,8 @@ output "mesh_certificates_config" { ] } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/variables.tf b/variables.tf index 0b47543630..ddfbb6d741 100644 --- a/variables.tf +++ b/variables.tf 
@@ -691,3 +691,9 @@ variable "config_connector" { description = "Whether ConfigConnector is enabled for this cluster." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} From 79a8d68cd2f321f3e94ccc45af142f24d6f65397 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 16:15:47 -0800 Subject: [PATCH 040/176] chore(master): release 30.1.0 (#1865) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 13 +++++++++++++ autogen/main/versions.tf.tmpl | 4 ++-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- modules/beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- .../beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- .../beta-public-cluster-update-variant/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 22 files changed, 37 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 935ede58f0..c2679604a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [30.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.0.0...v30.1.0) (2024-02-26) + + +### Features + +* add direct fleet registration option ([#1878](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1878)) ([6b267bd](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/6b267bd91362cd78e06850a267a04c0fd2427b1c)) +* add optional membership_location to fleet-membership ([#1860](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1860)) ([163de39](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/163de3917b3973cab9eeca83054e718c195bff14)) + + +### Bug Fixes + +* handle missing fleet membership and extend asm timeout ([#1880](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1880)) ([22896b0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/22896b0835a4f68aed92c5330c1e9a65faa97a1c)) + ## [30.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v29.0.0...v30.0.0) (2024-01-31) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 3b93e48cc9..707a3b2747 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" } {% else %} required_providers { 
@@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index 8dd35a33f1..542b84b2b6 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl @@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index c24898975d..557f677e42 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.1.0" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 933f50a41c..161403d4f9 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf 
@@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.1.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index 1c8f405ba7..87862337c5 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf @@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.1.0" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 4ff8f3fb3c..d80b7f0fce 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.1.0" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 1e674be455..ad536dbc26 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.1.0" } } 
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index b432332bd7..7fc2de48e4 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.1.0" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index ad4034c518..ded29b9a0e 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.1.0" } } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 0e8e0b4f07..2a8c09d960 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.1.0" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 40150b132d..eaea9cbf80 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf 
@@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.1.0" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index de201913b2..fea953ed24 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.1.0" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 2fccb43e5b..4962a916f8 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.1.0" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index 72acc25d2c..a497d17c02 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.1.0" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 5cb3f64e62..c953d4c17a 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.1.0" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 1bff64386b..0cc68f07f8 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.1.0" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index bf4ad323fa..e7f7ab6a9c 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.1.0" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index ae90c16d2f..648847290e 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.1.0" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 1f79600450..2f0d9ef972 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf 
@@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.1.0" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 175a49c973..34aa4cb45c 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.1.0" } } diff --git a/versions.tf b/versions.tf index 00bbe68445..65c47efec4 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.1.0" } } From 59d36b9c2ce27e2830f174afe8dd42416b664833 Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Thu, 7 Mar 2024 16:02:35 -0800 Subject: [PATCH 041/176] feat: add cross project fleet service agent (#1896) --- autogen/main/cluster.tf.tmpl | 4 ++++ autogen/main/sa.tf.tmpl | 16 ++++++++++++++++ autogen/main/variables.tf.tmpl | 8 ++++++++ modules/beta-autopilot-private-cluster/README.md | 1 + .../beta-autopilot-private-cluster/cluster.tf | 2 ++ modules/beta-autopilot-private-cluster/sa.tf | 14 ++++++++++++++ .../beta-autopilot-private-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 2 ++ modules/beta-autopilot-public-cluster/sa.tf | 14 ++++++++++++++ .../beta-autopilot-public-cluster/variables.tf | 6 ++++++ .../README.md | 1 + .../cluster.tf | 2 ++ .../beta-private-cluster-update-variant/sa.tf | 14 ++++++++++++++ .../variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 2 ++ modules/beta-private-cluster/sa.tf | 14 ++++++++++++++ modules/beta-private-cluster/variables.tf | 6 ++++++ .../beta-public-cluster-update-variant/README.md | 1 + .../cluster.tf | 2 ++ modules/beta-public-cluster-update-variant/sa.tf | 14 ++++++++++++++ .../variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 2 ++ modules/beta-public-cluster/sa.tf | 14 ++++++++++++++ modules/beta-public-cluster/variables.tf | 6 ++++++ 27 files changed, 166 insertions(+) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 1228e29a95..b1c1ec3860 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -584,6 +584,10 @@ resource "google_container_cluster" "primary" { } } {% endif %} + {% if beta_cluster %} + + depends_on = [google_project_iam_member.service_agent] + {% endif %} } {% if autopilot_cluster != true %} /****************************************** 
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl
index 1ab198a8b5..a775fbe6af 100644
--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -65,3 +65,19 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+{% if beta_cluster %}
+
+resource "google_project_service_identity" "fleet_project" {
+ count = var.fleet_project_grant_service_agent ? 1 : 0
+ provider = google-beta
+ project = var.fleet_project
+ service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+ for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+ project = var.project_id
+ role = each.value
+ member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
+{% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index e625e3d4ce..71c3214e3e 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -863,3 +863,11 @@ variable "fleet_project" {
 type = string
 default = null
 }
+{% if beta_cluster %}
+
+variable "fleet_project_grant_service_agent" {
+ description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+ type = bool
+ default = false
+}
+{% endif %}
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index ff40b31c79..4d2b5d81c4 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
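Review bot: `project = var.fleet_project` on the new `google_project_service_identity.fleet_project` resource is not guarded against `fleet_project` being null while `fleet_project_grant_service_agent` is true; in that case the provider's default project is used, so the gkehub service identity of whichever project the provider happens to be configured for is created and then granted `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` on `var.project_id`, a cross-project trust to an identity the caller never named. I would fail the plan instead with a `lifecycle { precondition { ... } }` on the service identity resource whose `condition = var.fleet_project != null` and whose error message states that `fleet_project_grant_service_agent` requires `fleet_project` (needs Terraform >= 1.2; a `validation` block on one variable cannot reference another before Terraform 1.9). The description in the variables.tf.tmpl hunk should also say the flag has no effect without `fleet_project` and names the project that receives the grant. The same two resources are repeated verbatim in the per-module sa.tf hunks later on this page.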
@@ -99,6 +99,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index ae074625a1..b0af2e3623 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -268,4 +268,6 @@ resource "google_container_cluster" "primary" { topic = var.notification_config_topic } } + + depends_on = [google_project_iam_member.service_agent] } diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-autopilot-private-cluster/sa.tf +++ b/modules/beta-autopilot-private-cluster/sa.tf 
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 35325d6774..b1987188b4 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -466,3 +466,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 198fde422e..81f6883bbd 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -90,6 +90,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 39b4c57bbe..43878c77b2 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -249,4 +249,6 @@ resource "google_container_cluster" "primary" { topic = var.notification_config_topic } } + + depends_on = [google_project_iam_member.service_agent] } diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-autopilot-public-cluster/sa.tf +++ b/modules/beta-autopilot-public-cluster/sa.tf 
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 0d3c5cdd5c..29a3db949b 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -436,3 +436,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 3e31d9d529..b8660aa0d4 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -212,6 +212,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 4057938a0a..07e0ee937b 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -500,6 +500,8 @@ resource "google_container_cluster" "primary" { } } } + + depends_on = [google_project_iam_member.service_agent] } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-private-cluster-update-variant/sa.tf +++ b/modules/beta-private-cluster-update-variant/sa.tf 
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index eeefad4291..558d1b9118 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -817,3 +817,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index b9379d4554..6edc2525f4 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -190,6 +190,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index c702c838e7..12807cbdc7 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -500,6 +500,8 @@ resource "google_container_cluster" "primary" { } } } + + depends_on = [google_project_iam_member.service_agent] } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf 
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index eeefad4291..558d1b9118 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -817,3 +817,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 4b30d2352a..61d34f1e25 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -203,6 +203,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 12d39c2ed7..bfbf11d527 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -481,6 +481,8 @@ resource "google_container_cluster" "primary" { } } } + + depends_on = [google_project_iam_member.service_agent] } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-public-cluster-update-variant/sa.tf +++ b/modules/beta-public-cluster-update-variant/sa.tf 
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index ff2f84c094..40023d59b2 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -787,3 +787,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 8c4288e7f0..1019f74e73 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -181,6 +181,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 779c0e19c8..da18df1fc0 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -481,6 +481,8 @@ resource "google_container_cluster" "primary" { } } } + + depends_on = [google_project_iam_member.service_agent] } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf 
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index ff2f84c094..40023d59b2 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -787,3 +787,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} From af354afdf13b336014cefbfe8f848e52c17d4415 Mon Sep 17 00:00:00 2001 
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 10:28:24 -0800 Subject: [PATCH 042/176] chore(master): release 30.2.0 (#1897) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 7 +++++++ autogen/main/versions.tf.tmpl | 4 ++-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- modules/beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- modules/beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- modules/beta-public-cluster-update-variant/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 22 files changed, 31 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2679604a6..48369da056 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [30.2.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.1.0...v30.2.0) (2024-03-08) + + +### Features + +* add cross project fleet service agent ([#1896](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1896)) ([59d36b9](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/59d36b9c2ce27e2830f174afe8dd42416b664833)) + ## [30.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.0.0...v30.1.0) (2024-02-26) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 707a3b2747..c0668b2330 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.2.0" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.2.0" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index 542b84b2b6..3135a334e1 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl 
@@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.2.0" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index 557f677e42..fa8aea6590 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.2.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.2.0" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 161403d4f9..c97e274253 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.2.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.2.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index 87862337c5..ae15435ef5 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf 
@@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.2.0" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index d80b7f0fce..41dd788f36 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.2.0" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index ad536dbc26..a9fd481366 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.2.0" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 7fc2de48e4..420dfc7b60 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.2.0" } } 
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index ded29b9a0e..25e552d1d0 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.2.0" } } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 2a8c09d960..8af82e5096 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.2.0" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index eaea9cbf80..ea131cbe79 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.2.0" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index fea953ed24..6bc50b416d 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf 
@@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.2.0" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 4962a916f8..4529032fc3 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.2.0" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index a497d17c02..a771cb95e3 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.2.0" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index c953d4c17a..b90321600d 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.2.0" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 0cc68f07f8..db427f19ea 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.2.0" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index e7f7ab6a9c..5a1a57f882 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.2.0" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index 648847290e..70b588b4de 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.2.0" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 2f0d9ef972..00f96eee6f 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf @@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.2.0" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 34aa4cb45c..48076ba01f 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf 
@@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.2.0" } } diff --git a/versions.tf b/versions.tf index 65c47efec4..202e0d1965 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.2.0" } } From af43bddeaa5902681c0012b7ea724937b161fad6 Mon Sep 17 00:00:00 2001 From: Amina Mansour Date: Thu, 14 Mar 2024 17:11:24 -0700 Subject: [PATCH 043/176] fix: make master_ipv4_cidr_block optional for autopilot (#1902) --- autogen/main/variables.tf.tmpl | 6 +++++- examples/simple_autopilot_private/main.tf | 1 - examples/simple_autopilot_private_non_default_sa/main.tf | 1 - modules/beta-autopilot-private-cluster/README.md | 2 +- modules/beta-autopilot-private-cluster/variables.tf | 4 ++-- modules/beta-private-cluster-update-variant/README.md | 2 +- modules/beta-private-cluster-update-variant/variables.tf | 2 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/variables.tf | 2 +- modules/private-cluster-update-variant/README.md | 2 +- modules/private-cluster-update-variant/variables.tf | 2 +- modules/private-cluster/README.md | 2 +- modules/private-cluster/variables.tf | 2 +- 13 files changed, 16 insertions(+), 14 deletions(-) diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 71c3214e3e..009c181324 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
@@ -441,8 +441,12 @@ variable "enable_private_nodes" {
 variable "master_ipv4_cidr_block" {
 type = string
- description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
+ description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
+ {% if autopilot_cluster == true%}
+ default = null
+ {% else %}
 default = "10.0.0.0/28"
+ {% endif %}
 }
 variable "master_global_access_enabled" {
diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf
index ee628d8459..125ba24706 100644
--- a/examples/simple_autopilot_private/main.tf
+++ b/examples/simple_autopilot_private/main.tf
@@ -49,7 +49,6 @@ module "gke" {
 enable_vertical_pod_autoscaling = true
 enable_private_endpoint = true
 enable_private_nodes = true
- master_ipv4_cidr_block = "172.16.0.0/28"
 network_tags = [local.cluster_type]
 deletion_protection = false
diff --git a/examples/simple_autopilot_private_non_default_sa/main.tf b/examples/simple_autopilot_private_non_default_sa/main.tf
index 1da730e987..b9ff6e92a5 100644
--- a/examples/simple_autopilot_private_non_default_sa/main.tf
+++ b/examples/simple_autopilot_private_non_default_sa/main.tf
@@ -49,7 +49,6 @@ module "gke" {
 enable_vertical_pod_autoscaling = true
 enable_private_endpoint = true
 enable_private_nodes = true
- master_ipv4_cidr_block = "172.16.0.0/28"
 deletion_protection = false
 master_authorized_networks = [
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 4d2b5d81c4..e7fc994480 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
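Review bot: The description now reads "Optional for Autopilot clusters." in every module generated from this template, including the non-autopilot ones whose default stays `"10.0.0.0/28"` (the same text lands in the variables.tf hunks for beta-private-cluster-update-variant, beta-private-cluster, private-cluster-update-variant and private-cluster in this commit), so readers of those modules are told about an option that does not apply to them. Since the default is already switched on `autopilot_cluster`, the sentence could be guarded the same way, or the text could state both cases, e.g. `description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Defaults to 10.0.0.0/28 for Standard clusters; may be left null for Autopilot clusters, in which case the range is assigned by GKE."` — that null lets GKE choose the range is inferred from the example pins being removed, not shown here, so confirm before wording it that way. Operators of private clusters commonly reference this range in firewall rules that admit control-plane traffic to nodes, so the description should also say that with a null default the effective range has to be read from the created cluster rather than assumed. The template tag `{% if autopilot_cluster == true%}` also lacks the space before `%}` that `{% else %}` and `{% endif %}` carry.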
@@ -117,7 +117,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
+| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `null` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index b1987188b4..faa9d3d1f7 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -283,8 +283,8 @@ variable "enable_private_nodes" {
 variable "master_ipv4_cidr_block" {
 type = string
- description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
- default = "10.0.0.0/28"
+ description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
+ default = null
 }
 variable "master_global_access_enabled" {
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index b8660aa0d4..9fc4f48564 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -239,7 +239,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
+| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 558d1b9118..d149edca13 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -423,7 +423,7 @@ variable "enable_private_nodes" {
 variable "master_ipv4_cidr_block" {
 type = string
- description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
+ description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
 default = "10.0.0.0/28"
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 6edc2525f4..df855450e7 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -217,7 +217,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
+| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 558d1b9118..d149edca13 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -423,7 +423,7 @@ variable "enable_private_nodes" {
 variable "master_ipv4_cidr_block" {
 type = string
- description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
+ description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
 default = "10.0.0.0/28"
 }
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index c8c38ed6ec..ddd8cc56e6 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -222,7 +222,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
+| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 6c7e643132..e0884739d7 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -417,7 +417,7 @@ variable "enable_private_nodes" {
 variable "master_ipv4_cidr_block" {
 type = string
- description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
+ description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
 default = "10.0.0.0/28"
 }
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 8a8a961ad2..91d314167f 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -200,7 +200,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no |
+| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 6c7e643132..e0884739d7 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -417,7 +417,7 @@ variable "enable_private_nodes" {
 variable "master_ipv4_cidr_block" {
 type = string
- description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
+ description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
 default = "10.0.0.0/28"
 }
From a0591e9f101ca864366cb7f44dc145a2d306affb Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 21 Mar 2024 23:02:27 +0000
Subject: [PATCH 044/176] chore(deps): Update go modules and/or dev-tools (#1889)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 test/integration/go.mod | 10 +++++-----
 test/integration/go.sum | 20 ++++++++++----------
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/test/integration/go.mod b/test/integration/go.mod
index fdc5577793..342f622d96 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -5,9 +5,10 @@ go 1.21
 toolchain go1.21.5
 require (
- github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.12.1
+ github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.1
 github.com/gruntwork-io/terratest v0.46.11
- github.com/stretchr/testify v1.8.4
+ github.com/stretchr/testify v1.9.0
+ github.com/tidwall/gjson v1.17.1
 )
 require (
@@ -71,7 +72,6 @@ require (
 github.com/pquerna/otp v1.4.0 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
- github.com/tidwall/gjson v1.17.0 // indirect
 github.com/tidwall/match v1.1.1 // indirect
 github.com/tidwall/pretty v1.2.1 // indirect
 github.com/tidwall/sjson v1.2.5 // indirect
@@ -82,7 +82,7 @@ require (
 github.com/zclconf/go-cty v1.14.0 // indirect
 go.opencensus.io v0.24.0 // indirect
 golang.org/x/crypto v0.17.0 // indirect
- golang.org/x/mod v0.15.0 // indirect
+ golang.org/x/mod v0.16.0 // indirect
 golang.org/x/net v0.17.0 // indirect
 golang.org/x/oauth2 v0.12.0 // indirect
 golang.org/x/sync v0.4.0 // indirect
@@ -97,7 +97,7 @@ require (
 google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
 google.golang.org/grpc v1.58.3 // indirect
- google.golang.org/protobuf v1.31.0 // indirect
+ google.golang.org/protobuf v1.33.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/test/integration/go.sum b/test/integration/go.sum
index f2743cd309..0549f453d9 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.12.1 h1:4K4HIuu95U6A56orD4LAX+yabfUmIRaoUV0JJWOZPjE=
-github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.12.1/go.mod h1:iipeDC0VhxKtIVOZyz0ofiJ2x6sh9+VYEbG3JKsPqPw=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.1 h1:8eKlk/DQeXPb6ITTLLWk/LdmyC9FRNMQF2ZR0sKaGEA=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.1/go.mod h1:jIatwk/2sLSDtnMaExpzZpQVuBbEhx+NeiP1obo/IlY=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
@@ -487,11 +487,11 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
-github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U=
+github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
@@ -570,8 +570,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
-golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
+golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1036,8 +1036,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
From 19e9c0d944ed3395d8832d348758df11b93123ef Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 22 Mar 2024 00:05:22 +0000
Subject: [PATCH 045/176] chore(deps): Update nginx Docker tag to v1.25.4 (#1877)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 examples/deploy_service/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf
index a36e40b5fa..e80252d2a9 100644
--- a/examples/deploy_service/main.tf
+++ b/examples/deploy_service/main.tf
@@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" {
 spec {
 container {
- image = "nginx:1.25.3"
+ image = "nginx:1.25.4"
 name = "nginx-example"
 }
 }
From 15b472fafc6b63afb0b52acec56cea8fd5c25cdf Mon Sep 17 00:00:00 2001
From: Mikael Bergemalm
Date: Tue, 2 Apr 2024 00:09:58 +0200
Subject: [PATCH 046/176] feat(safer-clusters): add components selection for monitoring (#1851)
---
 README.md | 2 +-
 autogen/main/variables.tf.tmpl | 2 +-
 autogen/safer-cluster/main.tf.tmpl | 1 +
 autogen/safer-cluster/variables.tf.tmpl | 6 ++++++
 modules/beta-private-cluster-update-variant/README.md | 2 +-
 modules/beta-private-cluster-update-variant/variables.tf | 2 +-
 modules/beta-private-cluster/README.md | 2 +-
 modules/beta-private-cluster/variables.tf | 2 +-
 modules/beta-public-cluster-update-variant/README.md | 2 +-
 modules/beta-public-cluster-update-variant/variables.tf | 2 +-
 modules/beta-public-cluster/README.md | 2 +-
 modules/beta-public-cluster/variables.tf | 2 +-
 modules/private-cluster-update-variant/README.md | 2 +-
 modules/private-cluster-update-variant/variables.tf | 2 +-
 modules/private-cluster/README.md | 2 +-
 modules/private-cluster/variables.tf | 2 +-
 modules/safer-cluster-update-variant/README.md | 1 +
 modules/safer-cluster-update-variant/main.tf | 1 +
 modules/safer-cluster-update-variant/variables.tf | 6 ++++++
 modules/safer-cluster/README.md | 1 +
 modules/safer-cluster/main.tf | 1 +
 modules/safer-cluster/variables.tf | 6 ++++++
 variables.tf | 2 +-
 23 files changed, 38 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 23a04c47f5..3a32d1bf16 100644
--- a/README.md
+++ b/README.md
@@ -192,7 +192,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 009c181324..d51049dda8 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -762,7 +762,7 @@ variable "monitoring_observability_metrics_relay_mode" {
 variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
 default = []
 }
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 3146875d47..5a156c7ccc 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -108,6 +108,7 @@ module "gke" {
 monitoring_service = var.monitoring_service
 monitoring_enable_managed_prometheus = var.monitoring_enable_managed_prometheus
+ monitoring_enabled_components = var.monitoring_enabled_components
 // We never use the default service account for the cluster. The default
 // project/editor permissions can create problems if nodes were to be ever
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 0f21e99a4e..2eae51d4bd 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -280,6 +280,12 @@ variable "monitoring_enable_managed_prometheus" {
 default = false
 }
+variable "monitoring_enabled_components" {
+ type = list(string)
+ description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ default = []
+}
+
 variable "grant_registry_access" {
 type = bool
 description = "Grants created cluster-specific service account storage.objectViewer role."
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 9fc4f48564..59928f5727 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
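Review bot: The new `monitoring_enabled_components` variable in autogen/safer-cluster/variables.tf.tmpl names SYSTEM_COMPONENTS and WORKLOADS in its description, but nothing constrains the value, so a misspelt component name is only rejected by the provider at apply time, and the safer-cluster wrapper in main.tf.tmpl forwards the list to the inner module unchanged. If the safer-cluster profile is meant to accept exactly those two, a `validation` block on the variable rejects anything else at plan time, e.g. `condition = alltrue([for c in var.monitoring_enabled_components : contains(["SYSTEM_COMPONENTS", "WORKLOADS"], c)])` with a matching `error_message`. If the list is not meant to be exhaustive (the provider presumably accepts further component names — confirm), the description should say so rather than imply a closed set. Either way it would help to state what "default GKE configuration" covers for an empty list, since a hardened profile's users will want to know which control-plane metrics they keep when they leave the variable unset.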
@@ -242,7 +242,7 @@ Then perform the following commands on the root folder:
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index d149edca13..da27ee2987 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -724,7 +724,7 @@ variable "monitoring_observability_metrics_relay_mode" {
 variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
 default = []
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index df855450e7..eb8cd242d5 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -220,7 +220,7 @@ Then perform the following commands on the root folder:
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index d149edca13..da27ee2987 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -724,7 +724,7 @@ variable "monitoring_observability_metrics_relay_mode" {
 variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
 default = []
 }
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 61d34f1e25..441d037ea3 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -231,7 +231,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 40023d59b2..7b4e00fbd4 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -694,7 +694,7 @@ variable "monitoring_observability_metrics_relay_mode" { variable "monitoring_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." default = [] } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 1019f74e73..204655192c 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -209,7 +209,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 40023d59b2..7b4e00fbd4 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -694,7 +694,7 @@ variable "monitoring_observability_metrics_relay_mode" { variable "monitoring_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." default = [] } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index ddd8cc56e6..94d9e279e3 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -225,7 +225,7 @@ Then perform the following commands on the root folder:
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index e0884739d7..5ae12a9dea 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -700,7 +700,7 @@ variable "monitoring_observability_metrics_relay_mode" { variable "monitoring_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." default = [] } diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 91d314167f..e50a5ee953 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -203,7 +203,7 @@ Then perform the following commands on the root folder:
 | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index e0884739d7..5ae12a9dea 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -700,7 +700,7 @@ variable "monitoring_observability_metrics_relay_mode" { variable "monitoring_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." default = [] } diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index 8aa383cec1..274199a59f 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
@@ -249,6 +249,7 @@ For simplicity, we suggest using `roles/container.admin` and | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | +| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster | `string` | n/a | yes | | network | The VPC network to host the cluster in | `string` | n/a | yes | diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 3da128f44e..f79239f47d 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -104,6 +104,7 @@ module "gke" { monitoring_service = var.monitoring_service monitoring_enable_managed_prometheus = var.monitoring_enable_managed_prometheus + monitoring_enabled_components = var.monitoring_enabled_components // We never use the default service account for the cluster. The default // project/editor permissions can create problems if nodes were to be ever 
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 2b51a97541..c98da16f81 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -280,6 +280,12 @@ variable "monitoring_enable_managed_prometheus" { default = false } +variable "monitoring_enabled_components" { + type = list(string) + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + default = [] +} + variable "grant_registry_access" { type = bool description = "Grants created cluster-specific service account storage.objectViewer role." diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index 8aa383cec1..274199a59f 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
@@ -249,6 +249,7 @@ For simplicity, we suggest using `roles/container.admin` and | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | (Beta) Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | +| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster | `string` | n/a | yes | | network | The VPC network to host the cluster in | `string` | n/a | yes | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 67a3a54ed4..ac8b6d9409 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -104,6 +104,7 @@ module "gke" { monitoring_service = var.monitoring_service monitoring_enable_managed_prometheus = var.monitoring_enable_managed_prometheus + monitoring_enabled_components = var.monitoring_enabled_components // We never use the default service account for the cluster. The default // project/editor permissions can create problems if nodes were to be ever 
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 2b51a97541..c98da16f81 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -280,6 +280,12 @@ variable "monitoring_enable_managed_prometheus" { default = false } +variable "monitoring_enabled_components" { + type = list(string) + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + default = [] +} + variable "grant_registry_access" { type = bool description = "Grants created cluster-specific service account storage.objectViewer role." diff --git a/variables.tf b/variables.tf index ddfbb6d741..9e97443705 100644 --- a/variables.tf +++ b/variables.tf @@ -670,7 +670,7 @@ variable "monitoring_observability_metrics_relay_mode" { variable "monitoring_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." default = [] } From 165446ca5bf1fb10f993df090ab5ac22f4ba7514 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 2 Apr 2024 22:10:22 +0000 Subject: [PATCH 047/176] chore(deps): Update go modules and/or dev-tools (#1914) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 4 ++-- test/integration/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 342f622d96..d5828f9c0a 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod 
@@ -5,8 +5,8 @@ go 1.21 toolchain go1.21.5 require ( - github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.1 - github.com/gruntwork-io/terratest v0.46.11 + github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2 + github.com/gruntwork-io/terratest v0.46.13 github.com/stretchr/testify v1.9.0 github.com/tidwall/gjson v1.17.1 ) diff --git a/test/integration/go.sum b/test/integration/go.sum index 0549f453d9..5bafcdb72a 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum @@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.1 h1:8eKlk/DQeXPb6ITTLLWk/LdmyC9FRNMQF2ZR0sKaGEA= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.1/go.mod h1:jIatwk/2sLSDtnMaExpzZpQVuBbEhx+NeiP1obo/IlY= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2 h1:DQS5D0xaV1SVFNoGvHdYB0wYeZ24D9hVeFiLG2+r06I= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2/go.mod h1:uomWciQn6oAotW86ck0b0ix+sUeZHSXyS+IYAVFTPj8= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
@@ -376,8 +376,8 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0= github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk= -github.com/gruntwork-io/terratest v0.46.11 h1:1Z9G18I2FNuH87Ro0YtjW4NH9ky4GDpfzE7+ivkPeB8= -github.com/gruntwork-io/terratest v0.46.11/go.mod h1:DVZG/s7eP1u3KOQJJfE6n7FDriMWpDvnj85XIlZMEM8= +github.com/gruntwork-io/terratest v0.46.13 h1:FDaEoZ7DtkomV8pcwLdBV/VsytdjnPRqJkIriYEYwjs= +github.com/gruntwork-io/terratest v0.46.13/go.mod h1:8sxu3Qup8TxtbzOHzq0MUrQffJj/G61/OwlsReaCwpo= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= From f864e8add729b799529f5ede187347ed5cebd5f9 Mon Sep 17 00:00:00 2001 
From: Awais Malik Date: Wed, 3 Apr 2024 11:35:38 -0700 Subject: [PATCH 048/176] feat: network tags for autoprovisioned node pools (#1920) --- README.md | 1 + autogen/main/cluster.tf.tmpl | 11 +++++++++++ autogen/main/variables.tf.tmpl | 5 ++--- cluster.tf | 9 +++++++++ modules/beta-autopilot-private-cluster/README.md | 2 +- modules/beta-autopilot-private-cluster/cluster.tf | 1 + modules/beta-autopilot-private-cluster/variables.tf | 3 ++- modules/beta-autopilot-public-cluster/README.md | 2 +- modules/beta-autopilot-public-cluster/cluster.tf | 1 + modules/beta-autopilot-public-cluster/variables.tf | 3 ++- modules/beta-private-cluster-update-variant/README.md | 1 + .../beta-private-cluster-update-variant/cluster.tf | 9 +++++++++ .../beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 9 +++++++++ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 9 +++++++++ .../beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 9 +++++++++ modules/beta-public-cluster/variables.tf | 6 ++++++ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 9 +++++++++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 9 +++++++++ modules/private-cluster/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 29 files changed, 133 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 3a32d1bf16..c0bb7e6291 100644 --- a/README.md +++ b/README.md 
@@ -200,6 +200,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index b1c1ec3860..a8b1e47954 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -239,6 +239,17 @@ resource "google_container_cluster" "primary" { } {% endif %} +{% if autopilot_cluster != true %} + dynamic "node_pool_auto_config" { + for_each = var.cluster_autoscaling.enabled && length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } +{% endif %} + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index d51049dda8..c8762a661d 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -306,13 +306,12 @@ variable "node_pools_oauth_scopes" { } {% endif %} -{% if autopilot_cluster %} variable "network_tags" { - description = "(Optional, Beta) - List of network tags applied to auto-provisioned node pools." + description = "(Optional) - List of network tags applied to auto-provisioned node pools." type = list(string) default = [] } -{% endif %} + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/cluster.tf b/cluster.tf index 2236446061..c1cad5be79 100644 --- a/cluster.tf +++ b/cluster.tf @@ -160,6 +160,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "node_pool_auto_config" { + for_each = var.cluster_autoscaling.enabled && length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index e7fc994480..7f894a0c94 100644 
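Review bot: The new `node_pool_auto_config` block in the autogen/main/cluster.tf.tmpl hunk is gated on `var.cluster_autoscaling.enabled`, so a non-empty `network_tags` value is silently dropped whenever node auto-provisioning is disabled, and the `network_tags` description in the autogen/main/variables.tf.tmpl hunk on this same line does not mention that condition. Network tags are what select the VPC firewall rules that apply to these nodes, so an operator who sets tags expecting a specific firewall posture and gets none has no signal that anything is wrong. I would state the gate in the description, `description = "(Optional) - List of network tags applied to auto-provisioned node pools. Only applied when cluster_autoscaling.enabled is true; ignored otherwise."`, and put a one-line `//` comment above the `dynamic "node_pool_auto_config"` block saying the same. The identical block in the cluster.tf hunk on this line and in the generated cluster.tf hunks for modules/beta-private-cluster-update-variant, modules/beta-private-cluster and modules/beta-public-cluster-update-variant later in this patch carry the same gap. The `{% if autopilot_cluster != true %}` guard means the autopilot modules keep the variable but receive no block here; how the tags reach Autopilot clusters is outside what this hunk shows.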
--- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -121,7 +121,7 @@ Then perform the following commands on the root folder: | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| network\_tags | (Optional, Beta) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index b0af2e3623..397c7755b9 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -107,6 +107,7 @@ resource "google_container_cluster" "primary" { } } + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index faa9d3d1f7..02d8e12e48 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -174,10 +174,11 @@ variable "enable_resource_consumption_export" { variable "network_tags" { - description = "(Optional, Beta) - List of network tags applied to auto-provisioned node pools." + description = "(Optional) - List of network tags applied to auto-provisioned node pools." type = list(string) default = [] } + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 81f6883bbd..7ff4ee1cdb 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -110,7 +110,7 @@ Then perform the following commands on the root folder: | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | -| network\_tags | (Optional, Beta) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 43878c77b2..01ea54baf4 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -107,6 +107,7 @@ resource "google_container_cluster" "primary" { } } + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 29a3db949b..fc10df626c 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -174,10 +174,11 @@ variable "enable_resource_consumption_export" { variable "network_tags" { - description = "(Optional, Beta) - List of network tags applied to auto-provisioned node pools." + description = "(Optional) - List of network tags applied to auto-provisioned node pools." type = list(string) default = [] } + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 59928f5727..1315894262 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -250,6 +250,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 07e0ee937b..81b1d97937 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -185,6 +185,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "node_pool_auto_config" { + for_each = var.cluster_autoscaling.enabled && length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index da27ee2987..bb0624e41e 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -300,6 +300,12 @@ variable "node_pools_oauth_scopes" { } } +variable "network_tags" { + description = "(Optional) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index eb8cd242d5..7bd4dde460 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -228,6 +228,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 12807cbdc7..8e67389f51 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -185,6 +185,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "node_pool_auto_config" { + for_each = var.cluster_autoscaling.enabled && length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index da27ee2987..bb0624e41e 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -300,6 +300,12 @@ variable "node_pools_oauth_scopes" { } } +variable "network_tags" { + description = "(Optional) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 441d037ea3..3918b354a1 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -239,6 +239,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index bfbf11d527..bff413ee9f 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -185,6 +185,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "node_pool_auto_config" { + for_each = var.cluster_autoscaling.enabled && length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 7b4e00fbd4..73cb2c1311 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -300,6 +300,12 @@ variable "node_pools_oauth_scopes" { } } +variable "network_tags" { + description = "(Optional) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 204655192c..37853e7e76 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -217,6 +217,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index da18df1fc0..96879d12d7 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -185,6 +185,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "node_pool_auto_config" { + for_each = var.cluster_autoscaling.enabled && length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 7b4e00fbd4..73cb2c1311 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -300,6 +300,12 @@ variable "node_pools_oauth_scopes" { } } +variable "network_tags" { + description = "(Optional) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 94d9e279e3..399c510441 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -233,6 +233,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index c468560690..f4bb50769b 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -160,6 +160,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "node_pool_auto_config" { + for_each = var.cluster_autoscaling.enabled && length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 5ae12a9dea..4fb1fcc7c1 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -300,6 +300,12 @@ variable "node_pools_oauth_scopes" { } } +variable "network_tags" { + description = "(Optional) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index e50a5ee953..0d9db112d0 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -211,6 +211,7 @@ Then perform the following commands on the root folder: | network\_policy | Enable network policy addon | `bool` | `false` | no | | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | +| network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 7bb8f67db2..3b95e41d60 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -160,6 +160,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "node_pool_auto_config" { + for_each = var.cluster_autoscaling.enabled && length(var.network_tags) > 0 ? [1] : [] + content { + network_tags { + tags = var.network_tags + } + } + } + master_auth { client_certificate_config { issue_client_certificate = var.issue_client_certificate diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 5ae12a9dea..4fb1fcc7c1 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -300,6 +300,12 @@ variable "node_pools_oauth_scopes" { } } +variable "network_tags" { + description = "(Optional) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" diff --git a/variables.tf b/variables.tf index 9e97443705..a671e9b417 100644 --- a/variables.tf +++ b/variables.tf @@ -300,6 +300,12 @@ variable "node_pools_oauth_scopes" { } } +variable "network_tags" { + description = "(Optional) - List of network tags applied to auto-provisioned node pools." + type = list(string) + default = [] +} + variable "stub_domains" { type = map(list(string)) description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server" From e711adbdfd01116c8590370bdc438980daa81eb7 Mon Sep 17 00:00:00 2001 
From: Naveen Mandadhi Date: Thu, 4 Apr 2024 15:12:04 -0500 Subject: [PATCH 049/176] chore: add island-cluster example (#1918) Co-authored-by: Bharath KKB --- .../island_cluster_with_vm_router/README.md | 38 +++ .../island_cluster_with_vm_router/main.tf | 226 ++++++++++++++++++ .../island_cluster_with_vm_router/outputs.tf | 19 ++ .../island_cluster_with_vm_router/router.tf | 51 ++++ .../terraform.tfvars | 29 +++ .../island_cluster_with_vm_router/vars.tf | 64 +++++ .../island_cluster_with_vm_router/versions.tf | 28 +++ 7 files changed, 455 insertions(+) create mode 100644 examples/island_cluster_with_vm_router/README.md create mode 100644 examples/island_cluster_with_vm_router/main.tf create mode 100644 examples/island_cluster_with_vm_router/outputs.tf create mode 100644 examples/island_cluster_with_vm_router/router.tf create mode 100644 examples/island_cluster_with_vm_router/terraform.tfvars create mode 100644 examples/island_cluster_with_vm_router/vars.tf create mode 100644 examples/island_cluster_with_vm_router/versions.tf diff --git a/examples/island_cluster_with_vm_router/README.md b/examples/island_cluster_with_vm_router/README.md new file mode 100644 index 0000000000..e36d8ed115 --- /dev/null +++ b/examples/island_cluster_with_vm_router/README.md 
@@ -0,0 +1,38 @@ +# GKE island cluster using VM as router + +This example provisions a cluster in an island VPC allowing reuse of the IP address space for multiple clusters in the same project. + +1. An appliance(VM as router) with multiple NICs is used to establish connectivity between the island VPC and the existing network. +1. Outbound connections will go through the router. +1. For inbound connections, use Private Service Connect. + +## Deploy + +1. Update `project_id`, `cluster_name` and `primary_subnet` values in `terraform.tfvars`, and update other variables as needed. +1. Run `terraform apply`. + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| cluster\_name | n/a | `string` | n/a | yes | +| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | n/a | yes | +| node\_locations | n/a | `list(string)` | n/a | yes | +| primary\_net\_cidrs | n/a | `list(string)` | n/a | yes | +| primary\_subnet | n/a | `string` | n/a | yes | +| project\_id | n/a | `string` | n/a | yes | +| proxy\_subnet\_cidr | n/a | `string` | n/a | yes | +| psc\_subnet\_cidr | n/a | `string` | n/a | yes | +| region | n/a | `string` | n/a | yes | +| router\_machine\_type | n/a | `string` | n/a | yes | +| secondary\_ranges | n/a | `map(string)` | n/a | yes | +| subnet\_cidr | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| cluster\_id | n/a | + + diff --git a/examples/island_cluster_with_vm_router/main.tf b/examples/island_cluster_with_vm_router/main.tf new file mode 100644 index 0000000000..86ce138888 --- /dev/null +++ b/examples/island_cluster_with_vm_router/main.tf 
@@ -0,0 +1,226 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +resource "random_id" "rand" { + byte_length = 4 +} + +resource "google_service_account" "gke-sa" { + account_id = "gke-sa-${random_id.rand.hex}" + project = var.project_id +} + +module "net" { + source = "terraform-google-modules/network/google" + version = "~> 9.0" + + network_name = "gke-net-${random_id.rand.hex}" + routing_mode = "GLOBAL" + project_id = var.project_id + delete_default_internet_gateway_routes = true + + subnets = [ + { + subnet_name = "${var.cluster_name}-${var.region}-snet" + subnet_ip = var.subnet_cidr + subnet_region = var.region + subnet_private_access = "true" + }, + { + subnet_name = "${var.cluster_name}-${var.region}-proxy-snet" + subnet_ip = var.proxy_subnet_cidr + subnet_region = var.region + purpose = "REGIONAL_MANAGED_PROXY" + role = "ACTIVE" + }, + { + subnet_name = "${var.cluster_name}-${var.region}-psc-snet" + subnet_ip = var.psc_subnet_cidr + subnet_region = var.region + subnet_private_access = "true" + purpose = "PRIVATE_SERVICE_CONNECT" + } + ] + + secondary_ranges = { + "${var.cluster_name}-${var.region}-snet" = [ + { + range_name = "${var.cluster_name}-${var.region}-snet-pods" + ip_cidr_range = var.secondary_ranges["pods"] + }, + { + range_name = "${var.cluster_name}-${var.region}-snet-services" + ip_cidr_range = var.secondary_ranges["services"] + }, + ] + } + + routes = flatten([ + [for k, v in 
var.primary_net_cidrs : + { + name = "${var.cluster_name}-egress-gke-${k}" + description = "egress through the router for range ${v}" + destination_range = v + tags = "gke-${random_id.rand.hex}" + next_hop_instance = google_compute_instance.vm.self_link + priority = 100 + } + ], + [ + { + name = "${var.cluster_name}-default-igw" + description = "internet through the router" + destination_range = "0.0.0.0/0" + tags = "gke-${random_id.rand.hex}" + next_hop_instance = google_compute_instance.vm.self_link + priority = 100 + } + ] + ]) + + firewall_rules = [ + { + name = "${var.cluster_name}-iap" + direction = "INGRESS" + allow = [ + { + protocol = "TCP" + ports = ["22"] + } + ] + ranges = ["35.235.240.0/20"] + }, + { + name = "${var.cluster_name}-tcp-primary" + direction = "INGRESS" + allow = [ + { + protocol = "TCP" + } + ] + ranges = [ + var.subnet_cidr, + var.secondary_ranges["pods"] + ] + }, + { + name = "${var.cluster_name}-allow-psc" + direction = "INGRESS" + allow = [ + { + protocol = "TCP" + } + ] + ranges = [var.psc_subnet_cidr] + target_service_accounts = [google_service_account.gke-sa.email] + }, + { + name = "${var.cluster_name}-allow-proxy" + direction = "INGRESS" + allow = [ + { + protocol = "TCP" + } + ] + ranges = [var.proxy_subnet_cidr] + target_service_accounts = [google_service_account.gke-sa.email] + }, + ] +} + +module "gke" { + source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" + version = "~> 30.0" + + depends_on = [google_compute_instance.vm] + + name = var.cluster_name + project_id = var.project_id + region = var.region + release_channel = "RAPID" + zones = var.node_locations + network = module.net.network_name + subnetwork = "${var.cluster_name}-${var.region}-snet" + ip_range_pods = "${var.cluster_name}-${var.region}-snet-pods" + ip_range_services = "${var.cluster_name}-${var.region}-snet-services" + enable_private_endpoint = true + enable_private_nodes = true + datapath_provider = "ADVANCED_DATAPATH" + 
monitoring_enable_managed_prometheus = false + enable_shielded_nodes = true + master_global_access_enabled = false + master_ipv4_cidr_block = var.secondary_ranges["master_cidr"] + master_authorized_networks = var.master_authorized_networks + deletion_protection = false + remove_default_node_pool = true + disable_default_snat = true + gateway_api_channel = "CHANNEL_STANDARD" + + node_pools = [ + { + name = "default" + machine_type = "e2-highcpu-2" + min_count = 1 + max_count = 100 + local_ssd_count = 0 + spot = true + local_ssd_ephemeral_count = 0 + disk_size_gb = 100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + logging_variant = "DEFAULT" + auto_repair = true + auto_upgrade = true + service_account = google_service_account.gke-sa.email + initial_node_count = 1 + enable_secure_boot = true + }, + ] + + node_pools_tags = { + all = ["gke-${random_id.rand.hex}"] + } + + node_pools_oauth_scopes = { + all = [ + "https://www.googleapis.com/auth/logging.write", + "https://www.googleapis.com/auth/monitoring", + ] + } + + timeouts = { + create = "15m" + update = "15m" + delete = "15m" + } +} + +resource "google_gke_hub_membership" "primary" { + provider = google-beta + + project = var.project_id + membership_id = "${var.project_id}-${module.gke.name}" + location = var.region + + endpoint { + gke_cluster { + resource_link = "//container.googleapis.com/${module.gke.cluster_id}" + } + } + authority { + issuer = "https://container.googleapis.com/v1/${module.gke.cluster_id}" + } +} diff --git a/examples/island_cluster_with_vm_router/outputs.tf b/examples/island_cluster_with_vm_router/outputs.tf new file mode 100644 index 0000000000..640692ed75 --- /dev/null +++ b/examples/island_cluster_with_vm_router/outputs.tf 
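Review bot: The `${var.cluster_name}-iap` firewall rule opens TCP 22 from the IAP range `35.235.240.0/20` to every instance in the new VPC, because it carries no `target_tags` or `target_service_accounts`, whereas the PSC and proxy rules just below it are scoped with `target_service_accounts`; only the router VM needs SSH here, so scope it, e.g. `target_tags = ["${var.cluster_name}-router"]` together with a matching `tags` entry on `google_compute_instance.vm` in router.tf (the GKE nodes already carry `gke-${random_id.rand.hex}`, so a distinct tag keeps them out). Separately, `google_service_account.gke-sa` is created in this hunk with no IAM bindings and is passed as the node pool `service_account` with only the logging and monitoring scopes; unless `roles/logging.logWriter` and `roles/monitoring.metricWriter` are granted elsewhere, the nodes will not be able to ship logs or metrics, since as far as I can tell the module grants those roles only to a service account it creates itself.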
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cluster_id" {
+ value = module.gke.cluster_id
+}
diff --git a/examples/island_cluster_with_vm_router/router.tf b/examples/island_cluster_with_vm_router/router.tf
new file mode 100644
index 0000000000..aee86f74cf
--- /dev/null
+++ b/examples/island_cluster_with_vm_router/router.tf
@@ -0,0 +1,51 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_compute_instance" "vm" {
+ project = var.project_id
+ zone = var.node_locations[0]
+ name = "${var.cluster_name}-router-${random_id.rand.hex}"
+ machine_type = var.router_machine_type
+ allow_stopping_for_update = true
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-12"
+ }
+ }
+ can_ip_forward = true
+ shielded_instance_config {
+ enable_secure_boot = true
+ }
+ network_interface {
+ subnetwork = var.primary_subnet
+ }
+ network_interface {
+ subnetwork = module.net.subnets["${var.region}/${var.cluster_name}-${var.region}-snet"]["self_link"]
+ }
+ metadata_startup_script = <<-EOT
+ #!/bin/bash
+ set -ex
+ sudo apt-get update
+ echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
+ sudo sysctl -p
+ sudo iptables -A FORWARD -i ens5 -o ens4 -j ACCEPT
+ sudo iptables -A FORWARD -i ens4 -o ens5 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ GWY_URL="http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway"
+ GWY_IP=$(curl $${GWY_URL} -H "Metadata-Flavor: Google")
+ sudo ip route add ${var.secondary_ranges["pods"]} via $${GWY_IP} dev ens5
+ sudo iptables -t nat -A POSTROUTING -o ens4 -s 0.0.0.0/0 -j MASQUERADE
+ EOT
+}
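Review bot: The two `-A FORWARD` rules in the startup script do not restrict anything on their own, because the FORWARD chain's default policy on a stock Debian image is ACCEPT: the `ESTABLISHED,RELATED` rule for ens4→ens5 only has an effect if everything else on that path is dropped, so as written any host on the primary network that can reach the router's first NIC can be forwarded into the island ranges. Add `sudo iptables -P FORWARD DROP` before the two `-A FORWARD` lines so only the intended direction and its return traffic are forwarded. The script also runs on every boot, and `echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf` appends a duplicate line each time; `sudo sysctl -w net.ipv4.ip_forward=1` (or writing a file under `/etc/sysctl.d` instead of appending) is idempotent. The `ens4`/`ens5` names are hard-coded for nic0/nic1, which holds for the usual Debian GCE images but may not for every NIC driver, so a one-line comment stating that assumption would help the next reader.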
diff --git a/examples/island_cluster_with_vm_router/terraform.tfvars b/examples/island_cluster_with_vm_router/terraform.tfvars
new file mode 100644
index 0000000000..3e9b74c54b
--- /dev/null
+++ b/examples/island_cluster_with_vm_router/terraform.tfvars
@@ -0,0 +1,29 @@
+project_id = ""
+region = "us-central1"
+cluster_name = "gke-island-cluster-test"
+node_locations = [
+ "us-central1-a",
+ "us-central1-b",
+ "us-central1-f"
+]
+subnet_cidr = "100.64.0.0/20"
+router_machine_type = "n2-highcpu-4"
+primary_subnet = "projects//regions//subnetworks/"
+secondary_ranges = {
+ pods = "100.64.64.0/18"
+ services = "100.64.128.0/20"
+ master_cidr = "100.64.144.0/28"
+}
+proxy_subnet_cidr = "100.64.168.0/24"
+psc_subnet_cidr = "100.64.192.0/24"
+master_authorized_networks = [
+ {
+ cidr_block = "100.64.0.0/10"
+ display_name = "cluster net"
+ }
+]
+primary_net_cidrs = [
+ "10.0.0.0/8",
+ "192.168.0.0/16",
+ "172.16.0.0/12"
+]
diff --git a/examples/island_cluster_with_vm_router/vars.tf b/examples/island_cluster_with_vm_router/vars.tf
new file mode 100644
index 0000000000..37cf62d182
--- /dev/null
+++ b/examples/island_cluster_with_vm_router/vars.tf
@@ -0,0 +1,64 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
+
+variable "cluster_name" {
+ type = string
+}
+
+variable "node_locations" {
+ type = list(string)
+}
+
+variable "subnet_cidr" {
+ type = string
+}
+
+variable "psc_subnet_cidr" {
+ type = string
+}
+
+variable "proxy_subnet_cidr" {
+ type = string
+}
+
+variable "secondary_ranges" {
+ type = map(string)
+}
+
+variable "master_authorized_networks" {
+ type = list(object({ cidr_block = string, display_name = string }))
+ description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
+}
+
+variable "primary_subnet" {
+ type = string
+}
+
+variable "primary_net_cidrs" {
+ type = list(string)
+}
+
+variable "router_machine_type" {
+ type = string
+}
diff --git a/examples/island_cluster_with_vm_router/versions.tf b/examples/island_cluster_with_vm_router/versions.tf
new file mode 100644
index 0000000000..7e297ed82e
--- /dev/null
+++ b/examples/island_cluster_with_vm_router/versions.tf
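Review bot: `secondary_ranges` is typed `map(string)`, but main.tf and router.tf index it with the fixed keys `pods`, `services` and `master_cidr`; `type = object({ pods = string, services = string, master_cidr = string })` makes those required keys part of the variable's interface and turns a missing key into a clear error at validation time instead of an invalid-index failure deep in a module call. Every variable except `master_authorized_networks` also lacks a `description`, which is why the README table in this commit shows `n/a` for them; one line each would do, for example `description = "Self link of the existing subnet the router VM's first NIC is attached to."` on `primary_subnet` and `description = "CIDR of the island VPC's primary subnet for the cluster nodes."` on `subnet_cidr`.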
@@ -0,0 +1,28 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.6" + + required_providers { + google = { + source = "hashicorp/google" + } + google-beta = { + source = "hashicorp/google-beta" + } + } +} From da0476af8c2911bbe6bbdea65af59421a4fcd61e Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Thu, 11 Apr 2024 10:31:44 -0700 Subject: [PATCH 050/176] feat: add enable_l4_ilb_subsetting for GA TPG (#1924) --- README.md | 1 + autogen/main/cluster.tf.tmpl | 2 +- autogen/main/variables.tf.tmpl | 12 ++++++------ cluster.tf | 2 ++ .../beta-private-cluster-update-variant/variables.tf | 12 ++++++------ modules/beta-private-cluster/variables.tf | 12 ++++++------ .../beta-public-cluster-update-variant/variables.tf | 12 ++++++------ modules/beta-public-cluster/variables.tf | 12 ++++++------ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 2 ++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 2 ++ modules/private-cluster/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 15 files changed, 58 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index c0bb7e6291..813dc26b28 100644 --- a/README.md +++ b/README.md 
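Review bot: `required_providers` declares only `google` and `google-beta`, yet main.tf in this commit creates a `random_id` resource, so the example relies on Terraform's implicit lookup of the `hashicorp/random` provider; declare it explicitly with `random = { source = "hashicorp/random" }` next to the other two. Neither provider entry carries a `version` constraint either, so consider pinning the versions the example was tested against, as the module blocks in main.tf already do for their own sources.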
@@ -158,6 +158,7 @@ Then perform the following commands on the root folder: | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index a8b1e47954..26dfa604f0 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -206,10 +206,10 @@ resource "google_container_cluster" "primary" { enabled = identity_service_config.value } } + {% endif %} enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting {% endif %} - {% endif %} {% if beta_cluster %} enable_fqdn_network_policy = var.enable_fqdn_network_policy {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index c8762a661d..663a10661b 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -782,6 +782,12 @@ variable "config_connector" { description = "Whether ConfigConnector is enabled for this cluster." default = false } + +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} {% endif %} {% if beta_cluster %} {% if autopilot_cluster != true %} @@ -822,12 +828,6 @@ variable "enable_pod_security_policy" { default = false } -variable "enable_l4_ilb_subsetting" { - type = bool - description = "Enable L4 ILB Subsetting on the cluster" - default = false -} - variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/cluster.tf b/cluster.tf index c1cad5be79..6c6f379c3b 100644 --- a/cluster.tf +++ b/cluster.tf @@ -147,6 +147,8 @@ resource "google_container_cluster" "primary" { enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu + + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index bb0624e41e..03742b1504 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
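Review bot: The description `Enable L4 ILB Subsetting on the cluster` on the `enable_l4_ilb_subsetting` variable that the variables.tf.tmpl hunk moves into the GA section does not say that the setting is one-way; as far as I recall from the GKE documentation, subsetting cannot be disabled on a cluster once it has been enabled, so a caller who tries the newly exposed GA flag cannot back it out without recreating the cluster. Suggest `description = "Enable L4 ILB Subsetting on the cluster. Once enabled, subsetting cannot be disabled without recreating the cluster."` in the template, which the generated copies in the hunks ending at L733, L734 and L736 would then pick up. The template is the source of truth here, so the hand-edited `cluster.tf` and module `variables.tf` hunks in this commit only need to match whatever the template produces.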
@@ -752,6 +752,12 @@ variable "config_connector" { default = false } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + variable "istio" { description = "(Beta) Enable Istio addon" type = bool @@ -788,12 +794,6 @@ variable "enable_pod_security_policy" { default = false } -variable "enable_l4_ilb_subsetting" { - type = bool - description = "Enable L4 ILB Subsetting on the cluster" - default = false -} - variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index bb0624e41e..03742b1504 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -752,6 +752,12 @@ variable "config_connector" { default = false } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + variable "istio" { description = "(Beta) Enable Istio addon" type = bool @@ -788,12 +794,6 @@ variable "enable_pod_security_policy" { default = false } -variable "enable_l4_ilb_subsetting" { - type = bool - description = "Enable L4 ILB Subsetting on the cluster" - default = false -} - variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 73cb2c1311..2490cfd338 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -722,6 +722,12 @@ variable "config_connector" { default = false } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + variable "istio" { description = "(Beta) Enable Istio addon" type = bool @@ -758,12 +764,6 @@ variable "enable_pod_security_policy" { default = false } -variable "enable_l4_ilb_subsetting" { - type = bool - description = "Enable L4 ILB Subsetting on the cluster" - default = false -} - variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 73cb2c1311..2490cfd338 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -722,6 +722,12 @@ variable "config_connector" { default = false } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + variable "istio" { description = "(Beta) Enable Istio addon" type = bool @@ -758,12 +764,6 @@ variable "enable_pod_security_policy" { default = false } -variable "enable_l4_ilb_subsetting" { - type = bool - description = "Enable L4 ILB Subsetting on the cluster" - default = false -} - variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 399c510441..d980cb858f 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -187,6 +187,7 @@ Then perform the following commands on the root folder: | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index f4bb50769b..e8625279b2 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -147,6 +147,8 @@ resource "google_container_cluster" "primary" { enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu + + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { 
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 4fb1fcc7c1..e7e2e0e5d0 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -728,6 +728,12 @@ variable "config_connector" {
 default = false
 }
+variable "enable_l4_ilb_subsetting" {
+ type = bool
+ description = "Enable L4 ILB Subsetting on the cluster"
+ default = false
+}
+
 variable "fleet_project" {
 description = "(Optional) Register the cluster with the fleet in this project."
 type = string
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 0d9db112d0..9fb785d5b9 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
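Review bot: The description on the new `enable_l4_ilb_subsetting` variable only names the feature; if my reading of the GKE documentation is right, L4 ILB subsetting cannot be switched off again once it has been enabled on a cluster, and an operator flipping a `bool` with a `false` default would want that stated before applying. Consider `description = "Enable L4 ILB Subsetting on the cluster. Subsetting cannot be disabled once it has been enabled."` (please verify the wording against the current GKE docs), and make the change in the autogen template these module copies are generated from rather than in this file alone. The same text is added in `modules/private-cluster/variables.tf` and the root `variables.tf` further down, and it is the text the README rows in this commit are rendered from.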
@@ -165,6 +165,7 @@ Then perform the following commands on the root folder: | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 3b95e41d60..67ee8f1e4a 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -147,6 +147,8 @@ resource "google_container_cluster" "primary" { enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu + + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 4fb1fcc7c1..e7e2e0e5d0 100644 
--- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -728,6 +728,12 @@ variable "config_connector" { default = false } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/variables.tf b/variables.tf index a671e9b417..1989020509 100644 --- a/variables.tf +++ b/variables.tf @@ -698,6 +698,12 @@ variable "config_connector" { default = false } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string From f7c2ed9102eca18b0d2233784616c60f81180d72 Mon Sep 17 00:00:00 2001 
From: florianMalbranque <82934052+florianMalbranque@users.noreply.github.com> Date: Fri, 12 Apr 2024 20:16:05 +0200 Subject: [PATCH 051/176] feat: adds local_nvme_ssd_block_config to beta-public-cluster (#1912) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Mateusz Jędrzejewski <33068017+matilote@users.noreply.github.com> Co-authored-by: Mateusz Jędrzejewski Co-authored-by: Amina Mansour --- README.md | 2 ++ autogen/main/README.md | 3 +-- autogen/main/cluster.tf.tmpl | 7 +++++++ cluster.tf | 14 ++++++++++++++ .../beta-private-cluster-update-variant/README.md | 1 + .../beta-private-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 14 ++++++++++++++ .../beta-public-cluster-update-variant/README.md | 1 + .../beta-public-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 14 ++++++++++++++ modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 14 ++++++++++++++ 16 files changed, 116 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 813dc26b28..a94a7c7e07 100644 --- a/README.md +++ b/README.md 
@@ -296,6 +296,8 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index 83227dc2f7..f26716b06e 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -211,9 +211,8 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | -{% if beta_cluster %} | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | -{% endif %} +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 26dfa604f0..f39637ce3c 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -849,6 +849,13 @@ resource "google_container_node_pool" "windows_pools" { } {% endif %} + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/cluster.tf b/cluster.tf index 6c6f379c3b..50a049496d 100644 
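Review bot: The new `local_nvme_ssd_block_config` block in the template always requests exactly one disk: `for_each` iterates the literal list `[1]`, so `local_nvme_ssd_block_config.value` is the constant `1` rather than the pool's configured count, and a node pool that asks for several NVMe disks silently gets one. Keep `for_each` as the on/off switch but take the count from the pool definition, `local_ssd_count = lookup(each.value, "local_nvme_ssd_count", 0)`. The block is copied verbatim into `cluster.tf` and every module `cluster.tf` in this commit, so fixing the template and regenerating covers all of them. Separately, the `autogen/main/README.md` hunk drops the `{% if beta_cluster %}` guard around `local_ssd_ephemeral_count`, so the GA module READMEs now advertise a parameter for which this commit adds no node-pool configuration to the GA `cluster.tf` files; worth confirming the GA modules actually consume it before documenting it there. The new README row also needs a space in `node.Each`.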
--- a/cluster.tf +++ b/cluster.tf @@ -567,6 +567,13 @@ resource "google_container_node_pool" "pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -776,6 +783,13 @@ resource "google_container_node_pool" "windows_pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 1315894262..cbf79f9060 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -361,6 +361,7 @@ The node_pools variable takes the following parameters: | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 81b1d97937..ef9ba2b92e 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -733,6 +733,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", 
@@ -968,6 +975,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 7bd4dde460..0293e59c66 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -339,6 +339,7 @@ The node_pools variable takes the following parameters: | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 8e67389f51..7610189c68 100644 
--- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -658,6 +658,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -892,6 +899,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 3918b354a1..61707e4a3c 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -348,6 +348,7 @@ The node_pools variable takes the following parameters: | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index bff413ee9f..363664a8a8 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -714,6 +714,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", 
@@ -949,6 +956,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 37853e7e76..939fd0f460 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -326,6 +326,7 @@ The node_pools variable takes the following parameters: | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 96879d12d7..3c4f6e7337 100644 
--- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -639,6 +639,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -873,6 +880,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index d980cb858f..603ec000e0 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -331,6 +331,8 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index e8625279b2..badf7356be 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -661,6 +661,13 @@ resource "google_container_node_pool" "pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -871,6 +878,13 @@ resource "google_container_node_pool" "windows_pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 9fb785d5b9..650b1c4b73 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -309,6 +309,8 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 67ee8f1e4a..59f5ecaf73 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -586,6 +586,13 @@ resource "google_container_node_pool" "pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", 
@@ -795,6 +802,13 @@ resource "google_container_node_pool" "windows_pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", From b924c547853685ed0e390c002ba30c22a62e647e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 08:57:04 -0700 Subject: [PATCH 052/176] chore(deps): Update go modules and/or dev-tools (#1927) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Makefile | 2 +- build/int.cloudbuild.yaml | 2 +- build/lint.cloudbuild.yaml | 2 +- test/integration/go.mod | 18 +++++++++--------- test/integration/go.sum | 16 ++++++++++++++++ 5 files changed, 28 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index f92db301e4..38290471f0 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.19 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.20 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd DOCKER_BIN ?= docker diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index dc1ebab01a..57991a870e 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -519,6 +519,6 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.19' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.20' options: machineType: 'N1_HIGHCPU_8' diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index d2d4c0c066..5e1c102db3 100644 --- a/build/lint.cloudbuild.yaml +++ b/build/lint.cloudbuild.yaml 
@@ -22,7 +22,7 @@ tags:
 - 'lint'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.19'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.20'
 options:
 machineType: 'N1_HIGHCPU_8'
 env:
diff --git a/test/integration/go.mod b/test/integration/go.mod
index d5828f9c0a..9e9b127341 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -2,10 +2,10 @@ module github.com/terraform-google-modules/terraform-google-kubernetes-engine/te
 go 1.21
-toolchain go1.21.5
+toolchain go1.21.9
 require (
- github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2
+ github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0
 github.com/gruntwork-io/terratest v0.46.13
 github.com/stretchr/testify v1.9.0
 github.com/tidwall/gjson v1.17.1
@@ -24,7 +24,7 @@ require (
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 github.com/boombuler/barcode v1.0.1 // indirect
 github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
- github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 github.com/go-errors/errors v1.5.0 // indirect
 github.com/go-logr/logr v1.2.4 // indirect
@@ -36,7 +36,7 @@ require (
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/protobuf v1.5.3 // indirect
 github.com/google/gnostic-models v0.6.8 // indirect
- github.com/google/go-cmp v0.5.9 // indirect
+ github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/s2a-go v0.1.7 // indirect
 github.com/google/uuid v1.3.1 // indirect
@@ -68,7 +68,7 @@ require (
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
- github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 github.com/pquerna/otp v1.4.0 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
@@ -82,11 +82,11 @@ require (
 github.com/zclconf/go-cty v1.14.0 // indirect
 go.opencensus.io v0.24.0 // indirect
 golang.org/x/crypto v0.17.0 // indirect
- golang.org/x/mod v0.16.0 // indirect
+ golang.org/x/mod v0.17.0 // indirect
 golang.org/x/net v0.17.0 // indirect
 golang.org/x/oauth2 v0.12.0 // indirect
 golang.org/x/sync v0.4.0 // indirect
- golang.org/x/sys v0.16.0 // indirect
+ golang.org/x/sys v0.17.0 // indirect
 golang.org/x/term v0.15.0 // indirect
 golang.org/x/text v0.14.0 // indirect
 golang.org/x/time v0.3.0 // indirect
@@ -105,10 +105,10 @@ require (
 k8s.io/apimachinery v0.28.4 // indirect
 k8s.io/client-go v0.28.4 // indirect
 k8s.io/klog/v2 v2.100.1 // indirect
- k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f // indirect
+ k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
- sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
+ sigs.k8s.io/kustomize/kyaml v0.17.0 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/test/integration/go.sum b/test/integration/go.sum
index 5bafcdb72a..a67a364a98 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -189,6 +189,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2 h1:DQS5D0xaV1SVFNoGvHdYB0wYeZ24D9hVeFiLG2+r06I=
 github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2/go.mod h1:uomWciQn6oAotW86ck0b0ix+sUeZHSXyS+IYAVFTPj8=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0 h1:db17HvmQPwTAq7/ex/w2DiNMA4oGUmTiHvScfPW/cRI=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0/go.mod h1:JSsaDg/h4yaiNNTNnrCjyL6/czHb/Oz/z+dzWVqJYBE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
@@ -230,6 +232,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -323,6 +327,8 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -462,6 +468,8 @@ github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+q github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg= github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= 
@@ -572,6 +580,8 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -729,6 +739,8 @@ golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 
@@ -1071,6 +1083,8 @@ k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f h1:eeEUOoGYWhOz7EyXqhlR2zHKNw2mNJ9vzJmub6YN6kk= k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= @@ -1080,6 +1094,8 @@ sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMm sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= +sigs.k8s.io/kustomize/kyaml v0.17.0 h1:G2bWs03V9Ur2PinHLzTUJ8Ded+30SzXZKiO92SRDs3c= +sigs.k8s.io/kustomize/kyaml v0.17.0/go.mod h1:6lxkYF1Cv9Ic8g/N7I86cvxNc5iinUo/P2vKsHNmpyE= sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= From 5282770021200713bb774b629038e8efbcb673da Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 11:22:46 -0700 Subject: [PATCH 053/176] chore(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 in /test/integration (#1929) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- test/integration/go.mod | 8 ++++---- test/integration/go.sum | 32 ++++++++++---------------------- 2 files changed, 14 insertions(+), 26 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 9e9b127341..76dea49091 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -81,13 +81,13 @@ require ( github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect github.com/zclconf/go-cty v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/crypto v0.17.0 // indirect + golang.org/x/crypto v0.21.0 // indirect golang.org/x/mod v0.17.0 // indirect - golang.org/x/net v0.17.0 // indirect + golang.org/x/net v0.23.0 // indirect golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.4.0 // indirect - golang.org/x/sys v0.17.0 // indirect - golang.org/x/term v0.15.0 // indirect + golang.org/x/sys v0.18.0 // indirect + golang.org/x/term v0.18.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect diff --git a/test/integration/go.sum b/test/integration/go.sum index a67a364a98..baac9ffa87 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -187,8 +187,6 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2 h1:DQS5D0xaV1SVFNoGvHdYB0wYeZ24D9hVeFiLG2+r06I= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.2/go.mod h1:uomWciQn6oAotW86ck0b0ix+sUeZHSXyS+IYAVFTPj8= github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0 h1:db17HvmQPwTAq7/ex/w2DiNMA4oGUmTiHvScfPW/cRI= github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0/go.mod h1:JSsaDg/h4yaiNNTNnrCjyL6/czHb/Oz/z+dzWVqJYBE= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= @@ -230,7 +228,6 @@ github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHH github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -325,7 +322,6 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= @@ -466,7 +462,6 @@ github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLyw github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -475,8 +470,8 @@ github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= 
@@ -540,8 +535,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -578,8 +573,6 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= -golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -629,8 +622,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -737,15 +730,14 @@ golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= -golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= -golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1081,8 +1073,6 @@ k8s.io/client-go v0.28.4 h1:Np5ocjlZcTrkyRJ3+T3PkXDpe4UpatQxj85+xjaD2wY= k8s.io/client-go v0.28.4/go.mod h1:0VDZFpgoZfelyP5Wqu0/r/TRYcLYuJ2U1KEeoaPa1N4= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f h1:eeEUOoGYWhOz7EyXqhlR2zHKNw2mNJ9vzJmub6YN6kk= -k8s.io/kube-openapi v0.0.0-20230905202853-d090da108d2f/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= @@ -1092,8 +1082,6 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= -sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= sigs.k8s.io/kustomize/kyaml v0.17.0 h1:G2bWs03V9Ur2PinHLzTUJ8Ded+30SzXZKiO92SRDs3c= sigs.k8s.io/kustomize/kyaml v0.17.0/go.mod h1:6lxkYF1Cv9Ic8g/N7I86cvxNc5iinUo/P2vKsHNmpyE= sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= From 3de626886e5a23a49b4bfb9af92f0ed15eeae2ff Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 21:46:42 +0000 Subject: [PATCH 054/176] chore(deps): Update nginx Docker tag to v1.25.5 (#1928) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/deploy_service/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index e80252d2a9..4fc7b9ece3 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" { spec { container { - image = "nginx:1.25.4" + image = "nginx:1.25.5" name = "nginx-example" } } From fce642f8f550d8e2f4e6b1210e8a96d6184f264d Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Wed, 24 Apr 2024 09:38:14 -0700 Subject: [PATCH 055/176] docs: correct local_ssd_ephemeral_count visibility (#1926) --- README.md | 1 - autogen/main/README.md | 2 ++ modules/private-cluster-update-variant/README.md | 1 - modules/private-cluster/README.md | 1 - 4 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a94a7c7e07..21f945a86a 100644 --- a/README.md +++ b/README.md 
@@ -296,7 +296,6 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | -| local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index f26716b06e..00bf54668e 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -211,7 +211,9 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +{% if beta_cluster %} | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +{% endif %} | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 603ec000e0..2771ea8bf9 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -331,7 +331,6 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | -| local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 650b1c4b73..d27738eb3f 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -309,7 +309,6 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | -| local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | From 813d8507fecf1b3badbb90906dc957a35cc259a5 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 24 Apr 2024 17:45:31 +0000 Subject: [PATCH 056/176] chore(deps): Update nginx Docker tag to v1.26.0 (#1931) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/deploy_service/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index 4fc7b9ece3..e825609a1f 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf 
@@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" { spec { container { - image = "nginx:1.25.5" + image = "nginx:1.26.0" name = "nginx-example" } } From 87efb91b1305315ec8004444fcb5534533119cf4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 9 May 2024 11:46:26 -0700 Subject: [PATCH 057/176] chore(deps): Update go modules (#1933) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 10 +++++----- test/integration/go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 76dea49091..6f7ec7f963 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -5,8 +5,8 @@ go 1.21 toolchain go1.21.9 require ( - github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0 - github.com/gruntwork-io/terratest v0.46.13 + github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.1 + github.com/gruntwork-io/terratest v0.46.14 github.com/stretchr/testify v1.9.0 github.com/tidwall/gjson v1.17.1 ) 
@@ -45,14 +45,14 @@ require ( github.com/gruntwork-io/go-commons v0.17.1 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect - github.com/hashicorp/go-getter v1.7.2 // indirect + github.com/hashicorp/go-getter v1.7.4 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-safetemp v1.0.0 // indirect github.com/hashicorp/go-version v1.6.0 // indirect github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f // indirect github.com/hashicorp/hcl/v2 v2.18.0 // indirect github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72 // indirect - github.com/hashicorp/terraform-json v0.17.1 // indirect + github.com/hashicorp/terraform-json v0.21.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/jinzhu/copier v0.4.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect @@ -79,7 +79,7 @@ require ( github.com/ulikunitz/xz v0.5.11 // indirect github.com/urfave/cli/v2 v2.25.7 // indirect github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect - github.com/zclconf/go-cty v1.14.0 // indirect + github.com/zclconf/go-cty v1.14.1 // indirect go.opencensus.io v0.24.0 // indirect golang.org/x/crypto v0.21.0 // indirect golang.org/x/mod v0.17.0 // indirect diff --git a/test/integration/go.sum b/test/integration/go.sum index baac9ffa87..bbeaa17bce 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0 h1:db17HvmQPwTAq7/ex/w2DiNMA4oGUmTiHvScfPW/cRI= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.0/go.mod h1:JSsaDg/h4yaiNNTNnrCjyL6/czHb/Oz/z+dzWVqJYBE= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.1 h1:xfCNVLZQAclUxmhICDwaOUJUw4OioNc1wIEfjtSgfCg= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.1/go.mod h1:AEQP8/V/hIp+SllHtmBV7ftuoQQ82eC032UdsnL3tnY= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
@@ -378,15 +378,15 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0= github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk= -github.com/gruntwork-io/terratest v0.46.13 h1:FDaEoZ7DtkomV8pcwLdBV/VsytdjnPRqJkIriYEYwjs= -github.com/gruntwork-io/terratest v0.46.13/go.mod h1:8sxu3Qup8TxtbzOHzq0MUrQffJj/G61/OwlsReaCwpo= +github.com/gruntwork-io/terratest v0.46.14 h1:nVT2JpOPLr7KbwOSNDP0GJffljH+Yu5833cwLorxRjs= +github.com/gruntwork-io/terratest v0.46.14/go.mod h1:L/IHbj195wnjfIFpZYWUhjwA3jm4O6ehO//xz7NxN8o= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-getter v1.7.2 h1:uJDtyXwEfalmp1PqdxuhZqrNkUyClZAhVeZYTArbqkg= -github.com/hashicorp/go-getter v1.7.2/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= +github.com/hashicorp/go-getter v1.7.4 h1:3yQjWuxICvSpYwqSayAdKRFcvBl1y/vogCxczWSmix0= +github.com/hashicorp/go-getter v1.7.4/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo= 
@@ -401,8 +401,8 @@ github.com/hashicorp/hcl/v2 v2.18.0 h1:wYnG7Lt31t2zYkcquwgKo6MWXzRUDIeIVU5naZwHL github.com/hashicorp/hcl/v2 v2.18.0/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE= github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72 h1:nZ5gGjbe5o7XUu1d7j+Y5Ztcxlp+yaumTKH9i0D3wlg= github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72/go.mod h1:l8HcFPm9cQh6Q0KSWoYPiePqMvRFenybP1CH2MjKdlg= -github.com/hashicorp/terraform-json v0.17.1 h1:eMfvh/uWggKmY7Pmb3T85u86E2EQg6EQHgyRwf3RkyA= -github.com/hashicorp/terraform-json v0.17.1/go.mod h1:Huy6zt6euxaY9knPAFKjUITn8QxUFIe9VuSzb4zn/0o= +github.com/hashicorp/terraform-json v0.21.0 h1:9NQxbLNqPbEMze+S6+YluEdXgJmhQykRyRNd+zTI05U= +github.com/hashicorp/terraform-json v0.21.0/go.mod h1:qdeBs11ovMzo5puhrRibdD6d2Dq6TyE/28JiU4tIQxk= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= 
@@ -517,8 +517,8 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -github.com/zclconf/go-cty v1.14.0 h1:/Xrd39K7DXbHzlisFP9c4pHao4yyf+/Ug9LEz+Y/yhc= -github.com/zclconf/go-cty v1.14.0/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= +github.com/zclconf/go-cty v1.14.1 h1:t9fyA35fwjjUMcmL5hLER+e/rEPqrbCK1/OSE4SI9KA= +github.com/zclconf/go-cty v1.14.1/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= From 50c1a420179df3a7c596c93f8ecc05a207276aa1 Mon Sep 17 00:00:00 2001 
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Thu, 9 May 2024 19:54:16 +0000 Subject: [PATCH 058/176] chore(master): release 30.3.0 (#1903) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 15 +++++++++++++++ autogen/main/versions.tf.tmpl | 4 ++-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- .../beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- .../private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 22 files changed, 39 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 48369da056..6fabdb7048 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [30.3.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.2.0...v30.3.0) (2024-05-09) + + +### Features + +* add enable_l4_ilb_subsetting for GA TPG ([#1924](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1924)) ([da0476a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/da0476af8c2911bbe6bbdea65af59421a4fcd61e)) +* adds local_nvme_ssd_block_config to beta-public-cluster ([#1912](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1912)) ([f7c2ed9](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/f7c2ed9102eca18b0d2233784616c60f81180d72)) +* network tags for autoprovisioned node pools ([#1920](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1920)) ([f864e8a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/f864e8add729b799529f5ede187347ed5cebd5f9)) +* **safer-clusters:** add components selection for monitoring ([#1851](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1851)) ([15b472f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/15b472fafc6b63afb0b52acec56cea8fd5c25cdf)) + + +### Bug Fixes + +* make master_ipv4_cidr_block optional for autopilot ([#1902](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1902)) ([af43bdd](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/af43bddeaa5902681c0012b7ea724937b161fad6)) + ## [30.2.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.1.0...v30.2.0) (2024-03-08) 
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index c0668b2330..4dbcebecae 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.3.0" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.3.0" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index 3135a334e1..8ed8e64ad2 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl @@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.3.0" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index fa8aea6590..317e6a95f0 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf 
@@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.3.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.3.0" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index c97e274253..3684c208b8 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.3.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.3.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index ae15435ef5..4ae2f18f01 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf @@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.3.0" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 41dd788f36..1d0a0e5984 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf 
@@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.3.0" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index a9fd481366..073f851245 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.3.0" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 420dfc7b60..b5a118d0d6 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.3.0" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 25e552d1d0..2232e58ef1 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.3.0" } } 
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 8af82e5096..bbfa6c9a90 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.3.0" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index ea131cbe79..c5f1cb6548 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.3.0" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index 6bc50b416d..07d6cbd21d 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.3.0" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 4529032fc3..f2babc249d 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf 
@@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.3.0" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index a771cb95e3..e9aeeabc2d 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.3.0" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index b90321600d..0a54060183 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.3.0" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index db427f19ea..4e00391ac0 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.3.0" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index 5a1a57f882..10e1886831 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf 
@@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.3.0" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index 70b588b4de..da63e74966 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.3.0" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 00f96eee6f..fa6afb62ca 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf @@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.3.0" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 48076ba01f..facf78942e 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.2.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.3.0" } } diff --git a/versions.tf b/versions.tf index 202e0d1965..0495aabdf5 100644 --- a/versions.tf +++ b/versions.tf 
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.2.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.3.0"
 }
 }
From d01e5bce35c73dba751fcb76f26b1a8f268f0506 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 13 May 2024 16:15:48 -0700
Subject: [PATCH 059/176] fix(deps)!: Update Terraform terraform-google-modules/project-factory/google to v15 (#1936)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 examples/acm-terraform-blog-part1/terraform/gke.tf | 2 +-
 examples/acm-terraform-blog-part2/terraform/gke.tf | 2 +-
 examples/acm-terraform-blog-part3/terraform/gke.tf | 2 +-
 examples/safer_cluster_iap_bastion/apis.tf | 2 +-
 modules/binary-authorization/main.tf | 2 +-
 modules/services/main.tf | 2 +-
 test/setup/main.tf | 6 +++---
 7 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf
index 9c997717dc..45a627c467 100644
--- a/examples/acm-terraform-blog-part1/terraform/gke.tf
+++ b/examples/acm-terraform-blog-part1/terraform/gke.tf
@@ -16,7 +16,7 @@ module "enabled_google_apis" {
 source = "terraform-google-modules/project-factory/google//modules/project_services"
- version = "~> 14.0"
+ version = "~> 15.0"
 project_id = var.project
 disable_services_on_destroy = false
diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf
index 2c0d637463..816e2bde95 100644
--- a/examples/acm-terraform-blog-part2/terraform/gke.tf
+++ b/examples/acm-terraform-blog-part2/terraform/gke.tf
@@ -16,7 +16,7 @@ module "enabled_google_apis" {
 source = "terraform-google-modules/project-factory/google//modules/project_services"
- version = "~> 14.0"
+ version = "~> 15.0"
 project_id = var.project
 disable_services_on_destroy = false
diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index 9f43da79bc..6694582d56 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 14.0" + version = "~> 15.0" project_id = var.project disable_services_on_destroy = false diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf index 8665a9b3d1..f72733494f 100644 --- a/examples/safer_cluster_iap_bastion/apis.tf +++ b/examples/safer_cluster_iap_bastion/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 14.0" + version = "~> 15.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/modules/binary-authorization/main.tf b/modules/binary-authorization/main.tf index 81cbb620c2..8e09bb13eb 100644 --- a/modules/binary-authorization/main.tf +++ b/modules/binary-authorization/main.tf @@ -25,7 +25,7 @@ locals { module "project-services" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 14.0" + version = "~> 15.0" project_id = var.project_id activate_apis = local.required_enabled_apis diff --git a/modules/services/main.tf b/modules/services/main.tf index 74dbc89e18..9ef548c06a 100644 --- a/modules/services/main.tf +++ b/modules/services/main.tf @@ -16,7 +16,7 @@ module "services" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 14.0" + version = "~> 15.0" project_id = var.project_id enable_apis = var.enable_apis diff --git a/test/setup/main.tf b/test/setup/main.tf index 2e6f551f91..f0b3e278a6 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf 
@@ -45,7 +45,7 @@ locals {
 module "gke-project-1" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 14.0"
+ version = "~> 15.0"
 name = "ci-gke-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
@@ -69,7 +69,7 @@ module "gke-project-1" {
 module "gke-project-2" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 14.0"
+ version = "~> 15.0"
 name = "ci-gke-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
@@ -91,7 +91,7 @@ module "gke-project-2" {
 # apis as documented https://cloud.google.com/service-mesh/docs/scripted-install/reference#setting_up_your_project
 module "gke-project-asm" {
 source = "terraform-google-modules/project-factory/google"
- version = "~> 14.0"
+ version = "~> 15.0"
 name = "ci-gke-asm-${random_id.random_project_id_suffix.hex}"
 random_project_id = true
From dbd90e3e556d74881fb3132457a9159d7fb81e6b Mon Sep 17 00:00:00 2001
From: florianMalbranque <82934052+florianMalbranque@users.noreply.github.com>
Date: Tue, 14 May 2024 19:45:57 +0200
Subject: [PATCH 060/176] fix: local nvme ssd count (#1937)
---
 autogen/main/cluster.tf.tmpl | 2 +-
 cluster.tf | 4 ++--
 modules/beta-private-cluster-update-variant/cluster.tf | 4 ++--
 modules/beta-private-cluster/cluster.tf | 4 ++--
 modules/beta-public-cluster-update-variant/cluster.tf | 4 ++--
 modules/beta-public-cluster/cluster.tf | 4 ++--
 modules/private-cluster-update-variant/cluster.tf | 4 ++--
 modules/private-cluster/cluster.tf | 4 ++--
 8 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index f39637ce3c..e09755281c 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -850,7 +850,7 @@ resource "google_container_node_pool" "windows_pools" {
 {% endif %}
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
diff --git a/cluster.tf b/cluster.tf
index 50a049496d..e945124d1a 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -568,7 +568,7 @@ resource "google_container_node_pool" "pools" {
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
@@ -784,7 +784,7 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index ef9ba2b92e..d2adf527b0 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -734,7 +734,7 @@ resource "google_container_node_pool" "pools" {
 }
 dynamic "local_nvme_ssd_block_config" {
- for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : []
+ for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
 content {
 local_ssd_count = local_nvme_ssd_block_config.value
 }
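Review bot: The true branch now reads `each.value.local_nvme_ssd_count` directly while the condition uses `lookup(each.value, "local_nvme_ssd_count", 0)`; the two agree here because the branch only runs when the key is present, but carrying the value through the same call, `[lookup(each.value, "local_nvme_ssd_count", 0)]`, keeps the key spelled once and stops the two expressions drifting apart in later edits. The diffstat lists no test change although the fix changes how many local SSDs a node pool receives, so a node-pool fixture with `local_nvme_ssd_count` above 1 in the integration tests would pin the corrected count. The same correction is repeated in cluster.tf and the six module copies generated from this template, so the remark applies to those hunks as well. The enclosing `google_container_node_pool` resource starts and ends outside the hunk.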
@@ -976,7 +976,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 7610189c68..22ca1b7823 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -659,7 +659,7 @@ resource "google_container_node_pool" "pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } @@ -900,7 +900,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 363664a8a8..2d7b25218e 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -715,7 +715,7 @@ resource "google_container_node_pool" "pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } 
@@ -957,7 +957,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 3c4f6e7337..b634e2a418 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -640,7 +640,7 @@ resource "google_container_node_pool" "pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } @@ -881,7 +881,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index badf7356be..51447d8df2 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -662,7 +662,7 @@ resource "google_container_node_pool" "pools" { dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } 
@@ -879,7 +879,7 @@ resource "google_container_node_pool" "windows_pools" { dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 59f5ecaf73..ff09024061 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -587,7 +587,7 @@ resource "google_container_node_pool" "pools" { dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } @@ -803,7 +803,7 @@ resource "google_container_node_pool" "windows_pools" { dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } From 748e1ed279230377adc50fa48b6dc26faaa563c4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 May 2024 15:07:33 -0700 Subject: [PATCH 061/176] chore(deps): Update dependency go to v1.21.10 (#1940) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 6f7ec7f963..10cccf883e 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod 
@@ -2,7 +2,7 @@ module github.com/terraform-google-modules/terraform-google-kubernetes-engine/te
 go 1.21
-toolchain go1.21.9
+toolchain go1.21.10
 require (
 github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.1
From acbb453cc7128ab9784486b1cc1238b0e7616f34 Mon Sep 17 00:00:00 2001
From: pwschuurman Date: Thu, 16 May 2024 11:30:23 -0700 Subject: [PATCH 062/176] feat(TPG>=5.25.0)!: Add support for StatefulHA Addon (#1948) --- README.md | 1 + autogen/main/cluster.tf.tmpl | 8 ++++++++ autogen/main/main.tf.tmpl | 1 + autogen/main/variables.tf.tmpl | 6 ++++++ autogen/main/versions.tf.tmpl | 4 ++-- cluster.tf | 8 ++++++++ examples/simple_regional/main.tf | 1 + main.tf | 1 + modules/beta-autopilot-private-cluster/versions.tf | 4 ++-- modules/beta-autopilot-public-cluster/versions.tf | 4 ++-- modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 8 ++++++++ modules/beta-private-cluster-update-variant/main.tf | 1 + modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster-update-variant/versions.tf | 4 ++-- modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 8 ++++++++ modules/beta-private-cluster/main.tf | 1 + modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-private-cluster/versions.tf | 4 ++-- modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 8 ++++++++ modules/beta-public-cluster-update-variant/main.tf | 1 + modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/versions.tf | 4 ++-- modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 8 ++++++++ modules/beta-public-cluster/main.tf | 1 + modules/beta-public-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster/versions.tf | 4 ++-- modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 8 ++++++++ modules/private-cluster-update-variant/main.tf | 1 + modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 8 ++++++++ modules/private-cluster/main.tf | 1 + 
modules/private-cluster/variables.tf | 6 ++++++ .../simple_regional/testdata/TestSimpleRegional.json | 3 +++ variables.tf | 6 ++++++ 40 files changed, 145 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 21f945a86a..3ac5b03b75 100644 --- a/README.md +++ b/README.md @@ -228,6 +228,7 @@ Then perform the following commands on the root folder: | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no |
 | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no |
+| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index e09755281c..c6028215d8 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -309,6 +309,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "stateful_ha_config" {
+ for_each = local.stateful_ha_config
+
+ content {
+ enabled = stateful_ha_config.value.enabled
+ }
+ }
+
 config_connector_config {
 enabled = var.config_connector
 }
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 49b847fcba..11b15736b7 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -109,6 +109,7 @@ locals {
 logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
+ stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
 {% endif %}
 {% if beta_cluster and autopilot_cluster != true %}
 cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? {
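Review bot: `stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []` drops the block entirely when the variable is false, so on a cluster where the addon was switched on outside Terraform, `stateful_ha = false` may leave it on if the provider treats an absent nested block as no opinion rather than as disabled; the neighbouring `gke_backup_agent_config` line uses the explicit `[{ enabled = false }]` form, which always states the intended result. If the provider accepts `enabled = false` inside `stateful_ha_config`, `stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [{ enabled = false }]` would make the variable authoritative; otherwise a comment on the new line noting that `false` means "not managed by this module" would record the choice, and the `stateful_ha` variable description could say the same. The same local is added to main.tf and the module copies generated from this template. The enclosing `locals` block starts and ends outside the hunk.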
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 663a10661b..e807f87373 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -725,6 +725,12 @@ variable "gcs_fuse_csi_driver" {
 default = false
 }
+variable "stateful_ha" {
+ type = bool
+ description = "Whether the Stateful HA Addon is enabled for this cluster."
+ default = false
+}
+
 {% endif %}
 variable "timeouts" {
 type = map(string)
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 4dbcebecae..31c1e0d04a 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -24,11 +24,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.9.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.9.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/cluster.tf b/cluster.tf
index e945124d1a..c67758d5ef 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -229,6 +229,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "stateful_ha_config" {
+ for_each = local.stateful_ha_config
+
+ content {
+ enabled = stateful_ha_config.value.enabled
+ }
+ }
+
 config_connector_config {
 enabled = var.config_connector
 }
diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf
index 11a34fa0c6..5fc839611d 100644
--- a/examples/simple_regional/main.tf
+++ b/examples/simple_regional/main.tf
@@ -45,4 +45,5 @@ module "gke" {
 gcs_fuse_csi_driver = true
 fleet_project = var.project_id
 deletion_protection = false
+ stateful_ha = true
 }
diff --git a/main.tf b/main.tf
index 4025b6063c..2536671a13 100644
--- a/main.tf
+++ b/main.tf
@@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 1d0a0e5984..7580b366e9 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 073f851245..5cf26c9d4e 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index cbf79f9060..095c7c9ba2 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -278,6 +278,7 @@ Then perform the following commands on the root folder: | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index d2adf527b0..fc9b5085b9 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -252,6 +252,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index f7ef1e33d2..3389a4a7a1 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
@@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {} diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 03742b1504..270105e6bd 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -696,6 +696,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index b5a118d0d6..3d48de936d 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 0293e59c66..4808bf3f4c 100644 --- a/modules/beta-private-cluster/README.md 
+++ b/modules/beta-private-cluster/README.md @@ -256,6 +256,7 @@ Then perform the following commands on the root folder: | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 22ca1b7823..46bbae50c9 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -252,6 +252,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index f7ef1e33d2..3389a4a7a1 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {} diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 03742b1504..270105e6bd 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -696,6 +696,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 2232e58ef1..1b0043e5ec 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 61707e4a3c..ad82e7ee66 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -267,6 +267,7 @@ Then perform the following commands on the root folder: | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 2d7b25218e..2845da3817 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -252,6 +252,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index d92b11fadd..a14251068c 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {} diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 2490cfd338..17508a59bf 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -666,6 +666,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index bbfa6c9a90..1c2823a6b6 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 939fd0f460..adca29f57b 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -245,6 +245,7 @@ Then perform the following commands on the root folder: | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index b634e2a418..233e597658 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -252,6 +252,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index d92b11fadd..a14251068c 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {} diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 2490cfd338..17508a59bf 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -666,6 +666,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index c5f1cb6548..02d99f1f80 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.9.0, < 6" + version = ">= 5.25.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 2771ea8bf9..d1b4b25caa 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -261,6 +261,7 @@ Then perform the following commands on the root folder: | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 51447d8df2..a1b98e44a9 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -229,6 +229,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index f2a6e28ea8..fb7f0edf1c 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf 
@@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index e7e2e0e5d0..408517098c 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -672,6 +672,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index d27738eb3f..1500378df1 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -239,6 +239,7 @@ Then perform the following commands on the root folder: | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index ff09024061..9dcb9055e8 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -229,6 +229,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } + config_connector_config { enabled = var.config_connector } diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index f2a6e28ea8..fb7f0edf1c 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -94,6 +94,7 @@ locals { logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group 
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index e7e2e0e5d0..408517098c 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -672,6 +672,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/test/integration/simple_regional/testdata/TestSimpleRegional.json b/test/integration/simple_regional/testdata/TestSimpleRegional.json index 1c22283ddb..85c8e55db7 100644 --- a/test/integration/simple_regional/testdata/TestSimpleRegional.json +++ b/test/integration/simple_regional/testdata/TestSimpleRegional.json @@ -17,6 +17,9 @@ }, "networkPolicyConfig": { "disabled": true + }, + "statefulHaConfig": { + "enabled": true } }, "autopilot": {}, diff --git a/variables.tf b/variables.tf index 1989020509..17bc3245f8 100644 --- a/variables.tf +++ b/variables.tf @@ -642,6 +642,12 @@ variable "gcs_fuse_csi_driver" { default = false } +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." From c48c8abe22b78e40b6f56d2940403d8b6e586367 Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Thu, 16 May 2024 13:08:18 -0700 Subject: [PATCH 063/176] feat: add security posture VULNERABILITY_ENTERPRISE (#1947) --- README.md | 2 +- autogen/main/variables.tf.tmpl | 2 +- autogen/safer-cluster/variables.tf.tmpl | 2 +- modules/beta-autopilot-private-cluster/README.md | 2 +- modules/beta-autopilot-private-cluster/variables.tf | 2 +- modules/beta-autopilot-public-cluster/README.md | 2 +- modules/beta-autopilot-public-cluster/variables.tf | 2 +- modules/beta-private-cluster-update-variant/README.md | 2 +- modules/beta-private-cluster-update-variant/variables.tf | 2 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/variables.tf | 2 +- modules/beta-public-cluster-update-variant/README.md | 2 +- modules/beta-public-cluster-update-variant/variables.tf | 2 +- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/variables.tf | 2 +- modules/private-cluster-update-variant/README.md | 2 +- modules/private-cluster-update-variant/variables.tf | 2 +- modules/private-cluster/README.md | 2 +- modules/private-cluster/variables.tf | 2 +- modules/safer-cluster-update-variant/README.md | 2 +- modules/safer-cluster-update-variant/variables.tf | 2 +- modules/safer-cluster/README.md | 2 +- modules/safer-cluster/variables.tf | 2 +- variables.tf | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 3ac5b03b75..86efa9a4c5 100644 --- a/README.md +++ b/README.md 
@@ -221,7 +221,7 @@ Then perform the following commands on the root folder: | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index e807f87373..09c7071657 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
@@ -580,7 +580,7 @@ variable "security_posture_mode" { } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 2eae51d4bd..88da0f4adc 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -476,7 +476,7 @@ variable "security_posture_mode" { } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`" type = string default = null } diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 7f894a0c94..e2940e7437 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
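Review bot: `security_posture_vulnerability_mode` remains a free-form `string` whose accepted values exist only in the description, so a misspelled mode is rejected by the API at apply time rather than by Terraform at plan time; now that the list in the autogen/main/variables.tf.tmpl hunk has grown to three values, a `validation` block on the variable would make that contract enforceable and keep the description and the code from drifting apart again. The autogen/safer-cluster/variables.tf.tmpl hunk on this same line defaults the variable to `null`, so its condition would need to admit null (`var.security_posture_vulnerability_mode == null || contains(...)`), and its new description also drops the trailing period and the `Defaults to` sentence that the main template keeps. The variable block is complete within the hunk.
```hcl
variable "security_posture_vulnerability_mode" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["VULNERABILITY_DISABLED", "VULNERABILITY_BASIC", "VULNERABILITY_ENTERPRISE"], var.security_posture_vulnerability_mode)
    error_message = "security_posture_vulnerability_mode must be one of VULNERABILITY_DISABLED, VULNERABILITY_BASIC or VULNERABILITY_ENTERPRISE."
  }
}
```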
@@ -131,7 +131,7 @@ Then perform the following commands on the root folder: | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 02d8e12e48..7e7238e904 100644 
--- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -406,7 +406,7 @@ variable "security_posture_mode" { } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 7ff4ee1cdb..d0fc6d3958 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -120,7 +120,7 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index fc10df626c..0ecca7a1a3 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -376,7 +376,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 095c7c9ba2..556d7c4d64 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -271,7 +271,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 270105e6bd..5279082444 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -556,7 +556,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 4808bf3f4c..b7048076af 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -249,7 +249,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 270105e6bd..5279082444 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -556,7 +556,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index ad82e7ee66..aa9f18bdc7 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -260,7 +260,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 17508a59bf..f440b77f0f 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -526,7 +526,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index adca29f57b..baaf2a4faa 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -238,7 +238,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 17508a59bf..f440b77f0f 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -526,7 +526,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index d1b4b25caa..7df07c0c68 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -254,7 +254,7 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 408517098c..687f54ed89 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -532,7 +532,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 1500378df1..07e9e994ca 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -232,7 +232,7 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 408517098c..687f54ed89 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -532,7 +532,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index 274199a59f..ee2e8bee69 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -270,7 +270,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. | `string` | `null` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE` | `string` | `null` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index c98da16f81..d6e72d35c4 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -476,7 +476,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`"
 type = string
 default = null
 }
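Review bot: The new safer-cluster-update-variant description ends without the sentence-closing period that every other module's description in this patch keeps — the string stops at the closing backtick of VULNERABILITY_ENTERPRISE, where the old text had a period after VULNERABILITY_BASIC — and the README row in the same hunk shows the same ending, which suggests the table is generated from the description, so fixing the `variables.tf` string fixes both. The safer-cluster hunk on the next line carries the identical text. Adding the period before the closing quote (…, and `VULNERABILITY_ENTERPRISE`.") is enough; if the intent of the `null` default is worth stating, "Unset (null) leaves the provider default in place." would be the sentence to add, but only if that is what the module actually does.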
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index 274199a59f..ee2e8bee69 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -270,7 +270,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. | `string` | `null` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE` | `string` | `null` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index c98da16f81..d6e72d35c4 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -476,7 +476,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`"
 type = string
 default = null
 }
diff --git a/variables.tf b/variables.tf
index 17bc3245f8..0e05d74597 100644
--- a/variables.tf
+++ b/variables.tf
@@ -502,7 +502,7 @@ variable "security_posture_mode" {
 }
 
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
From 3d5cc9fc4fd817c35e089222a043e02358d64c1d Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik
Date: Fri, 17 May 2024 18:25:40 +0300
Subject: [PATCH 064/176] feat: add missing dns_cache output in non beta (#1864)
Signed-off-by: drfaust92
---
 README.md | 2 ++
 autogen/main/README.md | 2 +-
 autogen/main/main.tf.tmpl | 2 +-
 autogen/main/outputs.tf.tmpl | 10 +++++-----
 main.tf | 1 +
 modules/beta-autopilot-private-cluster/README.md | 1 +
 modules/beta-autopilot-private-cluster/main.tf | 2 +-
 modules/beta-autopilot-private-cluster/outputs.tf | 10 +++++-----
 modules/beta-autopilot-public-cluster/README.md | 1 +
 modules/beta-autopilot-public-cluster/main.tf | 2 +-
 modules/beta-autopilot-public-cluster/outputs.tf | 10 +++++-----
 modules/beta-private-cluster-update-variant/main.tf | 2 +-
 modules/beta-private-cluster-update-variant/outputs.tf | 10 +++++-----
 modules/beta-private-cluster/main.tf | 2 +-
 modules/beta-private-cluster/outputs.tf | 10 +++++-----
 modules/beta-public-cluster-update-variant/main.tf | 2 +-
 modules/beta-public-cluster-update-variant/outputs.tf | 10 +++++-----
 modules/beta-public-cluster/main.tf | 2 +-
 modules/beta-public-cluster/outputs.tf | 10 +++++-----
 modules/private-cluster-update-variant/README.md | 2 ++
 modules/private-cluster-update-variant/main.tf | 1 +
 modules/private-cluster-update-variant/outputs.tf | 5 +++++
 modules/private-cluster/README.md | 2 ++
 modules/private-cluster/main.tf | 1 +
 modules/private-cluster/outputs.tf | 5 +++++
 outputs.tf | 5 +++++
 26 files changed, 69 insertions(+), 43 deletions(-)
diff --git a/README.md b/README.md
index 86efa9a4c5..31583b5734 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,7 @@ module "gke" { network_policy = false horizontal_pod_autoscaling = true filestore_csi_driver = false + dns_cache = false node_pools = [ {
@@ -242,6 +243,7 @@ Then perform the following commands on the root folder:
 |------|-------------|
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cluster\_id | Cluster ID |
+| dns\_cache\_enabled | Whether DNS Cache enabled |
 | endpoint | Cluster endpoint |
 | fleet\_membership | Fleet membership (if registered) |
 | gateway\_api\_channel | The gateway api channel of this cluster. |
diff --git a/autogen/main/README.md b/autogen/main/README.md
index 00bf54668e..d32baae8ab 100644
--- a/autogen/main/README.md
+++ b/autogen/main/README.md
@@ -90,8 +90,8 @@ module "gke" { {% if beta_cluster and autopilot_cluster != true %} istio = true cloudrun = true - dns_cache = false {% endif %} + dns_cache = false {% if autopilot_cluster != true %} node_pools = [
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 11b15736b7..d13c8cd614 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -232,7 +232,6 @@ locals {
 {% if beta_cluster %}
 # BETA features
 cluster_istio_enabled = ! local.cluster_output_istio_disabled
- cluster_dns_cache_enabled = var.dns_cache
 {% if autopilot_cluster != true %}
 cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 {% endif %}
@@ -242,6 +241,7 @@ locals { # /BETA features {% endif %} + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] }
diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl
index afedce7f55..3d5be22ea9 100644
--- a/autogen/main/outputs.tf.tmpl
+++ b/autogen/main/outputs.tf.tmpl
@@ -198,6 +198,11 @@ output "peering_name" { value = local.cluster_peering_name } {% endif %} + +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} {% if beta_cluster %} output "cloudrun_enabled" {
@@ -214,11 +219,6 @@ output "istio_enabled" {
 value = local.cluster_istio_enabled
 }
 
-output "dns_cache_enabled" {
- description = "Whether DNS Cache enabled"
- value = local.cluster_dns_cache_enabled
-}
-
 output "pod_security_policy_enabled" {
 description = "Whether pod security policy is enabled"
 value = local.cluster_pod_security_policy_enabled
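Review bot: `cluster_dns_cache_enabled = var.dns_cache`, moved out of the beta block in `autogen/main/main.tf.tmpl` here and added verbatim to `main.tf` and the module `main.tf` files on the following lines, makes the now-generally-available `dns_cache_enabled` output echo the input variable rather than what the cluster reports, while the neighbouring `cluster_istio_enabled` and `cluster_pod_security_policy_enabled` locals in the same hunks derive from `local.cluster_output_*` values. If the addon is toggled outside Terraform, or the API does not honour the request, the output still asserts the requested value, and anything downstream that gates on it (for example a policy check that expects NodeLocal DNSCache to be on) is misled. If the cluster resource exposes the addon state, deriving this local from it the way the other `*_enabled` locals are derived would make the output trustworthy; otherwise the local deserves a comment, `# reflects the requested value, not the addon state reported by the API`, so the contract is explicit. The `locals` block itself starts and ends outside these hunks.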
diff --git a/main.tf b/main.tf
index 2536671a13..f41e968be5 100644
--- a/main.tf
+++ b/main.tf
@@ -171,6 +171,7 @@ locals { }] : [] + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] }
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index e2940e7437..ea31d44ae2 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -54,6 +54,7 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "10.0.0.0/28" + dns_cache = false } ```
diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf
index f0d22b5840..3354fc71a1 100644
--- a/modules/beta-autopilot-private-cluster/main.tf
+++ b/modules/beta-autopilot-private-cluster/main.tf
@@ -127,12 +127,12 @@ locals { # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled - cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled # /BETA features + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] }
diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf
index f2888c0aa1..beb7a8c030 100644
--- a/modules/beta-autopilot-private-cluster/outputs.tf
+++ b/modules/beta-autopilot-private-cluster/outputs.tf
@@ -159,6 +159,11 @@ output "peering_name" { value = local.cluster_peering_name } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = false @@ -169,11 +174,6 @@ output "istio_enabled" { value = local.cluster_istio_enabled } -output "dns_cache_enabled" { - description = "Whether DNS Cache enabled" - value = local.cluster_dns_cache_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index d0fc6d3958..0e3c169dff 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -48,6 +48,7 @@ module "gke" { ip_range_services = "us-central1-01-gke-01-services" horizontal_pod_autoscaling = true filestore_csi_driver = false + dns_cache = false } ``` diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 24bcb36d3d..9df7f76c14 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -126,12 +126,12 @@ locals { # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled - cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled # /BETA features + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } 
diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index 9b26f835f8..17e634faf2 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf +++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -149,6 +149,11 @@ output "tpu_ipv4_cidr_block" { +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = false @@ -159,11 +164,6 @@ output "istio_enabled" { value = local.cluster_istio_enabled } -output "dns_cache_enabled" { - description = "Whether DNS Cache enabled" - value = local.cluster_dns_cache_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 3389a4a7a1..24204e08be 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -191,13 +191,13 @@ locals { # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled - cluster_dns_cache_enabled = var.dns_cache cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled # /BETA features + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index 2d8e768f7c..3209aca8ae 100644 
--- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -185,6 +185,11 @@ output "peering_name" { value = local.cluster_peering_name } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled @@ -195,11 +200,6 @@ output "istio_enabled" { value = local.cluster_istio_enabled } -output "dns_cache_enabled" { - description = "Whether DNS Cache enabled" - value = local.cluster_dns_cache_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 3389a4a7a1..24204e08be 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -191,13 +191,13 @@ locals { # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled - cluster_dns_cache_enabled = var.dns_cache cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled # /BETA features + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index 2d8e768f7c..3209aca8ae 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf 
@@ -185,6 +185,11 @@ output "peering_name" { value = local.cluster_peering_name } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled @@ -195,11 +200,6 @@ output "istio_enabled" { value = local.cluster_istio_enabled } -output "dns_cache_enabled" { - description = "Whether DNS Cache enabled" - value = local.cluster_dns_cache_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index a14251068c..fcad187b5d 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -190,13 +190,13 @@ locals { # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled - cluster_dns_cache_enabled = var.dns_cache cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled # /BETA features + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index e388fb4406..29df3aad34 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf 
@@ -175,6 +175,11 @@ output "mesh_certificates_config" { } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled @@ -185,11 +190,6 @@ output "istio_enabled" { value = local.cluster_istio_enabled } -output "dns_cache_enabled" { - description = "Whether DNS Cache enabled" - value = local.cluster_dns_cache_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index a14251068c..fcad187b5d 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -190,13 +190,13 @@ locals { # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled - cluster_dns_cache_enabled = var.dns_cache cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled # /BETA features + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index e388fb4406..29df3aad34 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf 
@@ -175,6 +175,11 @@ output "mesh_certificates_config" { } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled @@ -185,11 +190,6 @@ output "istio_enabled" { value = local.cluster_istio_enabled } -output "dns_cache_enabled" { - description = "Whether DNS Cache enabled" - value = local.cluster_dns_cache_enabled -} - output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 7df07c0c68..30dc76161d 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -78,6 +78,7 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "10.0.0.0/28" + dns_cache = false node_pools = [ { @@ -275,6 +276,7 @@ Then perform the following commands on the root folder: |------|-------------| | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | +| dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | | fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index fb7f0edf1c..7c7de2529f 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf 
@@ -172,6 +172,7 @@ locals { }] : [] + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index e1e27f7bba..8f35e71fe0 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -185,6 +185,11 @@ output "peering_name" { value = local.cluster_peering_name } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 07e9e994ca..7ee544dee6 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -56,6 +56,7 @@ module "gke" { enable_private_endpoint = true enable_private_nodes = true master_ipv4_cidr_block = "10.0.0.0/28" + dns_cache = false node_pools = [ { @@ -253,6 +254,7 @@ Then perform the following commands on the root folder: |------|-------------| | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | +| dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | | fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index fb7f0edf1c..7c7de2529f 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf 
@@ -172,6 +172,7 @@ locals { }] : [] + cluster_dns_cache_enabled = var.dns_cache cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index e1e27f7bba..8f35e71fe0 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -185,6 +185,11 @@ output "peering_name" { value = local.cluster_peering_name } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/outputs.tf b/outputs.tf index 6ed32741f2..7aa1c3be10 100644 --- a/outputs.tf +++ b/outputs.tf @@ -175,6 +175,11 @@ output "mesh_certificates_config" { } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership From 11bae6791b07efcce29a0227e0b8b4d6c7070971 Mon Sep 17 00:00:00 2001 
From: Yury Akudovich Date: Fri, 17 May 2024 18:58:37 +0200 Subject: [PATCH 065/176] feat: Add secondary_boot_disks to node_pool configuration. (#1946) --- README.md | 1 + autogen/main/README.md | 1 + autogen/main/cluster.tf.tmpl | 9 +++++++++ cluster.tf | 18 ++++++++++++++++++ .../README.md | 1 + .../cluster.tf | 18 ++++++++++++++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 18 ++++++++++++++++++ .../README.md | 1 + .../cluster.tf | 18 ++++++++++++++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 18 ++++++++++++++++++ .../private-cluster-update-variant/README.md | 1 + .../private-cluster-update-variant/cluster.tf | 18 ++++++++++++++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 18 ++++++++++++++++++ 16 files changed, 143 insertions(+) diff --git a/README.md b/README.md index 31583b5734..24d24fc815 100644 --- a/README.md +++ b/README.md 
@@ -325,6 +325,7 @@ The node_pools variable takes the following parameters: | value | The value for the taint | | Required | | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | +| secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/autogen/main/README.md b/autogen/main/README.md index d32baae8ab..15dddf735b 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -250,6 +250,7 @@ The node_pools variable takes the following parameters: | value | The value for the taint | | Required | | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | +| secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index c6028215d8..aeaa4266d6 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -864,6 +864,15 @@ resource "google_container_node_pool" "windows_pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", diff --git a/cluster.tf b/cluster.tf index c67758d5ef..228a1d6410 100644 --- a/cluster.tf +++ b/cluster.tf @@ -582,6 +582,15 @@ resource "google_container_node_pool" "pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", @@ -798,6 +807,15 @@ resource "google_container_node_pool" "windows_pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 556d7c4d64..5f25cf8111 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
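Review bot: The new `dynamic "secondary_boot_disks"` block in cluster.tf.tmpl (and the identical copies in cluster.tf and every modules/*/cluster.tf in this patch) leaves a documented prerequisite unchecked: the README hunk states `gcfs_config` must be `enabled=true` for the image cache to work, but nothing in the resource verifies it, so a pool with `secondary_boot_disk` set and gcfs off fails at apply time or silently does not preload. A plan-time guard would surface this earlier: a `lifecycle { precondition { ... } }` on the node pool resource asserting that whenever `lookup(each.value, "secondary_boot_disk", "") != ""` the pool's existing gcfs key (the one that already feeds `gcfs_config`; its name is not visible in this hunk) is also true, with an error message naming both keys. The block is also added to `windows_pools`; worth confirming the `CONTAINER_IMAGE_CACHE` mode is supported for Windows node pools before exposing it there. The enclosing `google_container_node_pool` resources start and end outside the hunk.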
@@ -391,6 +391,7 @@ The node_pools variable takes the following parameters: | value | The value for the taint | | Required | | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | +| secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index fc9b5085b9..0f0be23263 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -748,6 +748,15 @@ resource "google_container_node_pool" "pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", @@ -990,6 +999,15 @@ resource "google_container_node_pool" "windows_pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index b7048076af..6cbf218102 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -369,6 +369,7 @@ The node_pools variable takes the following parameters: | value | The value for the taint | | Required | | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | +| secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 46bbae50c9..4c7d34592e 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -673,6 +673,15 @@ resource "google_container_node_pool" "pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", @@ -914,6 +923,15 @@ resource "google_container_node_pool" "windows_pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index aa9f18bdc7..4b26ef1b36 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -379,6 +379,7 @@ The node_pools variable takes the following parameters: | value | The value for the taint | | Required | | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | +| secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 2845da3817..22a144fdd5 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf 
@@ -729,6 +729,15 @@ resource "google_container_node_pool" "pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", @@ -971,6 +980,15 @@ resource "google_container_node_pool" "windows_pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index baaf2a4faa..d7cfb53aec 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -357,6 +357,7 @@ The node_pools variable takes the following parameters: | value | The value for the taint | | Required | | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | +| secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 233e597658..6944647cff 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -654,6 +654,15 @@ resource "google_container_node_pool" "pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", @@ -895,6 +904,15 @@ resource "google_container_node_pool" "windows_pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 30dc76161d..2d885826ca 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -360,6 +360,7 @@ The node_pools variable takes the following parameters: | value | The value for the taint | | Required | | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | +| secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index a1b98e44a9..8a1c33ab9b 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -676,6 +676,15 @@ resource "google_container_node_pool" "pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", @@ -893,6 +902,15 @@ resource "google_container_node_pool" "windows_pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 7ee544dee6..68daa22417 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
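Review bot: Nothing in the new `secondary_boot_disks` block of the `pools` hunk checks the precondition the README in this commit documents (`gcfs_config` enabled), so the generated code silently accepts a `secondary_boot_disk` on a pool without image streaming; a one-line caveat next to the block, `# Requires image streaming (gcfs_config.enabled = true) on this pool; see README`, or better a `for_each` that also tests the pool's gcfs setting, would surface the mistake at plan time. `disk_image` is also accepted unvalidated, and since its contents are preloaded onto every new node the README row should state that only images built and controlled by the team are acceptable. The same applies to the `windows_pools` hunk below (and, if image streaming is Linux-only as I believe, that copy is dead). The enclosing resources continue outside the hunks; this file is presumably generated from `autogen/main/cluster.tf.tmpl`, where the change should be made.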
@@ -338,6 +338,7 @@ The node_pools variable takes the following parameters: | value | The value for the taint | | Required | | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | +| secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 9dcb9055e8..37e445697c 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -601,6 +601,15 @@ resource "google_container_node_pool" "pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", @@ -817,6 +826,15 @@ resource "google_container_node_pool" "windows_pools" { } } + # Supports a single secondary boot disk because `map(any)` must have the same values type. + dynamic "secondary_boot_disks" { + for_each = lookup(each.value, "secondary_boot_disk", "") != "" ? [each.value.secondary_boot_disk] : [] + content { + disk_image = secondary_boot_disks.value + mode = "CONTAINER_IMAGE_CACHE" + } + } + service_account = lookup( each.value, "service_account", From c87bb41a4d13a06e8e4b7687e15bed63595ad50b Mon Sep 17 00:00:00 2001 
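Review bot: The `secondary_boot_disks` block in the `pools` hunk has no guard for the `gcfs_config` dependency the README in this commit calls out, so a pool that sets `secondary_boot_disk` without image streaming produces a block the provider or API will reject or ignore rather than a plan-time error; add `# Requires image streaming (gcfs_config.enabled = true) on this pool; see README` beside the block, or fold the gcfs check into the `for_each`. The image name in `disk_image` is passed through unvalidated and is preloaded onto every new node, so the README should say it must be a team-built, team-controlled image. The `windows_pools` hunk below repeats the block and has the same gap (and may be dead if image streaming is Linux-only, which I believe it is). Both enclosing resources continue outside the hunks; since this file is presumably generated from `autogen/main/cluster.tf.tmpl`, fix it there.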
From: Eric Ho Date: Sat, 18 May 2024 05:32:26 +0800 Subject: [PATCH 066/176] feat: Add upgrade_settings for NAP created node pools (#1908) --- README.md | 2 +- autogen/main/cluster.tf.tmpl | 19 ++++++++++++ autogen/main/variables.tf.tmpl | 29 ++++++++++++------- cluster.tf | 19 ++++++++++++ .../README.md | 2 +- .../cluster.tf | 19 ++++++++++++ .../variables.tf | 29 ++++++++++++------- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/cluster.tf | 19 ++++++++++++ modules/beta-private-cluster/variables.tf | 29 ++++++++++++------- .../README.md | 2 +- .../cluster.tf | 19 ++++++++++++ .../variables.tf | 29 ++++++++++++------- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/cluster.tf | 19 ++++++++++++ modules/beta-public-cluster/variables.tf | 29 ++++++++++++------- .../private-cluster-update-variant/README.md | 2 +- .../private-cluster-update-variant/cluster.tf | 19 ++++++++++++ .../variables.tf | 29 ++++++++++++------- modules/private-cluster/README.md | 2 +- modules/private-cluster/cluster.tf | 19 ++++++++++++ modules/private-cluster/variables.tf | 29 ++++++++++++------- variables.tf | 29 ++++++++++++------- 23 files changed, 303 insertions(+), 95 deletions(-) diff --git a/README.md b/README.md index 24d24fc815..f9f0f4ac21 100644 --- a/README.md +++ b/README.md 
@@ -138,7 +138,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index aeaa4266d6..d870a46cdf 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -147,6 +147,25 @@ resource "google_container_cluster" "primary" { disk_size = lookup(var.cluster_autoscaling, "disk_size", 100) disk_type = lookup(var.cluster_autoscaling, "disk_type", "pd-standard") + upgrade_settings { + strategy = lookup(var.cluster_autoscaling, "strategy", "SURGE") + max_surge = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_surge", 0) : null + max_unavailable = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_unavailable", 0) : null + + dynamic "blue_green_settings" { + for_each = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : [] + content { + node_pool_soak_duration = lookup(var.cluster_autoscaling, "node_pool_soak_duration", null) + + standard_rollout_policy { + batch_soak_duration = lookup(var.cluster_autoscaling, "batch_soak_duration", null) + batch_percentage = lookup(var.cluster_autoscaling, "batch_percentage", null) + batch_node_count = lookup(var.cluster_autoscaling, "batch_node_count", null) + } + } + } + } + {% if beta_cluster %} min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 09c7071657..8cb575bed8 100644 
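Review bot: The `lookup(var.cluster_autoscaling, "strategy", "SURGE")` fallbacks in the new `upgrade_settings` block of the `cluster.tf.tmpl` hunk do not apply when the caller leaves the field unset: `strategy`, `max_surge` and `max_unavailable` are declared `optional(...)` on the object type and the module default shown in the README table above does not set them, so Terraform fills them with `null` and, as far as I can tell, `lookup` returns that `null` rather than the fallback. With the default input the block is therefore sent with `strategy = null` and both surge counts `null`, and a caller who sets only `strategy = "SURGE"` gets `max_surge = 0` and `max_unavailable = 0`, which I believe the API rejects because the two must sum to at least 1 (verify). I would resolve the nulls explicitly: `strategy = coalesce(var.cluster_autoscaling.strategy, "SURGE")`, `max_surge = coalesce(var.cluster_autoscaling.strategy, "SURGE") == "SURGE" ? coalesce(var.cluster_autoscaling.max_surge, 1) : null`, and `max_unavailable = coalesce(var.cluster_autoscaling.strategy, "SURGE") == "SURGE" ? coalesce(var.cluster_autoscaling.max_unavailable, 0) : null`. Every generated `cluster.tf` in this commit carries the same block, so this template is the place to fix it; the enclosing `auto_provisioning_defaults` block starts outside the hunk.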
--- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -244,17 +244,24 @@ variable "enable_resource_consumption_export" { {% if autopilot_cluster != true %} variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) }) default = { enabled = false diff --git a/cluster.tf b/cluster.tf index 228a1d6410..140d7d754c 100644 --- a/cluster.tf +++ b/cluster.tf 
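Review bot: The new `strategy` attribute in the `variables.tf.tmpl` hunk accepts any string and the value reaches the provider unvalidated, so a typo such as `"BLUE-GREEN"` is only caught at apply time, after the cluster resource has already been planned with an empty `blue_green_settings`. A `validation` block on the variable whose condition is `contains(["SURGE", "BLUE_GREEN"], coalesce(var.cluster_autoscaling.strategy, "SURGE"))` with a message naming the two accepted values would fail at plan time instead; the `coalesce` is needed because an unset optional attribute is `null`. The variable's `description` (outside the hunk) should also name the new attributes and say that `max_surge`/`max_unavailable` apply only to `SURGE` and the soak/batch fields only to `BLUE_GREEN`, since that is what the cluster template does with them. The `variable` block continues past the hunk, and the generated `variables.tf` copies in this commit inherit whatever is added here.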
@@ -120,6 +120,25 @@ resource "google_container_cluster" "primary" { disk_size = lookup(var.cluster_autoscaling, "disk_size", 100) disk_type = lookup(var.cluster_autoscaling, "disk_type", "pd-standard") + upgrade_settings { + strategy = lookup(var.cluster_autoscaling, "strategy", "SURGE") + max_surge = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_surge", 0) : null + max_unavailable = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_unavailable", 0) : null + + dynamic "blue_green_settings" { + for_each = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : [] + content { + node_pool_soak_duration = lookup(var.cluster_autoscaling, "node_pool_soak_duration", null) + + standard_rollout_policy { + batch_soak_duration = lookup(var.cluster_autoscaling, "batch_soak_duration", null) + batch_percentage = lookup(var.cluster_autoscaling, "batch_percentage", null) + batch_node_count = lookup(var.cluster_autoscaling, "batch_node_count", null) + } + } + } + } + } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 5f25cf8111..6252b260a7 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
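Review bot: In the new `upgrade_settings` block of the root `cluster.tf` hunk the `lookup(..., "strategy", "SURGE")`, `"max_surge", 0` and `"max_unavailable", 0` fallbacks never fire for an unset field, because those attributes are `optional(...)` on the object type and the module default in the README above leaves them out, so they arrive as `null` and `lookup` (as far as I can tell) returns `null` for a present-but-null key. The result is an `upgrade_settings` block with `strategy = null` and null surge counts under the default input, and `max_surge = 0` plus `max_unavailable = 0` when only `strategy = "SURGE"` is given, which I believe the API rejects (they must sum to at least 1 — verify). Replace the three lookups with `coalesce(var.cluster_autoscaling.strategy, "SURGE")`, `coalesce(var.cluster_autoscaling.max_surge, 1)` and `coalesce(var.cluster_autoscaling.max_unavailable, 0)` (the latter two still conditioned on the strategy being `SURGE`). This file is generated from `autogen/main/cluster.tf.tmpl`, so apply the change there; the enclosing `auto_provisioning_defaults` block starts outside the hunk.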
@@ -171,7 +171,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 0f0be23263..15a7c2d9a4 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -126,6 +126,25 @@ resource "google_container_cluster" "primary" { disk_size = lookup(var.cluster_autoscaling, "disk_size", 100) disk_type = lookup(var.cluster_autoscaling, "disk_type", "pd-standard") + upgrade_settings { + strategy = lookup(var.cluster_autoscaling, "strategy", "SURGE") + max_surge = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_surge", 0) : null + max_unavailable = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_unavailable", 0) : null + + dynamic "blue_green_settings" { + for_each = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : [] + content { + node_pool_soak_duration = lookup(var.cluster_autoscaling, "node_pool_soak_duration", null) + + standard_rollout_policy { + batch_soak_duration = lookup(var.cluster_autoscaling, "batch_soak_duration", null) + batch_percentage = lookup(var.cluster_autoscaling, "batch_percentage", null) + batch_node_count = lookup(var.cluster_autoscaling, "batch_node_count", null) + } + } + } + } + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") } } 
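Review bot: The `upgrade_settings` block added in the `beta-private-cluster-update-variant/cluster.tf` hunk relies on `lookup` defaults (`"SURGE"`, `0`, `0`) that do not take effect when the caller omits the fields, since `strategy`, `max_surge` and `max_unavailable` are `optional(...)` attributes absent from the module default in the README above and therefore arrive as `null`, which `lookup` returns as-is (as far as I can tell). Under the default input the block is sent with all attributes `null`; with only `strategy = "SURGE"` set, both surge counts become `0`, which I believe GKE rejects (verify). Use `coalesce(var.cluster_autoscaling.strategy, "SURGE")` for the strategy and `coalesce(var.cluster_autoscaling.max_surge, 1)` / `coalesce(var.cluster_autoscaling.max_unavailable, 0)` for the counts. This is a generated copy of `autogen/main/cluster.tf.tmpl`, so the fix belongs in the template; the enclosing `auto_provisioning_defaults` block starts outside the hunk.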
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 5279082444..9e25085fd9 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -239,17 +239,24 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) }) default = { enabled = false diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 6cbf218102..fc937d8ea9 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
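Review bot: The `strategy` attribute added in the `beta-private-cluster-update-variant/variables.tf` hunk is an unconstrained string that is passed to the provider as-is, so an invalid value is only rejected at apply time. A `validation` block on the variable with the condition `contains(["SURGE", "BLUE_GREEN"], coalesce(var.cluster_autoscaling.strategy, "SURGE"))` would catch it at plan time (the `coalesce` handles the unset-optional `null`). The `description`, outside the hunk, should also document which of the new attributes apply to each strategy. As this file is generated from `autogen/main/variables.tf.tmpl`, add it there; the `variable` block continues past the hunk.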
@@ -149,7 +149,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 4c7d34592e..5a2caa5d04 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -126,6 +126,25 @@ resource "google_container_cluster" "primary" { disk_size = lookup(var.cluster_autoscaling, "disk_size", 100) disk_type = lookup(var.cluster_autoscaling, "disk_type", "pd-standard") + upgrade_settings { + strategy = lookup(var.cluster_autoscaling, "strategy", "SURGE") + max_surge = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_surge", 0) : null + max_unavailable = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_unavailable", 0) : null + + dynamic "blue_green_settings" { + for_each = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : [] + content { + node_pool_soak_duration = lookup(var.cluster_autoscaling, "node_pool_soak_duration", null) + + standard_rollout_policy { + batch_soak_duration = lookup(var.cluster_autoscaling, "batch_soak_duration", null) + batch_percentage = lookup(var.cluster_autoscaling, "batch_percentage", null) + batch_node_count = lookup(var.cluster_autoscaling, "batch_node_count", null) + } + } + } + } + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") } } 
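Review bot: The `upgrade_settings` block in the `beta-private-cluster/cluster.tf` hunk uses `lookup` fallbacks that, as far as I can tell, never apply: `strategy`, `max_surge` and `max_unavailable` are `optional(...)` attributes not present in the module default shown in the README above, so they are `null` and `lookup` returns `null` for a present key. The default input thus yields a block with `strategy = null` and null surge counts, and a caller setting only `strategy = "SURGE"` gets `max_surge = 0` with `max_unavailable = 0`, which I believe the API rejects (verify). Prefer `coalesce(var.cluster_autoscaling.strategy, "SURGE")`, `coalesce(var.cluster_autoscaling.max_surge, 1)` and `coalesce(var.cluster_autoscaling.max_unavailable, 0)`. Generated from `autogen/main/cluster.tf.tmpl`, so fix the template; the enclosing `auto_provisioning_defaults` block starts outside the hunk.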
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 5279082444..9e25085fd9 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -239,17 +239,24 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) }) default = { enabled = false diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 4b26ef1b36..5d3e3a1d3f 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
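Review bot: The new `strategy` attribute in the `beta-private-cluster/variables.tf` hunk has no validation, so anything other than `SURGE` or `BLUE_GREEN` is only rejected by the API at apply time. Add a `validation` block whose condition is `contains(["SURGE", "BLUE_GREEN"], coalesce(var.cluster_autoscaling.strategy, "SURGE"))` so the error surfaces at plan time, and extend the `description` (outside the hunk) to say which new attributes belong to which strategy. This file is generated from `autogen/main/variables.tf.tmpl`, so the change belongs there; the `variable` block continues past the hunk.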
@@ -165,7 +165,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 22a144fdd5..68c40f0103 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -126,6 +126,25 @@ resource "google_container_cluster" "primary" { disk_size = lookup(var.cluster_autoscaling, "disk_size", 100) disk_type = lookup(var.cluster_autoscaling, "disk_type", "pd-standard") + upgrade_settings { + strategy = lookup(var.cluster_autoscaling, "strategy", "SURGE") + max_surge = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_surge", 0) : null + max_unavailable = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_unavailable", 0) : null + + dynamic "blue_green_settings" { + for_each = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : [] + content { + node_pool_soak_duration = lookup(var.cluster_autoscaling, "node_pool_soak_duration", null) + + standard_rollout_policy { + batch_soak_duration = lookup(var.cluster_autoscaling, "batch_soak_duration", null) + batch_percentage = lookup(var.cluster_autoscaling, "batch_percentage", null) + batch_node_count = lookup(var.cluster_autoscaling, "batch_node_count", null) + } + } + } + } + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") } } 
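Review bot: In the `beta-public-cluster-update-variant/cluster.tf` hunk the `lookup(var.cluster_autoscaling, "strategy", "SURGE")` and the `0` fallbacks for `max_surge`/`max_unavailable` do not apply when the fields are omitted, because the object type declares them `optional(...)`, the module default in the README above does not set them, and `lookup` (as far as I can tell) returns the resulting `null` rather than the fallback. That leaves an `upgrade_settings` block with all-null attributes under the default input, and `max_surge = 0` plus `max_unavailable = 0` when only `strategy = "SURGE"` is set, which I believe GKE rejects (verify). Use `coalesce(var.cluster_autoscaling.strategy, "SURGE")`, `coalesce(var.cluster_autoscaling.max_surge, 1)` and `coalesce(var.cluster_autoscaling.max_unavailable, 0)` instead. Generated copy of `autogen/main/cluster.tf.tmpl` — fix the template; the enclosing `auto_provisioning_defaults` block starts outside the hunk.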
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index f440b77f0f..66f68f5c9a 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -239,17 +239,24 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) }) default = { enabled = false diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index d7cfb53aec..da6310fb62 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
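Review bot: `strategy` in the `beta-public-cluster-update-variant/variables.tf` hunk is accepted as any string and forwarded to the provider, so a bad value fails only at apply time. A `validation` block with condition `contains(["SURGE", "BLUE_GREEN"], coalesce(var.cluster_autoscaling.strategy, "SURGE"))` moves the failure to plan time; the `description` outside the hunk should also state which new attributes apply to each strategy. Generated from `autogen/main/variables.tf.tmpl`, so add it there; the `variable` block continues past the hunk.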
@@ -143,7 +143,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 6944647cff..431bf9b02c 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -126,6 +126,25 @@ resource "google_container_cluster" "primary" { disk_size = lookup(var.cluster_autoscaling, "disk_size", 100) disk_type = lookup(var.cluster_autoscaling, "disk_type", "pd-standard") + upgrade_settings { + strategy = lookup(var.cluster_autoscaling, "strategy", "SURGE") + max_surge = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_surge", 0) : null + max_unavailable = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_unavailable", 0) : null + + dynamic "blue_green_settings" { + for_each = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : [] + content { + node_pool_soak_duration = lookup(var.cluster_autoscaling, "node_pool_soak_duration", null) + + standard_rollout_policy { + batch_soak_duration = lookup(var.cluster_autoscaling, "batch_soak_duration", null) + batch_percentage = lookup(var.cluster_autoscaling, "batch_percentage", null) + batch_node_count = lookup(var.cluster_autoscaling, "batch_node_count", null) + } + } + } + } + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") } } diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index f440b77f0f..66f68f5c9a 100644 
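Review bot: The `"SURGE"` and `0` fallbacks in the new `lookup(var.cluster_autoscaling, ...)` calls inside `upgrade_settings` can never take effect, because the same patch declares `strategy`, `max_surge` and `max_unavailable` as `optional(...)` attributes of the object type, and Terraform fills an omitted optional attribute with `null` instead of leaving the key absent, while `lookup` only returns its default for a missing key. With the shipped `default` (which has no `strategy`), `strategy` evaluates to `null`, `null == "SURGE"` is false, so `max_surge` and `max_unavailable` are `null` as well and the `blue_green_settings` block is not generated; whether the provider and API then apply their own surge defaults to an `upgrade_settings` block with every attribute unset, or reject it, is not visible here and should be confirmed with a plan against an existing cluster. Reading the attribute directly through `coalesce` (below) restores the intended defaults, and if the module's minimum Terraform version permits it, `strategy = optional(string, "SURGE")` in the type is the simpler fix; the repeated strategy expression would also read better hoisted into a local. The identical hunk appears in modules/private-cluster-update-variant/cluster.tf and modules/private-cluster/cluster.tf in this patch. The enclosing `google_container_cluster` resource and the block that holds `disk_size`/`disk_type` both open and close outside the hunk.
```hcl
        upgrade_settings {
          strategy        = coalesce(var.cluster_autoscaling.strategy, "SURGE")
          max_surge       = coalesce(var.cluster_autoscaling.strategy, "SURGE") == "SURGE" ? coalesce(var.cluster_autoscaling.max_surge, 0) : null
          max_unavailable = coalesce(var.cluster_autoscaling.strategy, "SURGE") == "SURGE" ? coalesce(var.cluster_autoscaling.max_unavailable, 0) : null

          dynamic "blue_green_settings" {
            for_each = coalesce(var.cluster_autoscaling.strategy, "SURGE") == "BLUE_GREEN" ? [1] : []
            # … unchanged: content block with node_pool_soak_duration and standard_rollout_policy …
          }
        }
```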
--- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -239,17 +239,24 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) }) default = { enabled = false diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 2d885826ca..3584eb155f 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -166,7 +166,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 8a1c33ab9b..44c2e22604 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -120,6 +120,25 @@ resource "google_container_cluster" "primary" { disk_size = lookup(var.cluster_autoscaling, "disk_size", 100) disk_type = lookup(var.cluster_autoscaling, "disk_type", "pd-standard") + upgrade_settings { + strategy = lookup(var.cluster_autoscaling, "strategy", "SURGE") + max_surge = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_surge", 0) : null + max_unavailable = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_unavailable", 0) : null + + dynamic "blue_green_settings" { + for_each = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : [] + content { + node_pool_soak_duration = lookup(var.cluster_autoscaling, "node_pool_soak_duration", null) + + standard_rollout_policy { + batch_soak_duration = lookup(var.cluster_autoscaling, "batch_soak_duration", null) + batch_percentage = lookup(var.cluster_autoscaling, "batch_percentage", null) + batch_node_count = lookup(var.cluster_autoscaling, "batch_node_count", null) + } + } + } + } + } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" 
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 687f54ed89..787352a83e 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -239,17 +239,24 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) }) default = { enabled = false diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 68daa22417..daec89ea7a 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -144,7 +144,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 37e445697c..f8bf294875 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -120,6 +120,25 @@ resource "google_container_cluster" "primary" { disk_size = lookup(var.cluster_autoscaling, "disk_size", 100) disk_type = lookup(var.cluster_autoscaling, "disk_type", "pd-standard") + upgrade_settings { + strategy = lookup(var.cluster_autoscaling, "strategy", "SURGE") + max_surge = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_surge", 0) : null + max_unavailable = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "SURGE" ? lookup(var.cluster_autoscaling, "max_unavailable", 0) : null + + dynamic "blue_green_settings" { + for_each = lookup(var.cluster_autoscaling, "strategy", "SURGE") == "BLUE_GREEN" ? [1] : [] + content { + node_pool_soak_duration = lookup(var.cluster_autoscaling, "node_pool_soak_duration", null) + + standard_rollout_policy { + batch_soak_duration = lookup(var.cluster_autoscaling, "batch_soak_duration", null) + batch_percentage = lookup(var.cluster_autoscaling, "batch_percentage", null) + batch_node_count = lookup(var.cluster_autoscaling, "batch_node_count", null) + } + } + } + } + } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" 
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 687f54ed89..787352a83e 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -239,17 +239,24 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) }) default = { enabled = false diff --git a/variables.tf b/variables.tf index 0e05d74597..dc2352b24a 100644 --- a/variables.tf +++ b/variables.tf 
@@ -239,17 +239,24 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) }) default = { enabled = false From 22721644102a8b6b875439c80a6571266e6bf723 Mon Sep 17 00:00:00 2001 
From: Endre Czirbesz Date: Mon, 20 May 2024 22:45:30 +0100 Subject: [PATCH 067/176] feat: Add option image_type in cluster_autoscaling block (#1905) --- README.md | 2 +- autogen/main/cluster.tf.tmpl | 2 ++ autogen/main/variables.tf.tmpl | 2 ++ cluster.tf | 2 ++ modules/beta-private-cluster-update-variant/README.md | 2 +- modules/beta-private-cluster-update-variant/cluster.tf | 2 ++ modules/beta-private-cluster-update-variant/variables.tf | 2 ++ modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/cluster.tf | 2 ++ modules/beta-private-cluster/variables.tf | 2 ++ modules/beta-public-cluster-update-variant/README.md | 2 +- modules/beta-public-cluster-update-variant/cluster.tf | 2 ++ modules/beta-public-cluster-update-variant/variables.tf | 2 ++ modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/cluster.tf | 2 ++ modules/beta-public-cluster/variables.tf | 2 ++ modules/private-cluster-update-variant/README.md | 2 +- modules/private-cluster-update-variant/cluster.tf | 2 ++ modules/private-cluster-update-variant/variables.tf | 2 ++ modules/private-cluster/README.md | 2 +- modules/private-cluster/cluster.tf | 2 ++ modules/private-cluster/variables.tf | 2 ++ variables.tf | 2 ++ 23 files changed, 39 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index f9f0f4ac21..8954edefbc 100644 --- a/README.md +++ b/README.md 
@@ -138,7 +138,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index d870a46cdf..4d05a76bec 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -169,6 +169,8 @@ resource "google_container_cluster" "primary" { {% if beta_cluster %} min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") {% endif %} + + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 8cb575bed8..84ef97a000 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -255,6 +255,7 @@ variable "cluster_autoscaling" { auto_upgrade = bool disk_size = optional(number) disk_type = optional(string) + image_type = optional(string) strategy = optional(string) max_surge = optional(number) max_unavailable = optional(number) @@ -275,6 +276,7 @@ variable "cluster_autoscaling" { auto_upgrade = true disk_size = 100 disk_type = "pd-standard" + image_type = "COS_CONTAINERD" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/cluster.tf b/cluster.tf index 140d7d754c..0d586b2259 100644 --- a/cluster.tf +++ b/cluster.tf 
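Review bot: The `"COS_CONTAINERD"` fallback in the new `image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD")` line of autogen/main/cluster.tf.tmpl is dead: `image_type` is declared `optional(string)` in variables.tf.tmpl in this same patch, an omitted optional attribute is present as `null`, and `lookup` returns that `null` rather than its default. The effective default is therefore only the `image_type = "COS_CONTAINERD"` entry added to the variable's `default`, and a caller who supplies their own `cluster_autoscaling` object without `image_type` hands `null` to the provider, i.e. gets whatever image the API chooses instead of the module's choice; `image_type = coalesce(var.cluster_autoscaling.image_type, "COS_CONTAINERD")` keeps the module-side default in both cases. Because this attribute appears to select the node OS image for auto-provisioned node pools (the block it lands in opens outside the hunk), a plan-time `validation` listing the image types the platform team permits would make the node image an explicit, reviewed setting rather than a free-form string. The generated copies in cluster.tf, modules/beta-private-cluster-update-variant/cluster.tf and modules/beta-private-cluster/cluster.tf carry the same line and inherit the fix from the template.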
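Review bot: The `description` of `variable "cluster_autoscaling"`, visible as context in the second autogen/main/variables.tf.tmpl hunk, is not updated for the new `image_type` attribute and still only links to the GKE clusterautoscaling reference, so the README tables generated from it expose the new key through its type and default alone. Suggest a sentence stating what `image_type` selects (the node image for auto-provisioned node pools, if that is the block the cluster.tf.tmpl line feeds — its opening is outside that hunk), that `COS_CONTAINERD` is the module default, and, since the description was never extended for them either, that `strategy` is expected to be `SURGE` or `BLUE_GREEN` and decides whether the surge or the blue-green attributes are used. The generated variables.tf copies in the patch would pick the wording up from the template.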
@@ -139,6 +139,8 @@ resource "google_container_cluster" "primary" { } } + + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 6252b260a7..37613be7c1 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -171,7 +171,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 15a7c2d9a4..781eaf7c45 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -146,6 +146,8 @@ resource "google_container_cluster" "primary" { } min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 9e25085fd9..156a6f9983 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -250,6 +250,7 @@ variable "cluster_autoscaling" { auto_upgrade = bool disk_size = optional(number) disk_type = optional(string) + image_type = optional(string) strategy = optional(string) max_surge = optional(number) max_unavailable = optional(number) @@ -270,6 +271,7 @@ variable "cluster_autoscaling" { auto_upgrade = true disk_size = 100 disk_type = "pd-standard" + image_type = "COS_CONTAINERD" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } 
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index fc937d8ea9..275ea32a1b 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -149,7 +149,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 5a2caa5d04..d4bab69721 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -146,6 +146,8 @@ resource "google_container_cluster" "primary" { } min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 9e25085fd9..156a6f9983 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -250,6 +250,7 @@ variable "cluster_autoscaling" { auto_upgrade = bool disk_size = optional(number) disk_type = optional(string) + image_type = optional(string) strategy = optional(string) max_surge = optional(number) max_unavailable = optional(number) @@ -270,6 +271,7 @@ variable "cluster_autoscaling" { auto_upgrade = true disk_size = 100 disk_type = "pd-standard" + image_type = "COS_CONTAINERD" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } 
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 5d3e3a1d3f..7694591dc5 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -165,7 +165,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 68c40f0103..a303342f76 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -146,6 +146,8 @@ resource "google_container_cluster" "primary" { } min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 66f68f5c9a..6cadf89cfd 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -250,6 +250,7 @@ variable "cluster_autoscaling" { auto_upgrade = bool disk_size = optional(number) disk_type = optional(string) + image_type = optional(string) strategy = optional(string) max_surge = optional(number) max_unavailable = optional(number) @@ -270,6 +271,7 @@ variable "cluster_autoscaling" { auto_upgrade = true disk_size = 100 disk_type = "pd-standard" + image_type = "COS_CONTAINERD" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } 
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index da6310fb62..e0442f9063 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -143,7 +143,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 431bf9b02c..45f95e2002 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -146,6 +146,8 @@ resource "google_container_cluster" "primary" { } min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 66f68f5c9a..6cadf89cfd 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -250,6 +250,7 @@ variable "cluster_autoscaling" { auto_upgrade = bool disk_size = optional(number) disk_type = optional(string) + image_type = optional(string) strategy = optional(string) max_surge = optional(number) max_unavailable = optional(number) @@ -270,6 +271,7 @@ variable "cluster_autoscaling" { auto_upgrade = true disk_size = 100 disk_type = "pd-standard" + image_type = "COS_CONTAINERD" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } 
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 3584eb155f..aa00ef6489 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -166,7 +166,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 44c2e22604..a025a5e19e 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -139,6 +139,8 @@ resource "google_container_cluster" "primary" { } } + + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 787352a83e..ba16201dd5 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -250,6 +250,7 @@ variable "cluster_autoscaling" { auto_upgrade = bool disk_size = optional(number) disk_type = optional(string) + image_type = optional(string) strategy = optional(string) max_surge = optional(number) max_unavailable = optional(number) @@ -270,6 +271,7 @@ variable "cluster_autoscaling" { auto_upgrade = true disk_size = 100 disk_type = "pd-standard" + image_type = "COS_CONTAINERD" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } 
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index daec89ea7a..5fd6912b2b 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -144,7 +144,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index f8bf294875..043393d771 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -139,6 +139,8 @@ resource "google_container_cluster" "primary" { } } + + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } } autoscaling_profile = var.cluster_autoscaling.autoscaling_profile != null ? var.cluster_autoscaling.autoscaling_profile : "BALANCED" diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 787352a83e..ba16201dd5 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -250,6 +250,7 @@ variable "cluster_autoscaling" { auto_upgrade = bool disk_size = optional(number) disk_type = optional(string) + image_type = optional(string) strategy = optional(string) max_surge = optional(number) max_unavailable = optional(number) @@ -270,6 +271,7 @@ variable "cluster_autoscaling" { auto_upgrade = true disk_size = 100 disk_type = "pd-standard" + image_type = "COS_CONTAINERD" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/variables.tf b/variables.tf index dc2352b24a..8c965b8ec8 100644 --- a/variables.tf +++ b/variables.tf 
@@ -250,6 +250,7 @@ variable "cluster_autoscaling" { auto_upgrade = bool disk_size = optional(number) disk_type = optional(string) + image_type = optional(string) strategy = optional(string) max_surge = optional(number) max_unavailable = optional(number) @@ -270,6 +271,7 @@ variable "cluster_autoscaling" { auto_upgrade = true disk_size = 100 disk_type = "pd-standard" + image_type = "COS_CONTAINERD" } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } From 12cf40fcfeb341220f639138483897a47c76c6f9 Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Wed, 22 May 2024 18:34:45 +0300 Subject: [PATCH 068/176] fix: add gpu_driver_version to recreate list + docs (#1913) --- README.md | 1 + autogen/main/README.md | 1 + autogen/main/cluster.tf.tmpl | 1 + modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 1 + modules/beta-private-cluster/README.md | 1 + modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 1 + modules/beta-public-cluster/README.md | 1 + modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 1 + modules/private-cluster/README.md | 1 + 12 files changed, 12 insertions(+) diff --git a/README.md b/README.md index 8954edefbc..d69dc70424 100644 --- a/README.md +++ b/README.md 
@@ -293,6 +293,7 @@ The node_pools variable takes the following parameters: | enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | +| gpu_driver_version | Mode for how the GPU driver is installed | null | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index 15dddf735b..8c11bfdd64 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -205,6 +205,7 @@ The node_pools variable takes the following parameters:
 | enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
+| gpu_driver_version | Mode for how the GPU driver is installed | null | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 4d05a76bec..c6b22ee2e6 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -642,6 +642,7 @@ locals {
 "accelerator_count",
 "accelerator_type",
 "gpu_partition_size",
+ "gpu_driver_version",
 "enable_secure_boot",
 "enable_integrity_monitoring",
 "local_ssd_count",
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 37613be7c1..37a67f70f1 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
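Review bot: The new `"gpu_driver_version"` entry in this `locals` list is not reflected in the README rows added by the same commit, which describe the parameter only as `Mode for how the GPU driver is installed`. If this list is the set of node_pool keys whose change forces the update-variant modules to recreate the pool (the list's purpose is not visible here; the `locals` block starts and ends outside the hunk), the row should say so, as the `image_type` row already does: `| gpu_driver_version | Mode for how the GPU driver is installed. Note that changing this will delete and recreate all nodes in the node pool | null | Optional |`. Naming the accepted modes in that row would also help, since the README is what users read before choosing a value. The same applies to the generated copies of this list in modules/beta-private-cluster-update-variant/cluster.tf, modules/beta-public-cluster-update-variant/cluster.tf and modules/private-cluster-update-variant/cluster.tf.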
@@ -355,6 +355,7 @@ The node_pools variable takes the following parameters:
 | enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
+| gpu_driver_version | Mode for how the GPU driver is installed | null | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 781eaf7c45..af4d9c144b 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -551,6 +551,7 @@ locals {
 "accelerator_count",
 "accelerator_type",
 "gpu_partition_size",
+ "gpu_driver_version",
 "enable_secure_boot",
 "enable_integrity_monitoring",
 "local_ssd_count",
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 275ea32a1b..016e845ed2 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md @@ -333,6 +333,7 @@ The node_pools variable takes the following parameters: | enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | +| gpu_driver_version | Mode for how the GPU driver is installed | null | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 7694591dc5..29d3eaa032 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -342,6 +342,7 @@ The node_pools variable takes the following parameters:
 | enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
+| gpu_driver_version | Mode for how the GPU driver is installed | null | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index a303342f76..ee27b582cc 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -532,6 +532,7 @@ locals {
 "accelerator_count",
 "accelerator_type",
 "gpu_partition_size",
+ "gpu_driver_version",
 "enable_secure_boot",
 "enable_integrity_monitoring",
 "local_ssd_count",
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index e0442f9063..dc139e92eb 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md @@ -320,6 +320,7 @@ The node_pools variable takes the following parameters: | enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | +| gpu_driver_version | Mode for how the GPU driver is installed | null | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index aa00ef6489..13a344d0fe 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -328,6 +328,7 @@ The node_pools variable takes the following parameters:
 | enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
+| gpu_driver_version | Mode for how the GPU driver is installed | null | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
 | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
 | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index a025a5e19e..fc44245ed4 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -485,6 +485,7 @@ locals {
 "accelerator_count",
 "accelerator_type",
 "gpu_partition_size",
+ "gpu_driver_version",
 "enable_secure_boot",
 "enable_integrity_monitoring",
 "local_ssd_count",
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 5fd6912b2b..9671440668 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -306,6 +306,7 @@ The node_pools variable takes the following parameters: | enable_gvnic | gVNIC (GVE) is an alternative to the virtIO-based ethernet driver. Needs a Container-Optimized OS node image. | false | Optional | | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | +| gpu_driver_version | Mode for how the GPU driver is installed | null | Optional | | gpu_partition_size | Size of partitions to create on the GPU | null | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | From d87cbeec2d5a1ad7780cd94c6d85d4d6167fa80b Mon Sep 17 00:00:00 2001 From: Patrick Black Date: Wed, 22 May 2024 10:42:38 -0500 Subject: [PATCH 069/176] docs: add multicluster configuration note (#1883) --- modules/workload-identity/README.md | 45 +++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/modules/workload-identity/README.md b/modules/workload-identity/README.md index 5024cc7d33..d11a8dbb71 100644 --- a/modules/workload-identity/README.md +++ b/modules/workload-identity/README.md 
@@ -94,6 +94,51 @@ module "my-app-workload-identity" { If annotation is disabled (via `annotate_k8s_sa = false`), the existing Kubernetes service account must already bear the `"iam.gke.io/gcp-service-account"` annotation. +## Using with multiple clusters + +This module accommodates configurations involving multiple clusters within the kubernetes provider. + +To begin, initialize the kubernetes provider for each cluster with a unique alias, as demonstrated below: + +Initialize your `kubernetes` provider with an alias like the following: + +```hcl +provider "kubernetes" { + alias = "alias-for-your-cluster" + host = "https://your-cluster-host-url.com" + token = "your-cluster-token" + cluster_ca_certificate = base64decode("Your-Cluster-Certificate") +} +``` + +Ensure each cluster configuration has a distinct alias. Repeat this step for every cluster you intend to manage. + +In your module configuration, include the providers attribute to assign the appropriate provider alias: + +```hcl +module "workload_identity_for_cluster" { + source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" + + providers = { + kubernetes = kubernetes.alias-for-your-cluster + } + + name = "service-account-name" + namespace = "desired-namespace" + // Other module configurations +} +``` + +This approach is required when managing multiple clusters. Omitting this step can lead to errors like the one shown below: + +```shell +Error: Get "http://localhost/api/v1/namespaces/default/serviceaccounts/your-service-account": dial tcp [::1]:80: connect: connection refused +│ +│ with module.your_workload_identity.kubernetes_service_account.main[0], +│ on .terraform/modules/your_workload_identity/modules/workload-identity/main.tf line 50, in resource "kubernetes_service_account" "main": +│ 50: resource "kubernetes_service_account" "main" { +``` + ## Inputs From 04ebd0c7d3ad236abcfcd9a7b1c54d4c75b1ba28 Mon Sep 17 00:00:00 2001 
From: Alexander Samusev <41779041+alvicsam@users.noreply.github.com> Date: Wed, 22 May 2024 18:55:01 +0200 Subject: [PATCH 070/176] feat: Add local_ssd_ephemeral_count to default configuration (#1944) --- README.md | 1 + autogen/main/README.md | 1 + autogen/main/cluster.tf.tmpl | 6 +++++ cluster.tf | 12 +++++++++ examples/node_pool/main.tf | 25 ++++++++++--------- .../README.md | 1 + .../cluster.tf | 12 +++++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 12 +++++++++ .../README.md | 1 + .../cluster.tf | 12 +++++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 12 +++++++++ .../private-cluster-update-variant/README.md | 1 + .../private-cluster-update-variant/cluster.tf | 12 +++++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 12 +++++++++ 17 files changed, 111 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index d69dc70424..9296f278c0 100644 --- a/README.md +++ b/README.md 
@@ -300,6 +300,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index 8c11bfdd64..49827285e4 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -212,6 +212,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | {% if beta_cluster %} | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | {% endif %} diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index c6b22ee2e6..96356c808a 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -870,6 +870,12 @@ resource "google_container_node_pool" "windows_pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } {% if beta_cluster %} dynamic "ephemeral_storage_config" { for_each = lookup(each.value, "local_ssd_ephemeral_count",0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] diff --git a/cluster.tf b/cluster.tf index 0d586b2259..d4c17bcecf 100644 --- a/cluster.tf +++ b/cluster.tf 
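Review bot: The new `ephemeral_storage_local_ssd_config` block in the `windows_pools` hunk gates on one key and reads another: `for_each` checks `lookup(each.value, "local_ssd_ephemeral_storage_count", 0)` but the list it builds is `[each.value.local_ssd_ephemeral_count]`, so a pool that sets only the documented `local_ssd_ephemeral_storage_count` fails at plan time on the missing attribute rather than getting its scratch SSDs. The one-line fix is `for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []`. In the `beta_cluster` branch the pre-existing `ephemeral_storage_config` right below is keyed on `local_ssd_ephemeral_count`, so a pool that sets both keys renders both blocks — presumably rejected by the provider as conflicting, and worth a comment in the template saying which key a beta pool should use. The `windows_pools` resource starts and ends outside the hunk.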
@@ -595,6 +595,12 @@ resource "google_container_node_pool" "pools" {
disk_size_gb = lookup(each.value, "disk_size_gb", 100)
disk_type = lookup(each.value, "disk_type", "pd-standard")
+ dynamic "ephemeral_storage_local_ssd_config" {
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ content {
+ local_ssd_count = ephemeral_storage_local_ssd_config.value
+ }
+ }
dynamic "local_nvme_ssd_block_config" {
for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
@@ -820,6 +826,12 @@ resource "google_container_node_pool" "windows_pools" {
disk_size_gb = lookup(each.value, "disk_size_gb", 100)
disk_type = lookup(each.value, "disk_type", "pd-standard")
+ dynamic "ephemeral_storage_local_ssd_config" {
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ content {
+ local_ssd_count = ephemeral_storage_local_ssd_config.value
+ }
+ }
dynamic "local_nvme_ssd_block_config" {
for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index cea54d19b6..e00e9c5136 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
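Review bot: In the `pools` hunk the `for_each` of the new `ephemeral_storage_local_ssd_config` block checks `local_ssd_ephemeral_storage_count` but then dereferences `each.value.local_ssd_ephemeral_count`, a key this root module never documents; any pool that sets the new key and not the other one fails at plan time with an unsupported-attribute error. Replace the list element with the key that was tested: `for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []`. This is the generated copy of the autogen template, so the fix belongs in `autogen/main/cluster.tf.tmpl` as well. The `pools` resource starts and ends outside the hunk.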
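Review bot: The `windows_pools` hunk carries the same key mismatch as the `pools` hunk above — `for_each` tests `local_ssd_ephemeral_storage_count` while the list reads `each.value.local_ssd_ephemeral_count` — and needs the same `[each.value.local_ssd_ephemeral_storage_count]` correction. Since the two hunks are identical it would be worth a comment on the block noting the key is shared with the Linux pool definition, so the next edit changes both. The `windows_pools` resource continues outside the hunk.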
@@ -66,18 +66,19 @@ module "gke" { service_account = var.compute_engine_service_account }, { - name = "pool-03" - machine_type = "n1-standard-2" - node_locations = "${var.region}-b,${var.region}-c" - autoscaling = false - node_count = 2 - disk_type = "pd-standard" - auto_upgrade = true - service_account = var.compute_engine_service_account - pod_range = "test" - sandbox_enabled = true - cpu_manager_policy = "static" - cpu_cfs_quota = true + name = "pool-03" + machine_type = "n1-standard-2" + node_locations = "${var.region}-b,${var.region}-c" + autoscaling = false + node_count = 2 + disk_type = "pd-standard" + auto_upgrade = true + service_account = var.compute_engine_service_account + pod_range = "test" + sandbox_enabled = true + cpu_manager_policy = "static" + cpu_cfs_quota = true + local_ssd_ephemeral_count = 2 }, ] diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 37a67f70f1..aa24ab95c8 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
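Review bot: `pool-03` sets `local_ssd_ephemeral_count = 2`, but the root module's block added in this same change only reacts to `local_ssd_ephemeral_storage_count`, so if `module "gke"` here sources the root (non-beta) module the key is silently dropped by `lookup()` and the new feature is never exercised by this example; if it sources a beta module it exercises the older `ephemeral_storage_config` path instead. The module source is outside the hunk, so which of the two applies cannot be confirmed from here. Unless the example is deliberately pinned to a beta module, use the key the new code reads, `local_ssd_ephemeral_storage_count = 2`, and do not set both keys on one pool.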
@@ -362,6 +362,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index af4d9c144b..fdb6f891d8 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -756,6 +756,12 @@ resource "google_container_node_pool" "pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "ephemeral_storage_config" { for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] content { @@ -1007,6 +1013,12 @@ resource "google_container_node_pool" "windows_pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "ephemeral_storage_config" { for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] content { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 016e845ed2..91b95efbb3 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
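Review bot: The `pools` hunk gates the new `ephemeral_storage_local_ssd_config` block on `local_ssd_ephemeral_storage_count` but indexes `each.value.local_ssd_ephemeral_count`, so a pool that sets only the new key fails at plan time on the missing attribute; the list should be `[each.value.local_ssd_ephemeral_storage_count]`. In this beta module the pre-existing `ephemeral_storage_config` directly below is keyed on `local_ssd_ephemeral_count`, so a pool that sets both keys renders both blocks, which the provider presumably rejects as conflicting; the README rows for the two keys carry identical descriptions and do not say which one a beta pool should use. A comment above the new block such as `# prefer local_ssd_ephemeral_storage_count; local_ssd_ephemeral_count is the legacy beta key and must not be set alongside it` would resolve that. The `pools` resource starts and ends outside the hunk.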
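Review bot: The `windows_pools` hunk repeats the key mismatch of the `pools` hunk above (`for_each` tests `local_ssd_ephemeral_storage_count`, the list reads `each.value.local_ssd_ephemeral_count`) and needs the same `[each.value.local_ssd_ephemeral_storage_count]` fix. It also inherits the both-keys-set ambiguity with the adjacent `ephemeral_storage_config` block. The `windows_pools` resource continues outside the hunk.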
@@ -340,6 +340,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index d4bab69721..742ecaef32 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -680,6 +680,12 @@ resource "google_container_node_pool" "pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "ephemeral_storage_config" { for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] content { @@ -930,6 +936,12 @@ resource "google_container_node_pool" "windows_pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "ephemeral_storage_config" { for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] content { diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 29d3eaa032..9ccec076a4 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
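Review bot: In the `pools` hunk the new block's `for_each` checks `local_ssd_ephemeral_storage_count` and then reads `each.value.local_ssd_ephemeral_count`; a pool that sets only the new, documented key errors at plan time instead of getting its emptyDir SSDs. Change the list to `[each.value.local_ssd_ephemeral_storage_count]`. Because the existing `ephemeral_storage_config` block beneath it is keyed on `local_ssd_ephemeral_count`, setting both keys on one pool emits both blocks — presumably a provider conflict — and a short comment stating that the two keys are mutually exclusive would prevent that misuse. The `pools` resource starts and ends outside the hunk.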
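Review bot: The `windows_pools` hunk has the same `local_ssd_ephemeral_storage_count` / `each.value.local_ssd_ephemeral_count` mismatch as the `pools` hunk above and needs the same one-line correction to `[each.value.local_ssd_ephemeral_storage_count]`. The `windows_pools` resource continues outside the hunk.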
@@ -349,6 +349,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index ee27b582cc..2d0f4ff8e7 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf 
@@ -737,6 +737,12 @@ resource "google_container_node_pool" "pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "ephemeral_storage_config" { for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] content { @@ -988,6 +994,12 @@ resource "google_container_node_pool" "windows_pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "ephemeral_storage_config" { for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] content { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index dc139e92eb..9f8037a19f 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
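Review bot: The `pools` hunk tests `local_ssd_ephemeral_storage_count` in `for_each` but builds the list from `each.value.local_ssd_ephemeral_count`, so the new key cannot be used on its own without a plan-time unsupported-attribute error; use `[each.value.local_ssd_ephemeral_storage_count]`. With the pre-existing `ephemeral_storage_config` block right below keyed on `local_ssd_ephemeral_count`, a pool carrying both keys renders both blocks, which the provider presumably rejects; the README in this change documents both keys with the same sentence and gives no guidance, so a comment on the block naming the preferred key is warranted. The `pools` resource starts and ends outside the hunk.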
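Review bot: The `windows_pools` hunk repeats the `for_each` key mismatch of the `pools` hunk above and needs the same `[each.value.local_ssd_ephemeral_storage_count]` fix. The `windows_pools` resource continues outside the hunk.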
@@ -327,6 +327,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 45f95e2002..fcbac0cac4 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -661,6 +661,12 @@ resource "google_container_node_pool" "pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "ephemeral_storage_config" { for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] content { @@ -911,6 +917,12 @@ resource "google_container_node_pool" "windows_pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "ephemeral_storage_config" { for_each = lookup(each.value, "local_ssd_ephemeral_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] content { diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 13a344d0fe..267ab2b50e 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
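Review bot: The `pools` hunk gates on `local_ssd_ephemeral_storage_count` but reads `each.value.local_ssd_ephemeral_count`; a pool setting only the new key fails at plan time. The list element should be `each.value.local_ssd_ephemeral_storage_count`. As in the other beta modules, the older `ephemeral_storage_config` block directly below is keyed on `local_ssd_ephemeral_count`, so both keys on one pool produce both blocks — presumably a provider conflict — and the block deserves a comment marking the two keys mutually exclusive. The `pools` resource starts and ends outside the hunk.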
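Review bot: The `windows_pools` hunk carries the same `local_ssd_ephemeral_storage_count` / `each.value.local_ssd_ephemeral_count` mismatch and needs the same `[each.value.local_ssd_ephemeral_storage_count]` correction. The `windows_pools` resource continues outside the hunk.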
@@ -335,6 +335,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index fc44245ed4..d48a810a0c 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -690,6 +690,12 @@ resource "google_container_node_pool" "pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "local_nvme_ssd_block_config" { for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] @@ -916,6 +922,12 @@ resource "google_container_node_pool" "windows_pools" { disk_size_gb = lookup(each.value, "disk_size_gb", 100) disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "ephemeral_storage_local_ssd_config" { + for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + content { + local_ssd_count = ephemeral_storage_local_ssd_config.value + } + } dynamic "local_nvme_ssd_block_config" { for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 9671440668..dc1559b943 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
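Review bot: In the `pools` hunk the new `ephemeral_storage_local_ssd_config` block checks `local_ssd_ephemeral_storage_count` in `for_each` and then dereferences `each.value.local_ssd_ephemeral_count`, a key this non-beta module does not document at all, so the feature cannot be enabled without a plan-time error. Fix: `for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []`. The `pools` resource starts and ends outside the hunk.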
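Review bot: The `windows_pools` hunk has the same key mismatch as the `pools` hunk above and needs the same `[each.value.local_ssd_ephemeral_storage_count]` fix. The `windows_pools` resource continues outside the hunk.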
@@ -313,6 +313,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_storage_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 043393d771..335415508f 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -614,6 +614,12 @@ resource "google_container_node_pool" "pools" {
disk_size_gb = lookup(each.value, "disk_size_gb", 100)
disk_type = lookup(each.value, "disk_type", "pd-standard")
+ dynamic "ephemeral_storage_local_ssd_config" {
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ content {
+ local_ssd_count = ephemeral_storage_local_ssd_config.value
+ }
+ }
dynamic "local_nvme_ssd_block_config" {
for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
@@ -839,6 +845,12 @@ resource "google_container_node_pool" "windows_pools" {
disk_size_gb = lookup(each.value, "disk_size_gb", 100)
disk_type = lookup(each.value, "disk_type", "pd-standard")
+ dynamic "ephemeral_storage_local_ssd_config" {
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ content {
+ local_ssd_count = ephemeral_storage_local_ssd_config.value
+ }
+ }
dynamic "local_nvme_ssd_block_config" {
for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : []
From e573cedee0a82517410f9d607ce69be7189124ca Mon Sep 17 00:00:00 2001
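Review bot: The `pools` hunk tests `local_ssd_ephemeral_storage_count` but reads `each.value.local_ssd_ephemeral_count`, which the private-cluster module neither documents nor reads anywhere else, so setting the new key alone fails at plan time. Use `[each.value.local_ssd_ephemeral_storage_count]` as the list element, mirroring how the sibling `local_nvme_ssd_block_config` block reads the same key it tests. The `pools` resource starts and ends outside the hunk.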
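Review bot: The `windows_pools` hunk repeats the `for_each` key mismatch of the `pools` hunk above and needs the same `[each.value.local_ssd_ephemeral_storage_count]` correction. The `windows_pools` resource continues outside the hunk.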
From: Alexander Samusev <41779041+alvicsam@users.noreply.github.com> Date: Wed, 22 May 2024 20:42:04 +0200 Subject: [PATCH 071/176] feat: Add threads_per_core setting for node config in node pools (#1942) --- README.md | 1 + autogen/main/README.md | 1 + autogen/main/cluster.tf.tmpl | 7 +++++++ cluster.tf | 14 ++++++++++++++ .../beta-private-cluster-update-variant/README.md | 1 + .../beta-private-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 14 ++++++++++++++ .../beta-public-cluster-update-variant/README.md | 1 + .../beta-public-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 14 ++++++++++++++ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 14 ++++++++++++++ 16 files changed, 113 insertions(+) diff --git a/README.md b/README.md index 9296f278c0..c354cd843f 100644 --- a/README.md +++ b/README.md 
@@ -308,6 +308,7 @@ The node_pools variable takes the following parameters: | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional | | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | +| threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index 49827285e4..5801d04b4c 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -223,6 +223,7 @@ The node_pools variable takes the following parameters: | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional | | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | +| threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 96356c808a..49a2508cc3 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -930,6 +930,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
diff --git a/cluster.tf b/cluster.tf
index d4c17bcecf..32f9f29d78 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -647,6 +647,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
@@ -878,6 +885,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index aa24ab95c8..883af3419e 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
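Review bot: The new `advanced_machine_features` block carries no comment on what the knob is for, and since `threads_per_core = 1` disables SMT on the pool's nodes — a common hardening choice for pools that schedule mutually untrusted workloads — a line such as `# threads_per_core = 1 turns off SMT for the pool; the block is only emitted when a value > 0 is given` would help readers pick it deliberately. The README row on the preceding hunks describes the setting only in capacity terms and opens with a stray "Optional" before "The number of threads", which duplicates the last column. The update-variant modules appear to keep a list of node_config keys under `locals` that drives node-pool recreation (the later gpu_sharing_config commit adds its keys there), and nothing in this series adds `threads_per_core` to it, so please confirm how a change to the value is applied in those variants. The same block is repeated for `pools` and `windows_pools` in cluster.tf and each module copy (L1914–L1926).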
@@ -371,6 +371,7 @@ The node_pools variable takes the following parameters:
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
 | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional |
+| threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional |
 | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional |
 | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional |
 | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index fdb6f891d8..9a0b421085 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -814,6 +814,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
@@ -1071,6 +1078,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 91b95efbb3..0f06cabef4 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -349,6 +349,7 @@ The node_pools variable takes the following parameters:
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
 | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional |
+| threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional |
 | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional |
 | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional |
 | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 742ecaef32..135659eb57 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -738,6 +738,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
@@ -994,6 +1001,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 9ccec076a4..12dacc2128 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -358,6 +358,7 @@ The node_pools variable takes the following parameters:
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
 | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional |
+| threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional |
 | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional |
 | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional |
 | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 2d0f4ff8e7..9f2e50b48d 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -795,6 +795,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
@@ -1052,6 +1059,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 9f8037a19f..5a5ce13dea 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -336,6 +336,7 @@ The node_pools variable takes the following parameters:
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
 | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional |
+| threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional |
 | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional |
 | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional |
 | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index fcbac0cac4..12db7772e0 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -719,6 +719,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
@@ -975,6 +982,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 267ab2b50e..b20d8da1af 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -343,6 +343,7 @@ The node_pools variable takes the following parameters:
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
 | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional |
+| threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional |
 | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional |
 | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional |
 | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index d48a810a0c..2dcbfe095e 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -742,6 +742,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
@@ -974,6 +981,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index dc1559b943..9d77ba0c24 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -321,6 +321,7 @@ The node_pools variable takes the following parameters:
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
 | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional |
+| threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional |
 | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional |
 | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional |
 | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 335415508f..34f56ffacf 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -666,6 +666,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
@@ -897,6 +904,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "advanced_machine_features" {
+ for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : []
+ content {
+ threads_per_core = lookup(each.value, "threads_per_core", 0)
+ }
+ }
+
 dynamic "workload_metadata_config" {
 for_each = local.cluster_node_metadata_config
From 26eb7c09f6ebb7873719c68caa2fafb92be061ce Mon Sep 17 00:00:00 2001
From: Alexander Samusev <41779041+alvicsam@users.noreply.github.com>
Date: Thu, 23 May 2024 18:39:47 +0200
Subject: [PATCH 072/176] fix: dynamic block ephemeral_storage_local_ssd_config (#1951)
---
 autogen/main/cluster.tf.tmpl | 2 +-
 cluster.tf | 4 ++--
 modules/beta-private-cluster-update-variant/cluster.tf | 4 ++--
 modules/beta-private-cluster/cluster.tf | 4 ++--
 modules/beta-public-cluster-update-variant/cluster.tf | 4 ++--
 modules/beta-public-cluster/cluster.tf | 4 ++--
 modules/private-cluster-update-variant/cluster.tf | 4 ++--
 modules/private-cluster/cluster.tf | 4 ++--
 8 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 49a2508cc3..d0c7b37162 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -871,7 +871,7 @@ resource "google_container_node_pool" "windows_pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
diff --git a/cluster.tf b/cluster.tf
index 32f9f29d78..233c4c4751 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -596,7 +596,7 @@ resource "google_container_node_pool" "pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
@@ -834,7 +834,7 @@ resource "google_container_node_pool" "windows_pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 9a0b421085..f39cc552e7 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
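Review bot: The corrected `for_each` still reads the count through two different spellings — `lookup(each.value, "local_ssd_ephemeral_storage_count", 0)` for the guard and `each.value.local_ssd_ephemeral_storage_count` for the element — which is exactly the shape that let the old attribute-name typo survive; reading it once, `for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [lookup(each.value, "local_ssd_ephemeral_storage_count", 0)] : []`, leaves only one name to keep right. None of the examples visible in this series set `local_ssd_ephemeral_storage_count`, so an integration example that does would have caught the original bug and would guard this line going forward. The generated copies in cluster.tf and the modules/* files (L1927–L1931) carry the same line and should stay in sync with this template.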
@@ -757,7 +757,7 @@ resource "google_container_node_pool" "pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
@@ -1021,7 +1021,7 @@ resource "google_container_node_pool" "windows_pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 135659eb57..cce6101889 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -681,7 +681,7 @@ resource "google_container_node_pool" "pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
@@ -944,7 +944,7 @@ resource "google_container_node_pool" "windows_pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 9f2e50b48d..edfd3e161f 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -738,7 +738,7 @@ resource "google_container_node_pool" "pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
@@ -1002,7 +1002,7 @@ resource "google_container_node_pool" "windows_pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 12db7772e0..dfecb9e86d 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -662,7 +662,7 @@ resource "google_container_node_pool" "pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
@@ -925,7 +925,7 @@ resource "google_container_node_pool" "windows_pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 2dcbfe095e..29d37b6635 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -691,7 +691,7 @@ resource "google_container_node_pool" "pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
@@ -930,7 +930,7 @@ resource "google_container_node_pool" "windows_pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 34f56ffacf..14da218587 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -615,7 +615,7 @@ resource "google_container_node_pool" "pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
@@ -853,7 +853,7 @@ resource "google_container_node_pool" "windows_pools" {
 disk_type = lookup(each.value, "disk_type", "pd-standard")
 dynamic "ephemeral_storage_local_ssd_config" {
- for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_count] : []
+ for_each = lookup(each.value, "local_ssd_ephemeral_storage_count", 0) > 0 ? [each.value.local_ssd_ephemeral_storage_count] : []
 content {
 local_ssd_count = ephemeral_storage_local_ssd_config.value
 }
From c51c446b7642a940dd3ae90dab9741d110838f41 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 23 May 2024 13:51:56 -0700
Subject: [PATCH 073/176] chore(deps): Update cft/developer-tools Docker tag to v1.21 (#1953)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 Makefile | 2 +-
 build/int.cloudbuild.yaml | 2 +-
 build/lint.cloudbuild.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index 38290471f0..942ff8cb78 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.20
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.21
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
 DOCKER_BIN ?= docker
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 57991a870e..8dc74732aa 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -519,6 +519,6 @@ tags:
 - 'integration'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.20'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.21'
 options:
 machineType: 'N1_HIGHCPU_8'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
index 5e1c102db3..8a067a2f7f 100644
--- a/build/lint.cloudbuild.yaml
+++ b/build/lint.cloudbuild.yaml
@@ -22,7 +22,7 @@ tags:
 - 'lint'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.20'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.21'
 options:
 machineType: 'N1_HIGHCPU_8'
 env:
From b57387cc771f90425e5b001fce2b9963dba1b791 Mon Sep 17 00:00:00 2001
From: Jim Gustavsson <40056436+jimgus@users.noreply.github.com>
Date: Fri, 24 May 2024 19:34:51 +0200
Subject: [PATCH 074/176] feat: add support for gpu_sharing_config on nodepool (#1874)
---
 README.md | 41 ++++++++++-------
 autogen/main/README.md | 43 +++++++++++-------
 autogen/main/cluster.tf.tmpl | 10 +++++
 cluster.tf | 16 +++++++
 .../README.md | 43 +++++++++++-------
 .../cluster.tf | 18 ++++++++
 modules/beta-private-cluster/README.md | 43 +++++++++++-------
 modules/beta-private-cluster/cluster.tf | 16 +++++++
 .../README.md | 43 +++++++++++-------
 .../cluster.tf | 18 ++++++++
 modules/beta-public-cluster/README.md | 43 +++++++++++-------
 modules/beta-public-cluster/cluster.tf | 16 +++++++
 .../private-cluster-update-variant/README.md | 41 ++++++++++-------
 .../private-cluster-update-variant/cluster.tf | 18 ++++++++
 modules/private-cluster/README.md | 41 ++++++++++-------
 modules/private-cluster/cluster.tf | 16 +++++++
 16 files changed, 317 insertions(+), 149 deletions(-)
diff --git a/README.md b/README.md
index c354cd843f..0a55b63fd0 100644
--- a/README.md
+++ b/README.md
@@ -54,24 +54,29 @@ module "gke" {
 node_pools = [
 {
- name = "default-node-pool"
- machine_type = "e2-medium"
- node_locations = "us-central1-b,us-central1-c"
- min_count = 1
- max_count = 100
- local_ssd_count = 0
- spot = false
- disk_size_gb = 100
- disk_type = "pd-standard"
- image_type = "COS_CONTAINERD"
- enable_gcfs = false
- enable_gvnic = false
- logging_variant = "DEFAULT"
- auto_repair = true
- auto_upgrade = true
- service_account = "project-service-account@.iam.gserviceaccount.com"
- preemptible = false
- initial_node_count = 80
+ name = "default-node-pool"
+ machine_type = "e2-medium"
+ node_locations = "us-central1-b,us-central1-c"
+ min_count = 1
+ max_count = 100
+ local_ssd_count = 0
+ spot = false
+ disk_size_gb = 100
+ disk_type = "pd-standard"
+ image_type = "COS_CONTAINERD"
+ enable_gcfs = false
+ enable_gvnic = false
+ logging_variant = "DEFAULT"
+ auto_repair = true
+ auto_upgrade = true
+ service_account = "project-service-account@.iam.gserviceaccount.com"
+ preemptible = false
+ initial_node_count = 80
+ accelerator_count = 1
+ accelerator_type = "nvidia-l4"
+ gpu_driver_version = "LATEST"
+ gpu_sharing_strategy = "TIME_SHARING"
+ max_shared_clients_per_gpu = 2
 },
 ]
diff --git a/autogen/main/README.md b/autogen/main/README.md
index 5801d04b4c..5b266c5114 100644
--- a/autogen/main/README.md
+++ b/autogen/main/README.md
@@ -96,27 +96,32 @@ module "gke" {
 {% if autopilot_cluster != true %}
 node_pools = [
 {
- name = "default-node-pool"
- machine_type = "e2-medium"
- node_locations = "us-central1-b,us-central1-c"
- min_count = 1
- max_count = 100
- local_ssd_count = 0
- spot = false
 {% if beta_cluster %}
- local_ssd_ephemeral_count = 0
 {% endif %}
- disk_size_gb = 100
- disk_type = "pd-standard"
- image_type = "COS_CONTAINERD"
- enable_gcfs = false
- enable_gvnic = false
- logging_variant = "DEFAULT"
- auto_repair = true
- auto_upgrade = true
- service_account = "project-service-account@.iam.gserviceaccount.com"
- preemptible = false
- initial_node_count = 80
+ name = "default-node-pool"
+ machine_type = "e2-medium"
+ node_locations = "us-central1-b,us-central1-c"
+ min_count = 1
+ max_count = 100
+ local_ssd_count = 0
+ spot = false
 {% if beta_cluster %}
+ local_ssd_ephemeral_count = 0
 {% endif %}
+ disk_size_gb = 100
+ disk_type = "pd-standard"
+ image_type = "COS_CONTAINERD"
+ enable_gcfs = false
+ enable_gvnic = false
+ logging_variant = "DEFAULT"
+ auto_repair = true
+ auto_upgrade = true
+ service_account = "project-service-account@.iam.gserviceaccount.com"
+ preemptible = false
+ initial_node_count = 80
+ accelerator_count = 1
+ accelerator_type = "nvidia-l4"
+ gpu_driver_version = "LATEST"
+ gpu_sharing_strategy = "TIME_SHARING"
+ max_shared_clients_per_gpu = 2
 },
 ]
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index d0c7b37162..e129fb4216 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -643,6 +643,8 @@ locals {
 "accelerator_type",
 "gpu_partition_size",
 "gpu_driver_version",
+ "gpu_sharing_strategy",
+ "max_shared_clients_per_gpu",
 "enable_secure_boot",
 "enable_integrity_monitoring",
 "local_ssd_count",
@@ -927,6 +929,14 @@ resource "google_container_node_pool" "windows_pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } diff --git a/cluster.tf b/cluster.tf index 233c4c4751..eca430d3eb 100644 --- a/cluster.tf +++ b/cluster.tf @@ -644,6 +644,14 @@ resource "google_container_node_pool" "pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } @@ -882,6 +890,14 @@ resource "google_container_node_pool" "windows_pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 883af3419e..06c96966b2 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
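Review bot: A pool entry that sets `max_shared_clients_per_gpu` without `gpu_sharing_strategy` is silently ignored, because the `for_each` on the new `gpu_sharing_config` block keys only on the strategy and the client count is read only inside `content`. A `precondition` on the node pool resource (or a `validation` on the node_pools variable) rejecting that combination would surface the misconfiguration at plan time instead of producing a pool with no sharing. The hard-coded fallback of 2 also deserves a why-comment, e.g. `# max_shared_clients_per_gpu falls back to 2 when a strategy is set but no count is given`. The enclosing block, presumably the `guest_accelerator` content, starts and ends outside the hunk.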
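Review bot: The new `gpu_sharing_config` block on `google_container_node_pool.pools` lets a pool entry enable `TIME_SHARING` with nothing telling the caller that this is a scheduling-level share rather than an isolation boundary; as far as I recall, GKE time-sharing does not enforce memory limits or fault isolation between the clients of one GPU, so one pod can starve or OOM the others sharing the device — confirm against the current GKE docs. A comment next to the block would make that explicit, e.g. `# TIME_SHARING multiplexes one GPU across up to max_shared_clients_per_gpu pods with no enforced memory isolation; prefer MIG (gpu_partition_size) where tenants must be separated`. The surrounding `node_config` block starts and ends outside the hunk.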
@@ -84,25 +84,30 @@ module "gke" { node_pools = [ { - name = "default-node-pool" - machine_type = "e2-medium" - node_locations = "us-central1-b,us-central1-c" - min_count = 1 - max_count = 100 - local_ssd_count = 0 - spot = false - local_ssd_ephemeral_count = 0 - disk_size_gb = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" - enable_gcfs = false - enable_gvnic = false - logging_variant = "DEFAULT" - auto_repair = true - auto_upgrade = true - service_account = "project-service-account@.iam.gserviceaccount.com" - preemptible = false - initial_node_count = 80 + name = "default-node-pool" + machine_type = "e2-medium" + node_locations = "us-central1-b,us-central1-c" + min_count = 1 + max_count = 100 + local_ssd_count = 0 + spot = false + local_ssd_ephemeral_count = 0 + disk_size_gb = 100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_gcfs = false + enable_gvnic = false + logging_variant = "DEFAULT" + auto_repair = true + auto_upgrade = true + service_account = "project-service-account@.iam.gserviceaccount.com" + preemptible = false + initial_node_count = 80 + accelerator_count = 1 + accelerator_type = "nvidia-l4" + gpu_driver_version = "LATEST" + gpu_sharing_strategy = "TIME_SHARING" + max_shared_clients_per_gpu = 2 }, ] diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index f39cc552e7..f5f5671548 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -552,6 +552,8 @@ locals { "accelerator_type", "gpu_partition_size", "gpu_driver_version", + "gpu_sharing_strategy", + "max_shared_clients_per_gpu", "enable_secure_boot", "enable_integrity_monitoring", "local_ssd_count", 
@@ -811,6 +813,14 @@ resource "google_container_node_pool" "pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } @@ -1075,6 +1085,14 @@ resource "google_container_node_pool" "windows_pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 0f06cabef4..59f885d674 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -62,25 +62,30 @@ module "gke" { node_pools = [ { - name = "default-node-pool" - machine_type = "e2-medium" - node_locations = "us-central1-b,us-central1-c" - min_count = 1 - max_count = 100 - local_ssd_count = 0 - spot = false - local_ssd_ephemeral_count = 0 - disk_size_gb = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" - enable_gcfs = false - enable_gvnic = false - logging_variant = "DEFAULT" - auto_repair = true - auto_upgrade = true - service_account = "project-service-account@.iam.gserviceaccount.com" - preemptible = false - initial_node_count = 80 + name = "default-node-pool" + machine_type = "e2-medium" + node_locations = "us-central1-b,us-central1-c" + min_count = 1 + max_count = 100 + local_ssd_count = 0 + spot = false + local_ssd_ephemeral_count = 0 + disk_size_gb = 100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_gcfs = false + enable_gvnic = false + logging_variant = "DEFAULT" + auto_repair = true + auto_upgrade = true + service_account = "project-service-account@.iam.gserviceaccount.com" + preemptible = false + initial_node_count = 80 + accelerator_count = 1 + accelerator_type = "nvidia-l4" + gpu_driver_version = "LATEST" + gpu_sharing_strategy = "TIME_SHARING" + max_shared_clients_per_gpu = 2 }, ] diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index cce6101889..3e0125b9bf 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -735,6 +735,14 @@ resource "google_container_node_pool" "pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } 
@@ -998,6 +1006,14 @@ resource "google_container_node_pool" "windows_pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 12dacc2128..c2d1e840f0 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -78,25 +78,30 @@ module "gke" { node_pools = [ { - name = "default-node-pool" - machine_type = "e2-medium" - node_locations = "us-central1-b,us-central1-c" - min_count = 1 - max_count = 100 - local_ssd_count = 0 - spot = false - local_ssd_ephemeral_count = 0 - disk_size_gb = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" - enable_gcfs = false - enable_gvnic = false - logging_variant = "DEFAULT" - auto_repair = true - auto_upgrade = true - service_account = "project-service-account@.iam.gserviceaccount.com" - preemptible = false - initial_node_count = 80 + name = "default-node-pool" + machine_type = "e2-medium" + node_locations = "us-central1-b,us-central1-c" + min_count = 1 + max_count = 100 + local_ssd_count = 0 + spot = false + local_ssd_ephemeral_count = 0 + disk_size_gb = 100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_gcfs = false + enable_gvnic = false + logging_variant = "DEFAULT" + auto_repair = true + auto_upgrade = true + service_account = "project-service-account@.iam.gserviceaccount.com" + preemptible = false + initial_node_count = 80 + accelerator_count = 1 + accelerator_type = "nvidia-l4" + gpu_driver_version = "LATEST" + gpu_sharing_strategy = "TIME_SHARING" + max_shared_clients_per_gpu = 2 }, ] 
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index edfd3e161f..6041729f60 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -533,6 +533,8 @@ locals { "accelerator_type", "gpu_partition_size", "gpu_driver_version", + "gpu_sharing_strategy", + "max_shared_clients_per_gpu", "enable_secure_boot", "enable_integrity_monitoring", "local_ssd_count", @@ -792,6 +794,14 @@ resource "google_container_node_pool" "pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } @@ -1056,6 +1066,14 @@ resource "google_container_node_pool" "windows_pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 5a5ce13dea..bd00f7f7ac 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -56,25 +56,30 @@ module "gke" { node_pools = [ { - name = "default-node-pool" - machine_type = "e2-medium" - node_locations = "us-central1-b,us-central1-c" - min_count = 1 - max_count = 100 - local_ssd_count = 0 - spot = false - local_ssd_ephemeral_count = 0 - disk_size_gb = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" - enable_gcfs = false - enable_gvnic = false - logging_variant = "DEFAULT" - auto_repair = true - auto_upgrade = true - service_account = "project-service-account@.iam.gserviceaccount.com" - preemptible = false - initial_node_count = 80 + name = "default-node-pool" + machine_type = "e2-medium" + node_locations = "us-central1-b,us-central1-c" + min_count = 1 + max_count = 100 + local_ssd_count = 0 + spot = false + local_ssd_ephemeral_count = 0 + disk_size_gb = 100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_gcfs = false + enable_gvnic = false + logging_variant = "DEFAULT" + auto_repair = true + auto_upgrade = true + service_account = "project-service-account@.iam.gserviceaccount.com" + preemptible = false + initial_node_count = 80 + accelerator_count = 1 + accelerator_type = "nvidia-l4" + gpu_driver_version = "LATEST" + gpu_sharing_strategy = "TIME_SHARING" + max_shared_clients_per_gpu = 2 }, ] diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index dfecb9e86d..065e41f742 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -716,6 +716,14 @@ resource "google_container_node_pool" "pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } 
@@ -979,6 +987,14 @@ resource "google_container_node_pool" "windows_pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index b20d8da1af..4d5eff5935 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -82,24 +82,29 @@ module "gke" { node_pools = [ { - name = "default-node-pool" - machine_type = "e2-medium" - node_locations = "us-central1-b,us-central1-c" - min_count = 1 - max_count = 100 - local_ssd_count = 0 - spot = false - disk_size_gb = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" - enable_gcfs = false - enable_gvnic = false - logging_variant = "DEFAULT" - auto_repair = true - auto_upgrade = true - service_account = "project-service-account@.iam.gserviceaccount.com" - preemptible = false - initial_node_count = 80 + name = "default-node-pool" + machine_type = "e2-medium" + node_locations = "us-central1-b,us-central1-c" + min_count = 1 + max_count = 100 + local_ssd_count = 0 + spot = false + disk_size_gb = 100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_gcfs = false + enable_gvnic = false + logging_variant = "DEFAULT" + auto_repair = true + auto_upgrade = true + service_account = "project-service-account@.iam.gserviceaccount.com" + preemptible = false + initial_node_count = 80 + accelerator_count = 1 + accelerator_type = "nvidia-l4" + gpu_driver_version = "LATEST" + gpu_sharing_strategy = "TIME_SHARING" + max_shared_clients_per_gpu = 2 }, ] 
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 29d37b6635..115b2f3ce8 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -486,6 +486,8 @@ locals { "accelerator_type", "gpu_partition_size", "gpu_driver_version", + "gpu_sharing_strategy", + "max_shared_clients_per_gpu", "enable_secure_boot", "enable_integrity_monitoring", "local_ssd_count", @@ -739,6 +741,14 @@ resource "google_container_node_pool" "pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } @@ -978,6 +988,14 @@ resource "google_container_node_pool" "windows_pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 9d77ba0c24..9794b316d7 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -60,24 +60,29 @@ module "gke" { node_pools = [ { - name = "default-node-pool" - machine_type = "e2-medium" - node_locations = "us-central1-b,us-central1-c" - min_count = 1 - max_count = 100 - local_ssd_count = 0 - spot = false - disk_size_gb = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" - enable_gcfs = false - enable_gvnic = false - logging_variant = "DEFAULT" - auto_repair = true - auto_upgrade = true - service_account = "project-service-account@.iam.gserviceaccount.com" - preemptible = false - initial_node_count = 80 + name = "default-node-pool" + machine_type = "e2-medium" + node_locations = "us-central1-b,us-central1-c" + min_count = 1 + max_count = 100 + local_ssd_count = 0 + spot = false + disk_size_gb = 100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_gcfs = false + enable_gvnic = false + logging_variant = "DEFAULT" + auto_repair = true + auto_upgrade = true + service_account = "project-service-account@.iam.gserviceaccount.com" + preemptible = false + initial_node_count = 80 + accelerator_count = 1 + accelerator_type = "nvidia-l4" + gpu_driver_version = "LATEST" + gpu_sharing_strategy = "TIME_SHARING" + max_shared_clients_per_gpu = 2 }, ] diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 14da218587..0d5780b778 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -663,6 +663,14 @@ resource "google_container_node_pool" "pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } 
@@ -901,6 +909,14 @@ resource "google_container_node_pool" "windows_pools" { gpu_driver_version = lookup(each.value, "gpu_driver_version", "") } } + + dynamic "gpu_sharing_config" { + for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] + content { + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) + } + } } } From c87333bcaaf4e91f550816f48862e18657f5596e Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Fri, 24 May 2024 13:47:20 -0700 Subject: [PATCH 075/176] feat(TPG>=5.21)!: add queued_provisioning (#1950) --- README.md | 1 + autogen/main/README.md | 1 + autogen/main/cluster.tf.tmpl | 14 ++++++++++ autogen/main/versions.tf.tmpl | 2 +- cluster.tf | 26 ++++++++++++++++++ examples/node_pool/main.tf | 6 +++++ .../README.md | 1 + .../cluster.tf | 27 +++++++++++++++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 26 ++++++++++++++++++ .../README.md | 1 + .../cluster.tf | 27 +++++++++++++++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 26 ++++++++++++++++++ .../private-cluster-update-variant/README.md | 1 + .../private-cluster-update-variant/cluster.tf | 27 +++++++++++++++++++ .../versions.tf | 2 +- modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 26 ++++++++++++++++++ modules/private-cluster/versions.tf | 2 +- test/integration/node_pool/controls/gcloud.rb | 25 +++++++++++++++-- versions.tf | 2 +- 22 files changed, 240 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 0a55b63fd0..5c569a14e6 100644 --- a/README.md +++ b/README.md 
@@ -334,6 +334,7 @@ The node_pools variable takes the following parameters: | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | +| queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/autogen/main/README.md b/autogen/main/README.md index 5b266c5114..f47c6171d7 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -259,6 +259,7 @@ The node_pools variable takes the following parameters: | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | +| queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index e129fb4216..4e8fad174d 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -660,6 +660,7 @@ locals { "enable_gvnic", "enable_secure_boot", "boot_disk_kms_key", + "queued_provisioning", ] } 
@@ -813,6 +814,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "queued_provisioning" { + for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + content { + enabled = lookup(each.value, "queued_provisioning", null) + } + } + node_config { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") @@ -829,6 +837,12 @@ resource "google_container_node_pool" "windows_pools" { enabled = gvnic.value } } + dynamic "reservation_affinity" { + for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + content { + consume_reservation_type = "NO_RESERVATION" + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 31c1e0d04a..41ab9a47df 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -46,7 +46,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.9.0, < 6" + version = ">= 5.21.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/cluster.tf b/cluster.tf index eca430d3eb..bc391b164d 100644 --- a/cluster.tf +++ b/cluster.tf @@ -536,6 +536,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "queued_provisioning" { + for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + content { + enabled = lookup(each.value, "queued_provisioning", null) + } + } + node_config { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") 
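Review bot: Inside the new `queued_provisioning` block, `enabled = lookup(each.value, "queued_provisioning", null)` can only ever evaluate truthy, since the `for_each` one line above already drops the whole block unless that same lookup is true, so the `null` fallback is dead and the indirection hides what actually happens. `enabled = true` states the intent directly and removes a second lookup that could drift from the first. The `windows_pools` resource starts and ends outside the hunk.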
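Review bot: The new `reservation_affinity` block silently forces `consume_reservation_type = "NO_RESERVATION"` whenever `queued_provisioning` is set, a side effect that the README entry ("Makes nodes obtainable through the ProvisioningRequest API exclusively") does not mention, and one that will conflict if the module ever exposes a caller-settable reservation affinity. A one-line why-comment above the block would record the constraint, e.g. `# GKE queued provisioning requires the pool to consume no reservation; forced here instead of being left to the caller` — hedged until checked against the GKE docs. The enclosing `node_config` block starts and ends outside the hunk.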
@@ -552,6 +559,12 @@ resource "google_container_node_pool" "pools" { enabled = gvnic.value } } + dynamic "reservation_affinity" { + for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + content { + consume_reservation_type = "NO_RESERVATION" + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, @@ -782,6 +795,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "queued_provisioning" { + for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + content { + enabled = lookup(each.value, "queued_provisioning", null) + } + } + node_config { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") @@ -798,6 +818,12 @@ resource "google_container_node_pool" "windows_pools" { enabled = gvnic.value } } + dynamic "reservation_affinity" { + for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + content { + consume_reservation_type = "NO_RESERVATION" + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index e00e9c5136..7626216fb7 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -80,6 +80,12 @@ module "gke" { cpu_cfs_quota = true local_ssd_ephemeral_count = 2 }, + { + name = "pool-04" + min_count = 0 + service_account = var.compute_engine_service_account + queued_provisioning = true + }, ] node_pools_metadata = { 
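Review bot: `pool-04` enables `queued_provisioning` but relies on module defaults for everything else, and as I recall the GKE requirements for a queued-provisioning node pool also include autoscaling from zero with an explicit maximum, `location_policy = "ANY"`, and auto-repair disabled — confirm against the current GKE docs, since with `auto_repair` defaulting to true the apply may be rejected or repair may recycle nodes that a ProvisioningRequest handed out. If that holds, the example should pin them so it is a working reference: `max_count = 2`, `location_policy = "ANY"`, `auto_repair = false`. The `node_pools` list starts outside the hunk.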
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 06c96966b2..a72d68ee42 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -400,6 +400,7 @@ The node_pools variable takes the following parameters: | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | +| queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index f5f5671548..093d8d651e 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -569,6 +569,7 @@ locals { "enable_gvnic", "enable_secure_boot", "boot_disk_kms_key", + "queued_provisioning", ] } @@ -699,6 +700,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "queued_provisioning" { + for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + content { + enabled = lookup(each.value, "queued_provisioning", null) + } + } + node_config { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") @@ -715,6 +723,12 @@ resource "google_container_node_pool" "pools" { enabled = gvnic.value } } + dynamic "reservation_affinity" { + for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + content { + consume_reservation_type = "NO_RESERVATION" + } + } labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, @@ -971,6 +985,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "queued_provisioning" { + for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + content { + enabled = lookup(each.value, "queued_provisioning", null) + } + } + node_config { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") 
@@ -987,6 +1008,12 @@ resource "google_container_node_pool" "windows_pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 59f885d674..8397c2efb5 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -378,6 +378,7 @@ The node_pools variable takes the following parameters: | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional | | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | +| queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 3e0125b9bf..185f113a13 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -621,6 +621,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -637,6 +644,12 @@ resource "google_container_node_pool" "pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
@@ -892,6 +905,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -908,6 +928,12 @@ resource "google_container_node_pool" "windows_pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
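Review bot: `enabled = lookup(each.value, "queued_provisioning", null)` inside the `dynamic "queued_provisioning"` block can only ever evaluate to a truthy value, because the block's own `for_each` is already gated on the same lookup being true, so the `null` fallback is unreachable and a reader has to re-derive that the block is effectively `enabled = true`. Writing `enabled = true` (or `enabled = queued_provisioning.value`, since the iterator is `[true]`) states the intent directly; the same pattern is repeated in the `windows_pools` hunk of this file and in the beta-public-cluster-update-variant, beta-public-cluster, private-cluster-update-variant and private-cluster cluster.tf hunks below. The paired `reservation_affinity` block hard-codes `NO_RESERVATION` whenever queued provisioning is requested; presumably that is a GKE requirement for this mode, but a one-line comment such as `# queued provisioning requires nodes to be created outside any reservation` on the block would save the next maintainer from looking it up, and a README line next to the new `queued_provisioning` row saying that the pool's reservation affinity is overridden would make the side effect visible to module users. Both resource bodies start and end outside the hunks.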
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index c2d1e840f0..e72edde309 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -388,6 +388,7 @@ The node_pools variable takes the following parameters:
 | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional |
 | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional |
 | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional |
+| queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional |
 
 ## windows_node_pools variable
 The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created.
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 6041729f60..1a5b397c70 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -550,6 +550,7 @@ locals {
 "enable_gvnic",
 "enable_secure_boot",
 "boot_disk_kms_key",
+ "queued_provisioning",
 ]
 }
 
@@ -680,6 +681,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -696,6 +704,12 @@ resource "google_container_node_pool" "pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
@@ -952,6 +966,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -968,6 +989,12 @@ resource "google_container_node_pool" "windows_pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index bd00f7f7ac..c31a9df9d9 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -366,6 +366,7 @@ The node_pools variable takes the following parameters:
 | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional |
 | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional |
 | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional |
+| queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional |
 
 ## windows_node_pools variable
 The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created.
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 065e41f742..cef6c02d86 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -602,6 +602,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -618,6 +625,12 @@ resource "google_container_node_pool" "pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
@@ -873,6 +886,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -889,6 +909,12 @@ resource "google_container_node_pool" "windows_pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 4d5eff5935..65cdbab254 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -369,6 +369,7 @@ The node_pools variable takes the following parameters:
 | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional |
 | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional |
 | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional |
+| queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional |
 
 ## windows_node_pools variable
 The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created.
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 115b2f3ce8..5289bd2255 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -503,6 +503,7 @@ locals {
 "enable_gvnic",
 "enable_secure_boot",
 "boot_disk_kms_key",
+ "queued_provisioning",
 ]
 }
 
@@ -633,6 +634,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -649,6 +657,12 @@ resource "google_container_node_pool" "pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
@@ -880,6 +894,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -896,6 +917,12 @@ resource "google_container_node_pool" "windows_pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index 0a54060183..0eba349492 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.9.0, < 6"
+ version = ">= 5.21.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 9794b316d7..ecc4115243 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -347,6 +347,7 @@ The node_pools variable takes the following parameters:
 | version | The Kubernetes version for the nodes in this pool. Should only be set if auto_upgrade is false | " " | Optional |
 | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional |
 | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional |
+| queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional |
 
 ## windows_node_pools variable
 The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created.
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 0d5780b778..18afb5e0c2 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -555,6 +555,13 @@ resource "google_container_node_pool" "pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -571,6 +578,12 @@ resource "google_container_node_pool" "pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
@@ -801,6 +814,13 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
 
+ dynamic "queued_provisioning" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ enabled = lookup(each.value, "queued_provisioning", null)
+ }
+ }
+
 node_config {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
@@ -817,6 +837,12 @@ resource "google_container_node_pool" "windows_pools" {
 enabled = gvnic.value
 }
 }
+ dynamic "reservation_affinity" {
+ for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ content {
+ consume_reservation_type = "NO_RESERVATION"
+ }
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index 4e00391ac0..473918056d 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.9.0, < 6"
+ version = ">= 5.21.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/test/integration/node_pool/controls/gcloud.rb b/test/integration/node_pool/controls/gcloud.rb
index 38ac3ef554..e3da9d06b2 100644
--- a/test/integration/node_pool/controls/gcloud.rb
+++ b/test/integration/node_pool/controls/gcloud.rb
@@ -62,8 +62,8 @@ describe "node pools" do
 let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" || p['name'] =~ %r{^nap-.*} } }
- it "has 3" do
- expect(node_pools.count).to eq 3
+ it "has 4" do
+ expect(node_pools.count).to eq 4
 end
 describe "pool-01" do
@@ -493,6 +493,27 @@
 )
 end
 end
+
+ describe "pool-04" do
+ it "exists" do
+ expect(data['nodePools']).to include(
+ including(
+ "name" => "pool-04",
+ )
+ )
+ end
+
+ it "has queued_provisioning enabled" do
+ expect(data['nodePools']).not_to include(
+ including(
+ "name" => "pool-04",
+ "queued_provisioning" => including(
+ "enabled" => true,
+ ),
+ )
+ )
+ end
+ end
 end
 end
diff --git a/versions.tf b/versions.tf
index 0495aabdf5..2298d08be8 100644
--- a/versions.tf
+++ b/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.9.0, < 6"
+ version = ">= 5.21.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
From b12c2e73ad8f09092bd1566f26f10b988beb5286 Mon Sep 17 00:00:00 2001
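Review bot: The `it "has queued_provisioning enabled"` example in the new pool-04 block asserts `not_to include`, so it passes only when pool-04 does *not* report queued provisioning as enabled — the opposite of its name — and a regression that silently drops the feature would go unnoticed; change it to `expect(data['nodePools']).to include(`. The key name should be checked against the gcloud JSON at the same time: the surrounding code reads `data['nodePools']` in camelCase, so the field is presumably `queuedProvisioning` rather than `queued_provisioning`, and with the negated matcher a misspelled key is exactly what would make the example pass today. Once the matcher is positive, a wrong key fails loudly, which is the behaviour wanted from an integration check. The enclosing `describe "node pools"` block starts outside the hunk.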
From: Andrew Peabody
Date: Fri, 24 May 2024 18:40:50 -0700
Subject: [PATCH 076/176] fix(TPG>=5.25.0)!: bump for #1948 (#1955)
---
 autogen/main/versions.tf.tmpl | 2 +-
 docs/upgrading_to_v31.0.md | 5 +++++
 modules/private-cluster-update-variant/versions.tf | 2 +-
 modules/private-cluster/versions.tf | 2 +-
 versions.tf | 2 +-
 5 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 docs/upgrading_to_v31.0.md
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 41ab9a47df..172f3e58cb 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -46,7 +46,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.21.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/docs/upgrading_to_v31.0.md b/docs/upgrading_to_v31.0.md
new file mode 100644
index 0000000000..a3f5adc170
--- /dev/null
+++ b/docs/upgrading_to_v31.0.md
@@ -0,0 +1,5 @@
+# Upgrading to v31.0
+The v31.0 release of *kubernetes-engine* is a backwards incompatible release.
+
+### Google Cloud Platform Provider upgrade
+The Terraform Kubernetes Engine Module now requires version 5.25 or higher of the Google Cloud Platform Providers.
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index 0eba349492..2d797473e5 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.21.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index 473918056d..3237af74ad 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.21.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/versions.tf b/versions.tf
index 2298d08be8..833b85f2dc 100644
--- a/versions.tf
+++ b/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.21.0, < 6"
+ version = ">= 5.25.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
From 348b3f379c15cdab24d8b8acfb9a4101742ef691 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 28 May 2024 09:11:18 -0700
Subject: [PATCH 077/176] chore(deps): Update module github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test to v0.15.0 (#1958)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 test/integration/go.mod | 11 ++++++-----
 test/integration/go.sum | 26 ++++++++++++--------------
 2 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/test/integration/go.mod b/test/integration/go.mod
index 10cccf883e..7595e5cd74 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -5,7 +5,7 @@ go 1.21
 toolchain go1.21.10
 
 require (
- github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.1
+ github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0
 github.com/gruntwork-io/terratest v0.46.14
 github.com/stretchr/testify v1.9.0
 github.com/tidwall/gjson v1.17.1
@@ -50,9 +50,9 @@ require (
 github.com/hashicorp/go-safetemp v1.0.0 // indirect
 github.com/hashicorp/go-version v1.6.0 // indirect
 github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f // indirect
- github.com/hashicorp/hcl/v2 v2.18.0 // indirect
- github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72 // indirect
- github.com/hashicorp/terraform-json v0.21.0 // indirect
+ github.com/hashicorp/hcl/v2 v2.20.1 // indirect
+ github.com/hashicorp/terraform-config-inspect v0.0.0-20240509232506-4708120f8f30 // indirect
+ github.com/hashicorp/terraform-json v0.22.1 // indirect
 github.com/imdario/mergo v0.3.16 // indirect
 github.com/jinzhu/copier v0.4.0 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
@@ -79,7 +79,7 @@ require (
 github.com/ulikunitz/xz v0.5.11 // indirect
 github.com/urfave/cli/v2 v2.25.7 // indirect
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
- github.com/zclconf/go-cty v1.14.1 // indirect
+ github.com/zclconf/go-cty v1.14.4 // indirect
 go.opencensus.io v0.24.0 // indirect
 golang.org/x/crypto v0.21.0 // indirect
 golang.org/x/mod v0.17.0 // indirect
@@ -90,6 +90,7 @@ require (
 golang.org/x/term v0.18.0 // indirect
 golang.org/x/text v0.14.0 // indirect
 golang.org/x/time v0.3.0 // indirect
+ golang.org/x/tools v0.13.0 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 google.golang.org/api v0.138.0 // indirect
 google.golang.org/appengine v1.6.8 // indirect
diff --git a/test/integration/go.sum b/test/integration/go.sum
index bbeaa17bce..0de31c0d0f 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.1 h1:xfCNVLZQAclUxmhICDwaOUJUw4OioNc1wIEfjtSgfCg=
-github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.14.1/go.mod h1:AEQP8/V/hIp+SllHtmBV7ftuoQQ82eC032UdsnL3tnY=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0 h1:zT+PND04OQ96kmnQorLFtuY4Ny3KZ4fqxdy9faxMS6A=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0/go.mod h1:Srfs5phdVU1kwoRWedu4hngTkwN3OILEWgUgE+IVp6s=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
@@ -397,12 +397,12 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f h1:UdxlrJz4JOnY8W+DbLISwf2B8WXEolNRA8BGCwI9jws=
 github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w=
-github.com/hashicorp/hcl/v2 v2.18.0 h1:wYnG7Lt31t2zYkcquwgKo6MWXzRUDIeIVU5naZwHLl8=
-github.com/hashicorp/hcl/v2 v2.18.0/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE=
-github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72 h1:nZ5gGjbe5o7XUu1d7j+Y5Ztcxlp+yaumTKH9i0D3wlg=
-github.com/hashicorp/terraform-config-inspect v0.0.0-20231204233900-a34142ec2a72/go.mod h1:l8HcFPm9cQh6Q0KSWoYPiePqMvRFenybP1CH2MjKdlg=
-github.com/hashicorp/terraform-json v0.21.0 h1:9NQxbLNqPbEMze+S6+YluEdXgJmhQykRyRNd+zTI05U=
-github.com/hashicorp/terraform-json v0.21.0/go.mod h1:qdeBs11ovMzo5puhrRibdD6d2Dq6TyE/28JiU4tIQxk=
+github.com/hashicorp/hcl/v2 v2.20.1 h1:M6hgdyz7HYt1UN9e61j+qKJBqR3orTWbI1HKBJEdxtc=
+github.com/hashicorp/hcl/v2 v2.20.1/go.mod h1:TZDqQ4kNKCbh1iJp99FdPiUaVDDUPivbqxZulxDYqL4=
+github.com/hashicorp/terraform-config-inspect v0.0.0-20240509232506-4708120f8f30 h1:0qwr2oZy9mIIJMWh7W9NTHLWGMbEF5KEQ+QqM9hym34=
+github.com/hashicorp/terraform-config-inspect v0.0.0-20240509232506-4708120f8f30/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI=
+github.com/hashicorp/terraform-json v0.22.1 h1:xft84GZR0QzjPVWs4lRUwvTcPnegqlyS7orfb5Ltvec=
+github.com/hashicorp/terraform-json v0.22.1/go.mod h1:JbWSQCLFSXFFhg42T7l9iJwdGXBYV8fmmD6o/ML4p3A=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.16
h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
@@ -432,8 +432,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
-github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -474,8 +472,6 @@ github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDN
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
-github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -517,8 +513,10 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/zclconf/go-cty v1.14.1 h1:t9fyA35fwjjUMcmL5hLER+e/rEPqrbCK1/OSE4SI9KA=
-github.com/zclconf/go-cty v1.14.1/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
+github.com/zclconf/go-cty v1.14.4 h1:uXXczd9QDGsgu0i/QFR/hzI5NYCHLf6NQw/atrbnhq8=
+github.com/zclconf/go-cty v1.14.4/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
+github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b h1:FosyBZYxY34Wul7O/MSKey3txpPYyCqVO5ZyceuQJEI=
+github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
From 3de63b3a5ce80c4bdcfa106b7254a64dc956d7bb Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik
Date: Tue, 28 May 2024 23:44:58 +0300
Subject: [PATCH 078/176] fix(docs): remove beta from docs from non beta arguments (#1957)
Co-authored-by: Andrew Peabody
---
 autogen/main/variables.tf.tmpl | 8 ++++----
 modules/beta-autopilot-private-cluster/README.md | 8 ++++----
 modules/beta-autopilot-private-cluster/variables.tf | 8 ++++----
 modules/beta-private-cluster-update-variant/README.md | 8 ++++----
 modules/beta-private-cluster-update-variant/variables.tf | 8 ++++----
 modules/beta-private-cluster/README.md | 8 ++++----
 modules/beta-private-cluster/variables.tf | 8 ++++----
 modules/private-cluster-update-variant/README.md | 8 ++++----
 modules/private-cluster-update-variant/variables.tf | 8 ++++----
 modules/private-cluster/README.md | 8 ++++----
 modules/private-cluster/variables.tf | 8 ++++----
 11 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 84ef97a000..124ff5c863 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -431,25 +431,25 @@ variable "cluster_resource_labels" {
 
 variable "deploy_using_private_endpoint" {
   type = bool
-  description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
+  description = "A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
   default = false
 }
 
 variable "enable_private_endpoint" {
   type = bool
-  description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
+  description = "Whether the master's internal IP address is used as the cluster endpoint"
   default = false
 }
 
 variable "enable_private_nodes" {
   type = bool
-  description = "(Beta) Whether nodes have internal IP addresses only"
+  description = "Whether nodes have internal IP addresses only"
   default = false
 }
 
 variable "master_ipv4_cidr_block" {
   type = string
-  description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
+  description = "The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
   {% if autopilot_cluster == true%}
   default = null
   {% else %}
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index ea31d44ae2..5628cde23f 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -84,7 +84,7 @@ Then perform the following commands on the root folder:
 | create\_service\_account | Defines if service account specified to run nodes should be created. | `bool` | `true` | no |
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` |
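Review bot: The new descriptions for `enable_private_endpoint` and `enable_private_nodes` in this hunk drop the `(Beta)` tag but still say nothing about the `default = false` that follows each of them, so a module generated from this template (the `private-cluster` variants, per the `variables.tf` hunks further down) only keeps the control plane and nodes on internal addresses when a caller sets both flags explicitly. Since these two flags are what decide whether the cluster is exposed outside the VPC, I would state the default and the pairing in the description itself, e.g. `description = "Whether nodes have internal IP addresses only. Defaults to false; set to true together with enable_private_endpoint to keep the cluster off public addresses."` The claim that the pair controls public exposure is inferred from the descriptions and from the `master_authorized_networks` row in the README hunks, not from code visible in this patch, so confirm the wording against the GKE documentation before adopting it.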
[
{
"key_name": "",
"state": "DECRYPTED"
}
]
| no |
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
-| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
+| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
@@ -92,8 +92,8 @@ Then perform the following commands on the root folder:
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
-| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
-| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
+| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
+| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no |
@@ -118,7 +118,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `null` | no |
+| master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `null` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 7e7238e904..9e5c223a81 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -266,25 +266,25 @@ variable "cluster_resource_labels" {
 
 variable "deploy_using_private_endpoint" {
   type = bool
-  description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
+  description = "A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
   default = false
 }
 
 variable "enable_private_endpoint" {
   type = bool
-  description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
+  description = "Whether the master's internal IP address is used as the cluster endpoint"
   default = false
 }
 
 variable "enable_private_nodes" {
   type = bool
-  description = "(Beta) Whether nodes have internal IP addresses only"
+  description = "Whether nodes have internal IP addresses only"
   default = false
 }
 
 variable "master_ipv4_cidr_block" {
   type = string
-  description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
+  description = "The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
   default = null
 }
 
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index a72d68ee42..45f5eb13d0 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -190,7 +190,7 @@ Then perform the following commands on the root folder:
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
-| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
+| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
@@ -207,8 +207,8 @@ Then perform the following commands on the root folder:
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
-| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
-| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
+| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
+| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
@@ -244,7 +244,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
+| master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 156a6f9983..da2a3d8b97 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -420,25 +420,25 @@ variable "cluster_resource_labels" {
 
 variable "deploy_using_private_endpoint" {
   type = bool
-  description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
+  description = "A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
   default = false
 }
 
 variable "enable_private_endpoint" {
   type = bool
-  description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
+  description = "Whether the master's internal IP address is used as the cluster endpoint"
   default = false
 }
 
 variable "enable_private_nodes" {
   type = bool
-  description = "(Beta) Whether nodes have internal IP addresses only"
+  description = "Whether nodes have internal IP addresses only"
   default = false
 }
 
 variable "master_ipv4_cidr_block" {
   type = string
-  description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
+  description = "The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
   default = "10.0.0.0/28"
 }
 
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 8397c2efb5..2915dd3238 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -168,7 +168,7 @@ Then perform the following commands on the root folder:
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
-| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
+| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
@@ -185,8 +185,8 @@ Then perform the following commands on the root folder:
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
-| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
-| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
+| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
+| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
@@ -222,7 +222,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
+| master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 156a6f9983..da2a3d8b97 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -420,25 +420,25 @@ variable "cluster_resource_labels" {
 
 variable "deploy_using_private_endpoint" {
   type = bool
-  description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
+  description = "A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
   default = false
 }
 
 variable "enable_private_endpoint" {
   type = bool
-  description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
+  description = "Whether the master's internal IP address is used as the cluster endpoint"
   default = false
 }
 
 variable "enable_private_nodes" {
   type = bool
-  description = "(Beta) Whether nodes have internal IP addresses only"
+  description = "Whether nodes have internal IP addresses only"
   default = false
 }
 
 variable "master_ipv4_cidr_block" {
   type = string
-  description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
+  description = "The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
   default = "10.0.0.0/28"
 }
 
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 65cdbab254..88a23661c9 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -184,7 +184,7 @@ Then perform the following commands on the root folder:
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
-| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
+| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
@@ -196,8 +196,8 @@ Then perform the following commands on the root folder:
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
-| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
-| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
+| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
+| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
@@ -229,7 +229,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
+| master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index ba16201dd5..c16ebc925e 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -414,25 +414,25 @@ variable "cluster_resource_labels" {
 
 variable "deploy_using_private_endpoint" {
   type = bool
-  description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
+  description = "A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
   default = false
 }
 
 variable "enable_private_endpoint" {
   type = bool
-  description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
+  description = "Whether the master's internal IP address is used as the cluster endpoint"
   default = false
 }
 
 variable "enable_private_nodes" {
   type = bool
-  description = "(Beta) Whether nodes have internal IP addresses only"
+  description = "Whether nodes have internal IP addresses only"
   default = false
 }
 
 variable "master_ipv4_cidr_block" {
   type = string
-  description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
+  description = "The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters."
   default = "10.0.0.0/28"
 }
 
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index ecc4115243..be4b37b691 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -162,7 +162,7 @@ Then perform the following commands on the root folder:
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deletion\_protection | Whether or not to allow Terraform to destroy the cluster. | `bool` | `true` | no |
-| deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
+| deploy\_using\_private\_endpoint | A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
@@ -174,8 +174,8 @@ Then perform the following commands on the root folder:
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
-| enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
-| enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
+| enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
+| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
@@ -207,7 +207,7 @@ Then perform the following commands on the root folder:
 | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no |
-| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
+| master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
 | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index ba16201dd5..c16ebc925e 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -414,25 +414,25 @@ variable "cluster_resource_labels" { variable "deploy_using_private_endpoint" { type = bool - description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment." + description = "A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment." default = false } variable "enable_private_endpoint" { type = bool - description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint" + description = "Whether the master's internal IP address is used as the cluster endpoint" default = false } variable "enable_private_nodes" { type = bool - description = "(Beta) Whether nodes have internal IP addresses only" + description = "Whether nodes have internal IP addresses only" default = false } variable "master_ipv4_cidr_block" { type = string - description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." + description = "The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." default = "10.0.0.0/28" } From 355f13eb4415321a94e071dcf8e3deed6e9dc7b0 Mon Sep 17 00:00:00 2001 
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 14:59:01 -0700 Subject: [PATCH 079/176] chore(master): release 31.0.0 (#1939) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 33 +++++++++++++++++++ autogen/main/versions.tf.tmpl | 4 +-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 +-- modules/asm/versions.tf | 4 +-- modules/auth/versions.tf | 2 +- .../versions.tf | 2 +- .../beta-autopilot-public-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- .../versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- .../safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 22 files changed, 57 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6fabdb7048..906450b4e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,39 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [31.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.3.0...v31.0.0) (2024-05-28) + + +### âš  BREAKING CHANGES + +* **TPG>=5.25.0:** bump for #1948 ([#1955](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1955)) +* **TPG>=5.21:** add queued_provisioning ([#1950](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1950)) +* **TPG>=5.25.0:** Add support for StatefulHA Addon ([#1948](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1948)) +* **deps:** Update Terraform terraform-google-modules/project-factory/google to v15 ([#1936](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1936)) + +### Features + +* Add local_ssd_ephemeral_count to default configuration ([#1944](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1944)) ([04ebd0c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/04ebd0c7d3ad236abcfcd9a7b1c54d4c75b1ba28)) +* add missing dns_cache output in non beta ([#1864](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1864)) ([3d5cc9f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/3d5cc9fc4fd817c35e089222a043e02358d64c1d)) +* Add option image_type in cluster_autoscaling block ([#1905](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1905)) ([2272164](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/22721644102a8b6b875439c80a6571266e6bf723)) +* Add secondary_boot_disks to node_pool configuration. 
([#1946](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1946)) ([11bae67](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/11bae6791b07efcce29a0227e0b8b4d6c7070971)) +* add security posture VULNERABILITY_ENTERPRISE ([#1947](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1947)) ([c48c8ab](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/c48c8abe22b78e40b6f56d2940403d8b6e586367)) +* add support for gpu_sharing_config on nodepool ([#1874](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1874)) ([b57387c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b57387cc771f90425e5b001fce2b9963dba1b791)) +* Add threads_per_core setting for node config in node pools ([#1942](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1942)) ([e573ced](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/e573cedee0a82517410f9d607ce69be7189124ca)) +* Add upgrade_settings for NAP created node pools ([#1908](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1908)) ([c87bb41](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/c87bb41a4d13a06e8e4b7687e15bed63595ad50b)) +* **TPG>=5.21:** add queued_provisioning ([#1950](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1950)) ([c87333b](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/c87333bcaaf4e91f550816f48862e18657f5596e)) +* **TPG>=5.25.0:** Add support for StatefulHA Addon ([#1948](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1948)) 
([acbb453](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/acbb453cc7128ab9784486b1cc1238b0e7616f34)) + + +### Bug Fixes + +* add gpu_driver_version to recreate list + docs ([#1913](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1913)) ([12cf40f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/12cf40fcfeb341220f639138483897a47c76c6f9)) +* **deps:** Update Terraform terraform-google-modules/project-factory/google to v15 ([#1936](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1936)) ([d01e5bc](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/d01e5bce35c73dba751fcb76f26b1a8f268f0506)) +* **docs:** remove beta from docs from non beta arguments ([#1957](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1957)) ([3de63b3](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/3de63b3a5ce80c4bdcfa106b7254a64dc956d7bb)) +* dynamic block ephemeral_storage_local_ssd_config ([#1951](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1951)) ([26eb7c0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/26eb7c09f6ebb7873719c68caa2fafb92be061ce)) +* local nvme ssd count ([#1937](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1937)) ([dbd90e3](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/dbd90e3e556d74881fb3132457a9159d7fb81e6b)) +* **TPG>=5.25.0:** bump for [#1948](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1948) ([#1955](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1955)) 
([b12c2e7](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b12c2e73ad8f09092bd1566f26f10b988beb5286)) + ## [30.3.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.2.0...v30.3.0) (2024-05-09) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 172f3e58cb..3e266f9fc4 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.0.0" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.0.0" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index 8ed8e64ad2..3ad61d487a 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl @@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.0.0" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index 317e6a95f0..a9babfe8f8 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf 
@@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v31.0.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v31.0.0" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 3684c208b8..d45b12a96f 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v31.0.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v31.0.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index 4ae2f18f01..bc3a4c4d0c 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf @@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v31.0.0" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 7580b366e9..ef38f35edc 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf 
@@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v31.0.0" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 5cf26c9d4e..bc43de8446 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v31.0.0" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 3d48de936d..d9385ca73d 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v31.0.0" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 1b0043e5ec..7184582867 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v31.0.0" } } 
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 1c2823a6b6..afe9612323 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v31.0.0" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 02d99f1f80..4bacb721c0 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v31.0.0" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index 07d6cbd21d..66482b1b99 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v31.0.0" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index f2babc249d..7b774dcdbe 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf 
@@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v31.0.0" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index e9aeeabc2d..678714ab54 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v31.0.0" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 2d797473e5..b20b93f068 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v31.0.0" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 3237af74ad..b349b6fc93 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v31.0.0" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index 10e1886831..f2270feaaa 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf 
@@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v31.0.0" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index da63e74966..fc44a1e96d 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v31.0.0" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index fa6afb62ca..8413aa45f8 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf @@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v31.0.0" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index facf78942e..29ead8fb56 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v31.0.0" } } diff --git a/versions.tf b/versions.tf index 833b85f2dc..efb1764683 100644 --- a/versions.tf +++ b/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.3.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v31.0.0" } } From 7290ee00daafd09b8ba0f86b3a95aea1882f35c1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 23:05:40 +0000 Subject: [PATCH 080/176] chore(deps): Update go modules and/or dev-tools (#1960) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 4 ++-- test/integration/go.sum | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 7595e5cd74..66e00997e6 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -2,11 +2,11 @@ module github.com/terraform-google-modules/terraform-google-kubernetes-engine/te go 1.21 -toolchain go1.21.10 +toolchain go1.22.3 require ( github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0 - github.com/gruntwork-io/terratest v0.46.14 + github.com/gruntwork-io/terratest v0.46.15 github.com/stretchr/testify v1.9.0 github.com/tidwall/gjson v1.17.1 ) diff --git a/test/integration/go.sum b/test/integration/go.sum index 0de31c0d0f..ff32902444 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -378,8 +378,8 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0= github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk= -github.com/gruntwork-io/terratest v0.46.14 h1:nVT2JpOPLr7KbwOSNDP0GJffljH+Yu5833cwLorxRjs= -github.com/gruntwork-io/terratest v0.46.14/go.mod h1:L/IHbj195wnjfIFpZYWUhjwA3jm4O6ehO//xz7NxN8o= +github.com/gruntwork-io/terratest v0.46.15 h1:qfqjTFveymaqe7aAWn3LjlK0SwVGpRfoOut5ggNyfQ8= +github.com/gruntwork-io/terratest v0.46.15/go.mod h1:9bd22zAojjBBiYdsp+AR1iyl2iB6bRUVm2Yf1AFhfrA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= From 4fab404c2f63abcd5070b922edd024e24d8294b9 Mon Sep 17 00:00:00 2001 From: Julliano Goncalves Date: Thu, 30 May 2024 12:22:06 -0300 Subject: [PATCH 081/176] feat: Adding extra permissions to the cluster's default service account (#1943) Signed-off-by: Julliano Goncalves --- autogen/main/sa.tf.tmpl | 14 ++++++++++++++ modules/beta-autopilot-private-cluster/sa.tf | 14 ++++++++++++++ modules/beta-autopilot-public-cluster/sa.tf | 14 ++++++++++++++ modules/beta-private-cluster-update-variant/sa.tf | 14 ++++++++++++++ modules/beta-private-cluster/sa.tf | 14 ++++++++++++++ modules/beta-public-cluster-update-variant/sa.tf | 14 ++++++++++++++ modules/beta-public-cluster/sa.tf | 14 ++++++++++++++ modules/private-cluster-update-variant/sa.tf | 14 ++++++++++++++ modules/private-cluster/sa.tf | 14 ++++++++++++++ sa.tf | 14 ++++++++++++++ 10 files changed, 140 insertions(+) 
diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl index a775fbe6af..f38e3a8687 100644 --- a/autogen/main/sa.tf.tmpl +++ b/autogen/main/sa.tf.tmpl @@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun member = google_service_account.cluster_service_account[0].member } +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/stackdriver.resourceMetadata.writer" + member = google_service_account.cluster_service_account[0].member +} + resource "google_project_iam_member" "cluster_service_account-gcr" { for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] project = each.key diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf index 6c6e1f663b..fe36dadd32 100644 --- a/modules/beta-autopilot-private-cluster/sa.tf +++ b/modules/beta-autopilot-private-cluster/sa.tf 
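Review bot: The two new project-wide grants (`roles/monitoring.metricWriter` and `roles/stackdriver.resourceMetadata.writer`) are applied unconditionally whenever `create_service_account` is true, whereas the `cluster_service_account-gcr` grant directly below them is gated by `grant_registry_access`, so operators who intentionally run a minimal node service account get no opt-out. If the binding named in the hunk header (`cluster_service_account-nodeService_account`, presumably `roles/container.nodeServiceAccount`) already carries the metric- and resource-metadata write permissions, the additions are redundant and only widen the SA; the feature that needs them should be named in a comment above each block, e.g. `# Required by <feature>; not covered by roles/container.nodeServiceAccount`, and ideally behind a variable defaulting to the previous behaviour. The resource names also mix conventions (`-metric_writer` vs `-resourceMetadata-writer`); `cluster_service_account-resource_metadata_writer` would match the first, and is cheaper to fix now than after release, since renaming a resource without a `moved` block recreates the binding. The diffstat touches only sa.tf files, so any README text listing the roles held by the created service account is not updated; the same hunk is replicated verbatim into the generated modules/*/sa.tf copies.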
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun member = google_service_account.cluster_service_account[0].member } +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/stackdriver.resourceMetadata.writer" + member = google_service_account.cluster_service_account[0].member +} + resource "google_project_iam_member" "cluster_service_account-gcr" { for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] project = each.key diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf index 6c6e1f663b..fe36dadd32 100644 --- a/modules/beta-autopilot-public-cluster/sa.tf +++ b/modules/beta-autopilot-public-cluster/sa.tf 
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun member = google_service_account.cluster_service_account[0].member } +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/stackdriver.resourceMetadata.writer" + member = google_service_account.cluster_service_account[0].member +} + resource "google_project_iam_member" "cluster_service_account-gcr" { for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] project = each.key diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf index 6c6e1f663b..fe36dadd32 100644 --- a/modules/beta-private-cluster-update-variant/sa.tf +++ b/modules/beta-private-cluster-update-variant/sa.tf 
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun member = google_service_account.cluster_service_account[0].member } +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/stackdriver.resourceMetadata.writer" + member = google_service_account.cluster_service_account[0].member +} + resource "google_project_iam_member" "cluster_service_account-gcr" { for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] project = each.key diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index 6c6e1f663b..fe36dadd32 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf 
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun member = google_service_account.cluster_service_account[0].member } +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/stackdriver.resourceMetadata.writer" + member = google_service_account.cluster_service_account[0].member +} + resource "google_project_iam_member" "cluster_service_account-gcr" { for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] project = each.key diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf index 6c6e1f663b..fe36dadd32 100644 --- a/modules/beta-public-cluster-update-variant/sa.tf +++ b/modules/beta-public-cluster-update-variant/sa.tf 
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun member = google_service_account.cluster_service_account[0].member } +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/stackdriver.resourceMetadata.writer" + member = google_service_account.cluster_service_account[0].member +} + resource "google_project_iam_member" "cluster_service_account-gcr" { for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] project = each.key diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index 6c6e1f663b..fe36dadd32 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf 
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun member = google_service_account.cluster_service_account[0].member } +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/stackdriver.resourceMetadata.writer" + member = google_service_account.cluster_service_account[0].member +} + resource "google_project_iam_member" "cluster_service_account-gcr" { for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] project = each.key diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf index 6f89899bee..da1930c7b3 100644 --- a/modules/private-cluster-update-variant/sa.tf +++ b/modules/private-cluster-update-variant/sa.tf 
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun member = google_service_account.cluster_service_account[0].member } +resource "google_project_iam_member" "cluster_service_account-metric_writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/monitoring.metricWriter" + member = google_service_account.cluster_service_account[0].member +} + +resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" { + count = var.create_service_account ? 1 : 0 + project = google_service_account.cluster_service_account[0].project + role = "roles/stackdriver.resourceMetadata.writer" + member = google_service_account.cluster_service_account[0].member +} + resource "google_project_iam_member" "cluster_service_account-gcr" { for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : [] project = each.key diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf index 6f89899bee..da1930c7b3 100644 --- a/modules/private-cluster/sa.tf +++ b/modules/private-cluster/sa.tf 
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
 member = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_service_account.cluster_service_account[0].project
+ role = "roles/monitoring.metricWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_service_account.cluster_service_account[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
 for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
 project = each.key
diff --git a/sa.tf b/sa.tf
index 6f89899bee..da1930c7b3 100644
--- a/sa.tf
+++ b/sa.tf
@@ -52,6 +52,20 @@ resource "google_project_iam_member" "cluster_service_account-nodeService_accoun
 member = google_service_account.cluster_service_account[0].member
 }
 
+resource "google_project_iam_member" "cluster_service_account-metric_writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_service_account.cluster_service_account[0].project
+ role = "roles/monitoring.metricWriter"
+ member = google_service_account.cluster_service_account[0].member
+}
+
+resource "google_project_iam_member" "cluster_service_account-resourceMetadata-writer" {
+ count = var.create_service_account ? 1 : 0
+ project = google_service_account.cluster_service_account[0].project
+ role = "roles/stackdriver.resourceMetadata.writer"
+ member = google_service_account.cluster_service_account[0].member
+}
+
 resource "google_project_iam_member" "cluster_service_account-gcr" {
 for_each = var.create_service_account && var.grant_registry_access ? toset(local.registry_projects_list) : []
 project = each.key
From 0005ab9f9b9d23e4747dae9e369f69bbaab40b27 Mon Sep 17 00:00:00 2001
From: Michael Lin Date: Wed, 5 Jun 2024 16:46:11 -0700 Subject: [PATCH 082/176] fix: avoid `auto_provisioning_defaults` drift (#1806) --- README.md | 2 +- autogen/main/cluster.tf.tmpl | 5 ++ autogen/main/variables.tf.tmpl | 66 ++++++++++--------- cluster.tf | 5 ++ .../README.md | 2 +- .../cluster.tf | 5 ++ .../variables.tf | 66 ++++++++++--------- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/cluster.tf | 5 ++ modules/beta-private-cluster/variables.tf | 66 ++++++++++--------- .../README.md | 2 +- .../cluster.tf | 5 ++ .../variables.tf | 66 ++++++++++--------- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/cluster.tf | 5 ++ modules/beta-public-cluster/variables.tf | 66 ++++++++++--------- .../private-cluster-update-variant/README.md | 2 +- .../private-cluster-update-variant/cluster.tf | 5 ++ .../variables.tf | 66 ++++++++++--------- modules/private-cluster/README.md | 2 +- modules/private-cluster/cluster.tf | 5 ++ modules/private-cluster/variables.tf | 66 ++++++++++--------- variables.tf | 66 ++++++++++--------- 23 files changed, 327 insertions(+), 255 deletions(-) diff --git a/README.md b/README.md index 5c569a14e6..cd04741814 100644 --- a/README.md +++ b/README.md 
@@ -143,7 +143,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
 | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 4e8fad174d..859499c51a 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -166,6 +166,11 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true)
+ }
+
 {% if beta_cluster %}
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 {% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 124ff5c863..375df975b5 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
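Review bot: `lookup(var.cluster_autoscaling, "enable_secure_boot", false)` in the new `shielded_instance_config` block repeats the default that the variable type now declares with `optional(bool, false)`; with an optional() default the attribute is always present, so `enable_secure_boot = var.cluster_autoscaling.enable_secure_boot` (and likewise for `enable_integrity_monitoring`) reads the same value while keeping one source of truth for the default, at the cost of diverging from the neighbouring `image_type` lookup style. The same shape is emitted into the generated cluster.tf at the root and in the beta-private-cluster, beta-private-cluster-update-variant and beta-public-cluster-update-variant modules, so the template is the place to change it. The defaults (Secure Boot off, integrity monitoring on) appear to mirror the API defaults, which is what removes the perpetual diff the commit title refers to, but it also means auto-provisioned nodes keep Secure Boot disabled unless the caller opts in; `# Defaults mirror the API defaults to avoid drift; set enable_secure_boot = true to require signed boot images on auto-provisioned nodes.` above the block would make that trade-off visible. The enclosing google_container_cluster resource starts outside the hunk.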
@@ -244,39 +244,43 @@ variable "enable_resource_consumption_export" {
 {% if autopilot_cluster != true %}
 variable "cluster_autoscaling" {
 type = object({
- enabled = bool
- autoscaling_profile = string
- min_cpu_cores = number
- max_cpu_cores = number
- min_memory_gb = number
- max_memory_gb = number
- gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
- auto_repair = bool
- auto_upgrade = bool
- disk_size = optional(number)
- disk_type = optional(string)
- image_type = optional(string)
- strategy = optional(string)
- max_surge = optional(number)
- max_unavailable = optional(number)
- node_pool_soak_duration = optional(string)
- batch_soak_duration = optional(string)
- batch_percentage = optional(number)
- batch_node_count = optional(number)
+ enabled = bool
+ autoscaling_profile = string
+ min_cpu_cores = number
+ max_cpu_cores = number
+ min_memory_gb = number
+ max_memory_gb = number
+ gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
+ auto_repair = bool
+ auto_upgrade = bool
+ disk_size = optional(number)
+ disk_type = optional(string)
+ image_type = optional(string)
+ strategy = optional(string)
+ max_surge = optional(number)
+ max_unavailable = optional(number)
+ node_pool_soak_duration = optional(string)
+ batch_soak_duration = optional(string)
+ batch_percentage = optional(number)
+ batch_node_count = optional(number)
+ enable_secure_boot = optional(bool, false)
+ enable_integrity_monitoring = optional(bool, true)
 })
 default = {
- enabled = false
- autoscaling_profile = "BALANCED"
- max_cpu_cores = 0
- min_cpu_cores = 0
- max_memory_gb = 0
- min_memory_gb = 0
- gpu_resources = []
- auto_repair = true
- auto_upgrade = true
- disk_size = 100
- disk_type = "pd-standard"
- image_type = "COS_CONTAINERD"
+ enabled = false
+ autoscaling_profile = "BALANCED"
+ max_cpu_cores = 0
+ min_cpu_cores = 0
+ max_memory_gb = 0
+ min_memory_gb = 0
+ gpu_resources = []
+ auto_repair = true
+ auto_upgrade = true
+ disk_size = 100
+ disk_type = "pd-standard"
+ image_type = "COS_CONTAINERD"
+ enable_secure_boot = false
+ enable_integrity_monitoring = true
 }
 description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)"
 }
diff --git a/cluster.tf b/cluster.tf
index bc391b164d..7bb3a42d4e 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -139,6 +139,11 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true)
+ }
+
 image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD")
 }
 
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 45f5eb13d0..df021bbc49 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -176,7 +176,7 @@ Then perform the following commands on the root folder:
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
 | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no |
-| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
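Review bot: The `description` of `cluster_autoscaling` is left unchanged while two attributes are added, so nothing tells a caller that `enable_secure_boot` and `enable_integrity_monitoring` configure the `shielded_instance_config` of auto-provisioned node pools (the cluster.tf hunk places the block next to the other `auto_provisioning_defaults` lookups, as the commit title suggests) rather than the cluster's own node pools, or that their defaults are chosen to match the API and avoid drift; the copies of this hunk in the three modules' variables.tf have the same gap. I would extend the description with `enable_secure_boot and enable_integrity_monitoring set shielded_instance_config on auto-provisioned node pools; their defaults follow the GKE API defaults.` and let the README tables regenerate from it. Repeating `enable_secure_boot = false` and `enable_integrity_monitoring = true` in `default` is harmless given the optional() defaults, but the two places must now be kept in sync, which is worth a short comment on the `default` block.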
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
 | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 093d8d651e..a5b96fd63c 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -145,6 +145,11 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true)
+ }
+
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD")
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index da2a3d8b97..f5bae458a5 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" {
 
 variable "cluster_autoscaling" {
 type = object({
- enabled = bool
- autoscaling_profile = string
- min_cpu_cores = number
- max_cpu_cores = number
- min_memory_gb = number
- max_memory_gb = number
- gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
- auto_repair = bool
- auto_upgrade = bool
- disk_size = optional(number)
- disk_type = optional(string)
- image_type = optional(string)
- strategy = optional(string)
- max_surge = optional(number)
- max_unavailable = optional(number)
- node_pool_soak_duration = optional(string)
- batch_soak_duration = optional(string)
- batch_percentage = optional(number)
- batch_node_count = optional(number)
+ enabled = bool
+ autoscaling_profile = string
+ min_cpu_cores = number
+ max_cpu_cores = number
+ min_memory_gb = number
+ max_memory_gb = number
+ gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
+ auto_repair = bool
+ auto_upgrade = bool
+ disk_size = optional(number)
+ disk_type = optional(string)
+ image_type = optional(string)
+ strategy = optional(string)
+ max_surge = optional(number)
+ max_unavailable = optional(number)
+ node_pool_soak_duration = optional(string)
+ batch_soak_duration = optional(string)
+ batch_percentage = optional(number)
+ batch_node_count = optional(number)
+ enable_secure_boot = optional(bool, false)
+ enable_integrity_monitoring = optional(bool, true)
 })
 default = {
- enabled = false
- autoscaling_profile = "BALANCED"
- max_cpu_cores = 0
- min_cpu_cores = 0
- max_memory_gb = 0
- min_memory_gb = 0
- gpu_resources = []
- auto_repair = true
- auto_upgrade = true
- disk_size = 100
- disk_type = "pd-standard"
- image_type = "COS_CONTAINERD"
+ enabled = false
+ autoscaling_profile = "BALANCED"
+ max_cpu_cores = 0
+ min_cpu_cores = 0
+ max_memory_gb = 0
+ min_memory_gb = 0
+ gpu_resources = []
+ auto_repair = true
+ auto_upgrade = true
+ disk_size = 100
+ disk_type = "pd-standard"
+ image_type = "COS_CONTAINERD"
+ enable_secure_boot = false
+ enable_integrity_monitoring = true
 }
 description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)"
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 2915dd3238..2fec641037 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -154,7 +154,7 @@ Then perform the following commands on the root folder:
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
 | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no |
-| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
 | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 185f113a13..4ec2614867 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -145,6 +145,11 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true)
+ }
+
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD")
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index da2a3d8b97..f5bae458a5 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" {
 
 variable "cluster_autoscaling" {
 type = object({
- enabled = bool
- autoscaling_profile = string
- min_cpu_cores = number
- max_cpu_cores = number
- min_memory_gb = number
- max_memory_gb = number
- gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
- auto_repair = bool
- auto_upgrade = bool
- disk_size = optional(number)
- disk_type = optional(string)
- image_type = optional(string)
- strategy = optional(string)
- max_surge = optional(number)
- max_unavailable = optional(number)
- node_pool_soak_duration = optional(string)
- batch_soak_duration = optional(string)
- batch_percentage = optional(number)
- batch_node_count = optional(number)
+ enabled = bool
+ autoscaling_profile = string
+ min_cpu_cores = number
+ max_cpu_cores = number
+ min_memory_gb = number
+ max_memory_gb = number
+ gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
+ auto_repair = bool
+ auto_upgrade = bool
+ disk_size = optional(number)
+ disk_type = optional(string)
+ image_type = optional(string)
+ strategy = optional(string)
+ max_surge = optional(number)
+ max_unavailable = optional(number)
+ node_pool_soak_duration = optional(string)
+ batch_soak_duration = optional(string)
+ batch_percentage = optional(number)
+ batch_node_count = optional(number)
+ enable_secure_boot = optional(bool, false)
+ enable_integrity_monitoring = optional(bool, true)
 })
 default = {
- enabled = false
- autoscaling_profile = "BALANCED"
- max_cpu_cores = 0
- min_cpu_cores = 0
- max_memory_gb = 0
- min_memory_gb = 0
- gpu_resources = []
- auto_repair = true
- auto_upgrade = true
- disk_size = 100
- disk_type = "pd-standard"
- image_type = "COS_CONTAINERD"
+ enabled = false
+ autoscaling_profile = "BALANCED"
+ max_cpu_cores = 0
+ min_cpu_cores = 0
+ max_memory_gb = 0
+ min_memory_gb = 0
+ gpu_resources = []
+ auto_repair = true
+ auto_upgrade = true
+ disk_size = 100
+ disk_type = "pd-standard"
+ image_type = "COS_CONTAINERD"
+ enable_secure_boot = false
+ enable_integrity_monitoring = true
 }
 description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)"
 }
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index e72edde309..eb71fa8cf5 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -170,7 +170,7 @@ Then perform the following commands on the root folder:
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
 | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no |
-| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
 | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 1a5b397c70..8461ae63b7 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -145,6 +145,11 @@ resource "google_container_cluster" "primary" {
 }
 }
 
+ shielded_instance_config {
+ enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false)
+ enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true)
+ }
+
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD")
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 6cadf89cfd..0a3b46eefb 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index c31a9df9d9..5f1d6445f9 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -148,7 +148,7 @@ Then perform the following commands on the root folder: | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
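Review bot: The `description` of `variable "cluster_autoscaling"` is left unchanged although the type gains `enable_secure_boot` and `enable_integrity_monitoring`, so a caller reading the variable docs or the generated README table cannot tell that these two fields set the Shielded VM options of auto-provisioned node pools, or that Secure Boot is off unless explicitly enabled. Appending a sentence to the description, e.g. `enable_secure_boot and enable_integrity_monitoring control the Shielded VM settings of auto-provisioned node pools; Secure Boot is off by default.`, and regenerating the README tables would close that gap. The same applies to the variables.tf hunks for `modules/beta-public-cluster`, `modules/private-cluster-update-variant`, `modules/private-cluster` and the root `variables.tf` later in this patch.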
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index cef6c02d86..0a92c4d317 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -145,6 +145,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 6cadf89cfd..0a3b46eefb 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 88a23661c9..ad4e7d90cf 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -171,7 +171,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 5289bd2255..a6bff1de29 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -139,6 +139,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index c16ebc925e..9f3c9f0952 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index be4b37b691..692d0a0e79 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -149,7 +149,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | -| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | +| cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | | cluster\_dns\_scope | The scope of access to cluster DNS records. DNS\_SCOPE\_UNSPECIFIED (default) or CLUSTER\_SCOPE or VPC\_SCOPE. | `string` | `"DNS_SCOPE_UNSPECIFIED"` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 18afb5e0c2..7f3f78766b 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -139,6 +139,11 @@ resource "google_container_cluster" "primary" { } } + shielded_instance_config { + enable_secure_boot = lookup(var.cluster_autoscaling, "enable_secure_boot", false) + enable_integrity_monitoring = lookup(var.cluster_autoscaling, "enable_integrity_monitoring", true) + } + image_type = lookup(var.cluster_autoscaling, "image_type", "COS_CONTAINERD") } diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index c16ebc925e..9f3c9f0952 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } diff --git a/variables.tf b/variables.tf index 8c965b8ec8..bf850ccc99 100644 --- a/variables.tf +++ b/variables.tf 
@@ -239,39 +239,43 @@ variable "enable_resource_consumption_export" { variable "cluster_autoscaling" { type = object({ - enabled = bool - autoscaling_profile = string - min_cpu_cores = number - max_cpu_cores = number - min_memory_gb = number - max_memory_gb = number - gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) - auto_repair = bool - auto_upgrade = bool - disk_size = optional(number) - disk_type = optional(string) - image_type = optional(string) - strategy = optional(string) - max_surge = optional(number) - max_unavailable = optional(number) - node_pool_soak_duration = optional(string) - batch_soak_duration = optional(string) - batch_percentage = optional(number) - batch_node_count = optional(number) + enabled = bool + autoscaling_profile = string + min_cpu_cores = number + max_cpu_cores = number + min_memory_gb = number + max_memory_gb = number + gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number })) + auto_repair = bool + auto_upgrade = bool + disk_size = optional(number) + disk_type = optional(string) + image_type = optional(string) + strategy = optional(string) + max_surge = optional(number) + max_unavailable = optional(number) + node_pool_soak_duration = optional(string) + batch_soak_duration = optional(string) + batch_percentage = optional(number) + batch_node_count = optional(number) + enable_secure_boot = optional(bool, false) + enable_integrity_monitoring = optional(bool, true) }) default = { - enabled = false - autoscaling_profile = "BALANCED" - max_cpu_cores = 0 - min_cpu_cores = 0 - max_memory_gb = 0 - min_memory_gb = 0 - gpu_resources = [] - auto_repair = true - auto_upgrade = true - disk_size = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" + enabled = false + autoscaling_profile = "BALANCED" + max_cpu_cores = 0 + min_cpu_cores = 0 + max_memory_gb = 0 + min_memory_gb = 0 + gpu_resources = [] + auto_repair = true + auto_upgrade = true + disk_size = 
100 + disk_type = "pd-standard" + image_type = "COS_CONTAINERD" + enable_secure_boot = false + enable_integrity_monitoring = true } description = "Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling)" } From c2df48408500ae91435441a36c702333afe0809e Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 6 Jun 2024 02:50:47 +0000 Subject: [PATCH 083/176] chore(deps): Update Terraform terraform-google-modules/kubernetes-engine/google to v31 (#1966) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/acm-terraform-blog-part1/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part2/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part3/terraform/gke.tf | 4 ++-- examples/deploy_service/main.tf | 2 +- examples/disable_client_cert/main.tf | 2 +- examples/island_cluster_with_vm_router/main.tf | 2 +- examples/node_pool/main.tf | 2 +- examples/node_pool_update_variant/main.tf | 2 +- examples/node_pool_update_variant_beta/main.tf | 2 +- examples/node_pool_update_variant_public_beta/main.tf | 2 +- examples/private_zonal_with_networking/main.tf | 2 +- examples/regional_private_node_pool_oauth_scopes/main.tf | 2 +- examples/safer_cluster/main.tf | 2 +- examples/safer_cluster_iap_bastion/cluster.tf | 2 +- examples/shared_vpc/main.tf | 2 +- examples/simple_autopilot_private/main.tf | 2 +- examples/simple_autopilot_private_non_default_sa/main.tf | 2 +- examples/simple_autopilot_public/main.tf | 2 +- examples/simple_regional/main.tf | 2 +- examples/simple_regional_beta/main.tf | 2 +- examples/simple_regional_private/main.tf | 2 +- examples/simple_regional_private_beta/main.tf | 2 +- .../simple_regional_private_with_cluster_version/main.tf | 2 +- examples/simple_regional_with_gateway_api/main.tf | 2 +- examples/simple_regional_with_kubeconfig/main.tf | 4 ++-- examples/simple_regional_with_networking/main.tf | 2 +- examples/simple_windows_node_pool/main.tf | 2 +- examples/simple_zonal_private/main.tf | 2 +- examples/simple_zonal_with_acm/acm.tf | 2 +- examples/simple_zonal_with_acm/main.tf | 2 +- examples/simple_zonal_with_asm/main.tf | 4 ++-- examples/simple_zonal_with_hub/hub.tf | 2 +- examples/simple_zonal_with_hub/main.tf | 2 +- 
examples/simple_zonal_with_hub_kubeconfig/hub.tf | 2 +- examples/stub_domains/main.tf | 2 +- examples/stub_domains_private/main.tf | 2 +- examples/stub_domains_upstream_nameservers/main.tf | 2 +- examples/upstream_nameservers/main.tf | 2 +- examples/workload_identity/main.tf | 8 ++++---- examples/workload_metadata_config/main.tf | 2 +- 40 files changed, 46 insertions(+), 46 deletions(-) diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index 45a627c467..7df2197cfe 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -31,7 +31,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part1" region = var.region diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 816e2bde95..527d2ef100 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf @@ -31,7 +31,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part2" region = var.region diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index 6694582d56..ff4db070a5 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf 
@@ -33,7 +33,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part3" region = var.region @@ -48,7 +48,7 @@ module "gke" { module "wi" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 30.0" + version = "~> 31.0" gcp_sa_name = "cnrmsa" cluster_name = module.gke.name name = "cnrm-controller-manager" diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index e825609a1f..a7151da4b2 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf index af1e3f141d..535d5200a1 100644 --- a/examples/disable_client_cert/main.tf +++ b/examples/disable_client_cert/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/island_cluster_with_vm_router/main.tf b/examples/island_cluster_with_vm_router/main.tf index 86ce138888..5984412ee5 100644 --- a/examples/island_cluster_with_vm_router/main.tf +++ b/examples/island_cluster_with_vm_router/main.tf @@ -143,7 +143,7 @@ module "net" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 30.0" + version = "~> 31.0" depends_on = [google_compute_instance.vm] 
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index 7626216fb7..634a3b2965 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf index b18de30482..b526e656bd 100644 --- a/examples/node_pool_update_variant/main.tf +++ b/examples/node_pool_update_variant/main.tf @@ -34,7 +34,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster-update-variant" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf index c78d2bd050..99e9134518 100644 --- a/examples/node_pool_update_variant_beta/main.tf +++ b/examples/node_pool_update_variant_beta/main.tf @@ -39,7 +39,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf index dcab030f8b..4821df4ac6 100644 --- a/examples/node_pool_update_variant_public_beta/main.tf +++ b/examples/node_pool_update_variant_public_beta/main.tf 
@@ -39,7 +39,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster-update-variant" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf index 1f7f4c2047..692a7bd1fd 100644 --- a/examples/private_zonal_with_networking/main.tf +++ b/examples/private_zonal_with_networking/main.tf @@ -61,7 +61,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = var.cluster_name diff --git a/examples/regional_private_node_pool_oauth_scopes/main.tf b/examples/regional_private_node_pool_oauth_scopes/main.tf index 0bba21cdaa..bf46331191 100644 --- a/examples/regional_private_node_pool_oauth_scopes/main.tf +++ b/examples/regional_private_node_pool_oauth_scopes/main.tf @@ -16,7 +16,7 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "random-test-cluster" diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index ceea648aa5..5d6df90110 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf @@ -52,7 +52,7 @@ resource "random_shuffle" "version" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster-${random_string.suffix.result}" diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf index 9debb69001..8fbaa05646 100644 
--- a/examples/safer_cluster_iap_bastion/cluster.tf +++ b/examples/safer_cluster_iap_bastion/cluster.tf @@ -16,7 +16,7 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = module.enabled_google_apis.project_id name = var.cluster_name diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf index 5ff24c3c02..5803a64c6f 100644 --- a/examples/shared_vpc/main.tf +++ b/examples/shared_vpc/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf index 125ba24706..d98f7f00df 100644 --- a/examples/simple_autopilot_private/main.tf +++ b/examples/simple_autopilot_private/main.tf @@ -35,7 +35,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_autopilot_private_non_default_sa/main.tf b/examples/simple_autopilot_private_non_default_sa/main.tf index b9ff6e92a5..332e41f1cc 100644 --- a/examples/simple_autopilot_private_non_default_sa/main.tf +++ b/examples/simple_autopilot_private_non_default_sa/main.tf @@ -35,7 +35,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index 2fc462ca3a..451ef70317 100644 
--- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf @@ -34,7 +34,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 5fc839611d..2127fa9eea 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index cd76c5dcc6..2c1f082af9 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf index 2b120d14d8..25cf124ef9 100644 --- a/examples/simple_regional_private/main.tf +++ b/examples/simple_regional_private/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf index 43d2f7835f..822c7946ce 100644 
--- a/examples/simple_regional_private_beta/main.tf +++ b/examples/simple_regional_private_beta/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private_with_cluster_version/main.tf b/examples/simple_regional_private_with_cluster_version/main.tf index 6d95353710..23b5b83c99 100644 --- a/examples/simple_regional_private_with_cluster_version/main.tf +++ b/examples/simple_regional_private_with_cluster_version/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_with_gateway_api/main.tf b/examples/simple_regional_with_gateway_api/main.tf index b96367d767..34500ada3a 100644 --- a/examples/simple_regional_with_gateway_api/main.tf +++ b/examples/simple_regional_with_gateway_api/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf index a2fcc3c72e..7387bb0c15 100644 --- a/examples/simple_regional_with_kubeconfig/main.tf +++ b/examples/simple_regional_with_kubeconfig/main.tf 
@@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" @@ -45,7 +45,7 @@ module "gke" { module "gke_auth" { source = "terraform-google-modules/kubernetes-engine/google//modules/auth" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id location = module.gke.location diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf index 28363ea059..a37c1fb6e9 100644 --- a/examples/simple_regional_with_networking/main.tf +++ b/examples/simple_regional_with_networking/main.tf @@ -53,7 +53,7 @@ module "gcp-network" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = var.cluster_name diff --git a/examples/simple_windows_node_pool/main.tf b/examples/simple_windows_node_pool/main.tf index 2ec1464bd3..0562eea5a4 100644 --- a/examples/simple_windows_node_pool/main.tf +++ b/examples/simple_windows_node_pool/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf index a541829254..138bfcd314 100644 --- a/examples/simple_zonal_private/main.tf +++ b/examples/simple_zonal_private/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" 
diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf index cee5eda4d2..56d510cb89 100644 --- a/examples/simple_zonal_with_acm/acm.tf +++ b/examples/simple_zonal_with_acm/acm.tf @@ -16,7 +16,7 @@ module "acm" { source = "terraform-google-modules/kubernetes-engine/google//modules/acm" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id location = module.gke.location diff --git a/examples/simple_zonal_with_acm/main.tf b/examples/simple_zonal_with_acm/main.tf index de06aa5d46..c62dc3b26b 100644 --- a/examples/simple_zonal_with_acm/main.tf +++ b/examples/simple_zonal_with_acm/main.tf @@ -32,7 +32,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index f9b368000a..f54653b1ed 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf @@ -28,7 +28,7 @@ data "google_project" "project" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "test-prefix-cluster-test-suffix" @@ -57,7 +57,7 @@ module "gke" { module "asm" { source = "terraform-google-modules/kubernetes-engine/google//modules/asm" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id cluster_name = module.gke.name diff --git a/examples/simple_zonal_with_hub/hub.tf b/examples/simple_zonal_with_hub/hub.tf index 36120501b3..5b7171ab4c 100644 --- a/examples/simple_zonal_with_hub/hub.tf +++ b/examples/simple_zonal_with_hub/hub.tf @@ -16,7 +16,7 @@ module "hub" { source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id location = module.gke.location 
diff --git a/examples/simple_zonal_with_hub/main.tf b/examples/simple_zonal_with_hub/main.tf index 4b4563d8d0..6c13cbdbbc 100644 --- a/examples/simple_zonal_with_hub/main.tf +++ b/examples/simple_zonal_with_hub/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_with_hub_kubeconfig/hub.tf b/examples/simple_zonal_with_hub_kubeconfig/hub.tf index 19e243947a..d904d87c6b 100644 --- a/examples/simple_zonal_with_hub_kubeconfig/hub.tf +++ b/examples/simple_zonal_with_hub_kubeconfig/hub.tf @@ -16,7 +16,7 @@ module "hub" { source = "terraform-google-modules/kubernetes-engine/google//modules/hub-legacy" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id location = "remote" diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf index 8607a6fc72..82599a7534 100644 --- a/examples/stub_domains/main.tf +++ b/examples/stub_domains/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf index 5ebc7a057a..5bb6268ffc 100644 --- a/examples/stub_domains_private/main.tf +++ b/examples/stub_domains_private/main.tf @@ -30,7 +30,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf index 02639383dd..5a95ab8e69 100644 
--- a/examples/stub_domains_upstream_nameservers/main.tf +++ b/examples/stub_domains_upstream_nameservers/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf index 7349ab5cdf..876152ad28 100644 --- a/examples/upstream_nameservers/main.tf +++ b/examples/upstream_nameservers/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index fe1b13bfcd..98b406e31b 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" @@ -54,7 +54,7 @@ module "gke" { # example without existing KSA module "workload_identity" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "iden-${module.gke.name}" @@ -74,7 +74,7 @@ resource "kubernetes_service_account" "test" { module "workload_identity_existing_ksa" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "existing-${module.gke.name}" 
@@ -93,7 +93,7 @@ resource "google_service_account" "custom" { module "workload_identity_existing_gsa" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = google_service_account.custom.account_id diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index 856591c444..4ee285814d 100644 --- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 30.0" + version = "~> 31.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" From 15380ebc28bf05eb899da9dd15e8c0c85f74a512 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 6 Jun 2024 09:05:42 -0700 Subject: [PATCH 084/176] chore(deps): Update module github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test to v0.15.1 (#1963) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 8 ++++---- test/integration/go.sum | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 66e00997e6..22c3f33686 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod 
@@ -1,11 +1,11 @@ module github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration -go 1.21 +go 1.22 -toolchain go1.22.3 +toolchain go1.22.4 require ( - github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0 + github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.1 github.com/gruntwork-io/terratest v0.46.15 github.com/stretchr/testify v1.9.0 github.com/tidwall/gjson v1.17.1 @@ -109,7 +109,7 @@ require ( k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/kustomize/kyaml v0.17.0 // indirect + sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/test/integration/go.sum b/test/integration/go.sum index ff32902444..86bcb3a020 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0 h1:zT+PND04OQ96kmnQorLFtuY4Ny3KZ4fqxdy9faxMS6A=
-github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.0/go.mod h1:Srfs5phdVU1kwoRWedu4hngTkwN3OILEWgUgE+IVp6s=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.1 h1:c1tEK/Ma0NstqqkjS1tCClrFxIX1cNLdrM5cB03Sv24=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.1/go.mod h1:bssUTs81Q0xIUg/dYT8/8fqEXOVB8GQVyngw9U79EN4=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
@@ -1080,8 +1080,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/kustomize/kyaml v0.17.0 h1:G2bWs03V9Ur2PinHLzTUJ8Ded+30SzXZKiO92SRDs3c=
-sigs.k8s.io/kustomize/kyaml v0.17.0/go.mod h1:6lxkYF1Cv9Ic8g/N7I86cvxNc5iinUo/P2vKsHNmpyE=
+sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ=
+sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U=
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk=
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
From 29113e4c0fc5f69b7b5a7a53f059dd239b2c928d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 10 Jun 2024 08:21:32 -0700
Subject: [PATCH 085/176] chore(deps): Update nginx Docker tag to v1.27.0 (#1970)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 examples/deploy_service/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf
index a7151da4b2..418cc61ed1 100644
--- a/examples/deploy_service/main.tf
+++ b/examples/deploy_service/main.tf
@@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" { spec { container { - image = "nginx:1.26.0" + image = "nginx:1.27.0" name = "nginx-example" } }
From 329c08f5a0410fc89af018407151e521896248d1 Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Tue, 11 Jun 2024 12:33:04 -0700
Subject: [PATCH 086/176] chore(CI): add CURRENT_STATE_DECRYPTED (#1974)
---
 .../disable_client_cert/testdata/TestDisableClientCert.json | 1 +
 .../testdata/TestPrivateZonalWithNetworking.json | 1 +
 test/integration/safer_cluster/testdata/TestSaferCluster.json | 1 +
 .../sandbox_enabled/testdata/TestSandboxEnabled.json | 1 +
 .../testdata/TestSimpleAutopilotPrivate.json | 1 +
 .../testdata/TestSimpleAutopilotPublic.json | 1 +
 .../simple_regional/testdata/TestSimpleRegional.json | 1 +
 .../testdata/TestSimpleRegionalPrivate.json | 1 +
 .../simple_regional_with_gateway_api/controls/gcloud.rb | 2 +-
 test/integration/simple_regional_with_ipv6/controls/gcloud.rb | 2 +-
 .../testdata/TestSimpleRegionalWithKubeConfig.json | 1 +
 .../testdata/TestSimpleRegionalWithNetworking.json | 1 +
 .../testdata/TestSimpleWindowsNodePool.json | 1 +
 test/integration/simple_zonal/testdata/TestSimpleZonal.json | 1 +
 .../simple_zonal_private/testdata/TestSimpleZonalPrivate.json | 1 +
 15 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/test/integration/disable_client_cert/testdata/TestDisableClientCert.json b/test/integration/disable_client_cert/testdata/TestDisableClientCert.json
index d10f0d2945..235c0a8b8b 100755
--- a/test/integration/disable_client_cert/testdata/TestDisableClientCert.json
+++ b/test/integration/disable_client_cert/testdata/TestDisableClientCert.json
@@ -27,6 +27,7 @@
 "currentNodeCount": 3,
 "currentNodeVersion": "1.24.7-gke.900",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json
index 51f49e2285..c6bdd3f7cb 100755
--- a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json
+++ b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json
@@ -27,6 +27,7 @@
 "currentNodeCount": 1,
 "currentNodeVersion": "1.24.7-gke.900",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/safer_cluster/testdata/TestSaferCluster.json b/test/integration/safer_cluster/testdata/TestSaferCluster.json
index cb1bdb3674..e2836b34c7 100755
--- a/test/integration/safer_cluster/testdata/TestSaferCluster.json
+++ b/test/integration/safer_cluster/testdata/TestSaferCluster.json
@@ -29,6 +29,7 @@
 "currentNodeCount": 3,
 "currentNodeVersion": "1.23.14-gke.401",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json b/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json
index cb2ffe680c..6ba2bb70cb 100755
--- a/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json
+++ b/test/integration/sandbox_enabled/testdata/TestSandboxEnabled.json
@@ -25,6 +25,7 @@
 "currentNodeCount": 3,
 "currentNodeVersion": "1.24.7-gke.900",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json b/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json
index 997ba9b5e5..62103f7ee9 100644
--- a/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json
+++ b/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json
@@ -70,6 +70,7 @@
 "currentNodeCount": 2,
 "currentNodeVersion": "1.24.7-gke.900",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json b/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json
index 0e92769fe6..d014c325dc 100644
--- a/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json
+++ b/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json
@@ -70,6 +70,7 @@
 "currentNodeCount": 2,
 "currentNodeVersion": "1.24.7-gke.900",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/simple_regional/testdata/TestSimpleRegional.json b/test/integration/simple_regional/testdata/TestSimpleRegional.json
index 85c8e55db7..16d6297fdc 100644
--- a/test/integration/simple_regional/testdata/TestSimpleRegional.json
+++ b/test/integration/simple_regional/testdata/TestSimpleRegional.json
@@ -38,6 +38,7 @@
 "currentNodeCount": 3,
 "currentNodeVersion": "1.27.3-gke.100",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/simple_regional_private/testdata/TestSimpleRegionalPrivate.json b/test/integration/simple_regional_private/testdata/TestSimpleRegionalPrivate.json
index 295ae578f7..4c9fbcd32b 100644
--- a/test/integration/simple_regional_private/testdata/TestSimpleRegionalPrivate.json
+++ b/test/integration/simple_regional_private/testdata/TestSimpleRegionalPrivate.json
@@ -25,6 +25,7 @@
 "currentNodeCount": 3,
 "currentNodeVersion": "1.25.4-gke.2100",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb b/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb
index 14722175bd..631eae3d2a 100644
--- a/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb
+++ b/test/integration/simple_regional_with_gateway_api/controls/gcloud.rb
@@ -66,7 +66,7 @@ end it "has the expected databaseEncryption config" do - expect(data['databaseEncryption']).to eq({ + expect(data['databaseEncryption']).to include({ "state" => 'DECRYPTED', }) end
diff --git a/test/integration/simple_regional_with_ipv6/controls/gcloud.rb b/test/integration/simple_regional_with_ipv6/controls/gcloud.rb
index 6b3e65e3ce..0080ed5c14 100644
--- a/test/integration/simple_regional_with_ipv6/controls/gcloud.rb
+++ b/test/integration/simple_regional_with_ipv6/controls/gcloud.rb
@@ -64,7 +64,7 @@ end it "has the expected databaseEncryption config" do - expect(data['databaseEncryption']).to eq({ + expect(data['databaseEncryption']).to include({ "state" => 'DECRYPTED', }) end
diff --git a/test/integration/simple_regional_with_kubeconfig/testdata/TestSimpleRegionalWithKubeConfig.json b/test/integration/simple_regional_with_kubeconfig/testdata/TestSimpleRegionalWithKubeConfig.json
index 33e3de8c05..216876af9f 100644
--- a/test/integration/simple_regional_with_kubeconfig/testdata/TestSimpleRegionalWithKubeConfig.json
+++ b/test/integration/simple_regional_with_kubeconfig/testdata/TestSimpleRegionalWithKubeConfig.json
@@ -25,6 +25,7 @@
 "currentNodeCount": 3,
 "currentNodeVersion": "1.25.5-gke.1500",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/simple_regional_with_networking/testdata/TestSimpleRegionalWithNetworking.json b/test/integration/simple_regional_with_networking/testdata/TestSimpleRegionalWithNetworking.json
index 5c2b2478f4..82160d884e 100644
--- a/test/integration/simple_regional_with_networking/testdata/TestSimpleRegionalWithNetworking.json
+++ b/test/integration/simple_regional_with_networking/testdata/TestSimpleRegionalWithNetworking.json
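Review bot: Relaxing the matcher from `eq` to `include` makes the `databaseEncryption` assertion a subset check, so the new `currentState` field that this same commit records as `CURRENT_STATE_DECRYPTED` in every testdata JSON is no longer checked at all, and a cluster reporting any other current state would still pass. If the intent is to keep the encryption-state assertion strict, add `"currentState" => 'CURRENT_STATE_DECRYPTED',` alongside the existing `"state" => 'DECRYPTED',` entry in the expected hash. The identical hunk in simple_regional_with_ipv6/controls/gcloud.rb has the same gap. The enclosing describe block starts outside the hunk, so whether `data` is taken from a describe-cluster call is inferred, not visible here.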
@@ -25,6 +25,7 @@
 "currentNodeCount": 3,
 "currentNodeVersion": "1.25.5-gke.1500",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json b/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json
index d5569ab489..b1cb9ae910 100644
--- a/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json
+++ b/test/integration/simple_windows_node_pool/testdata/TestSimpleWindowsNodePool.json
@@ -35,6 +35,7 @@
 "currentNodeCount": 2,
 "currentNodeVersion": "1.24.7-gke.900",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/simple_zonal/testdata/TestSimpleZonal.json b/test/integration/simple_zonal/testdata/TestSimpleZonal.json
index 5d1987285b..79b4b79a8b 100644
--- a/test/integration/simple_zonal/testdata/TestSimpleZonal.json
+++ b/test/integration/simple_zonal/testdata/TestSimpleZonal.json
@@ -26,6 +26,7 @@
 "currentNodeCount": 4,
 "currentNodeVersion": "1.25.6-gke.1000",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
diff --git a/test/integration/simple_zonal_private/testdata/TestSimpleZonalPrivate.json b/test/integration/simple_zonal_private/testdata/TestSimpleZonalPrivate.json
index 0172ee91fd..c0f5e13070 100644
--- a/test/integration/simple_zonal_private/testdata/TestSimpleZonalPrivate.json
+++ b/test/integration/simple_zonal_private/testdata/TestSimpleZonalPrivate.json
@@ -25,6 +25,7 @@
 "currentNodeCount": 1,
 "currentNodeVersion": "1.25.5-gke.1500",
 "databaseEncryption": {
+ "currentState": "CURRENT_STATE_DECRYPTED",
 "state": "DECRYPTED"
 },
 "defaultMaxPodsConstraint": {
From 6dd46d133edc317e36fe0eb1aecbebd3c36fe6f0 Mon Sep 17 00:00:00 2001
From: Naveen Mandadhi
Date: Wed, 12 Jun 2024 15:56:28 -0500
Subject: [PATCH 087/176] chore: add gke island cluster anywhere in GCP design (#1967)
---
 .../README.md | 37 ++++
 .../main.tf | 93 ++++++++
 .../manifests/k8s.yaml | 88 ++++++++
 .../network.tf | 207 ++++++++++++++++++
 .../outputs.tf | 19 ++
 .../router.tf | 54 +++++
 .../terraform.tfvars | 46 ++++
 .../variables.tf | 78 +++++++
 .../versions.tf | 28 +++
 9 files changed, 650 insertions(+)
 create mode 100644 examples/island_cluster_anywhere_in_gcp_design/README.md
 create mode 100644 examples/island_cluster_anywhere_in_gcp_design/main.tf
 create mode 100644 examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml
 create mode 100644 examples/island_cluster_anywhere_in_gcp_design/network.tf
 create mode 100644 examples/island_cluster_anywhere_in_gcp_design/outputs.tf
 create mode 100644 examples/island_cluster_anywhere_in_gcp_design/router.tf
 create mode 100644 examples/island_cluster_anywhere_in_gcp_design/terraform.tfvars
 create mode 100644 examples/island_cluster_anywhere_in_gcp_design/variables.tf
 create mode 100644 examples/island_cluster_anywhere_in_gcp_design/versions.tf
diff --git a/examples/island_cluster_anywhere_in_gcp_design/README.md b/examples/island_cluster_anywhere_in_gcp_design/README.md
new file mode 100644
index 0000000000..73a18ff5ca
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/README.md
@@ -0,0 +1,37 @@
+# GKE island cluster anywhere in GCP design
+
+This example provisions a cluster in an island VPC allowing reuse of the IP address space for multiple clusters across different GCP organizations.
+
+## Deploy
+
+1. Create NCC hub.
+2. Update `ncc_hub_project_id`, `ncc_hub_name`, `network_name` and gke spokes in `terraform.tfvars`.
+3. Run `terraform apply`.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| gke\_spokes | n/a | `any` | n/a | yes |
+| ingress\_ip\_addrs\_subnet\_cidr | Subnet to use for reserving internal ip addresses for the ILBs. | `string` | n/a | yes |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | n/a | yes |
+| ncc\_hub\_name | n/a | `string` | n/a | yes |
+| ncc\_hub\_project\_id | n/a | `string` | n/a | yes |
+| net\_attachment\_subnet\_cidr | Subnet for the router PSC interface network attachment in island network. | `string` | n/a | yes |
+| node\_locations | n/a | `list(string)` | n/a | yes |
+| primary\_net\_name | Primary VPC network name. | `string` | n/a | yes |
+| primary\_subnet | Subnet to use in primary network to deploy the router. | `string` | n/a | yes |
+| proxy\_subnet\_cidr | CIDR for the regional managed proxy subnet. | `string` | n/a | yes |
+| region | n/a | `string` | n/a | yes |
+| router\_machine\_type | n/a | `string` | n/a | yes |
+| secondary\_ranges | n/a | `map(string)` | n/a | yes |
+| subnet\_cidr | Primary subnet CIDR used by the cluster. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cluster\_ids | n/a |
+
+
diff --git a/examples/island_cluster_anywhere_in_gcp_design/main.tf b/examples/island_cluster_anywhere_in_gcp_design/main.tf
new file mode 100644
index 0000000000..8dbbe9894b
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/main.tf
@@ -0,0 +1,93 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_id" "rand" {
+ byte_length = 4
+}
+
+resource "google_service_account" "gke-sa" {
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ account_id = "gke-sa-${random_id.rand.hex}"
+ project = each.value["project_id"]
+}
+
+module "gke" {
+ source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
+ version = "~> 31.0"
+
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = each.value["cluster_name"]
+ project_id = each.value["project_id"]
+ region = var.region
+ release_channel = "RAPID"
+ zones = var.node_locations
+ network = module.net[each.key].network_name
+ subnetwork = "${each.value["cluster_name"]}-${var.region}-snet"
+ ip_range_pods = "${each.value["cluster_name"]}-${var.region}-snet-pods"
+ ip_range_services = "${each.value["cluster_name"]}-${var.region}-snet-services"
+ enable_private_endpoint = true
+ enable_private_nodes = true
+ datapath_provider = "ADVANCED_DATAPATH"
+ monitoring_enable_managed_prometheus = false
+ enable_shielded_nodes = true
+ master_global_access_enabled = false
+ master_ipv4_cidr_block = var.secondary_ranges["master_cidr"]
+ master_authorized_networks = var.master_authorized_networks
+ deletion_protection = false
+ remove_default_node_pool = true
+ disable_default_snat = true
+ gateway_api_channel = "CHANNEL_STANDARD"
+
+ node_pools = [
+ {
+ name = "default"
+ machine_type = "e2-highcpu-2"
+ min_count = 1
+ max_count = 100
+ local_ssd_count = 0
+ spot = true
+ local_ssd_ephemeral_count = 0
+ disk_size_gb = 100
+ disk_type = "pd-standard"
+ image_type = "COS_CONTAINERD"
+ logging_variant = "DEFAULT"
+ auto_repair = true
+ auto_upgrade = true
+ service_account = google_service_account.gke-sa[each.key].email
+ initial_node_count = 1
+ enable_secure_boot = true
+ },
+ ]
+
+ node_pools_tags = {
+ all = ["gke-${random_id.rand.hex}"]
+ }
+
+ node_pools_oauth_scopes = {
+ all = [
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring",
+ ]
+ }
+
+ timeouts = {
+ create = "15m"
+ update = "15m"
+ delete = "15m"
+ }
+}
diff --git a/examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml b/examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml
new file mode 100644
index 0000000000..b728ce8a59
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml
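Review bot: `google_service_account.gke-sa` is created with no IAM bindings, and `node_pools_oauth_scopes` grants only the logging.write and monitoring scopes; unless the role bindings exist outside this example, nodes running under this account will presumably fail to ship logs and metrics (roles/logging.logWriter, roles/monitoring.metricWriter), so either add the `google_project_iam_member` bindings next to the account or state in a comment where they are expected to come from. `account_id = "gke-sa-${random_id.rand.hex}"` is also identical for every spoke, so two entries of `gke_spokes` that share a `project_id` collide on creation; including the cluster name, e.g. `account_id = "gke-sa-${each.value["cluster_name"]}-${random_id.rand.hex}"`, keeps them distinct (the account id must stay within 30 characters). `deletion_protection = false` is reasonable for an example but deserves a `# example only: keep deletion protection on for real clusters` comment so it is not copied verbatim.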
@@ -0,0 +1,88 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: whereami
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: whereami
+ template:
+ metadata:
+ labels:
+ app: whereami
+ spec:
+ containers:
+ - name: whereami
+ image: us-docker.pkg.dev/google-samples/containers/gke/whereami:v1.2.19
+ ports:
+ - name: http
+ containerPort: 8080
+ resources:
+ requests:
+ cpu: "50m"
+ memory: 128Mi
+ limits:
+ cpu: "100m"
+ memory: 256Mi
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 5
+ timeoutSeconds: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: whereami
+spec:
+ type: ClusterIP
+ selector:
+ app: whereami
+ ports:
+ - port: 80
+ targetPort: 8080
+ protocol: TCP
+---
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+ name: l7-ilb
+spec:
+ gatewayClassName: gke-l7-rilb
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ addresses:
+ - type: NamedAddress
+ value: gke-spoke-1-l7-rilb-ip
+---
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+ name: whereami
+spec:
+ parentRefs:
+ - kind: Gateway
+ name: l7-ilb
+ rules:
+ - backendRefs:
+ - name: whereami
+ port: 80
diff --git a/examples/island_cluster_anywhere_in_gcp_design/network.tf b/examples/island_cluster_anywhere_in_gcp_design/network.tf
new file mode 100644
index 0000000000..a0539c8252
--- /dev/null
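Review bot: The Gateway's `addresses` entry hard-codes `value: gke-spoke-1-l7-rilb-ip`, while network.tf reserves one address per spoke named `${cluster_name}-l7-rilb-ip`, so this manifest only works on the first spoke as written; a comment such as `# replace gke-spoke-1 with the cluster_name of the spoke you apply this to` (or a templated manifest) would make that explicit. The `whereami` container also declares no `securityContext`; for an example that will be copied, adding `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` at the container level, plus `runAsNonRoot: true` if the image supports it, costs nothing. Pinning the image by digest rather than the `v1.2.19` tag would make the deployment reproducible.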
+++ b/examples/island_cluster_anywhere_in_gcp_design/network.tf 
@@ -0,0 +1,207 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module "net" {
+ source = "terraform-google-modules/network/google"
+ version = "~> 9.0"
+
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ network_name = "gke-net-${random_id.rand.hex}"
+ routing_mode = "GLOBAL"
+ project_id = each.value["project_id"]
+
+ subnets = [
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-snet"
+ subnet_ip = var.subnet_cidr
+ subnet_region = var.region
+ subnet_private_access = "true"
+ },
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-int-ip-addr-snet"
+ subnet_ip = var.ingress_ip_addrs_subnet_cidr
+ subnet_region = var.region
+ subnet_private_access = "true"
+ },
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-net-attachment-snet"
+ subnet_ip = var.net_attachment_subnet_cidr
+ subnet_region = var.region
+ subnet_private_access = "true"
+ },
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-proxy-snet"
+ subnet_ip = var.proxy_subnet_cidr
+ subnet_region = var.region
+ purpose = "REGIONAL_MANAGED_PROXY"
+ role = "ACTIVE"
+ },
+ {
+ subnet_name = "${each.value["cluster_name"]}-${var.region}-private-nat-snet"
+ subnet_ip = each.value["private_nat_subnet_cidr"]
+ subnet_region = var.region
+ subnet_private_access = "true"
+ purpose = "PRIVATE_NAT"
+ },
+ ]
+
+ secondary_ranges = {
+ "${each.value["cluster_name"]}-${var.region}-snet" = [
+ {
+ range_name = "${each.value["cluster_name"]}-${var.region}-snet-pods"
+ ip_cidr_range = var.secondary_ranges["pods"]
+ },
+ {
+ range_name = "${each.value["cluster_name"]}-${var.region}-snet-services"
+ ip_cidr_range = var.secondary_ranges["services"]
+ },
+ ]
+ }
+
+ firewall_rules = [
+ {
+ name = "${each.value["cluster_name"]}-iap"
+ direction = "INGRESS"
+ allow = [
+ {
+ protocol = "TCP"
+ ports = ["22"]
+ }
+ ]
+ ranges = ["35.235.240.0/20"]
+ },
+ {
+ name = "${each.value["cluster_name"]}-tcp-primary"
+ direction = "INGRESS"
+ allow = [
+ {
+ protocol = "TCP"
+ }
+ ]
+ ranges = [
+ var.net_attachment_subnet_cidr
+ ]
+ },
+ {
+ name = "${each.value["cluster_name"]}-allow-proxy"
+ direction = "INGRESS"
+ allow = [
+ {
+ protocol = "TCP"
+ }
+ ]
+ ranges = [var.proxy_subnet_cidr]
+ target_service_accounts = [google_service_account.gke-sa[each.key].email]
+ },
+ ]
+}
+
+resource "google_compute_route" "primary_to_spoke" {
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "primary-to-spoke-for-${each.value["cluster_name"]}"
+ description = "primary to GKE spoke through router"
+ project = var.ncc_hub_project_id
+ network = var.primary_net_name
+ dest_range = each.value["spoke_netmap_subnet"]
+ next_hop_instance = google_compute_instance.vm[each.key].id
+}
+
+resource "google_network_connectivity_spoke" "spoke" {
+ provider = google-beta
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "${each.value["cluster_name"]}-spoke-${random_id.rand.hex}"
+ project = each.value["project_id"]
+ location = "global"
+ description = "vpc spoke for inter vpc nat"
+ hub = "projects/${var.ncc_hub_project_id}/locations/global/hubs/${var.ncc_hub_name}"
+ linked_vpc_network {
+ exclude_export_ranges = [
+ var.subnet_cidr,
+ var.ingress_ip_addrs_subnet_cidr,
+ var.net_attachment_subnet_cidr,
+ var.secondary_ranges["pods"],
+ var.secondary_ranges["services"],
+ var.secondary_ranges["master_cidr"],
+ var.proxy_subnet_cidr
+ ]
+ uri = module.net[each.key].network_self_link
+ }
+}
+
+resource "google_compute_network_attachment" "router_net_attachment" {
+ provider = google-beta
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "net-attachment-${each.value["cluster_name"]}"
+ project = each.value["project_id"]
+ region = var.region
+ description = "router network attachment for cluster ${each.value["cluster_name"]}"
+ connection_preference = "ACCEPT_MANUAL"
+
+ subnetworks = [
+ module.net[each.key].subnets["${var.region}/${each.value["cluster_name"]}-${var.region}-net-attachment-snet"]["self_link"]
+ ]
+
+ producer_accept_lists = [
+ var.ncc_hub_project_id
+ ]
+}
+
+module "cloud_router" {
+ source = "terraform-google-modules/cloud-router/google"
+ version = "~> 6.0"
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "router-${each.value["cluster_name"]}-${random_id.rand.hex}"
+ project = each.value["project_id"]
+ network = module.net[each.key].network_name
+ region = var.region
+}
+
+resource "google_compute_router_nat" "nat_type" {
+ provider = google-beta
+ depends_on = [module.cloud_router]
+
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "private-nat-${random_id.rand.hex}"
+ router = "router-${each.value["cluster_name"]}-${random_id.rand.hex}"
+ project = each.value["project_id"]
+ region = var.region
+ source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+ type = "PRIVATE"
+ rules {
+ rule_number = 100
+ description = "rule for private nat"
+ match = "nexthop.hub == \"//networkconnectivity.googleapis.com/projects/${var.ncc_hub_project_id}/locations/global/hubs/${var.ncc_hub_name}\""
+ action {
+ source_nat_active_ranges = [
+ module.net[each.key].subnets["${var.region}/${each.value["cluster_name"]}-${var.region}-private-nat-snet"]["self_link"]
+ ]
+ }
+ }
+}
+
+resource "google_compute_address" "gke-l7-rilb-ip" {
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ name = "${each.value["cluster_name"]}-l7-rilb-ip"
+ address_type = "INTERNAL"
+ region = var.region
+ project = each.value["project_id"]
+ subnetwork = module.net[each.key].subnets["${var.region}/${each.value["cluster_name"]}-${var.region}-int-ip-addr-snet"]["self_link"]
+}
diff --git a/examples/island_cluster_anywhere_in_gcp_design/outputs.tf b/examples/island_cluster_anywhere_in_gcp_design/outputs.tf
new file mode 100644
index 0000000000..438d3f7be0
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/outputs.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "cluster_ids" {
+ value = [for c in module.gke : c.cluster_id]
+}
diff --git a/examples/island_cluster_anywhere_in_gcp_design/router.tf b/examples/island_cluster_anywhere_in_gcp_design/router.tf
new file mode 100644
index 0000000000..3e91f328de
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/router.tf
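Review bot: The `${cluster_name}-tcp-primary` firewall rule admits every TCP port from `var.net_attachment_subnet_cidr` to every instance in the island VPC because it carries neither `target_tags` nor `target_service_accounts`, and the `-iap` rule opens port 22 VPC-wide the same way; the `-allow-proxy` rule in the same list already shows the narrower form, so scoping the other two with `target_service_accounts = [google_service_account.gke-sa[each.key].email]` (or the node tag main.tf assigns) and restricting `-tcp-primary` to the ports the router is expected to forward would follow least privilege. Separately, `google_compute_router_nat.nat_type` rebuilds the router name as `"router-${each.value["cluster_name"]}-${random_id.rand.hex}"` and relies on `depends_on` to order creation; referencing the router module's output for the name instead would keep the two from drifting apart if the naming changes. A comment on `exclude_export_ranges` stating that only the NETMAP ranges are meant to be reachable from the hub would also help readers, since that intent is currently only implied.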
@@ -0,0 +1,54 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_compute_instance" "vm" {
+ provider = google-beta
+ for_each = { for k, v in var.gke_spokes : k => v }
+
+ project = var.ncc_hub_project_id
+ zone = var.node_locations[0]
+ name = "${each.value["cluster_name"]}-router-${random_id.rand.hex}"
+ machine_type = var.router_machine_type
+ allow_stopping_for_update = true
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-12"
+ }
+ }
+ can_ip_forward = true
+ shielded_instance_config {
+ enable_secure_boot = true
+ }
+ network_interface {
+ subnetwork = var.primary_subnet
+ }
+ network_interface {
+ network_attachment = google_compute_network_attachment.router_net_attachment[each.key].self_link
+ }
+ metadata_startup_script = <<-EOT
+ #!/bin/bash
+ set -ex
+ sudo apt-get update
+ echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
+ sudo sysctl -p
+ sudo iptables -t nat -A PREROUTING -d ${each.value["spoke_netmap_subnet"]} -i ens4 -j NETMAP --to ${var.ingress_ip_addrs_subnet_cidr}
+ GWY_URL="http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway"
+ GWY_IP=$(curl $${GWY_URL} -H "Metadata-Flavor: Google")
+ sudo ip route add ${var.ingress_ip_addrs_subnet_cidr} via $${GWY_IP} dev ens5
+ sudo iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
+ sudo iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
+ EOT
+}
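Review bot: `google_compute_instance.vm` declares no `service_account` block, so the router VM either ends up with the project's default Compute Engine account or with none, depending on provider behaviour; since this instance is reachable on port 22 through the IAP rule and forwards traffic between two networks, it should get an explicitly created, minimally-privileged account, e.g. `service_account { email = google_service_account.router_sa[each.key].email, scopes = ["https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring"] }` with `router_sa` defined alongside. The startup script runs on every boot, and `echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf` appends a duplicate line each time; `sudo sysctl -w net.ipv4.ip_forward=1` has the same effect without growing the file. The script also hard-codes the guest NIC names `ens4`/`ens5`, which deserves a comment such as `# ens4 = primary-network NIC, ens5 = network-attachment NIC on debian-12; verify after image changes` because a different naming scheme silently breaks the NETMAP and route lines.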
diff --git a/examples/island_cluster_anywhere_in_gcp_design/terraform.tfvars b/examples/island_cluster_anywhere_in_gcp_design/terraform.tfvars
new file mode 100644
index 0000000000..ebdd1f0e13
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/terraform.tfvars
@@ -0,0 +1,46 @@
+ncc_hub_project_id = ""
+ncc_hub_name = ""
+region = "us-central1"
+primary_net_name = ""
+primary_subnet = "projects//regions/us-central1/subnetworks/"
+gke_spokes = [
+ {
+ project_id = "",
+ cluster_name = "gke-spoke-1",
+ private_nat_subnet_cidr = "100.65.1.0/24",
+ spoke_netmap_subnet = "10.244.0.0/28"
+ },
+ {
+ project_id = "",
+ cluster_name = "gke-spoke-2",
+ private_nat_subnet_cidr = "100.65.2.0/24",
+ spoke_netmap_subnet = "10.244.0.16/28"
+ },
+ {
+ project_id = "",
+ cluster_name = "gke-spoke-3",
+ private_nat_subnet_cidr = "100.65.3.0/24",
+ spoke_netmap_subnet = "10.244.0.32/28"
+ }
+]
+node_locations = [
+ "us-central1-a",
+ "us-central1-b",
+ "us-central1-f"
+]
+subnet_cidr = "100.64.0.0/19"
+net_attachment_subnet_cidr = "100.64.87.0/29"
+router_machine_type = "n2-highcpu-4"
+secondary_ranges = {
+ pods = "100.64.32.0/19"
+ services = "100.64.64.0/20"
+ master_cidr = "100.64.96.32/28"
+}
+proxy_subnet_cidr = "100.64.83.0/24"
+ingress_ip_addrs_subnet_cidr = "100.64.84.0/28"
+master_authorized_networks = [
+ {
+ cidr_block = "100.64.0.0/10"
+ display_name = "cluster net"
+ }
+]
diff --git a/examples/island_cluster_anywhere_in_gcp_design/variables.tf b/examples/island_cluster_anywhere_in_gcp_design/variables.tf
new file mode 100644
index 0000000000..293165c18f
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/variables.tf
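Review bot: The shipped `master_authorized_networks` entry is `100.64.0.0/10`, which as far as these values show covers every spoke's node, pod, service, proxy and private-NAT ranges rather than just the clients that need the control plane; narrowing it to the ranges that actually need API access, e.g. `cidr_block = "100.64.0.0/19"` for the cluster subnet plus the net-attachment subnet, with a `# keep this to the ranges that must reach the control plane` comment, would follow least privilege. README step 2 tells the user to update `network_name`, but the key in this file is `primary_net_name`. The empty `primary_subnet = "projects//regions/us-central1/subnetworks/"` placeholder would be clearer as `projects/<PRIMARY_PROJECT_ID>/regions/us-central1/subnetworks/<PRIMARY_SUBNET_NAME>` so readers know which two segments to fill in.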
@@ -0,0 +1,78 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "region" {
+ type = string
+}
+
+variable "node_locations" {
+ type = list(string)
+}
+
+variable "subnet_cidr" {
+ type = string
+ description = "Primary subnet CIDR used by the cluster."
+}
+
+variable "net_attachment_subnet_cidr" {
+ type = string
+ description = "Subnet for the router PSC interface network attachment in island network."
+}
+
+variable "ingress_ip_addrs_subnet_cidr" {
+ type = string
+ description = "Subnet to use for reserving internal ip addresses for the ILBs."
+}
+
+variable "proxy_subnet_cidr" {
+ type = string
+ description = "CIDR for the regional managed proxy subnet."
+}
+
+variable "secondary_ranges" {
+ type = map(string)
+}
+
+variable "master_authorized_networks" {
+ type = list(object({ cidr_block = string, display_name = string }))
+ description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
+}
+
+variable "primary_net_name" {
+ type = string
+ description = "Primary VPC network name."
+}
+
+variable "ncc_hub_project_id" {
+ type = string
+}
+
+variable "ncc_hub_name" {
+ type = string
+}
+
+variable "router_machine_type" {
+ type = string
+}
+
+variable "primary_subnet" {
+ type = string
+ description = "Subnet to use in primary network to deploy the router."
+}
+
+variable "gke_spokes" {
+ type = any
+}
diff --git a/examples/island_cluster_anywhere_in_gcp_design/versions.tf b/examples/island_cluster_anywhere_in_gcp_design/versions.tf
new file mode 100644
index 0000000000..4818f24fa7
--- /dev/null
+++ b/examples/island_cluster_anywhere_in_gcp_design/versions.tf
@@ -0,0 +1,28 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ }
+ }
+}
From eec38a2de73d637b5871881e0a3335f0e4a2f413 Mon Sep 17 00:00:00 2001
From: Piotr Kassin-Lenik
Date: Thu, 13 Jun 2024 17:33:10 +0200
Subject: [PATCH 088/176] feat: add pod_pids_limit for kubelet_config in all modules, example and autogen (#1922)
---
 autogen/main/README.md | 1 +
 autogen/main/cluster.tf.tmpl | 3 ++-
 examples/node_pool/main.tf | 1 +
 modules/beta-private-cluster-update-variant/README.md | 1 +
 modules/beta-private-cluster-update-variant/cluster.tf | 6 ++++--
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/cluster.tf | 6 ++++--
 modules/beta-public-cluster-update-variant/README.md | 1 +
 modules/beta-public-cluster-update-variant/cluster.tf | 6 ++++--
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/cluster.tf | 6 ++++--
 11 files changed, 24 insertions(+), 9 deletions(-)
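Review bot: `gke_spokes` is typed `any`, yet main.tf, network.tf and router.tf index every entry with the fixed keys `project_id`, `cluster_name`, `private_nat_subnet_cidr` and `spoke_netmap_subnet`, so a missing or misspelt key in tfvars only surfaces as a lookup error deep inside a `for_each` expression and the README has nothing to describe; an object type states the contract and gives the generated docs a real description. The same applies to `secondary_ranges`, declared `map(string)` but required to contain exactly `pods`, `services` and `master_cidr`. `region`, `node_locations`, `ncc_hub_project_id`, `ncc_hub_name` and `router_machine_type` also lack a `description`, which is why the README shows n/a for them.

```hcl
variable "secondary_ranges" {
  description = "Secondary ranges of the cluster subnet (pods, services) plus the control-plane CIDR used as master_ipv4_cidr_block."
  type = object({
    pods        = string
    services    = string
    master_cidr = string
  })
}

# … unchanged: master_authorized_networks … primary_subnet …

variable "gke_spokes" {
  description = "One entry per island cluster: target project, cluster name, private-NAT subnet CIDR and the NETMAP range the primary network routes to that spoke."
  type = list(object({
    project_id              = string
    cluster_name            = string
    private_nat_subnet_cidr = string
    spoke_netmap_subnet     = string
  }))
}
```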
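Review bot: Neither `google` nor `google-beta` carries a `version` constraint in `required_providers`, while every module this example calls is pinned (`~> 31.0`, `~> 9.0`, `~> 6.0`); the network attachment, private Cloud NAT and NCC spoke `exclude_export_ranges` usage presumably need fairly recent provider releases, so an unconstrained provider can resolve to one that lacks them or, later, to a major release with breaking changes. Add `version = ">= <MIN_TESTED_VERSION>, < <NEXT_MAJOR>"` to both entries, with the bounds taken from the provider versions this example was actually tested against.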
diff --git a/autogen/main/README.md b/autogen/main/README.md index f47c6171d7..4206111f2f 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -201,6 +201,7 @@ The node_pools variable takes the following parameters: | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional | | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional | | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional | +| pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | {% endif %} | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 859499c51a..ddeccb61ef 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -985,13 +985,14 @@ resource "google_container_node_pool" "windows_pools" { dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"] + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] )) != 0 ? [1] : [] content { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } {% endif %} diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index 634a3b2965..8da1827934 100644 
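Review bot: The new `pod_pids_limit = lookup(each.value, "pod_pids_limit", null)` line carries no comment, and the README row is the only place that states the accepted range; since this is a per-pod process cap that contains PID exhaustion (fork-bomb style) on the node, a template comment such as `# pod_pids_limit caps PIDs per pod; GKE accepts 1024 <= n < 4194304 (enforced by the API, not here)` would propagate to every generated cluster.tf. The identical hunks in modules/beta-private-cluster-update-variant, modules/beta-private-cluster, modules/beta-public-cluster-update-variant and modules/beta-public-cluster share this point and should be regenerated from the template rather than edited by hand. The enclosing `google_container_node_pool` resource starts outside the hunk.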
--- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -79,6 +79,7 @@ module "gke" { cpu_manager_policy = "static" cpu_cfs_quota = true local_ssd_ephemeral_count = 2 + pod_pids_limit = 4096 }, { name = "pool-04" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index df021bbc49..813c0148a7 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -352,6 +352,7 @@ The node_pools variable takes the following parameters: | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional | | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional | | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional | +| pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index a5b96fd63c..cef54d371d 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -868,13 +868,14 @@ resource "google_container_node_pool" "pools" { dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"] + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] )) != 0 ? [1] : [] content { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1153,13 +1154,14 @@ resource "google_container_node_pool" "windows_pools" { dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"] + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] )) != 0 ? [1] : [] content { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 2fec641037..eb2c47b61e 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -330,6 +330,7 @@ The node_pools variable takes the following parameters: | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional | | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional | | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional | +| pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 4ec2614867..5fbe49a699 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -789,13 +789,14 @@ resource "google_container_node_pool" "pools" { dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"] + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] )) != 0 ? [1] : [] content { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } 
@@ -1073,13 +1074,14 @@ resource "google_container_node_pool" "windows_pools" { dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"] + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] )) != 0 ? [1] : [] content { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index eb71fa8cf5..3f43c0a471 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -339,6 +339,7 @@ The node_pools variable takes the following parameters: | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional | | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional | | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional | +| pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | 
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 8461ae63b7..9795922e4f 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -849,13 +849,14 @@ resource "google_container_node_pool" "pools" { dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"] + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] )) != 0 ? [1] : [] content { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } @@ -1134,13 +1135,14 @@ resource "google_container_node_pool" "windows_pools" { dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), - ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"] + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] )) != 0 ? [1] : [] content { cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 5f1d6445f9..1e8a3ef9fb 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -317,6 +317,7 @@ The node_pools variable takes the following parameters:
 | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional |
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
+| pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 0a92c4d317..73dad2ee55 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -770,13 +770,14 @@ resource "google_container_node_pool" "pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
@@ -1054,13 +1055,14 @@ resource "google_container_node_pool" "windows_pools" {
 dynamic "kubelet_config" {
 for_each = length(setintersection(
 keys(each.value),
- ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"]
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
 )) != 0 ? [1] : []
 content {
 cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
 cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
 cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
 }
 }
From 654868e292a68fbc0f5ef7dd4bf50336fa8efc48 Mon Sep 17 00:00:00 2001
From: CPL Markus <106060626+CPL-markus@users.noreply.github.com> Date: Fri, 14 Jun 2024 00:05:58 +0200 Subject: [PATCH 089/176] feat: Set boot_disk_kms_key cluster wide and for cluster_autoscaling (#1959) --- README.md | 1 + autogen/main/cluster.tf.tmpl | 4 +++- autogen/main/variables.tf.tmpl | 8 ++++++++ cluster.tf | 2 ++ modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 4 +++- modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 4 +++- modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 4 +++- modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 4 +++- modules/beta-public-cluster/variables.tf | 6 ++++++ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 2 ++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 2 ++ modules/private-cluster/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 23 files changed, 78 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index cd04741814..8927e84d4b 100644 --- a/README.md +++ b/README.md 
@@ -143,6 +143,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index ddeccb61ef..426ba4c301 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -139,6 +139,8 @@ resource "google_container_cluster" "primary" {
 service_account = local.service_account
 oauth_scopes = local.node_pools_oauth_scopes["all"]
+ boot_disk_kms_key = var.boot_disk_kms_key
+
 management {
 auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
 auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade",true)
@@ -524,7 +526,7 @@ resource "google_container_cluster" "primary" {
 }
 }
- boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)
 {% endif %}
 shielded_instance_config {
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 375df975b5..32b57a5c19 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
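Review bot: The cluster-wide key reaches only the `auto_provisioning_defaults` block in the first hunk and the default pool built from `node_pools[0]` in the second; the diffstat shows no change to the `google_container_node_pool` resources, so additional pools listed in `node_pools` that do not set their own `boot_disk_kms_key` presumably keep a platform-managed key, while the new variable's description promises the key for "each node in the node pool, if not overridden". If those resources carry a per-pool `boot_disk_kms_key` lookup, its default should fall back the same way, `boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", var.boot_disk_kms_key)`; otherwise the description should be narrowed so operators do not assume every node boot disk is CMEK-protected. The same applies to the cluster.tf hunks of the root module and of the beta-private-cluster-update-variant, beta-private-cluster, beta-public-cluster-update-variant, beta-public-cluster and private-cluster-update-variant modules, which are generated from this template. The lookup default also moves from `""` to `null` in the second hunk, which is probably a no-op for the provider but worth confirming with a plan against an existing cluster. The enclosing `google_container_cluster` resource starts and ends outside both hunks.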
@@ -413,6 +413,14 @@ variable "service_account_name" {
 default = ""
 }
+{% if autopilot_cluster != true %}
+variable "boot_disk_kms_key" {
+ type = string
+ description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
+ default = null
+}
+
+{% endif %}
 variable "issue_client_certificate" {
 type = bool
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
diff --git a/cluster.tf b/cluster.tf
index 7bb3a42d4e..969a0bf57a 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -112,6 +112,8 @@ resource "google_container_cluster" "primary" {
 service_account = local.service_account
 oauth_scopes = local.node_pools_oauth_scopes["all"]
+ boot_disk_kms_key = var.boot_disk_kms_key
+
 management {
 auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
 auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 813c0148a7..ba2948a962 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
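Review bot: The new `boot_disk_kms_key` variable accepts any string, so a typo or a bare key name is only rejected by the API at apply time, after the plan has been approved; because this is the encryption-at-rest control for node boot disks, a `validation` block enforcing the resource-name form the description already promises would surface the mistake at plan time. The generated variables.tf copies in the module directories of this patch pick the block up from this template. The `{% if autopilot_cluster != true %}` guard keeps the variable out of the autopilot modules, which matches the diffstat.
```terraform
variable "boot_disk_kms_key" {
  type        = string
  # … unchanged: description …
  default     = null

  # Fail at plan time rather than at apply time when the key is not a full
  # Cloud KMS key resource name; null keeps the platform-managed default.
  validation {
    condition     = var.boot_disk_kms_key == null || can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+", var.boot_disk_kms_key))
    error_message = "boot_disk_kms_key must be of the form projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>."
  }
}
```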
@@ -174,6 +174,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index cef54d371d..f3f6c1d216 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -118,6 +118,8 @@ resource "google_container_cluster" "primary" {
 service_account = local.service_account
 oauth_scopes = local.node_pools_oauth_scopes["all"]
+ boot_disk_kms_key = var.boot_disk_kms_key
+
 management {
 auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
 auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
@@ -450,7 +452,7 @@ resource "google_container_cluster" "primary" {
 }
 }
- boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)
 shielded_instance_config {
 enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index f5bae458a5..da51f48691 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -403,6 +403,12 @@ variable "service_account_name" {
 default = ""
 }
+variable "boot_disk_kms_key" {
+ type = string
+ description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
+ default = null
+}
+
 variable "issue_client_certificate" {
 type = bool
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index eb2c47b61e..863d39522f 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -152,6 +152,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 5fbe49a699..dfcd012def 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -118,6 +118,8 @@ resource "google_container_cluster" "primary" {
 service_account = local.service_account
 oauth_scopes = local.node_pools_oauth_scopes["all"]
+ boot_disk_kms_key = var.boot_disk_kms_key
+
 management {
 auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
 auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
@@ -450,7 +452,7 @@ resource "google_container_cluster" "primary" {
 }
 }
- boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)
 shielded_instance_config {
 enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index f5bae458a5..da51f48691 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -403,6 +403,12 @@ variable "service_account_name" {
 default = ""
 }
+variable "boot_disk_kms_key" {
+ type = string
+ description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
+ default = null
+}
+
 variable "issue_client_certificate" {
 type = bool
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 3f43c0a471..5976e0a7c8 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -168,6 +168,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 9795922e4f..60a9f80687 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -118,6 +118,8 @@ resource "google_container_cluster" "primary" {
 service_account = local.service_account
 oauth_scopes = local.node_pools_oauth_scopes["all"]
+ boot_disk_kms_key = var.boot_disk_kms_key
+
 management {
 auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
 auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
@@ -450,7 +452,7 @@ resource "google_container_cluster" "primary" {
 }
 }
- boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)
 shielded_instance_config {
 enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 0a3b46eefb..cc0ae40e23 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -403,6 +403,12 @@ variable "service_account_name" {
 default = ""
 }
+variable "boot_disk_kms_key" {
+ type = string
+ description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
+ default = null
+}
+
 variable "issue_client_certificate" {
 type = bool
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 1e8a3ef9fb..fb40bfb57d 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -146,6 +146,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no | | cloudrun\_load\_balancer\_type | (Beta) Configure the Cloud Run load balancer type. External by default. Set to `LOAD_BALANCER_TYPE_INTERNAL` to configure as an internal load balancer. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 73dad2ee55..6be429c0b6 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -118,6 +118,8 @@ resource "google_container_cluster" "primary" {
 service_account = local.service_account
 oauth_scopes = local.node_pools_oauth_scopes["all"]
+ boot_disk_kms_key = var.boot_disk_kms_key
+
 management {
 auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
 auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
@@ -450,7 +452,7 @@ resource "google_container_cluster" "primary" {
 }
 }
- boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+ boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)
 shielded_instance_config {
 enable_secure_boot = lookup(var.node_pools[0], "enable_secure_boot", false)
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 0a3b46eefb..cc0ae40e23 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -403,6 +403,12 @@ variable "service_account_name" {
 default = ""
 }
+variable "boot_disk_kms_key" {
+ type = string
+ description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
+ default = null
+}
+
 variable "issue_client_certificate" {
 type = bool
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index ad4e7d90cf..ffcab6b500 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -171,6 +171,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index a6bff1de29..03c3082bb4 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -112,6 +112,8 @@ resource "google_container_cluster" "primary" {
 service_account = local.service_account
 oauth_scopes = local.node_pools_oauth_scopes["all"]
+ boot_disk_kms_key = var.boot_disk_kms_key
+
 management {
 auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true)
 auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 9f3c9f0952..85b100dbb3 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -397,6 +397,12 @@ variable "service_account_name" { default = "" } +variable "boot_disk_kms_key" { + type = string + description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + default = null +} + variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 692d0a0e79..053b9feb87 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
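Review bot: The new `boot_disk_kms_key` variable documents a strict resource-name format but does not enforce it, so a mistyped key is only rejected at apply time after the cluster has started creating; a `validation` block with `condition = var.boot_disk_kms_key == null || can(regex("^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$", var.boot_disk_kms_key))` and an `error_message` restating the expected form would fail at plan instead. The same variable block is added to modules/private-cluster/variables.tf and the root variables.tf later in this patch.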
@@ -149,6 +149,7 @@ Then perform the following commands on the root folder: | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | +| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
autoscaling_profile = string
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
auto_repair = bool
auto_upgrade = bool
disk_size = optional(number)
disk_type = optional(string)
image_type = optional(string)
strategy = optional(string)
max_surge = optional(number)
max_unavailable = optional(number)
node_pool_soak_duration = optional(string)
batch_soak_duration = optional(string)
batch_percentage = optional(number)
batch_node_count = optional(number)
enable_secure_boot = optional(bool, false)
enable_integrity_monitoring = optional(bool, true)
})
|
{
"auto_repair": true,
"auto_upgrade": true,
"autoscaling_profile": "BALANCED",
"disk_size": 100,
"disk_type": "pd-standard",
"enable_integrity_monitoring": true,
"enable_secure_boot": false,
"enabled": false,
"gpu_resources": [],
"image_type": "COS_CONTAINERD",
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no | | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 7f3f78766b..21edac9a01 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -112,6 +112,8 @@ resource "google_container_cluster" "primary" { service_account = local.service_account oauth_scopes = local.node_pools_oauth_scopes["all"] + boot_disk_kms_key = var.boot_disk_kms_key + management { auto_repair = lookup(var.cluster_autoscaling, "auto_repair", true) auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true) diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 9f3c9f0952..85b100dbb3 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -397,6 +397,12 @@ variable "service_account_name" { default = "" } +variable "boot_disk_kms_key" { + type = string + description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + default = null +} + variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" 
diff --git a/variables.tf b/variables.tf index bf850ccc99..eef896bf04 100644 --- a/variables.tf +++ b/variables.tf @@ -397,6 +397,12 @@ variable "service_account_name" { default = "" } +variable "boot_disk_kms_key" { + type = string + description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption" + default = null +} + variable "issue_client_certificate" { type = bool description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!" From e7b20cd193188bdfebd8e2f6a4eb863b0f5af21c Mon Sep 17 00:00:00 2001 
From: Georgia Zoi Leng <58770450+GorginZ@users.noreply.github.com> Date: Fri, 21 Jun 2024 02:27:42 +1000 Subject: [PATCH 090/176] fix: firewall rules for autopilot clusters are ineffective. add cluster_network_tag to autopilot cluster network_tags if firewalls are toggled on (#1817) Co-authored-by: Andrew Peabody --- autogen/main/cluster.tf.tmpl | 4 +- build/int.cloudbuild.yaml | 21 + .../autopilot_private_firewalls/README.md | 42 ++ examples/autopilot_private_firewalls/main.tf | 63 ++ .../autopilot_private_firewalls/network.tf | 49 ++ .../autopilot_private_firewalls/outputs.tf | 71 ++ .../autopilot_private_firewalls/variables.tf | 24 + .../autopilot_private_firewalls/versions.tf | 27 + .../beta-autopilot-private-cluster/cluster.tf | 4 +- .../beta-autopilot-public-cluster/cluster.tf | 4 +- .../autopilot_private_firewalls/example.tf | 22 + .../autopilot_private_firewalls/outputs.tf | 52 ++ .../autopilot_private_firewalls/variables.tf | 25 + .../autopilot_private_firewalls_test.go | 72 ++ .../TestAutopilotPrivateFirewalls.json | 651 ++++++++++++++++++ 15 files changed, 1125 insertions(+), 6 deletions(-) create mode 100644 examples/autopilot_private_firewalls/README.md create mode 100644 examples/autopilot_private_firewalls/main.tf create mode 100644 examples/autopilot_private_firewalls/network.tf create mode 100644 examples/autopilot_private_firewalls/outputs.tf create mode 100644 examples/autopilot_private_firewalls/variables.tf create mode 100644 examples/autopilot_private_firewalls/versions.tf create mode 100644 test/fixtures/autopilot_private_firewalls/example.tf create mode 100644 test/fixtures/autopilot_private_firewalls/outputs.tf create mode 100644 test/fixtures/autopilot_private_firewalls/variables.tf create mode 100644 test/integration/autopilot_private_firewalls/autopilot_private_firewalls_test.go create mode 100644 test/integration/autopilot_private_firewalls/testdata/TestAutopilotPrivateFirewalls.json 
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 426ba4c301..663d9a8e9a 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -258,10 +258,10 @@ resource "google_container_cluster" "primary" {
 }
 {% if autopilot_cluster %}
 dynamic "node_pool_auto_config" {
- for_each = length(var.network_tags) > 0 ? [1] : []
+ for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
 content {
 network_tags {
- tags = var.network_tags
+ tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : var.network_tags
 }
 }
 }
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 8dc74732aa..13306c87b8 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
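Review bot: The disjunction `var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules` is written twice in this hunk, once in the `for_each` guard and once in the `tags` expression; hoisting it into a local such as `cluster_firewall_tag_required = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules` keeps the two conditions from drifting apart, and the same applies to the generated hunks in modules/beta-autopilot-private-cluster/cluster.tf and modules/beta-autopilot-public-cluster/cluster.tf below. Consider also `distinct(concat(var.network_tags, [local.cluster_network_tag]))` so a caller who already lists the cluster tag in `network_tags` does not submit it twice. The enclosing resource starts and ends outside the hunk.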
@@ -454,6 +454,27 @@ steps:
 - verify simple-autopilot-private-local
 name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
 args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPrivate --stage teardown --verbose']
+- id: init autopilot-private-firewalls
+ waitFor:
+ - create-all
+ - destroy simple-autopilot-private-local
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAutopilotPrivateFirewalls --stage init --verbose']
+- id: apply autopilot-private-firewalls
+ waitFor:
+ - init autopilot-private-firewalls
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAutopilotPrivateFirewalls --stage apply --verbose']
+- id: verify autopilot-private-firewalls
+ waitFor:
+ - apply autopilot-private-firewalls
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAutopilotPrivateFirewalls --stage verify --verbose']
+- id: destroy autopilot-private-firewalls
+ waitFor:
+ - verify autopilot-private-firewalls
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAutopilotPrivateFirewalls --stage destroy --verbose']
 - id: init simple-autopilot-public-local
 waitFor:
 - create-all
diff --git a/examples/autopilot_private_firewalls/README.md b/examples/autopilot_private_firewalls/README.md
new file mode 100644
index 0000000000..1ee0a0ba32
--- /dev/null
+++ b/examples/autopilot_private_firewalls/README.md
@@ -0,0 +1,42 @@
+# Private Regional Autopilot Cluster With Firewall Rules
+
+This example creates a regional autopilot cluster with beta features
+
+It will:
+- Create a private autopilot cluster
+- Variables ```add_cluster_firewall_rules```, ```add_master_webhook_firewall_rules``` and ```add_shadow_firewal_rules``` are toggled on. In a environment with stringent firewall rules, these cluster firewall rules may be required to allow intra cluster communication
+- Adds an example network tag. This example network tag aligns with a firewall rule target tag from the [terraform-example-foundation](https://github.com/terraform-google-modules/terraform-example-foundation) configuration to allow google api access
+
+>note: this example does **not** create a network with stringent firewall rules. This example shows what cluster configuration may be required for a networking configuration comparable to the [terraform-example-foundation](https://github.com/terraform-google-modules/terraform-example-foundation)'s base shared VPCs, or any VPC with firewall rules to deny 0.0.0.0/0 egress and an allow rule for private google api egress access which targets tags "allow-google-apis". By toggling on the firewall rules variables and adding network_tags to allow private google api access, a private cluster can come up healthy with no internet egress. This configuration shows how to ensure those firewalls that explicitly allow intra cluster ingress and egress are created and appropriate network tags are attached to the cluster.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The project ID to host the cluster in | `any` | n/a | yes |
+| region | The region the cluster in | `string` | `"us-central1"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate | The cluster ca certificate (base64 encoded) |
+| cluster\_name | Cluster name |
+| kubernetes\_endpoint | The cluster endpoint |
+| location | n/a |
+| master\_kubernetes\_version | Kubernetes version of the master |
+| network\_name | The name of the VPC being created |
+| project\_id | The project ID the cluster is in |
+| region | The region in which the cluster resides |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| subnet\_names | The names of the subnet being created |
+| zones | List of zones in which the cluster resides |
+
+
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/autopilot_private_firewalls/main.tf b/examples/autopilot_private_firewalls/main.tf
new file mode 100644
index 0000000000..979261c992
--- /dev/null
+++ b/examples/autopilot_private_firewalls/main.tf
@@ -0,0 +1,63 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ cluster_type = "autopilot-private-firewalls"
+ network_name = "${local.cluster_type}-network"
+ subnet_name = "${local.cluster_type}-subnet"
+ master_auth_subnetwork = "${local.cluster_type}-master-subnet"
+ pods_range_name = "ip-range-pods-${local.cluster_type}"
+ svc_range_name = "ip-range-svc-${local.cluster_type}"
+ subnet_names = [for subnet_self_link in module.gcp-network.subnets_self_links : split("/", subnet_self_link)[length(split("/", subnet_self_link)) - 1]]
+}
+
+data "google_client_config" "default" {}
+
+provider "kubernetes" {
+ host = "https://${module.gke.endpoint}"
+ token = data.google_client_config.default.access_token
+ cluster_ca_certificate = base64decode(module.gke.ca_certificate)
+}
+
+module "gke" {
+ source = "../../modules/beta-autopilot-private-cluster/"
+ project_id = var.project_id
+ name = "${local.cluster_type}-cluster"
+ regional = true
+ region = var.region
+ network = module.gcp-network.network_name
+ subnetwork = local.subnet_names[index(module.gcp-network.subnets_names, local.subnet_name)]
+ ip_range_pods = local.pods_range_name
+ ip_range_services = local.svc_range_name
+ release_channel = "REGULAR"
+ enable_vertical_pod_autoscaling = true
+ enable_private_endpoint = true
+ enable_private_nodes = true
+ master_ipv4_cidr_block = "172.16.0.0/28"
+ add_cluster_firewall_rules = true
+ add_master_webhook_firewall_rules = true
+ add_shadow_firewall_rules = true
+ network_tags = ["allow-google-apis"]
+ deletion_protection = false
+
+ master_authorized_networks = [
+ {
+ cidr_block = "10.60.0.0/17"
+ display_name = "VPC"
+ },
+ ]
+}
+
diff --git a/examples/autopilot_private_firewalls/network.tf b/examples/autopilot_private_firewalls/network.tf
new file mode 100644
index 0000000000..acb96e0289
--- /dev/null
+++ b/examples/autopilot_private_firewalls/network.tf
@@ -0,0 +1,49 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "gcp-network" {
+ source = "terraform-google-modules/network/google"
+ version = ">= 9.0.0"
+
+ project_id = var.project_id
+ network_name = local.network_name
+
+ subnets = [
+ {
+ subnet_name = local.subnet_name
+ subnet_ip = "10.0.0.0/17"
+ subnet_region = var.region
+ },
+ {
+ subnet_name = local.master_auth_subnetwork
+ subnet_ip = "10.60.0.0/17"
+ subnet_region = var.region
+ },
+ ]
+
+ secondary_ranges = {
+ (local.subnet_name) = [
+ {
+ range_name = local.pods_range_name
+ ip_cidr_range = "192.168.0.0/18"
+ },
+ {
+ range_name = local.svc_range_name
+ ip_cidr_range = "192.168.64.0/18"
+ },
+ ]
+ }
+}
diff --git a/examples/autopilot_private_firewalls/outputs.tf b/examples/autopilot_private_firewalls/outputs.tf
new file mode 100644
index 0000000000..9691215da6
--- /dev/null
+++ b/examples/autopilot_private_firewalls/outputs.tf
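Review bot: `network_tags = ["allow-google-apis"]` hard-codes a tag that only matches the terraform-example-foundation firewall rules named in the README; exposing it as a `list(string)` variable with that value as default would let the example be pointed at other VPCs without editing main.tf. The three `add_*_firewall_rules = true` lines are the point of this fix and deserve a why-comment, e.g. `# any of these also attaches gke-<cluster name> to the Autopilot cluster so the generated rules target its nodes`, since nothing in the example explains why Autopilot needs them. The `module "gke"` block ends inside the hunk.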
@@ -0,0 +1,71 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+ description = "The cluster endpoint"
+ sensitive = true
+ value = module.gke.endpoint
+}
+
+output "cluster_name" {
+ description = "Cluster name"
+ value = module.gke.name
+}
+
+output "location" {
+ value = module.gke.location
+}
+
+output "master_kubernetes_version" {
+ description = "Kubernetes version of the master"
+ value = module.gke.master_version
+}
+
+output "ca_certificate" {
+ sensitive = true
+ description = "The cluster ca certificate (base64 encoded)"
+ value = module.gke.ca_certificate
+}
+
+output "service_account" {
+ description = "The service account to default running nodes as if not overridden in `node_pools`."
+ value = module.gke.service_account
+}
+
+output "network_name" {
+ description = "The name of the VPC being created"
+ value = module.gcp-network.network_name
+}
+
+output "subnet_names" {
+ description = "The names of the subnet being created"
+ value = module.gcp-network.subnets_names
+}
+
+output "region" {
+ description = "The region in which the cluster resides"
+ value = module.gke.region
+}
+
+output "zones" {
+ description = "List of zones in which the cluster resides"
+ value = module.gke.zones
+}
+
+output "project_id" {
+ description = "The project ID the cluster is in"
+ value = var.project_id
+}
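Review bot: `output "location"` is the only output in this file without a `description`, which is why the generated README table above renders it as `n/a`; add `description = "The location (region) in which the cluster resides"` so the docs tooling has something to print.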
diff --git a/examples/autopilot_private_firewalls/variables.tf b/examples/autopilot_private_firewalls/variables.tf
new file mode 100644
index 0000000000..25d63aeb49
--- /dev/null
+++ b/examples/autopilot_private_firewalls/variables.tf
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ description = "The project ID to host the cluster in"
+}
+
+variable "region" {
+ description = "The region the cluster in"
+ default = "us-central1"
+}
diff --git a/examples/autopilot_private_firewalls/versions.tf b/examples/autopilot_private_firewalls/versions.tf
new file mode 100644
index 0000000000..7e6d0ea44b
--- /dev/null
+++ b/examples/autopilot_private_firewalls/versions.tf
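Review bot: Neither `project_id` nor `region` declares a `type`, which is why the README above documents `project_id` as `any`; adding `type = string` to both variables makes a non-string value fail at plan time and gives the docs the right type. The `region` description, "The region the cluster in", is also missing a word and could read `description = "The region to host the cluster in"`.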
@@ -0,0 +1,27 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ }
+ }
+ required_version = ">= 0.13"
+}
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 397c7755b9..4a08c7e256 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -99,10 +99,10 @@ resource "google_container_cluster" "primary" {
 }
 }
 dynamic "node_pool_auto_config" {
- for_each = length(var.network_tags) > 0 ? [1] : []
+ for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
 content {
 network_tags {
- tags = var.network_tags
+ tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : var.network_tags
 }
 }
 }
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 01ea54baf4..9d9573fd3d 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -99,10 +99,10 @@ resource "google_container_cluster" "primary" {
 }
 }
 dynamic "node_pool_auto_config" {
- for_each = length(var.network_tags) > 0 ? [1] : []
+ for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? [1] : []
 content {
 network_tags {
- tags = var.network_tags
+ tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : var.network_tags
 }
 }
 }
diff --git a/test/fixtures/autopilot_private_firewalls/example.tf b/test/fixtures/autopilot_private_firewalls/example.tf
new file mode 100644
index 0000000000..7c7a7bbe06
--- /dev/null
+++ b/test/fixtures/autopilot_private_firewalls/example.tf
@@ -0,0 +1,22 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "example" {
+ source = "../../../examples/autopilot_private_firewalls"
+
+ project_id = var.project_ids[0]
+ region = var.region
+}
diff --git a/test/fixtures/autopilot_private_firewalls/outputs.tf b/test/fixtures/autopilot_private_firewalls/outputs.tf
new file mode 100644
index 0000000000..f453fce016
--- /dev/null
+++ b/test/fixtures/autopilot_private_firewalls/outputs.tf
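Review bot: The new fixture test/fixtures/autopilot_private_firewalls/example.tf carries a `Copyright 2018 Google LLC` header while every other file this commit adds says 2024, which suggests it was copied from an older fixture; `* Copyright 2024 Google LLC` keeps the new files consistent.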
@@ -0,0 +1,52 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "project_id" {
+ value = module.example.project_id
+}
+
+output "region" {
+ value = module.example.region
+}
+
+output "cluster_name" {
+ description = "Cluster name"
+ value = module.example.cluster_name
+}
+output "location" {
+ value = module.example.location
+}
+
+output "master_kubernetes_version" {
+ description = "The master Kubernetes version"
+ value = module.example.master_kubernetes_version
+}
+
+output "kubernetes_endpoint" {
+ sensitive = true
+ value = module.example.kubernetes_endpoint
+}
+
+output "ca_certificate" {
+ description = "The cluster CA certificate"
+ value = module.example.ca_certificate
+ sensitive = true
+}
+
+output "service_account" {
+ description = "The service account to default running nodes as if not overridden in `node_pools`."
+ value = module.example.service_account
+}
diff --git a/test/fixtures/autopilot_private_firewalls/variables.tf b/test/fixtures/autopilot_private_firewalls/variables.tf
new file mode 100644
index 0000000000..b451d85cc0
--- /dev/null
+++ b/test/fixtures/autopilot_private_firewalls/variables.tf
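Review bot: `output "location"` follows the closing brace of `cluster_name` with no blank line, unlike every other output block in this file, and `project_id`, `region`, `location` and `kubernetes_endpoint` are the only outputs without a `description`; a blank line before `output "location" {` and one-line descriptions such as `description = "The location (region) of the cluster"` bring the fixture in line with the example's outputs.tf it mirrors.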
@@ -0,0 +1,25 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_ids" {
+ type = list(string)
+ description = "The GCP projects to use for integration tests"
+}
+
+variable "region" {
+ description = "The GCP region to create and test resources in"
+ default = "us-central1"
+}
diff --git a/test/integration/autopilot_private_firewalls/autopilot_private_firewalls_test.go b/test/integration/autopilot_private_firewalls/autopilot_private_firewalls_test.go
new file mode 100644
index 0000000000..8ba773fbc1
--- /dev/null
+++ b/test/integration/autopilot_private_firewalls/autopilot_private_firewalls_test.go
@@ -0,0 +1,72 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package autopilot_private_firewalls
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/golden"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestAutopilotPrivateFirewalls(t *testing.T) {
+ bpt := tft.NewTFBlueprintTest(t)
+ bpt.DefineVerify(func(assert *assert.Assertions) {
+ //Skipping Default Verify as the Verify Stage fails due to change in Client Cert Token
+ // bpt.DefaultVerify(assert)
+ projectId := bpt.GetStringOutput("project_id")
+ location := bpt.GetStringOutput("location")
+ clusterName := bpt.GetStringOutput("cluster_name")
+ serviceAccount := bpt.GetStringOutput("service_account")
+ clusterNetworkTag := "gke-" + clusterName
+ firewallRules := []string{"gke-%s-intra-cluster-egress", "gke-%s-webhooks", "gke-shadow-%s-all", "gke-shadow-%s-master", "gke-shadow-%s-vms", "gke-shadow-%s-inkubelet", "gke-shadow-%s-exkubelet"}
+ var fws []string
+ for _, fw := range firewallRules {
+ n := fmt.Sprintf(fw, clusterName)
+ fws = append(fws, n)
+ }
+ op := gcloud.Runf(t, "container clusters describe %s --zone %s --project %s", clusterName, location, projectId)
+ g := golden.NewOrUpdate(t, op.String(),
+ golden.WithSanitizer(golden.StringSanitizer(serviceAccount, "SERVICE_ACCOUNT")),
+ golden.WithSanitizer(golden.StringSanitizer(projectId, "PROJECT_ID")),
+ golden.WithSanitizer(golden.StringSanitizer(clusterName, "CLUSTER_NAME")),
+ )
+ validateJSONPaths := []string{
+ "autopilot.enabled",
+ "location",
+ "privateClusterConfig.enablePrivateEndpoint",
+ "privateClusterConfig.enablePrivateNodes",
+ "privateClusterConfig.addClusterFirewallRules",
+ "privateClusterConfig.addMasterWebhookFirewallRules",
+ "privateClusterConfig.addShadowFirewallRules",
+ }
+
+ for _, pth := range validateJSONPaths {
+ g.JSONEq(assert, op, pth)
+ }
+
+ assert.Contains([]string{"RUNNING", "RECONCILING"}, op.Get("status").String()) // comes up healthy
+ assert.Contains(op.Get("nodePoolAutoConfig.networkTags.tags").String(), "allow-google-apis") // example network_tag attached
+ assert.Contains(op.Get("nodePoolAutoConfig.networkTags.tags").String(), clusterNetworkTag) // the cluster_network_tag attached
+
+ for _, n := range fws {
+ fw := gcloud.Runf(t, "compute firewall-rules --project %s describe %s", projectId, n)
+ assert.Contains(fw.Get("targetTags").String(), clusterNetworkTag) // firewall target tag is the cluster_network_tag
+ }
+ })
+ bpt.Test()
+}
diff --git a/test/integration/autopilot_private_firewalls/testdata/TestAutopilotPrivateFirewalls.json b/test/integration/autopilot_private_firewalls/testdata/TestAutopilotPrivateFirewalls.json
new file mode 100644
index 0000000000..f0ebc6d6b2
--- /dev/null
+++ b/test/integration/autopilot_private_firewalls/testdata/TestAutopilotPrivateFirewalls.json
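Review bot: The `validateJSONPaths` entries `privateClusterConfig.addClusterFirewallRules`, `privateClusterConfig.addMasterWebhookFirewallRules` and `privateClusterConfig.addShadowFirewallRules` read like this module's Terraform variable names rather than fields of the cluster object returned by `gcloud container clusters describe`; if they are absent from both the live output and the golden file, `g.JSONEq` compares two empty values and passes without checking anything, so it is worth confirming they appear in the golden JSON added below and dropping them if not. The tag checks at the end are substring matches on the serialised array from `.String()`, so a tag such as `gke-<cluster name>-foo` would also satisfy `assert.Contains(..., clusterNetworkTag)`; comparing the elements of `Array()` for equality makes the firewall target-tag check exact, and the same treatment fits the two `nodePoolAutoConfig.networkTags.tags` assertions.
```go
// … unchanged: cluster describe, golden comparison, status and network-tag checks …
for _, n := range fws {
	fw := gcloud.Runf(t, "compute firewall-rules --project %s describe %s", projectId, n)
	var targetTags []string
	for _, tag := range fw.Get("targetTags").Array() {
		targetTags = append(targetTags, tag.String())
	}
	assert.Contains(targetTags, clusterNetworkTag) // firewall target tag is exactly the cluster_network_tag
}
```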
@@ -0,0 +1,651 @@ +{ + "addonsConfig": { + "dnsCacheConfig": { + "enabled": true + }, + "gcePersistentDiskCsiDriverConfig": { + "enabled": true + }, + "gcpFilestoreCsiDriverConfig": { + "enabled": true + }, + "horizontalPodAutoscaling": {}, + "httpLoadBalancing": {}, + "kubernetesDashboard": { + "disabled": true + }, + "networkPolicyConfig": { + "disabled": true + } + }, + "autopilot": { + "enabled": true + }, + "autoscaling": { + "autoprovisioningNodePoolDefaults": { + "imageType": "COS_CONTAINERD", + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "serviceAccount": "SERVICE_ACCOUNT", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + } + }, + "autoscalingProfile": "OPTIMIZE_UTILIZATION", + "enableNodeAutoprovisioning": true, + "resourceLimits": [ + { + "maximum": "1000000000", + "resourceType": "cpu" + }, + { + "maximum": "1000000000", + "resourceType": "memory" + }, + { + "maximum": "1000000000", + "resourceType": "nvidia-tesla-t4" + }, + { + "maximum": "1000000000", + "resourceType": "nvidia-tesla-a100" + } + ] + }, + "binaryAuthorization": {}, + "clusterIpv4Cidr": "192.168.0.0/18", + "createTime": "2023-05-31T03:55:39+00:00", + "currentMasterVersion": "1.25.8-gke.500", + "currentNodeCount": 2, + "currentNodeVersion": "1.25.8-gke.500", + "databaseEncryption": { + "state": "DECRYPTED" + }, + "defaultMaxPodsConstraint": { + "maxPodsPerNode": "110" + }, + "endpoint": "172.16.0.2", + "etag": "0a9c3c48-c0b7-4d97-adc4-32c2d5932e77", + "id": "7fef9574a79a47b58296ba7cbd693fbe1def4ffc85ce44cfa460136ebaba8662", + "initialClusterVersion": "1.25.8-gke.500", + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-fi-default-pool-7732941f-grp", + 
"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-fi-default-pool-c1061d21-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-1-4cfe33eb-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-1-9fe99a0d-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-1-05734eb6-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-2-cf415b1a-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-2-56509f37-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-2-8f59aa08-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-3-779199f3-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-3-b6b392e2-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-3-d24d5320-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-4-198236ad-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-4-7aa8bf57-grp", + 
"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-4-0c0020e0-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-5-2d5a875e-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-5-f44f3ecf-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-5-042d3615-grp" + ], + "ipAllocationPolicy": { + "additionalPodRangesConfig": {}, + "clusterIpv4Cidr": "192.168.0.0/18", + "clusterIpv4CidrBlock": "192.168.0.0/18", + "clusterSecondaryRangeName": "ip-range-pods-autopilot-private-firewalls", + "podCidrOverprovisionConfig": {}, + "servicesIpv4Cidr": "192.168.64.0/18", + "servicesIpv4CidrBlock": "192.168.64.0/18", + "servicesSecondaryRangeName": "ip-range-svc-autopilot-private-firewalls", + "stackType": "IPV4", + "useIpAliases": true + }, + "labelFingerprint": "a9dc16a7", + "legacyAbac": {}, + "location": "us-central1", + "locations": [ + "us-central1-a", + "us-central1-c", + "us-central1-f" + ], + "loggingConfig": { + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS", + "WORKLOADS" + ] + } + }, + "loggingService": "logging.googleapis.com/kubernetes", + "maintenancePolicy": { + "resourceVersion": "ce912209", + "window": { + "dailyMaintenanceWindow": { + "duration": "PT4H0M0S", + "startTime": "05:00" + } + } + }, + "masterAuth": { + "clusterCaCertificate": "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" + }, + "masterAuthorizedNetworksConfig": { + "cidrBlocks": [ + { + "cidrBlock": "10.60.0.0/17", + "displayName": "VPC" + } + ], + "enabled": true + }, + "monitoringConfig": { + "componentConfig": { + "enableComponents": [ + "SYSTEM_COMPONENTS" + ] + }, + "managedPrometheusConfig": { + "enabled": true + 
} + }, + "monitoringService": "monitoring.googleapis.com/kubernetes", + "name": "CLUSTER_NAME", + "network": "autopilot-private-firewalls-network", + "networkConfig": { + "datapathProvider": "ADVANCED_DATAPATH", + "defaultSnatStatus": {}, + "enableIntraNodeVisibility": true, + "network": "projects/PROJECT_ID/global/networks/autopilot-private-firewalls-network", + "serviceExternalIpsConfig": {}, + "subnetwork": "projects/PROJECT_ID/regions/us-central1/subnetworks/autopilot-private-firewalls-subnet" + }, + "nodeConfig": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS_CONTAINERD", + "machineType": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "reservationAffinity": { + "consumeReservationType": "NO_RESERVATION" + }, + "serviceAccount": "SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true, + "enableSecureBoot": true + }, + "tags": [ + "allow-google-apis", + "gke-CLUSTER_NAME" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "nodePoolAutoConfig": { + "networkTags": { + "tags": [ + "allow-google-apis", + "gke-CLUSTER_NAME" + ] + } + }, + "nodePoolDefaults": { + "nodeConfigDefaults": { + "gcfsConfig": { + "enabled": true + }, + "loggingConfig": { + "variantConfig": { + "variant": "DEFAULT" + } + } + } + }, + "nodePools": [ + { + "autoscaling": { + "enabled": true, + "locationPolicy": "BALANCED", + "maxNodeCount": 1000 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS_CONTAINERD", + "machineType": "e2-medium", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "reservationAffinity": { + "consumeReservationType": "NO_RESERVATION" + }, + 
"serviceAccount": "SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true, + "enableSecureBoot": true + }, + "tags": [ + "allow-google-apis", + "gke-CLUSTER_NAME" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "etag": "45c7e170-8f72-410c-81cb-d78a369e4866", + "initialNodeCount": 1, + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-fi-default-pool-7732941f-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-fi-default-pool-c1061d21-grp" + ], + "locations": [ + "us-central1-f", + "us-central1-c" + ], + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "maxPodsConstraint": { + "maxPodsPerNode": "32" + }, + "name": "default-pool", + "networkConfig": { + "podIpv4CidrBlock": "192.168.0.0/18", + "podRange": "ip-range-pods-autopilot-private-firewalls" + }, + "podIpv4CidrSize": 26, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/CLUSTER_NAME/nodePools/default-pool", + "status": "RUNNING", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + }, + "version": "1.25.8-gke.500" + }, + { + "autoscaling": { + "enabled": true, + "locationPolicy": "BALANCED", + "maxNodeCount": 1000 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS_CONTAINERD", + "machineType": "e2-standard-2", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "reservationAffinity": { + "consumeReservationType": "NO_RESERVATION" + }, + "serviceAccount": "SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true, + "enableSecureBoot": true + }, + "tags": [ + "allow-google-apis", + 
"gke-CLUSTER_NAME" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "etag": "6d016d3f-178f-4f4d-9b59-ced698a74fc4", + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-1-4cfe33eb-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-1-9fe99a0d-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-1-05734eb6-grp" + ], + "locations": [ + "us-central1-a", + "us-central1-c", + "us-central1-f" + ], + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "maxPodsConstraint": { + "maxPodsPerNode": "32" + }, + "name": "pool-1", + "networkConfig": { + "podIpv4CidrBlock": "192.168.0.0/18", + "podRange": "ip-range-pods-autopilot-private-firewalls" + }, + "podIpv4CidrSize": 26, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/CLUSTER_NAME/nodePools/pool-1", + "status": "RUNNING", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + }, + "version": "1.25.8-gke.500" + }, + { + "autoscaling": { + "enabled": true, + "locationPolicy": "BALANCED", + "maxNodeCount": 1000 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS_CONTAINERD", + "machineType": "e2-standard-4", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "reservationAffinity": { + "consumeReservationType": "NO_RESERVATION" + }, + "serviceAccount": "SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true, + "enableSecureBoot": true + }, + "tags": [ + "allow-google-apis", + "gke-CLUSTER_NAME" + ], + 
"windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "etag": "95e67a5b-95b5-419b-9d9b-0dac3bd9602a", + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-2-cf415b1a-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-2-56509f37-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-2-8f59aa08-grp" + ], + "locations": [ + "us-central1-a", + "us-central1-c", + "us-central1-f" + ], + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "maxPodsConstraint": { + "maxPodsPerNode": "32" + }, + "name": "pool-2", + "networkConfig": { + "podIpv4CidrBlock": "192.168.0.0/18", + "podRange": "ip-range-pods-autopilot-private-firewalls" + }, + "podIpv4CidrSize": 26, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/CLUSTER_NAME/nodePools/pool-2", + "status": "RUNNING", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + }, + "version": "1.25.8-gke.500" + }, + { + "autoscaling": { + "enabled": true, + "locationPolicy": "BALANCED", + "maxNodeCount": 1000 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS_CONTAINERD", + "machineType": "e2-standard-8", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "reservationAffinity": { + "consumeReservationType": "NO_RESERVATION" + }, + "serviceAccount": "SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true, + "enableSecureBoot": true + }, + "tags": [ + "allow-google-apis", + "gke-CLUSTER_NAME" + ], + "windowsNodeConfig": {}, + 
"workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "etag": "f4814faf-6986-48d4-b913-3f85af33dfae", + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-3-779199f3-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-3-b6b392e2-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-3-d24d5320-grp" + ], + "locations": [ + "us-central1-a", + "us-central1-c", + "us-central1-f" + ], + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "maxPodsConstraint": { + "maxPodsPerNode": "32" + }, + "name": "pool-3", + "networkConfig": { + "podIpv4CidrBlock": "192.168.0.0/18", + "podRange": "ip-range-pods-autopilot-private-firewalls" + }, + "podIpv4CidrSize": 26, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/CLUSTER_NAME/nodePools/pool-3", + "status": "RUNNING", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + }, + "version": "1.25.8-gke.500" + }, + { + "autoscaling": { + "enabled": true, + "locationPolicy": "BALANCED", + "maxNodeCount": 1000 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS_CONTAINERD", + "machineType": "e2-standard-16", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "reservationAffinity": { + "consumeReservationType": "NO_RESERVATION" + }, + "serviceAccount": "SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true, + "enableSecureBoot": true + }, + "tags": [ + "allow-google-apis", + "gke-CLUSTER_NAME" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": 
"GKE_METADATA" + } + }, + "etag": "0921ac09-d6fe-47a1-9897-6d3c3fe113a1", + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-4-198236ad-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-4-7aa8bf57-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-4-0c0020e0-grp" + ], + "locations": [ + "us-central1-a", + "us-central1-c", + "us-central1-f" + ], + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "maxPodsConstraint": { + "maxPodsPerNode": "32" + }, + "name": "pool-4", + "networkConfig": { + "podIpv4CidrBlock": "192.168.0.0/18", + "podRange": "ip-range-pods-autopilot-private-firewalls" + }, + "podIpv4CidrSize": 26, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/CLUSTER_NAME/nodePools/pool-4", + "status": "RUNNING", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + }, + "version": "1.25.8-gke.500" + }, + { + "autoscaling": { + "enabled": true, + "locationPolicy": "BALANCED", + "maxNodeCount": 1000 + }, + "config": { + "diskSizeGb": 100, + "diskType": "pd-standard", + "imageType": "COS_CONTAINERD", + "machineType": "e2-standard-32", + "metadata": { + "disable-legacy-endpoints": "true" + }, + "oauthScopes": [ + "https://www.googleapis.com/auth/userinfo.email", + "https://www.googleapis.com/auth/cloud-platform" + ], + "reservationAffinity": { + "consumeReservationType": "NO_RESERVATION" + }, + "serviceAccount": "SERVICE_ACCOUNT", + "shieldedInstanceConfig": { + "enableIntegrityMonitoring": true, + "enableSecureBoot": true + }, + "tags": [ + "allow-google-apis", + "gke-CLUSTER_NAME" + ], + "windowsNodeConfig": {}, + "workloadMetadataConfig": { + "mode": "GKE_METADATA" + } + }, + "etag": 
"1d141704-04fc-4f24-9da1-b6105f7309c5", + "instanceGroupUrls": [ + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-a/instanceGroupManagers/gk3-autopilot-private-firewall-pool-5-2d5a875e-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-c/instanceGroupManagers/gk3-autopilot-private-firewall-pool-5-f44f3ecf-grp", + "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/us-central1-f/instanceGroupManagers/gk3-autopilot-private-firewall-pool-5-042d3615-grp" + ], + "locations": [ + "us-central1-a", + "us-central1-c", + "us-central1-f" + ], + "management": { + "autoRepair": true, + "autoUpgrade": true + }, + "maxPodsConstraint": { + "maxPodsPerNode": "32" + }, + "name": "pool-5", + "networkConfig": { + "podIpv4CidrBlock": "192.168.0.0/18", + "podRange": "ip-range-pods-autopilot-private-firewalls" + }, + "podIpv4CidrSize": 26, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/CLUSTER_NAME/nodePools/pool-5", + "status": "RUNNING", + "upgradeSettings": { + "maxSurge": 1, + "strategy": "SURGE" + }, + "version": "1.25.8-gke.500" + } + ], + "notificationConfig": { + "pubsub": {} + }, + "privateClusterConfig": { + "enablePrivateEndpoint": true, + "enablePrivateNodes": true, + "masterGlobalAccessConfig": { + "enabled": true + }, + "masterIpv4CidrBlock": "172.16.0.0/28", + "peeringName": "gke-n425cd81899d813812bb-278b-fee3-peer", + "privateEndpoint": "172.16.0.2", + "publicEndpoint": "35.192.78.37" + }, + "releaseChannel": { + "channel": "REGULAR" + }, + "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/locations/us-central1/clusters/CLUSTER_NAME", + "servicesIpv4Cidr": "192.168.64.0/18", + "shieldedNodes": { + "enabled": true + }, + "status": "RUNNING", + "subnetwork": "autopilot-private-firewalls-subnet", + "verticalPodAutoscaling": { + "enabled": true + }, + "workloadIdentityConfig": { + "workloadPool": "PROJECT_ID.svc.id.goog" + }, + 
"zone": "us-central1" +} From c48dc6eb00f475ab4f213549a503da5434a7e926 Mon Sep 17 00:00:00 2001 From: kliu47 <88392374+kliu47@users.noreply.github.com> Date: Thu, 20 Jun 2024 13:59:29 -0500 Subject: [PATCH 091/176] feat: Add enable_l4_ilb_subsetting for autopilot clusters (#1969) Co-authored-by: Andrew Peabody --- autogen/main/cluster.tf.tmpl | 2 +- autogen/main/variables.tf.tmpl | 2 +- examples/simple_autopilot_public/main.tf | 1 + modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 2 ++ modules/beta-autopilot-private-cluster/variables.tf | 5 +++++ modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 2 ++ modules/beta-autopilot-public-cluster/variables.tf | 5 +++++ 9 files changed, 19 insertions(+), 2 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 663d9a8e9a..d197879e47 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -235,9 +235,9 @@ resource "google_container_cluster" "primary" { } } {% endif %} + {% endif %} enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting - {% endif %} {% if beta_cluster %} enable_fqdn_network_policy = var.enable_fqdn_network_policy {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 32b57a5c19..d420ed96ce 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -810,12 +810,12 @@ variable "config_connector" { default = false } +{% endif %} variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" default = false } -{% endif %} {% if beta_cluster %} {% if autopilot_cluster != true %} diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index 451ef70317..dfad96d0dc 100644 --- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf 
@@ -48,4 +48,5 @@ module "gke" { enable_vertical_pod_autoscaling = true network_tags = [local.cluster_type] deletion_protection = false + enable_l4_ilb_subsetting = true } diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 5628cde23f..dd10eb2185 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -91,6 +91,7 @@ Then perform the following commands on the root folder: | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | +| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 4a08c7e256..c51ef9c661 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf 
@@ -84,6 +84,8 @@ resource "google_container_cluster" "primary" { vertical_pod_autoscaling { enabled = var.enable_vertical_pod_autoscaling } + + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 9e5c223a81..8efc4a1388 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -456,6 +456,11 @@ variable "timeouts" { } } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." type = bool diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 0e3c169dff..bb063d68c7 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
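Review bot: The new `enable_l4_ilb_subsetting` variable's description, `Enable L4 ILB Subsetting on the cluster`, says nothing about the operational consequence of flipping it, and GKE documents subsetting as something that cannot be turned off once enabled — if that still holds, setting it on an existing cluster is a one-way change and the variable should say so. Suggested wording: `description = "Enable L4 ILB Subsetting on the cluster. GKE does not allow subsetting to be disabled once enabled, so treat this as a one-way change."`. These module files appear to be generated from `autogen/main/variables.tf.tmpl` (the parallel template hunk in this commit), so the wording belongs in the template and should be regenerated into both autopilot modules and their READMEs. The `resource "google_container_cluster" "primary"` block the cluster.tf hunk touches begins and ends outside the hunk.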
@@ -84,6 +84,7 @@ Then perform the following commands on the root folder: | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | +| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 9d9573fd3d..c56f3a954f 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -84,6 +84,8 @@ resource "google_container_cluster" "primary" { vertical_pod_autoscaling { enabled = var.enable_vertical_pod_autoscaling } + + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { 
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 0ecca7a1a3..5a2d71d26c 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -426,6 +426,11 @@ variable "timeouts" { } } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." type = bool From a6210fc3d607772c2ef83ece2725fc58981ea7fe Mon Sep 17 00:00:00 2001 From: Mikhail Zholobov Date: Sat, 22 Jun 2024 02:58:47 +0200 Subject: [PATCH 092/176] fix: Fix the value of output "identity_service_enabled" in beta modules (#1982) --- autogen/main/main.tf.tmpl | 2 ++ autogen/main/outputs.tf.tmpl | 2 +- modules/beta-autopilot-private-cluster/main.tf | 2 ++ modules/beta-autopilot-private-cluster/outputs.tf | 2 +- modules/beta-autopilot-public-cluster/main.tf | 2 ++ modules/beta-autopilot-public-cluster/outputs.tf | 2 +- modules/beta-private-cluster-update-variant/main.tf | 2 ++ modules/beta-private-cluster-update-variant/outputs.tf | 2 +- modules/beta-private-cluster/main.tf | 2 ++ modules/beta-private-cluster/outputs.tf | 2 +- modules/beta-public-cluster-update-variant/main.tf | 2 ++ modules/beta-public-cluster-update-variant/outputs.tf | 2 +- modules/beta-public-cluster/main.tf | 2 ++ modules/beta-public-cluster/outputs.tf | 2 +- 14 files changed, 21 insertions(+), 7 deletions(-) diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index d13c8cd614..38aa098b0b 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
@@ -168,6 +168,7 @@ locals { cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # /BETA features {% endif %} @@ -237,6 +238,7 @@ locals { {% endif %} cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled # /BETA features {% endif %} diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 3d5be22ea9..1dda329642 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -231,7 +231,7 @@ output "intranode_visibility_enabled" { output "identity_service_enabled" { description = "Whether Identity Service is enabled" - value = local.cluster_pod_security_policy_enabled + value = local.cluster_identity_service_enabled } {% endif %} diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 3354fc71a1..f879c2d6eb 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
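Review bot: The removed line shows `identity_service_enabled` had been reporting the pod-security-policy local, and nothing in this fix adds a check that would have caught that or would catch a regression; an output that, going by its name, tells callers whether GKE Identity Service is on for cluster authentication deserves one. In the beta integration tests that already `describe` the cluster, compare the output against the API view, e.g. `assert.Equal(op.Get("identityServiceConfig.enabled").String(), bpt.GetStringOutput("identity_service_enabled"))` (exact accessor per the tft helpers). The new local mirrors its siblings' `!= null && length(...) == 1` guard, which keeps the block consistent. The `locals` block both main.tf.tmpl hunks edit begins and ends outside the hunks.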
@@ -92,6 +92,7 @@ locals {
 cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
 cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
+ cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 # /BETA features
@@ -129,6 +130,7 @@ locals {
 cluster_istio_enabled = !local.cluster_output_istio_disabled
 cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
+ cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
 # /BETA features
diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf
index beb7a8c030..9e73ca043c 100644
--- a/modules/beta-autopilot-private-cluster/outputs.tf
+++ b/modules/beta-autopilot-private-cluster/outputs.tf
@@ -186,7 +186,7 @@ output "intranode_visibility_enabled" {
 output "identity_service_enabled" {
 description = "Whether Identity Service is enabled"
- value = local.cluster_pod_security_policy_enabled
+ value = local.cluster_identity_service_enabled
 }
 output "fleet_membership" {
diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf
index 9df7f76c14..b00176d69b 100644
--- a/modules/beta-autopilot-public-cluster/main.tf
+++ b/modules/beta-autopilot-public-cluster/main.tf
@@ -91,6 +91,7 @@ locals {
 cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
 cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
+ cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 # /BETA features
@@ -128,6 +129,7 @@ locals {
 cluster_istio_enabled = !local.cluster_output_istio_disabled
 cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
+ cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
 # /BETA features
diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf
index 17e634faf2..3e3578d6d9 100644
--- a/modules/beta-autopilot-public-cluster/outputs.tf
+++ b/modules/beta-autopilot-public-cluster/outputs.tf
@@ -176,7 +176,7 @@ output "intranode_visibility_enabled" {
 output "identity_service_enabled" {
 description = "Whether Identity Service is enabled"
- value = local.cluster_pod_security_policy_enabled
+ value = local.cluster_identity_service_enabled
 }
 output "fleet_membership" {
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index 24204e08be..15f03a4b94 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -140,6 +140,7 @@ locals {
 cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
 cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
+ cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 # /BETA features
@@ -194,6 +195,7 @@ locals {
 cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
+ cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
 # /BETA features
diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf
index 3209aca8ae..c067f6b030 100644
--- a/modules/beta-private-cluster-update-variant/outputs.tf
+++ b/modules/beta-private-cluster-update-variant/outputs.tf
@@ -212,7 +212,7 @@ output "intranode_visibility_enabled" {
 output "identity_service_enabled" {
 description = "Whether Identity Service is enabled"
- value = local.cluster_pod_security_policy_enabled
+ value = local.cluster_identity_service_enabled
 }
 output "fleet_membership" {
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 24204e08be..15f03a4b94 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -140,6 +140,7 @@ locals {
 cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
 cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
+ cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 # /BETA features
@@ -194,6 +195,7 @@ locals {
 cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
+ cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
 # /BETA features
diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf
index 3209aca8ae..c067f6b030 100644
--- a/modules/beta-private-cluster/outputs.tf
+++ b/modules/beta-private-cluster/outputs.tf
@@ -212,7 +212,7 @@ output "intranode_visibility_enabled" {
 output "identity_service_enabled" {
 description = "Whether Identity Service is enabled"
- value = local.cluster_pod_security_policy_enabled
+ value = local.cluster_identity_service_enabled
 }
 output "fleet_membership" {
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
index fcad187b5d..69b8c783d6 100644
--- a/modules/beta-public-cluster-update-variant/main.tf
+++ b/modules/beta-public-cluster-update-variant/main.tf
@@ -139,6 +139,7 @@ locals {
 cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
 cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
+ cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 # /BETA features
@@ -193,6 +194,7 @@ locals {
 cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
+ cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
 # /BETA features
diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf
index 29df3aad34..ee0170e457 100644
--- a/modules/beta-public-cluster-update-variant/outputs.tf
+++ b/modules/beta-public-cluster-update-variant/outputs.tf
@@ -202,7 +202,7 @@ output "intranode_visibility_enabled" {
 output "identity_service_enabled" {
 description = "Whether Identity Service is enabled"
- value = local.cluster_pod_security_policy_enabled
+ value = local.cluster_identity_service_enabled
 }
 output "fleet_membership" {
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index fcad187b5d..69b8c783d6 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -139,6 +139,7 @@ locals {
 cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false
 cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false
 cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
+ cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false
 # /BETA features
@@ -193,6 +194,7 @@ locals {
 cluster_telemetry_type_is_set = var.cluster_telemetry_type != null
 cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
+ cluster_identity_service_enabled = local.cluster_output_identity_service_enabled
 # /BETA features
diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf
index 29df3aad34..ee0170e457 100644
--- a/modules/beta-public-cluster/outputs.tf
+++ b/modules/beta-public-cluster/outputs.tf
@@ -202,7 +202,7 @@ output "intranode_visibility_enabled" {
 output "identity_service_enabled" {
 description = "Whether Identity Service is enabled"
- value = local.cluster_pod_security_policy_enabled
+ value = local.cluster_identity_service_enabled
 }
 output "fleet_membership" {
From 72cf8732fa05964596f9f266dd34217803e2c0cc Mon Sep 17 00:00:00 2001
From: SavvasM1 <83591012+SavvasM1@users.noreply.github.com> Date: Tue, 25 Jun 2024 18:21:46 +0300 Subject: [PATCH 093/176] feat: Add enable_cilium_clusterwide_network_policy support (#1972) --- README.md | 1 + autogen/main/cluster.tf.tmpl | 3 +++ autogen/main/variables.tf.tmpl | 7 +++++++ cluster.tf | 3 +++ modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 5 ++++- modules/beta-autopilot-private-cluster/variables.tf | 7 +++++++ modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 5 ++++- modules/beta-autopilot-public-cluster/variables.tf | 7 +++++++ modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 5 ++++- modules/beta-private-cluster-update-variant/variables.tf | 7 +++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 5 ++++- modules/beta-private-cluster/variables.tf | 7 +++++++ modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 5 ++++- modules/beta-public-cluster-update-variant/variables.tf | 7 +++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 5 ++++- modules/beta-public-cluster/variables.tf | 7 +++++++ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 3 +++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 3 +++ modules/private-cluster/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 29 files changed, 112 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 8927e84d4b..9633443be2 100644 --- a/README.md +++ b/README.md 
@@ -162,6 +162,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index d197879e47..633ba69312 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -238,6 +238,9 @@ resource "google_container_cluster" "primary" {
 {% endif %}
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 {% if beta_cluster %}
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 {% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index d420ed96ce..515a8af1fd 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
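Review bot: `enable_cilium_clusterwide_network_policy` is passed to `google_container_cluster` unconditionally in both the GA and beta renderings of the template, yet the diffstat shows no change to the provider version constraint; if the pinned google/google-beta provider predates this argument, every module fails `terraform validate` rather than only the users who set the flag. Please confirm and, if needed, raise the minimum provider version in the same commit. Style: the new argument is fenced by a blank line above and below in the template and in the root cluster.tf, which the neighbouring `enable_l4_ilb_subsetting` and `enable_fqdn_network_policy` lines are not; dropping the extra blanks keeps the feature-flag block compact. The same placement is repeated in each module's generated cluster.tf hunk below.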
@@ -592,8 +592,15 @@ variable "enable_fqdn_network_policy" {
 description = "Enable FQDN Network Policies on the cluster"
 default = null
 }
+
 {% endif %}
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/cluster.tf b/cluster.tf
index 969a0bf57a..01f808aeea 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -177,6 +177,9 @@ resource "google_container_cluster" "primary" {
 enable_tpu = var.enable_tpu
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index dd10eb2185..751d7fca52 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
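Review bot: The description of the new `enable_cilium_clusterwide_network_policy` variable does not mention that GKE applies cluster-wide Cilium policies only on clusters running Dataplane V2, so a user who turns it on for a legacy-datapath cluster discovers that as an API error at apply time. Suggest `description = "Enable Cilium Cluster Wide Network Policies on the cluster. Requires GKE Dataplane V2."`, and, if the module already exposes the datapath choice as an input, a `lifecycle { precondition { ... } }` on the cluster resource that rejects the combination at plan time. The variable block is generated into every module's variables.tf and README table in the hunks below, so the wording only needs to change here and be regenerated.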
@@ -88,6 +88,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index c51ef9c661..bfee2c0445 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -85,7 +85,10 @@ resource "google_container_cluster" "primary" { enabled = var.enable_vertical_pod_autoscaling } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 8efc4a1388..6e6f2b157a 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -399,6 +399,13 @@ variable "enable_fqdn_network_policy" { default = null } + +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index bb063d68c7..2adc826408 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -81,6 +81,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index c56f3a954f..8fb6118780 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf 
@@ -85,7 +85,10 @@ resource "google_container_cluster" "primary" { enabled = var.enable_vertical_pod_autoscaling } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 5a2d71d26c..173fc99402 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -369,6 +369,13 @@ variable "enable_fqdn_network_policy" { default = null } + +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index ba2948a962..871ae3bcec 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -197,6 +197,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index f3f6c1d216..359d57c007 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index da51f48691..9733efd774 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf 
+++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -568,6 +568,13 @@ variable "enable_fqdn_network_policy" { default = null } + +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 863d39522f..e9be4250ba 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -175,6 +175,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index dfcd012def..3a3f911291 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index da51f48691..9733efd774 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -568,6 +568,13 @@ variable "enable_fqdn_network_policy" { default = null } + +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 5976e0a7c8..7d4c7d512b 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -190,6 +190,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 60a9f80687..3c3f34f0cb 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index cc0ae40e23..a55430896e 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf 
+++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -538,6 +538,13 @@ variable "enable_fqdn_network_policy" { default = null } + +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index fb40bfb57d..8a4e99701e 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -168,6 +168,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 6be429c0b6..fe6a6c242e 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index cc0ae40e23..a55430896e 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -538,6 +538,13 @@ variable "enable_fqdn_network_policy" { default = null } + +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index ffcab6b500..b3ee327805 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -191,6 +191,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 03c3082bb4..04837e28e6 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -177,6 +177,9 @@ resource "google_container_cluster" "primary" {
 
 enable_tpu = var.enable_tpu
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 85b100dbb3..d032c417db 100644
--- a/modules/private-cluster-update-variant/variables.tf
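Review bot: `enable_cilium_clusterwide_network_policy` is passed straight through to `google_container_cluster` in this hunk of modules/private-cluster-update-variant/cluster.tf and in the identical hunk of modules/private-cluster/cluster.tf, but nothing in the commit touches the `google` provider floor in those GA modules' versions.tf. If that floor predates the provider release that introduced this argument, every consumer of the module hits an "Unsupported argument" error at plan time, even with the variable left at its default, because the attribute is always emitted. Please confirm the minimum provider version the argument needs and raise the `required_providers` constraint in the same change if it is below that. The surrounding resource block starts and ends outside the hunk.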
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -544,6 +544,12 @@ variable "enable_confidential_nodes" {
 default = false
 }
 
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 053b9feb87..4934cf9c64 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -169,6 +169,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 21edac9a01..31573d02a9 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -177,6 +177,9 @@ resource "google_container_cluster" "primary" {
 
 enable_tpu = var.enable_tpu
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 85b100dbb3..d032c417db 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -544,6 +544,12 @@ variable "enable_confidential_nodes" {
 default = false
 }
 
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/variables.tf b/variables.tf
index eef896bf04..d36fe30142 100644
--- a/variables.tf
+++ b/variables.tf
@@ -514,6 +514,12 @@ variable "enable_confidential_nodes" {
 default = false
 }
 
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
From 746211e0b352a09bc100b693ee1bab107cafd6f3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 26 Jun 2024 15:46:27 -0700
Subject: [PATCH 094/176] chore(deps): bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5 in /test/integration (#1983)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 test/integration/go.mod | 2 +-
 test/integration/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/integration/go.mod b/test/integration/go.mod
index 22c3f33686..d7a5134283 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -45,7 +45,7 @@ require (
 github.com/gruntwork-io/go-commons v0.17.1 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/hashicorp/go-getter v1.7.4 // indirect
+ github.com/hashicorp/go-getter v1.7.5 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
 github.com/hashicorp/go-safetemp v1.0.0 // indirect
 github.com/hashicorp/go-version v1.6.0 // indirect
diff --git a/test/integration/go.sum b/test/integration/go.sum
index 86bcb3a020..04ff14e885 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -385,8 +385,8 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-getter v1.7.4 h1:3yQjWuxICvSpYwqSayAdKRFcvBl1y/vogCxczWSmix0= -github.com/hashicorp/go-getter v1.7.4/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= +github.com/hashicorp/go-getter v1.7.5 h1:dT58k9hQ/vbxNMwoI5+xFYAJuv6152UNvdHokfI5wE4= +github.com/hashicorp/go-getter v1.7.5/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo= From 165a4ae3d5a8d8235b30fac8edd09fe7030d2046 Mon Sep 17 00:00:00 2001 
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com>
Date: Fri, 28 Jun 2024 08:43:37 -0700
Subject: [PATCH 095/176] chore(master): release 31.1.0 (#1961)
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
---
 CHANGELOG.md | 18 ++++++++++++++++++
 autogen/main/versions.tf.tmpl | 4 ++--
 autogen/safer-cluster/versions.tf.tmpl | 2 +-
 modules/acm/versions.tf | 4 ++--
 modules/asm/versions.tf | 4 ++--
 modules/auth/versions.tf | 2 +-
 .../beta-autopilot-private-cluster/versions.tf | 2 +-
 .../beta-autopilot-public-cluster/versions.tf | 2 +-
 .../versions.tf | 2 +-
 modules/beta-private-cluster/versions.tf | 2 +-
 .../versions.tf | 2 +-
 modules/beta-public-cluster/versions.tf | 2 +-
 modules/binary-authorization/versions.tf | 2 +-
 modules/fleet-membership/versions.tf | 2 +-
 modules/hub-legacy/versions.tf | 2 +-
 .../private-cluster-update-variant/versions.tf | 2 +-
 modules/private-cluster/versions.tf | 2 +-
 .../safer-cluster-update-variant/versions.tf | 2 +-
 modules/safer-cluster/versions.tf | 2 +-
 modules/services/versions.tf | 2 +-
 modules/workload-identity/versions.tf | 2 +-
 versions.tf | 2 +-
 22 files changed, 42 insertions(+), 24 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 906450b4e7..820ef52609 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
 
+## [31.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v31.0.0...v31.1.0) (2024-06-26)
+
+
+### Features
+
+* Add enable_cilium_clusterwide_network_policy support ([#1972](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1972)) ([72cf873](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/72cf8732fa05964596f9f266dd34217803e2c0cc))
+* Add enable_l4_ilb_subsetting for autopilot clusters ([#1969](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1969)) ([c48dc6e](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/c48dc6eb00f475ab4f213549a503da5434a7e926))
+* add pod_pids_limit for kubelet_config in all modules, example and autogen ([#1922](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1922)) ([eec38a2](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/eec38a2de73d637b5871881e0a3335f0e4a2f413))
+* Adding extra permissions to the cluster's default service account ([#1943](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1943)) ([4fab404](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/4fab404c2f63abcd5070b922edd024e24d8294b9))
+* Set boot_disk_kms_key cluster wide and for cluster_autoscaling ([#1959](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1959)) ([654868e](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/654868e292a68fbc0f5ef7dd4bf50336fa8efc48))
+
+
+### Bug Fixes
+
+* avoid `auto_provisioning_defaults` drift
([#1806](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1806)) ([0005ab9](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0005ab9f9b9d23e4747dae9e369f69bbaab40b27))
+* firewall rules for autopilot clusters are ineffective. add cluster_network_tag to autopilot cluster network_tags if firewalls are toggled on ([#1817](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1817)) ([e7b20cd](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/e7b20cd193188bdfebd8e2f6a4eb863b0f5af21c))
+* Fix the value of output "identity_service_enabled" in beta modules ([#1982](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1982)) ([a6210fc](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/a6210fc3d607772c2ef83ece2725fc58981ea7fe))
+
 ## [31.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.3.0...v31.0.0) (2024-05-28)
 
 
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 3e266f9fc4..edf3026f61 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -40,7 +40,7 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.1.0"
 }
 {% else %}
 required_providers {
@@ -58,7 +58,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.1.0"
 }
 {% endif %}
 }
diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl
index 3ad61d487a..7ade294457 100644
--- a/autogen/safer-cluster/versions.tf.tmpl
+++ b/autogen/safer-cluster/versions.tf.tmpl
@@ -23,6 +23,6 @@ terraform {
 required_version = ">=1.3"
 
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.1.0"
 }
 }
diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf
index a9babfe8f8..39a6314c0d 100644
--- a/modules/acm/versions.tf
+++ b/modules/acm/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_version = ">= 0.13.0"
 
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v31.1.0"
 }
 
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v31.1.0"
 }
 
 required_providers {
diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf
index d45b12a96f..4beacc5b5e 100644
--- a/modules/asm/versions.tf
+++ b/modules/asm/versions.tf
@@ -36,10 +36,10 @@ terraform {
 }
 
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v31.1.0"
 }
 
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v31.1.0"
 }
 }
diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf
index bc3a4c4d0c..c2fcca4bd9 100644
--- a/modules/auth/versions.tf
+++ b/modules/auth/versions.tf
@@ -26,6 +26,6 @@ terraform {
 }
 
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v31.1.0"
 }
 }
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index ef38f35edc..043c1ea029 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v31.1.0"
 }
 }
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index bc43de8446..bafcc4a3be 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v31.1.0"
 }
 }
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index d9385ca73d..04135a831d 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v31.1.0"
 }
 }
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 7184582867..1a14037382 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v31.1.0"
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index afe9612323..4a889c15d7 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v31.1.0"
 }
 }
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 4bacb721c0..74cc24942d 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v31.1.0"
 }
 }
diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf
index 66482b1b99..4a30790141 100644
--- a/modules/binary-authorization/versions.tf
+++ b/modules/binary-authorization/versions.tf
@@ -28,6 +28,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v31.1.0"
 }
 }
diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf
index 7b774dcdbe..588e277364 100644
--- a/modules/fleet-membership/versions.tf
+++ b/modules/fleet-membership/versions.tf
@@ -30,6 +30,6 @@ terraform {
 }
 
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v31.1.0"
 }
 }
diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf
index 678714ab54..041d775143 100644
--- a/modules/hub-legacy/versions.tf
+++ b/modules/hub-legacy/versions.tf
@@ -28,6 +28,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v31.1.0"
 }
 }
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index b20b93f068..b36073ae8d 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v31.1.0"
 }
 }
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index b349b6fc93..f13959f817 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v31.1.0"
 }
 }
diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf
index f2270feaaa..3f31c69871 100644
--- a/modules/safer-cluster-update-variant/versions.tf
+++ b/modules/safer-cluster-update-variant/versions.tf
@@ -21,6 +21,6 @@ terraform {
 required_version = ">=1.3"
 
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v31.1.0"
 }
 }
diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf
index fc44a1e96d..b6298aaf94 100644
--- a/modules/safer-cluster/versions.tf
+++ b/modules/safer-cluster/versions.tf
@@ -21,6 +21,6 @@ terraform {
 required_version = ">=1.3"
 
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v31.1.0"
 }
 }
diff --git a/modules/services/versions.tf b/modules/services/versions.tf
index 8413aa45f8..311c31a977 100644
--- a/modules/services/versions.tf
+++ b/modules/services/versions.tf
@@ -19,6 +19,6 @@ terraform {
 required_version = ">= 0.13.0"
 
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v31.1.0"
 }
 }
diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf
index 29ead8fb56..b7b9a890dc 100644
--- a/modules/workload-identity/versions.tf
+++ b/modules/workload-identity/versions.tf
@@ -30,6 +30,6 @@ terraform {
 }
 
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v31.1.0"
 }
 }
diff --git a/versions.tf b/versions.tf
index efb1764683..87a1e3ebee 100644
--- a/versions.tf
+++ b/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v31.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v31.1.0"
 }
 }
From c19756ccfd1c52238aa15cab36e360336690de69 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 8 Jul 2024 11:03:11 -0700
Subject: [PATCH 096/176] chore(deps): Update go modules (#1991)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 test/integration/go.mod | 8 ++++----
 test/integration/go.sum | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/test/integration/go.mod b/test/integration/go.mod
index d7a5134283..c2c00694e2 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -5,8 +5,8 @@ go 1.22
 toolchain go1.22.4
 
 require (
- github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.1
- github.com/gruntwork-io/terratest v0.46.15
+ github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.0
+ github.com/gruntwork-io/terratest v0.46.16
 github.com/stretchr/testify v1.9.0
 github.com/tidwall/gjson v1.17.1
 )
@@ -51,7 +51,7 @@ require (
 github.com/hashicorp/go-version v1.6.0 // indirect
 github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f // indirect
 github.com/hashicorp/hcl/v2 v2.20.1 // indirect
- github.com/hashicorp/terraform-config-inspect v0.0.0-20240509232506-4708120f8f30 // indirect
+ github.com/hashicorp/terraform-config-inspect v0.0.0-20240607080351-271db412dbcb // indirect
 github.com/hashicorp/terraform-json v0.22.1 // indirect
 github.com/imdario/mergo v0.3.16 // indirect
 github.com/jinzhu/copier v0.4.0 // indirect
@@ -82,7 +82,7 @@ require (
 github.com/zclconf/go-cty v1.14.4 // indirect
 go.opencensus.io v0.24.0 // indirect
 golang.org/x/crypto v0.21.0 // indirect
- golang.org/x/mod v0.17.0 // indirect
+ golang.org/x/mod v0.18.0 // indirect
 golang.org/x/net v0.23.0 // indirect
 golang.org/x/oauth2 v0.12.0 // indirect
 golang.org/x/sync v0.4.0 // indirect
diff --git a/test/integration/go.sum b/test/integration/go.sum
index 04ff14e885..66a92cb291 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.1 h1:c1tEK/Ma0NstqqkjS1tCClrFxIX1cNLdrM5cB03Sv24= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.15.1/go.mod h1:bssUTs81Q0xIUg/dYT8/8fqEXOVB8GQVyngw9U79EN4= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.0 h1:1rjUGjXuTnVp/RANDMfCRnDsUi0lIFJUQf4K1aPf5YE= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.0/go.mod h1:EJ+GwRNr/M3wZmmsaBpoUYgQ31+IO+y3sOtKIxw48PI= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
@@ -378,8 +378,8 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0= github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk= -github.com/gruntwork-io/terratest v0.46.15 h1:qfqjTFveymaqe7aAWn3LjlK0SwVGpRfoOut5ggNyfQ8= -github.com/gruntwork-io/terratest v0.46.15/go.mod h1:9bd22zAojjBBiYdsp+AR1iyl2iB6bRUVm2Yf1AFhfrA= +github.com/gruntwork-io/terratest v0.46.16 h1:l+HHuU7lNLwoAl2sP8zkYJy0uoE2Mwha2nw+rim+OhQ= +github.com/gruntwork-io/terratest v0.46.16/go.mod h1:oywHw1cFKXSYvKPm27U7quZVzDUlA22H2xUrKCe26xM= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -399,8 +399,8 @@ github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f h1:UdxlrJz4JOnY8W+Db github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w= github.com/hashicorp/hcl/v2 v2.20.1 h1:M6hgdyz7HYt1UN9e61j+qKJBqR3orTWbI1HKBJEdxtc= github.com/hashicorp/hcl/v2 v2.20.1/go.mod h1:TZDqQ4kNKCbh1iJp99FdPiUaVDDUPivbqxZulxDYqL4= -github.com/hashicorp/terraform-config-inspect v0.0.0-20240509232506-4708120f8f30 h1:0qwr2oZy9mIIJMWh7W9NTHLWGMbEF5KEQ+QqM9hym34= -github.com/hashicorp/terraform-config-inspect v0.0.0-20240509232506-4708120f8f30/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI= +github.com/hashicorp/terraform-config-inspect v0.0.0-20240607080351-271db412dbcb h1:6gCfY5aQdQgRr0G5VDjnV5ENpd+hTamWaZfVz+lJ724= +github.com/hashicorp/terraform-config-inspect v0.0.0-20240607080351-271db412dbcb/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI= github.com/hashicorp/terraform-json v0.22.1 h1:xft84GZR0QzjPVWs4lRUwvTcPnegqlyS7orfb5Ltvec= github.com/hashicorp/terraform-json v0.22.1/go.mod h1:JbWSQCLFSXFFhg42T7l9iJwdGXBYV8fmmD6o/ML4p3A= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 
@@ -571,8 +571,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= +golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= From 3b0bbe8a60532cc2a2b8b676db1dfb7f0d2d0054 Mon Sep 17 00:00:00 2001 
From: kliu47 <88392374+kliu47@users.noreply.github.com> Date: Mon, 8 Jul 2024 16:18:01 -0500 Subject: [PATCH 097/176] feat: Add additional functionality for autopilot clusters (#1985) --- autogen/main/cluster.tf.tmpl | 11 ++++----- autogen/main/main.tf.tmpl | 2 +- autogen/main/variables.tf.tmpl | 2 +- cluster.tf | 8 +++---- examples/simple_autopilot_public/main.tf | 3 +++ .../beta-autopilot-private-cluster/README.md | 3 +++ .../beta-autopilot-private-cluster/cluster.tf | 24 +++++++++++++++++++ .../beta-autopilot-private-cluster/main.tf | 3 +++ .../variables.tf | 18 ++++++++++++++ .../beta-autopilot-public-cluster/README.md | 3 +++ .../beta-autopilot-public-cluster/cluster.tf | 24 +++++++++++++++++++ modules/beta-autopilot-public-cluster/main.tf | 3 +++ .../variables.tf | 18 ++++++++++++++ .../cluster.tf | 9 ++++--- modules/beta-private-cluster/cluster.tf | 9 ++++--- .../cluster.tf | 9 ++++--- modules/beta-public-cluster/cluster.tf | 9 ++++--- .../private-cluster-update-variant/cluster.tf | 8 +++---- modules/private-cluster/cluster.tf | 8 +++---- 19 files changed, 134 insertions(+), 40 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 633ba69312..824e4942cc 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -324,6 +324,11 @@ resource "google_container_cluster" "primary" { } } + config_connector_config { + enabled = var.config_connector + } + {% endif %} + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config @@ -347,13 +352,7 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } - - config_connector_config { - enabled = var.config_connector - } - {% endif %} {% if beta_cluster and autopilot_cluster != true %} - istio_config { disabled = !var.istio auth = var.istio_auth diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 38aa098b0b..46f408bda0 100644 --- a/autogen/main/main.tf.tmpl 
+++ b/autogen/main/main.tf.tmpl @@ -107,10 +107,10 @@ locals { }] cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] logmon_config_is_set = length(var.logging_enabled_components) > 0 || length(var.monitoring_enabled_components) > 0 || var.monitoring_enable_managed_prometheus +{% endif %} gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] -{% endif %} {% if beta_cluster and autopilot_cluster != true %} cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 515a8af1fd..f0c5d7d520 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -741,6 +741,7 @@ variable "gce_pd_csi_driver" { default = true } +{% endif %} variable "gke_backup_agent_config" { type = bool description = "Whether Backup for GKE agent is enabled for this cluster." @@ -759,7 +760,6 @@ variable "stateful_ha" { default = false } -{% endif %} variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/cluster.tf b/cluster.tf index 01f808aeea..2eefcc924d 100644 --- a/cluster.tf +++ b/cluster.tf @@ -244,6 +244,10 @@ resource "google_container_cluster" "primary" { } } + config_connector_config { + enabled = var.config_connector + } + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config @@ -267,10 +271,6 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } - - config_connector_config { - enabled = var.config_connector - } } datapath_provider = var.datapath_provider 
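Review bot: The three add-on locals moved out of the autopilot guard disagree about what a `false` input produces: `gke_backup_agent_config` yields `[{ enabled = false }]`, so Terraform pins the agent off, while `gcs_fuse_csi_driver_config` and `stateful_ha_config` yield `[]`, so no block is sent at all. If the provider treats an absent block as computed, an operator enabling the Cloud Storage FUSE CSI driver out of band (console or gcloud) would not show up as drift and would not be reverted, which matters because that driver lets workloads mount buckets. Unless Autopilot rejects an explicit `enabled = false` for these two blocks, I would make them match the backup-agent shape: `gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [{ enabled = false }]` and `stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [{ enabled = false }]`. If there is a provider reason for the asymmetry, a one-line comment above these locals saying so would save the next reader the question.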
diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index dfad96d0dc..38741490cb 100644 --- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf @@ -49,4 +49,7 @@ module "gke" { network_tags = [local.cluster_type] deletion_protection = false enable_l4_ilb_subsetting = true + gcs_fuse_csi_driver = true + stateful_ha = false + gke_backup_agent_config = false } diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 751d7fca52..46887b7b64 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -104,6 +104,8 @@ Then perform the following commands on the root folder: | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | +| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | +| gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | 
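Review bot: The example now turns on the Cloud Storage FUSE CSI driver on a public Autopilot cluster without saying why, while the other two new lines only restate their module defaults of `false`. Readers copy these examples, so a short comment above the three lines would help, e.g. `# Exercises the Autopilot add-on inputs added with this change; the FUSE CSI driver lets pods mount Cloud Storage buckets, so bucket IAM should be granted deliberately.` The IAM remark depends on how the driver authenticates, which this diff does not show, so confirm the wording before committing it.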
@@ -141,6 +143,7 @@ Then perform the following commands on the root folder: | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index bfee2c0445..8f36118449 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -135,6 +135,30 @@ resource "google_container_cluster" "primary" { disabled = !var.horizontal_pod_autoscaling } + + dynamic "gke_backup_agent_config" { + for_each = local.gke_backup_agent_config + + content { + enabled = gke_backup_agent_config.value.enabled + } + } + + dynamic "gcs_fuse_csi_driver_config" { + for_each = local.gcs_fuse_csi_driver_config + + content { + enabled = gcs_fuse_csi_driver_config.value.enabled + } + } + + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } } allow_net_admin = var.allow_net_admin diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index f879c2d6eb..52427188dc 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
@@ -66,6 +66,9 @@ locals { cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0])) : [] + gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] + gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 6e6f2b157a..fb7040461f 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -453,6 +453,24 @@ variable "database_encryption" { } +variable "gke_backup_agent_config" { + type = bool + description = "Whether Backup for GKE agent is enabled for this cluster." + default = false +} + +variable "gcs_fuse_csi_driver" { + type = bool + description = "Whether GCE FUSE CSI driver is enabled for this cluster." + default = false +} + +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 2adc826408..257b5b398b 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
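Review bot: The description of the new `gcs_fuse_csi_driver` variable says "GCE FUSE CSI driver", but the variable name, the `gcs_fuse_csi_driver_config` block it drives and the product itself are Cloud Storage (GCS) FUSE, so the doc misnames the feature; I would change it to `description = "Whether the Cloud Storage (GCS) FUSE CSI driver is enabled for this cluster."`. The same text appears in the README rows and in the beta-autopilot-public-cluster variant, and since these modules look generated from autogen/, the fix presumably belongs in autogen/main/variables.tf.tmpl (outside this diff) so it is not overwritten on the next generation.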
@@ -95,6 +95,8 @@ Then perform the following commands on the root folder: | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | +| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | +| gke\_backup\_agent\_config | Whether Backup for GKE agent is enabled for this cluster. | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | @@ -130,6 +132,7 @@ Then perform the following commands on the root folder: | shadow\_firewall\_rules\_log\_config | The log\_config for shadow firewall rules. You can set this variable to `null` to disable logging. |
object({
metadata = string
})
|
{
"metadata": "INCLUDE_ALL_METADATA"
}
| no | | shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | stack\_type | The stack type to use for this cluster. Either `IPV4` or `IPV4_IPV6`. Defaults to `IPV4`. | `string` | `"IPV4"` | no | +| stateful\_ha | Whether the Stateful HA Addon is enabled for this cluster. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 8fb6118780..2945356182 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -135,6 +135,30 @@ resource "google_container_cluster" "primary" { disabled = !var.horizontal_pod_autoscaling } + + dynamic "gke_backup_agent_config" { + for_each = local.gke_backup_agent_config + + content { + enabled = gke_backup_agent_config.value.enabled + } + } + + dynamic "gcs_fuse_csi_driver_config" { + for_each = local.gcs_fuse_csi_driver_config + + content { + enabled = gcs_fuse_csi_driver_config.value.enabled + } + } + + dynamic "stateful_ha_config" { + for_each = local.stateful_ha_config + + content { + enabled = stateful_ha_config.value.enabled + } + } } allow_net_admin = var.allow_net_admin diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index b00176d69b..3be62c142f 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
@@ -66,6 +66,9 @@ locals { cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} pod_all_ip_ranges = var.add_cluster_firewall_rules ? compact(concat([local.cluster_alias_ranges_cidr[var.ip_range_pods]], [for range in var.additional_ip_range_pods : local.cluster_alias_ranges_cidr[range] if length(range) > 0])) : [] + gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] + gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] + stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 173fc99402..82a52262fc 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -423,6 +423,24 @@ variable "database_encryption" { } +variable "gke_backup_agent_config" { + type = bool + description = "Whether Backup for GKE agent is enabled for this cluster." + default = false +} + +variable "gcs_fuse_csi_driver" { + type = bool + description = "Whether GCE FUSE CSI driver is enabled for this cluster." + default = false +} + +variable "stateful_ha" { + type = bool + description = "Whether the Stateful HA Addon is enabled for this cluster." + default = false +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 359d57c007..1a54007c7d 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -267,6 +267,10 @@ resource "google_container_cluster" "primary" { } } + config_connector_config { + enabled = var.config_connector + } + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config @@ -290,11 +294,6 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } - - config_connector_config { - enabled = var.config_connector - } - istio_config { disabled = !var.istio auth = var.istio_auth diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 3a3f911291..3c3e75a137 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -267,6 +267,10 @@ resource "google_container_cluster" "primary" { } } + config_connector_config { + enabled = var.config_connector + } + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config @@ -290,11 +294,6 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } - - config_connector_config { - enabled = var.config_connector - } - istio_config { disabled = !var.istio auth = var.istio_auth diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 3c3f34f0cb..08c7a9fb98 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -267,6 +267,10 @@ resource "google_container_cluster" "primary" { } } + config_connector_config { + enabled = var.config_connector + } + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config @@ -290,11 +294,6 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } - - config_connector_config { - enabled = var.config_connector - } - istio_config { disabled = !var.istio auth = var.istio_auth 
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index fe6a6c242e..f4ce6624b8 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -267,6 +267,10 @@ resource "google_container_cluster" "primary" { } } + config_connector_config { + enabled = var.config_connector + } + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config @@ -290,11 +294,6 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } - - config_connector_config { - enabled = var.config_connector - } - istio_config { disabled = !var.istio auth = var.istio_auth diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 04837e28e6..62228fbecf 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -244,6 +244,10 @@ resource "google_container_cluster" "primary" { } } + config_connector_config { + enabled = var.config_connector + } + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config @@ -267,10 +271,6 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } - - config_connector_config { - enabled = var.config_connector - } } datapath_provider = var.datapath_provider diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 31573d02a9..c82ca3d399 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -244,6 +244,10 @@ resource "google_container_cluster" "primary" { } } + config_connector_config { + enabled = var.config_connector + } + dynamic "gke_backup_agent_config" { for_each = local.gke_backup_agent_config 
@@ -267,10 +271,6 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } - - config_connector_config { - enabled = var.config_connector - } } datapath_provider = var.datapath_provider From 5c58d892cc52074c70032a73a9f7fc37d25738f5 Mon Sep 17 00:00:00 2001 
From: Mikhail Zholobov Date: Tue, 9 Jul 2024 21:00:49 +0200 Subject: [PATCH 098/176] feat(TPG>=5.33)!: add secret manager add-on config to beta modules (#1977) --- autogen/main/cluster.tf.tmpl | 7 +++++++ autogen/main/main.tf.tmpl | 2 ++ autogen/main/outputs.tf.tmpl | 5 +++++ autogen/main/variables.tf.tmpl | 6 ++++++ autogen/main/versions.tf.tmpl | 4 ++-- modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/main.tf | 10 ++++++---- modules/beta-autopilot-private-cluster/outputs.tf | 5 +++++ modules/beta-autopilot-private-cluster/versions.tf | 4 ++-- modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/main.tf | 10 ++++++---- modules/beta-autopilot-public-cluster/outputs.tf | 5 +++++ modules/beta-autopilot-public-cluster/versions.tf | 4 ++-- modules/beta-private-cluster-update-variant/README.md | 2 ++ modules/beta-private-cluster-update-variant/cluster.tf | 7 +++++++ modules/beta-private-cluster-update-variant/main.tf | 10 ++++++---- modules/beta-private-cluster-update-variant/outputs.tf | 5 +++++ .../beta-private-cluster-update-variant/variables.tf | 6 ++++++ .../beta-private-cluster-update-variant/versions.tf | 4 ++-- modules/beta-private-cluster/README.md | 2 ++ modules/beta-private-cluster/cluster.tf | 7 +++++++ modules/beta-private-cluster/main.tf | 10 ++++++---- modules/beta-private-cluster/outputs.tf | 5 +++++ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-private-cluster/versions.tf | 4 ++-- modules/beta-public-cluster-update-variant/README.md | 2 ++ modules/beta-public-cluster-update-variant/cluster.tf | 7 +++++++ modules/beta-public-cluster-update-variant/main.tf | 10 ++++++---- modules/beta-public-cluster-update-variant/outputs.tf | 5 +++++ .../beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/versions.tf | 4 ++-- modules/beta-public-cluster/README.md | 2 ++ modules/beta-public-cluster/cluster.tf | 7 +++++++ 
modules/beta-public-cluster/main.tf | 10 ++++++---- modules/beta-public-cluster/outputs.tf | 5 +++++ modules/beta-public-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster/versions.tf | 4 ++-- 37 files changed, 162 insertions(+), 38 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 824e4942cc..f5815a15d8 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -221,6 +221,13 @@ resource "google_container_cluster" "primary" { {% if beta_cluster %} enable_intranode_visibility = var.enable_intranode_visibility + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 46f408bda0..427ef73ad7 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
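Review bot: With `for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []`, a `false` input sends no `secret_manager_config` block at all, so Terraform neither asserts nor restores the disabled state; if the provider treats the absent block as computed, someone enabling the add-on out of band would never surface as drift, and since this add-on exposes Secret Manager secrets to workloads the off state is worth enforcing. The pattern copies the neighbouring `pod_security_policy_config` block, but `config_connector_config` in the same resource is written unconditionally, and I would do the same here if TPG 5.33 accepts an explicit false: `secret_manager_config {` / `  enabled = var.enable_secret_manager_addon` / `}`. The enclosing `google_container_cluster` resource starts and ends outside the hunk.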
@@ -169,6 +169,7 @@ locals { cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features {% endif %} @@ -239,6 +240,7 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features {% endif %} diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 1dda329642..9cf774cca8 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -233,6 +233,11 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled } + +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} {% endif %} output "fleet_membership" { 
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index f0c5d7d520..9eb45d9a20 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -862,6 +862,12 @@ variable "enable_pod_security_policy" { default = false } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} + variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index edf3026f61..059774ef6c 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 46887b7b64..3985ee8bb4 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -181,6 +181,7 @@ Then perform the following commands on the root folder: | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | +| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | 
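Review bot: The new `enable_secret_manager_addon` description says only that it enables the add-on; a reader deciding whether to flip it needs to know what it grants to workloads and what it requires. As I recall, the GKE Secret Manager add-on requires Workload Identity Federation on the cluster and serves secrets to pods through the CSI driver according to the Kubernetes service account's IAM bindings, but please confirm against the current GKE docs before quoting that. I would expand the description to `description = "(Beta) Enable the Secret Manager add-on, which lets pods mount Secret Manager secrets through the CSI driver. Requires Workload Identity and IAM access on the secrets."`.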
diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 52427188dc..19355a74dc 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
@@ -92,10 +92,11 @@ locals { cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? 
google_container_cluster.primary.pod_security_policy_config[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -134,6 +135,7 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index 9e73ca043c..9d3954fb45 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf @@ -189,6 +189,11 @@ output "identity_service_enabled" { value = local.cluster_identity_service_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 043c1ea029..f873195a97 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf 
+++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 257b5b398b..f0c16822e4 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -168,6 +168,7 @@ Then perform the following commands on the root folder: | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | +| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 3be62c142f..9c89bd9b67 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
@@ -91,10 +91,11 @@ locals { cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? 
google_container_cluster.primary.pod_security_policy_config[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -133,6 +134,7 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index 3e3578d6d9..f23b1ed6ac 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf +++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -179,6 +179,11 @@ output "identity_service_enabled" { value = local.cluster_identity_service_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index bafcc4a3be..6bba2e28b8 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf 
+++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 871ae3bcec..7f0575c31d 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -212,6 +212,7 @@ Then perform the following commands on the root folder: | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | +| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | 
@@ -329,6 +330,7 @@ Then perform the following commands on the root folder: | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | +| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 1a54007c7d..630ccc6669 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -184,6 +184,13 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 15f03a4b94..96267061f4 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
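Review bot: The new `dynamic "secret_manager_config"` block is dropped entirely when `var.enable_secret_manager_addon` is false, so Terraform never states `enabled = false` and would presumably neither report nor revert the add-on being switched on outside Terraform (console or gcloud); this mirrors the `pod_security_policy_config` pattern just below it, but an add-on that exposes Secret Manager secrets to workloads is a case where the disabled state should be explicit in the plan. A plain block, `secret_manager_config {` / `  enabled = var.enable_secret_manager_addon` / `}`, makes both states managed; confirm with the provider that an explicit `enabled = false` plans cleanly before switching. The same block is added in the cluster.tf hunks for beta-private-cluster, beta-public-cluster-update-variant and beta-public-cluster, so any change applies to all four. The enclosing `google_container_cluster` resource starts and ends outside the hunk.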
@@ -137,10 +137,11 @@ locals { cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? 
google_container_cluster.primary.pod_security_policy_config[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -196,6 +197,7 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index c067f6b030..3702c4b729 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -215,6 +215,11 @@ output "identity_service_enabled" { value = local.cluster_identity_service_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 9733efd774..aa76cf0a3f 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf 
+++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -826,6 +826,12 @@ variable "enable_pod_security_policy" { default = false } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} + variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 04135a831d..df9b26ca58 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index e9be4250ba..e6faa6b955 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
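Review bot: The description of the new `enable_secret_manager_addon` variable says only "(Beta) Enable the Secret Manager add-on for this cluster", which tells a module user nothing about what enabling it exposes; since this is the switch operators will read when deciding to turn it on, it should state the effect. If the add-on behaves as I understand it, something like `description = "(Beta) Enable the Secret Manager add-on for this cluster. When enabled, Pods can mount Secret Manager secrets as volumes; read access to each secret is still governed by IAM on the workload's identity."` would be enough, and the generated README row would pick it up. The same variable is added in the variables.tf hunks for beta-private-cluster, beta-public-cluster-update-variant and beta-public-cluster.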
@@ -190,6 +190,7 @@ Then perform the following commands on the root folder: | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | +| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | @@ -307,6 +308,7 @@ Then perform the following commands on the root folder: | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | +| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 3c3e75a137..88469dd152 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -184,6 +184,13 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 15f03a4b94..96267061f4 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -137,10 +137,11 @@ locals { cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? 
google_container_cluster.primary.pod_security_policy_config[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -196,6 +197,7 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index c067f6b030..3702c4b729 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -215,6 +215,11 @@ output "identity_service_enabled" { value = local.cluster_identity_service_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 9733efd774..aa76cf0a3f 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -826,6 +826,12 @@ variable "enable_pod_security_policy" { default = false } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} + variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 1a14037382..102e899572 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 7d4c7d512b..780d094616 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -203,6 +203,7 @@ Then perform the following commands on the root folder: | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | +| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | @@ -316,6 +317,7 @@ Then perform the following commands on the root folder: | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | +| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | 
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 08c7a9fb98..91608910c7 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -184,6 +184,13 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 69b8c783d6..f435b715cb 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -136,10 +136,11 @@ locals { cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? 
google_container_cluster.primary.pod_security_policy_config[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -195,6 +196,7 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index ee0170e457..c45e89b6df 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -205,6 +205,11 @@ output "identity_service_enabled" { value = local.cluster_identity_service_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index a55430896e..5601d6af18 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf 
+++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -796,6 +796,12 @@ variable "enable_pod_security_policy" { default = false } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} + variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 4a889c15d7..a72a0b13ac 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.25.0, < 6" + version = ">= 5.33.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 8a4e99701e..4fc82a77dc 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -181,6 +181,7 @@ Then perform the following commands on the root folder: | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | +| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | @@ -294,6 +295,7 @@ Then perform the following commands on the root folder: | pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | release\_channel | The release channel of this cluster | +| secret\_manager\_addon\_enabled | Whether Secret Manager add-on is enabled | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | tpu\_ipv4\_cidr\_block | The IP range in CIDR notation used for the TPUs | | type | Cluster type (regional / zonal) | 
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index f4ce6624b8..102b17e3da 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -184,6 +184,13 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 69b8c783d6..f435b715cb 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -136,10 +136,11 @@ locals { cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false # BETA features - cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false - cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false + cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? 
google_container_cluster.primary.pod_security_policy_config[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false + cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features @@ -195,6 +196,7 @@ locals { cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled + cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index ee0170e457..c45e89b6df 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -205,6 +205,11 @@ output "identity_service_enabled" { value = local.cluster_identity_service_enabled } +output "secret_manager_addon_enabled" { + description = "Whether Secret Manager add-on is enabled" + value = local.cluster_secret_manager_addon_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index a55430896e..5601d6af18 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -796,6 +796,12 @@ variable "enable_pod_security_policy" {
 default = false
 }
 
+variable "enable_secret_manager_addon" {
+ description = "(Beta) Enable the Secret Manager add-on for this cluster"
+ type = bool
+ default = false
+}
+
 variable "sandbox_enabled" {
 type = bool
 description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 74cc24942d..193dad6b2f 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.25.0, < 6"
+ version = ">= 5.33.0, < 6"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.25.0, < 6"
+ version = ">= 5.33.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
From 08028a89d9ca812034f4b7d487e7f28131b41061 Mon Sep 17 00:00:00 2001
From: abdel <181392+abdel@users.noreply.github.com>
Date: Fri, 12 Jul 2024 04:04:14 +1000
Subject: [PATCH 099/176] feat: add support for `logging_variant` in Autopilot clusters (#1962)
Co-authored-by: Andrew Peabody
---
autogen/main/cluster.tf.tmpl | 8 ++++++++
autogen/main/variables.tf.tmpl | 8 ++++++++
modules/beta-autopilot-private-cluster/README.md | 1 +
modules/beta-autopilot-private-cluster/cluster.tf | 6 ++++++
modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++
modules/beta-autopilot-public-cluster/README.md | 1 +
modules/beta-autopilot-public-cluster/cluster.tf | 6 ++++++
modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++
8 files changed, 42 insertions(+)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index f5815a15d8..a40116eab3 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
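Review bot: The description of the new `enable_secret_manager_addon` variable tells an operator nothing about what the flag actually unlocks or what it depends on, which matters for a feature that mounts Secret Manager secrets into pods. As far as I know the GKE Secret Manager add-on requires Workload Identity Federation for GKE on the cluster (worth confirming against the current GKE docs), and enabling it grants no workload any secret access by itself — each pod's Kubernetes service account still needs `roles/secretmanager.secretAccessor` on the specific secrets it mounts. I would extend the description to `"(Beta) Enable the Secret Manager add-on (CSI driver) for this cluster. Requires Workload Identity; access to individual secrets is still governed by IAM on those secrets."`. If this file is rendered from the autogen template, the wording belongs in the template so the other generated modules pick it up too.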
@@ -640,6 +640,14 @@ resource "google_container_cluster" "primary" { } } {% endif %} + {% if beta_cluster and autopilot_cluster %} + + node_pool_defaults { + node_config_defaults { + logging_variant = var.logging_variant + } + } + {% endif %} {% if beta_cluster %} depends_on = [google_project_iam_member.service_agent] diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 9eb45d9a20..dea04e2728 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -914,3 +914,11 @@ variable "fleet_project_grant_service_agent" { default = false } {% endif %} +{% if beta_cluster and autopilot_cluster %} + +variable "logging_variant" { + description = "(Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT." + type = string + default = null +} +{% endif %} diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 3985ee8bb4..71a415fa3c 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
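Review bot: `logging_variant` in the variables.tf.tmpl hunk accepts any string even though its own description limits the valid values to DEFAULT and MAX_THROUGHPUT, so a typo is only rejected by the API at apply time, after the plan has been approved. A `validation` block on the variable would reject it at plan time while still allowing the `null` default to pass through unchanged. Separately, the `node_pool_defaults { node_config_defaults { logging_variant = var.logging_variant } }` block in the cluster.tf.tmpl hunk is emitted unconditionally with a possibly-null value; if the provider treats a nested block with a null attribute differently from an absent block, a `dynamic` block gated on `var.logging_variant != null` would avoid sending an empty node_pool_defaults — I cannot confirm the provider's behaviour from the diff, so please check that against a plan.
```hcl
variable "logging_variant" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.logging_variant == null ? true : contains(["DEFAULT", "MAX_THROUGHPUT"], var.logging_variant)
    error_message = "logging_variant must be DEFAULT or MAX_THROUGHPUT."
  }
}
```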
@@ -116,6 +116,7 @@ Then perform the following commands on the root folder: | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | +| logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 8f36118449..331ce7b1a9 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -299,5 +299,11 @@ resource "google_container_cluster" "primary" { } } + node_pool_defaults { + node_config_defaults { + logging_variant = var.logging_variant + } + } + depends_on = [google_project_iam_member.service_agent] } 
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index fb7040461f..017f13766e 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -503,3 +503,9 @@ variable "fleet_project_grant_service_agent" {
 type = bool
 default = false
 }
+
+variable "logging_variant" {
+ description = "(Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT."
+ type = string
+ default = null
+}
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index f0c16822e4..d29fa7a7ae 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -107,6 +107,7 @@ Then perform the following commands on the root folder: | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | +| logging\_variant | (Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX\_THROUGHPUT. | `string` | `null` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | | maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 2945356182..57b9288fcf 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -280,5 +280,11 @@ resource "google_container_cluster" "primary" { } } + node_pool_defaults { + node_config_defaults { + logging_variant = var.logging_variant + } + } + depends_on = [google_project_iam_member.service_agent] } diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 82a52262fc..f73b556115 100644 
--- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -473,3 +473,9 @@ variable "fleet_project_grant_service_agent" { type = bool default = false } + +variable "logging_variant" { + description = "(Optional) The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT." + type = string + default = null +} From a37bf7ed87d7f17e897926ac2ddf59e9b13030f5 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 11 Jul 2024 19:12:21 +0000 Subject: [PATCH 100/176] chore(deps): Update dependency go to v1.22.5 (#1993) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index c2c00694e2..4224097241 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -2,7 +2,7 @@ module github.com/terraform-google-modules/terraform-google-kubernetes-engine/te go 1.22 -toolchain go1.22.4 +toolchain go1.22.5 require ( github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.0 From 4274b0e286509103c25ae9b2d62f932e922f7659 Mon Sep 17 00:00:00 2001 
From: Ilia Lazebnik Date: Mon, 15 Jul 2024 15:04:05 -0400 Subject: [PATCH 101/176] feat: bump `enable_intranode_visibility` to GA (#1956) --- README.md | 2 ++ autogen/main/cluster.tf.tmpl | 4 ++-- autogen/main/main.tf.tmpl | 4 ++-- autogen/main/outputs.tf.tmpl | 10 +++++----- autogen/main/variables.tf.tmpl | 12 ++++++------ cluster.tf | 6 ++++-- main.tf | 4 +++- modules/beta-autopilot-private-cluster/main.tf | 6 +++--- modules/beta-autopilot-private-cluster/outputs.tf | 10 +++++----- modules/beta-autopilot-public-cluster/main.tf | 6 +++--- modules/beta-autopilot-public-cluster/outputs.tf | 10 +++++----- modules/beta-private-cluster-update-variant/main.tf | 6 +++--- .../beta-private-cluster-update-variant/outputs.tf | 10 +++++----- .../beta-private-cluster-update-variant/variables.tf | 12 ++++++------ modules/beta-private-cluster/main.tf | 6 +++--- modules/beta-private-cluster/outputs.tf | 10 +++++----- modules/beta-private-cluster/variables.tf | 12 ++++++------ modules/beta-public-cluster-update-variant/main.tf | 6 +++--- .../beta-public-cluster-update-variant/outputs.tf | 10 +++++----- .../beta-public-cluster-update-variant/variables.tf | 12 ++++++------ modules/beta-public-cluster/main.tf | 6 +++--- modules/beta-public-cluster/outputs.tf | 10 +++++----- modules/beta-public-cluster/variables.tf | 12 ++++++------ modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 6 ++++-- modules/private-cluster-update-variant/main.tf | 4 +++- modules/private-cluster-update-variant/outputs.tf | 5 +++++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 6 ++++-- modules/private-cluster/main.tf | 4 +++- modules/private-cluster/outputs.tf | 5 +++++ modules/private-cluster/variables.tf | 6 ++++++ outputs.tf | 5 +++++ variables.tf | 6 ++++++ 35 files changed, 147 insertions(+), 96 deletions(-) 
diff --git a/README.md b/README.md index 9633443be2..f78a2470e1 100644 --- a/README.md +++ b/README.md @@ -165,6 +165,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | @@ -258,6 +259,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing\_enabled | Whether http load balancing enabled | | identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | +| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | 
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index a40116eab3..5d5b5a6bcc 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -216,11 +216,11 @@ resource "google_container_cluster" "primary" { } } - enable_kubernetes_alpha = var.enable_kubernetes_alpha + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu - {% if beta_cluster %} enable_intranode_visibility = var.enable_intranode_visibility + {% if beta_cluster %} dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content { diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 427ef73ad7..dbeef5fc7a 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
@@ -162,12 +162,12 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility {% if beta_cluster %} # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false 
@@ -225,6 +225,7 @@ locals { workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled {% if autopilot_cluster != true %} cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates @@ -238,7 +239,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null {% endif %} cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 9cf774cca8..7bf4b04ab9 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -224,11 +224,6 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "intranode_visibility_enabled" { - description = "Whether intra-node visibility is enabled" - value = local.cluster_intranode_visibility_enabled -} - output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled @@ -240,6 +235,11 @@ output "secret_manager_addon_enabled" { } {% endif %} +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index dea04e2728..c429de7f35 100644 --- a/autogen/main/variables.tf.tmpl 
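Review bot: The local being promoted out of the beta section in the main.tf.tmpl hunks, `cluster_output_intranode_visbility_enabled`, carries a misspelling (`visbility`) that this change now copies into the GA code path of every generated module. It is module-internal — the output reads `local.cluster_intranode_visibility_enabled`, not this name — so renaming it costs nothing: change the added line to `cluster_output_intranode_visibility_enabled = google_container_cluster.primary.enable_intranode_visibility` and the consumer to `cluster_intranode_visibility_enabled = local.cluster_output_intranode_visibility_enabled`. Assuming the per-module main.tf files are regenerated from this template, fixing it once here is enough.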
+++ b/autogen/main/variables.tf.tmpl @@ -817,6 +817,12 @@ variable "config_connector" { default = false } +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + {% endif %} variable "enable_l4_ilb_subsetting" { type = bool @@ -874,12 +880,6 @@ variable "sandbox_enabled" { default = false } -variable "enable_intranode_visibility" { - type = bool - description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" - default = false -} - variable "enable_identity_service" { type = bool description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." diff --git a/cluster.tf b/cluster.tf index 2eefcc924d..1bdf843645 100644 --- a/cluster.tf +++ b/cluster.tf @@ -173,8 +173,10 @@ resource "google_container_cluster" "primary" { } } - enable_kubernetes_alpha = var.enable_kubernetes_alpha - enable_tpu = var.enable_tpu + enable_kubernetes_alpha = var.enable_kubernetes_alpha + enable_tpu = var.enable_tpu + enable_intranode_visibility = var.enable_intranode_visibility + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting diff --git a/main.tf b/main.tf index f41e968be5..68624dd498 100644 --- a/main.tf +++ b/main.tf 
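Review bot: The description of `enable_intranode_visibility` in the variables.tf.tmpl hunk, "This makes same node pod to pod traffic visible for VPC network", does not tell an operator why they would want it, which matters now that the flag is GA and reachable from the root module. The point of the feature is that same-node pod-to-pod traffic, which otherwise never leaves the node, becomes visible to the VPC so that VPC Flow Logs and, I believe, other VPC features such as firewall rules and Packet Mirroring apply to it; without it a detection pipeline built on flow logs has a blind spot for co-located pods. I would reword it to `"Whether intra-node visibility is enabled for this cluster. When enabled, pod-to-pod traffic on the same node is made visible to the VPC network so that VPC Flow Logs (and other VPC features) can observe it."`. Also note the variable is inserted immediately before a `{% endif %}` whose opening condition is outside the hunk; the diffstat shows no variables.tf change for the autopilot modules, which is consistent with that guard being intentional, but it is worth confirming the variable lands in every module whose cluster.tf reads it.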
@@ -122,6 +122,7 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ @@ -165,7 +166,8 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 19355a74dc..c8843bbcea 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
@@ -90,11 +90,11 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false 
@@ -128,12 +128,12 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index 9d3954fb45..a7ecafb1d4 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf @@ -179,11 +179,6 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "intranode_visibility_enabled" { - description = "Whether intra-node visibility is enabled" - value = local.cluster_intranode_visibility_enabled -} - output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled @@ -194,6 +189,11 @@ output "secret_manager_addon_enabled" { value = local.cluster_secret_manager_addon_enabled } +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership 
diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 9c89bd9b67..04d1560feb 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
@@ -89,11 +89,11 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false 
@@ -127,12 +127,12 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index f23b1ed6ac..15700691ae 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf +++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -169,11 +169,6 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "intranode_visibility_enabled" { - description = "Whether intra-node visibility is enabled" - value = local.cluster_intranode_visibility_enabled -} - output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled @@ -184,6 +179,11 @@ output "secret_manager_addon_enabled" { value = local.cluster_secret_manager_addon_enabled } +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership 
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 96267061f4..c99571da2d 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
@@ -135,11 +135,11 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false 
@@ -186,7 +186,8 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -195,7 +196,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index 3702c4b729..fedfd98dcb 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -205,11 +205,6 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "intranode_visibility_enabled" { - description = "Whether intra-node visibility is enabled" - value = local.cluster_intranode_visibility_enabled -} - output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled 
@@ -220,6 +215,11 @@ output "secret_manager_addon_enabled" { value = local.cluster_secret_manager_addon_enabled } +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index aa76cf0a3f..1dc85ac867 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -784,6 +784,12 @@ variable "config_connector" { default = false } +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" @@ -838,12 +844,6 @@ variable "sandbox_enabled" { default = false } -variable "enable_intranode_visibility" { - type = bool - description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" - default = false -} - variable "enable_identity_service" { type = bool description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 96267061f4..c99571da2d 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -135,11 +135,11 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false 
@@ -186,7 +186,8 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -195,7 +196,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index 3702c4b729..fedfd98dcb 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -205,11 +205,6 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "intranode_visibility_enabled" { - description = "Whether intra-node visibility is enabled" - value = local.cluster_intranode_visibility_enabled -} - output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled 
@@ -220,6 +215,11 @@ output "secret_manager_addon_enabled" { value = local.cluster_secret_manager_addon_enabled } +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index aa76cf0a3f..1dc85ac867 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -784,6 +784,12 @@ variable "config_connector" { default = false } +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" @@ -838,12 +844,6 @@ variable "sandbox_enabled" { default = false } -variable "enable_intranode_visibility" { - type = bool - description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" - default = false -} - variable "enable_identity_service" { type = bool description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index f435b715cb..2c68d8c4d7 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -134,11 +134,11 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false 
@@ -185,7 +185,8 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -194,7 +195,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index c45e89b6df..a2cb3583f8 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -195,11 +195,6 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "intranode_visibility_enabled" { - description = "Whether intra-node visibility is enabled" - value = local.cluster_intranode_visibility_enabled -} - output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled 
@@ -210,6 +205,11 @@ output "secret_manager_addon_enabled" { value = local.cluster_secret_manager_addon_enabled } +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 5601d6af18..6175048ab5 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -754,6 +754,12 @@ variable "config_connector" { default = false } +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" @@ -808,12 +814,6 @@ variable "sandbox_enabled" { default = false } -variable "enable_intranode_visibility" { - type = bool - description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" - default = false -} - variable "enable_identity_service" { type = bool description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index f435b715cb..2c68d8c4d7 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -134,11 +134,11 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false 
@@ -185,7 +185,8 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -194,7 +195,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index c45e89b6df..a2cb3583f8 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -195,11 +195,6 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "intranode_visibility_enabled" { - description = "Whether intra-node visibility is enabled" - value = local.cluster_intranode_visibility_enabled -} - output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_identity_service_enabled 
@@ -210,6 +205,11 @@ output "secret_manager_addon_enabled" { value = local.cluster_secret_manager_addon_enabled } +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 5601d6af18..6175048ab5 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -754,6 +754,12 @@ variable "config_connector" { default = false } +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" @@ -808,12 +814,6 @@ variable "sandbox_enabled" { default = false } -variable "enable_intranode_visibility" { - type = bool - description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" - default = false -} - variable "enable_identity_service" { type = bool description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index b3ee327805..98d97d5a35 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -194,6 +194,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | @@ -291,6 +292,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing\_enabled | Whether http load balancing enabled | | identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | +| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | 
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 62228fbecf..2872a0649e 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -173,8 +173,10 @@ resource "google_container_cluster" "primary" { } } - enable_kubernetes_alpha = var.enable_kubernetes_alpha - enable_tpu = var.enable_tpu + enable_kubernetes_alpha = var.enable_kubernetes_alpha + enable_tpu = var.enable_tpu + enable_intranode_visibility = var.enable_intranode_visibility + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 7c7de2529f..7525e01485 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -123,6 +123,7 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ 
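Review bot: The new local `cluster_output_intranode_visbility_enabled` in the main.tf hunk carries a misspelling (`visbility`) into the GA private-cluster-update-variant module, and the next hunk then refers to it as `local.cluster_output_intranode_visbility_enabled`; the same pair appears in modules/private-cluster/main.tf further down the page. Both names are module-internal locals, so `cluster_output_intranode_visibility_enabled = google_container_cluster.primary.enable_intranode_visibility` together with `cluster_intranode_visibility_enabled = local.cluster_output_intranode_visibility_enabled` is a safe rename with no effect on module inputs or outputs. These main.tf files are presumably generated from a template under autogen/main (only cluster.tf.tmpl and variables.tf.tmpl are visible here), so the rename belongs in the template or it will be regenerated away; the beta modules in this diff only move an existing line with the same spelling and would need the same treatment. The enclosing `locals` block starts outside the hunk.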
@@ -166,7 +167,8 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 8f35e71fe0..fbc4cf14ee 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -190,6 +190,11 @@ output "dns_cache_enabled" { value = local.cluster_dns_cache_enabled } +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index d032c417db..31e1435bce 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -759,6 +759,12 @@ variable "config_connector" { default = false } +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" 
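Review bot: The description on the new `enable_intranode_visibility` variable in the variables.tf hunk, `This makes same node pod to pod traffic visible for VPC network`, does not say why an operator would turn it on: the point of the flag is that same-node pod-to-pod traffic becomes visible to the VPC, so VPC flow logs and VPC firewall rules cover it instead of it bypassing both, which is the security reason to enable it. I would reword it to `Whether intra-node visibility is enabled for this cluster. When enabled, same-node pod-to-pod traffic is visible to the VPC network, so VPC flow logs and firewall rules apply to it.` As far as I recall, changing this setting on an existing cluster is applied by GKE with a node restart, so a sentence flagging the change as disruptive would help; please confirm against the GKE documentation before adding it. The same description text appears in the modules/private-cluster/variables.tf and root variables.tf hunks further down and in the README input tables.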
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 4934cf9c64..6ed41131d3 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -172,6 +172,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | 
@@ -269,6 +270,7 @@ Then perform the following commands on the root folder: | http\_load\_balancing\_enabled | Whether http load balancing enabled | | identity\_namespace | Workload Identity pool | | instance\_group\_urls | List of GKE generated instance groups | +| intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index c82ca3d399..4216d133d0 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -173,8 +173,10 @@ resource "google_container_cluster" "primary" { } } - enable_kubernetes_alpha = var.enable_kubernetes_alpha - enable_tpu = var.enable_tpu + enable_kubernetes_alpha = var.enable_kubernetes_alpha + enable_tpu = var.enable_tpu + enable_intranode_visibility = var.enable_intranode_visibility + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 7c7de2529f..7525e01485 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf 
@@ -123,6 +123,7 @@ locals { cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false + cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ @@ -166,7 +167,8 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] - confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] + cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 8f35e71fe0..fbc4cf14ee 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -190,6 +190,11 @@ output "dns_cache_enabled" { value = local.cluster_dns_cache_enabled } +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership 
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index d032c417db..31e1435bce 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -759,6 +759,12 @@ variable "config_connector" { default = false } +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/outputs.tf b/outputs.tf index 7aa1c3be10..442fd87a7a 100644 --- a/outputs.tf +++ b/outputs.tf @@ -180,6 +180,11 @@ output "dns_cache_enabled" { value = local.cluster_dns_cache_enabled } +output "intranode_visibility_enabled" { + description = "Whether intra-node visibility is enabled" + value = local.cluster_intranode_visibility_enabled +} + output "fleet_membership" { description = "Fleet membership (if registered)" value = local.fleet_membership diff --git a/variables.tf b/variables.tf index d36fe30142..087a42b962 100644 --- a/variables.tf +++ b/variables.tf @@ -729,6 +729,12 @@ variable "config_connector" { default = false } +variable "enable_intranode_visibility" { + type = bool + description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" + default = false +} + variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" From 9ff1b5e373a4aafa6199abbc07f8c07bf092ac2f Mon Sep 17 00:00:00 2001 
From: Ilia Lazebnik Date: Tue, 16 Jul 2024 19:04:30 -0400 Subject: [PATCH 102/176] feat: add notification event filter (#1996) Co-authored-by: Amine Laabi --- README.md | 1 + autogen/main/cluster.tf.tmpl | 7 +++++++ autogen/main/variables.tf.tmpl | 10 ++++++++-- cluster.tf | 7 +++++++ modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++ modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 7 +++++++ .../beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 7 +++++++ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 7 +++++++ .../beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 7 +++++++ modules/beta-public-cluster/variables.tf | 6 ++++++ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 7 +++++++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 7 +++++++ modules/private-cluster/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 29 files changed, 141 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f78a2470e1..91ee510acc 100644 --- a/README.md +++ b/README.md 
@@ -222,6 +222,7 @@ Then perform the following commands on the root folder: | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 5d5b5a6bcc..5e79561d49 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -628,6 +628,13 @@ resource "google_container_cluster" "primary" {
 pubsub {
 enabled = var.notification_config_topic != "" ? true : false
 topic = var.notification_config_topic
+
+ dynamic "filter" {
+ for_each = length(var.notification_filter_event_type) > 0 ? [1] : []
+ content {
+ event_type = var.notification_filter_event_type
+ }
+ }
 }
 }
 {% if beta_cluster and autopilot_cluster != true %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index c429de7f35..8c11019aef 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
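Review bot: The new `dynamic "filter"` block in autogen/main/cluster.tf.tmpl is keyed only on `var.notification_filter_event_type`, so a caller who sets event types but leaves `notification_config_topic` empty still gets a filter rendered inside a `pubsub` block whose `enabled` is false; I have not confirmed how the provider treats that combination, but guarding on both avoids having to find out: `for_each = var.notification_config_topic != "" && length(var.notification_filter_event_type) > 0 ? [1] : []`. A one-line comment above the block would also make the opt-in semantics explicit for readers: `# No filter block when the list is empty: GKE then delivers every event type, including SECURITY_BULLETIN_EVENT.`. The same block is repeated verbatim in the generated cluster.tf copies in this patch (root cluster.tf and each modules/*/cluster.tf), which should be regenerated from this template rather than edited by hand. The enclosing `google_container_cluster` resource starts outside this hunk.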
@@ -620,9 +620,15 @@ variable "disable_default_snat" {
 }

 variable "notification_config_topic" {
- type = string
+ type = string
 description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}."
- default = ""
+ default = ""
+}
+
+variable "notification_filter_event_type" {
+ type = list(string)
+ description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT."
+ default = []
 }

 variable "deletion_protection" {
diff --git a/cluster.tf b/cluster.tf
index 1bdf843645..2f3d2b26be 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -465,6 +465,13 @@ resource "google_container_cluster" "primary" {
 pubsub {
 enabled = var.notification_config_topic != "" ? true : false
 topic = var.notification_config_topic
+
+ dynamic "filter" {
+ for_each = length(var.notification_filter_event_type) > 0 ? [1] : []
+ content {
+ event_type = var.notification_filter_event_type
+ }
+ }
 }
 }
 }
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 71a415fa3c..ab7c564231 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -130,6 +130,7 @@ Then perform the following commands on the root folder: | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
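Review bot: The new `notification_filter_event_type` variable in autogen/main/variables.tf.tmpl documents three accepted values but does not enforce them, so a typo such as a misspelled `SECURITY_BULLETIN_EVENT` only surfaces as an API error at apply time, after the plan has already been reviewed. If the module's `required_version` permits it, a `validation` block rejects bad entries at plan time; `alltrue` over an empty list is true, so the `[]` default still passes. The same applies to the variables.tf copies regenerated from this template in this patch (root variables.tf and each modules/*/variables.tf).

```hcl
variable "notification_filter_event_type" {
  # … unchanged: type, description, default …

  validation {
    condition     = alltrue([for e in var.notification_filter_event_type : contains(["UPGRADE_AVAILABLE_EVENT", "UPGRADE_EVENT", "SECURITY_BULLETIN_EVENT"], e)])
    error_message = "notification_filter_event_type entries must be one of UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT or SECURITY_BULLETIN_EVENT."
  }
}
```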
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 331ce7b1a9..a7283e1e35 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -296,6 +296,13 @@ resource "google_container_cluster" "primary" { pubsub { enabled = var.notification_config_topic != "" ? true : false topic = var.notification_config_topic + + dynamic "filter" { + for_each = length(var.notification_filter_event_type) > 0 ? [1] : [] + content { + event_type = var.notification_filter_event_type + } + } } } diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 017f13766e..88cadf8abf 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -430,6 +430,12 @@ variable "notification_config_topic" { default = "" } +variable "notification_filter_event_type" { + type = list(string) + description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." + default = [] +} + variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index d29fa7a7ae..52b472a7ac 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -119,6 +119,7 @@ Then perform the following commands on the root folder: | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 57b9288fcf..ff4c88b6f2 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -277,6 +277,13 @@ resource "google_container_cluster" "primary" { pubsub { enabled = var.notification_config_topic != "" ? true : false topic = var.notification_config_topic + + dynamic "filter" { + for_each = length(var.notification_filter_event_type) > 0 ? [1] : [] + content { + event_type = var.notification_filter_event_type + } + } } } diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index f73b556115..d5a2ad0cb8 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf 
@@ -400,6 +400,12 @@ variable "notification_config_topic" { default = "" } +variable "notification_filter_event_type" { + type = list(string) + description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." + default = [] +} + variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 7f0575c31d..5c823a11f8 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -270,6 +270,7 @@ Then perform the following commands on the root folder: | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 630ccc6669..8946f7dae3 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -544,6 +544,13 @@ resource "google_container_cluster" "primary" { pubsub { enabled = var.notification_config_topic != "" ? true : false topic = var.notification_config_topic + + dynamic "filter" { + for_each = length(var.notification_filter_event_type) > 0 ? [1] : [] + content { + event_type = var.notification_filter_event_type + } + } } } diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 1dc85ac867..6c0fa1aafa 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -599,6 +599,12 @@ variable "notification_config_topic" { default = "" } +variable "notification_filter_event_type" { + type = list(string) + description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." + default = [] +} + variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index e6faa6b955..b56788608b 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -248,6 +248,7 @@ Then perform the following commands on the root folder: | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 88469dd152..1b385d77dc 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -544,6 +544,13 @@ resource "google_container_cluster" "primary" { pubsub { enabled = var.notification_config_topic != "" ? true : false topic = var.notification_config_topic + + dynamic "filter" { + for_each = length(var.notification_filter_event_type) > 0 ? [1] : [] + content { + event_type = var.notification_filter_event_type + } + } } } diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 1dc85ac867..6c0fa1aafa 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -599,6 +599,12 @@ variable "notification_config_topic" { default = "" } +variable "notification_filter_event_type" { + type = list(string) + description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." + default = [] +} + variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 780d094616..666df46159 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -259,6 +259,7 @@ Then perform the following commands on the root folder: | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 91608910c7..47971c2e64 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -525,6 +525,13 @@ resource "google_container_cluster" "primary" { pubsub { enabled = var.notification_config_topic != "" ? true : false topic = var.notification_config_topic + + dynamic "filter" { + for_each = length(var.notification_filter_event_type) > 0 ? [1] : [] + content { + event_type = var.notification_filter_event_type + } + } } } diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 6175048ab5..19b6d13654 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -569,6 +569,12 @@ variable "notification_config_topic" { default = "" } +variable "notification_filter_event_type" { + type = list(string) + description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." + default = [] +} + variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 4fc82a77dc..7c23ef23de 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -237,6 +237,7 @@ Then perform the following commands on the root folder: | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 102b17e3da..933912fa2f 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -525,6 +525,13 @@ resource "google_container_cluster" "primary" { pubsub { enabled = var.notification_config_topic != "" ? true : false topic = var.notification_config_topic + + dynamic "filter" { + for_each = length(var.notification_filter_event_type) > 0 ? [1] : [] + content { + event_type = var.notification_filter_event_type + } + } } } diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 6175048ab5..19b6d13654 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -569,6 +569,12 @@ variable "notification_config_topic" { default = "" } +variable "notification_filter_event_type" { + type = list(string) + description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." + default = [] +} + variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 98d97d5a35..8b2eafc05a 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -255,6 +255,7 @@ Then perform the following commands on the root folder: | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 2872a0649e..c933889af7 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -484,6 +484,13 @@ resource "google_container_cluster" "primary" { pubsub { enabled = var.notification_config_topic != "" ? true : false topic = var.notification_config_topic + + dynamic "filter" { + for_each = length(var.notification_filter_event_type) > 0 ? [1] : [] + content { + event_type = var.notification_filter_event_type + } + } } } } diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 31e1435bce..26b97acc22 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -574,6 +574,12 @@ variable "notification_config_topic" { default = "" } +variable "notification_filter_event_type" { + type = list(string) + description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." + default = [] +} + variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 6ed41131d3..4fb6f586be 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -233,6 +233,7 @@ Then perform the following commands on the root folder: | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | +| notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 4216d133d0..2f4882393e 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -484,6 +484,13 @@ resource "google_container_cluster" "primary" { pubsub { enabled = var.notification_config_topic != "" ? true : false topic = var.notification_config_topic + + dynamic "filter" { + for_each = length(var.notification_filter_event_type) > 0 ? [1] : [] + content { + event_type = var.notification_filter_event_type + } + } } } } diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 31e1435bce..26b97acc22 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -574,6 +574,12 @@ variable "notification_config_topic" { default = "" } +variable "notification_filter_event_type" { + type = list(string) + description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." + default = [] +} + variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." diff --git a/variables.tf b/variables.tf index 087a42b962..3af25f7cd7 100644 --- a/variables.tf +++ b/variables.tf @@ -544,6 +544,12 @@ variable "notification_config_topic" { default = "" } +variable "notification_filter_event_type" { + type = list(string) + description = "Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE_AVAILABLE_EVENT, UPGRADE_EVENT, and SECURITY_BULLETIN_EVENT." + default = [] +} + variable "deletion_protection" { type = bool description = "Whether or not to allow Terraform to destroy the cluster." From 9ae8b385ce84d705cf3ac7722bad89a24d056302 Mon Sep 17 00:00:00 2001 
From: 0Delta <0deltast@gmail.com> Date: Thu, 18 Jul 2024 07:04:11 +0900 Subject: [PATCH 103/176] fix: empty addons_config handling (#1978) Co-authored-by: Andrew Peabody --- autogen/main/main.tf.tmpl | 6 +++--- main.tf | 6 +++--- modules/beta-autopilot-private-cluster/main.tf | 4 ++-- modules/beta-autopilot-public-cluster/main.tf | 4 ++-- modules/beta-private-cluster-update-variant/main.tf | 6 +++--- modules/beta-private-cluster/main.tf | 6 +++--- modules/beta-public-cluster-update-variant/main.tf | 6 +++--- modules/beta-public-cluster/main.tf | 6 +++--- modules/private-cluster-update-variant/main.tf | 6 +++--- modules/private-cluster/main.tf | 6 +++--- 10 files changed, 28 insertions(+), 28 deletions(-) diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index dbeef5fc7a..4c6d3c4093 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
@@ -157,10 +157,10 @@ locals {
 cluster_output_logging_service = google_container_cluster.primary.logging_service
 cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service
 {% if autopilot_cluster != true %}
- cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled
+ cluster_output_network_policy_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "network_policy_config", [{}]), [{ disabled=false }])[0].disabled
 {% endif %}
- cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
- cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
+ cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled=false }])[0].disabled
+ cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled=false }])[0].disabled
 cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
 cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
diff --git a/main.tf b/main.tf
index 68624dd498..75850241f3 100644
--- a/main.tf
+++ b/main.tf
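Review bot: The three new `coalescelist(lookup(coalescelist(...)))` chains in autogen/main/main.tf.tmpl are hard to read and are repeated once per addon; `try()` expresses the same intent in one step, e.g. `cluster_output_network_policy_enabled = try(google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled, false)`, and likewise for `http_load_balancing` and `horizontal_pod_autoscaling`. Whichever form is kept, the fallback deserves a comment: when `addons_config` is absent the local yields `disabled = false`, i.e. it reports the addon as active, and if the API default for the network policy addon is disabled (as I believe it is, but have not confirmed against the provider) this output is optimistic for a security control. The template also writes `disabled=false` without spaces while the generated main.tf in the next hunk has `disabled = false`; `terraform fmt` presumably does not touch `.tmpl` files, so aligning the template by hand keeps regeneration diffs clean. The same change appears in main.tf and the modules/*/main.tf hunks of this patch, and the `locals` block starts outside this hunk.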
@@ -118,9 +118,9 @@ locals {
 cluster_output_min_master_version = google_container_cluster.primary.min_master_version
 cluster_output_logging_service = google_container_cluster.primary.logging_service
 cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service
- cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled
- cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled
- cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled
+ cluster_output_network_policy_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "network_policy_config", [{}]), [{ disabled = false }])[0].disabled
+ cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled = false }])[0].disabled
+ cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled
 cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false
 cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf
index c8843bbcea..447e359152 100644
--- a/modules/beta-autopilot-private-cluster/main.tf
+++ b/modules/beta-autopilot-private-cluster/main.tf
@@ -87,8 +87,8 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled = false }])[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 04d1560feb..62b573380a 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
@@ -86,8 +86,8 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled = false }])[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index c99571da2d..974b652c08 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
@@ -131,9 +131,9 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_network_policy_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "network_policy_config", [{}]), [{ disabled = false }])[0].disabled + cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled = false }])[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index c99571da2d..974b652c08 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -131,9 +131,9 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_network_policy_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "network_policy_config", [{}]), [{ disabled = false }])[0].disabled + cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled = false }])[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 2c68d8c4d7..32c29929eb 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -130,9 +130,9 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_network_policy_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "network_policy_config", [{}]), [{ disabled = false }])[0].disabled + cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled = false }])[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 2c68d8c4d7..32c29929eb 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -130,9 +130,9 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_network_policy_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "network_policy_config", [{}]), [{ disabled = false }])[0].disabled + cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled = false }])[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 7525e01485..3aeaf1414a 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf 
@@ -119,9 +119,9 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_network_policy_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "network_policy_config", [{}]), [{ disabled = false }])[0].disabled + cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled = false }])[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 7525e01485..3aeaf1414a 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf 
@@ -119,9 +119,9 @@ locals { cluster_output_min_master_version = google_container_cluster.primary.min_master_version cluster_output_logging_service = google_container_cluster.primary.logging_service cluster_output_monitoring_service = google_container_cluster.primary.monitoring_service - cluster_output_network_policy_enabled = google_container_cluster.primary.addons_config[0].network_policy_config[0].disabled - cluster_output_http_load_balancing_enabled = google_container_cluster.primary.addons_config[0].http_load_balancing[0].disabled - cluster_output_horizontal_pod_autoscaling_enabled = google_container_cluster.primary.addons_config[0].horizontal_pod_autoscaling[0].disabled + cluster_output_network_policy_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "network_policy_config", [{}]), [{ disabled = false }])[0].disabled + cluster_output_http_load_balancing_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "http_load_balancing", [{}]), [{ disabled = false }])[0].disabled + cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility From 9d6a4005ea8601dc88ce2a64edcc5ce663765893 Mon Sep 17 00:00:00 2001 
From: Ilia Lazebnik Date: Thu, 18 Jul 2024 17:24:07 -0400 Subject: [PATCH 104/176] feat: bump identity_service_config to ga (#1997) Co-authored-by: Andrew Peabody --- README.md | 2 ++ autogen/main/cluster.tf.tmpl | 14 +++++++------- autogen/main/main.tf.tmpl | 4 ++-- autogen/main/outputs.tf.tmpl | 10 +++++----- autogen/main/variables.tf.tmpl | 12 +++++++----- cluster.tf | 7 +++++++ main.tf | 2 ++ modules/beta-autopilot-private-cluster/main.tf | 4 ++-- modules/beta-autopilot-private-cluster/outputs.tf | 10 +++++----- .../beta-autopilot-private-cluster/variables.tf | 1 + modules/beta-autopilot-public-cluster/main.tf | 4 ++-- modules/beta-autopilot-public-cluster/outputs.tf | 10 +++++----- modules/beta-autopilot-public-cluster/variables.tf | 1 + .../beta-private-cluster-update-variant/cluster.tf | 14 +++++++------- .../beta-private-cluster-update-variant/main.tf | 4 ++-- .../beta-private-cluster-update-variant/outputs.tf | 10 +++++----- .../variables.tf | 8 ++++---- modules/beta-private-cluster/cluster.tf | 14 +++++++------- modules/beta-private-cluster/main.tf | 4 ++-- modules/beta-private-cluster/outputs.tf | 10 +++++----- modules/beta-private-cluster/variables.tf | 8 ++++---- .../beta-public-cluster-update-variant/cluster.tf | 14 +++++++------- modules/beta-public-cluster-update-variant/main.tf | 4 ++-- .../beta-public-cluster-update-variant/outputs.tf | 10 +++++----- .../variables.tf | 8 ++++---- modules/beta-public-cluster/cluster.tf | 14 +++++++------- modules/beta-public-cluster/main.tf | 4 ++-- modules/beta-public-cluster/outputs.tf | 10 +++++----- modules/beta-public-cluster/variables.tf | 8 ++++---- modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 7 +++++++ modules/private-cluster-update-variant/main.tf | 2 ++ modules/private-cluster-update-variant/outputs.tf | 5 +++++ .../private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 2 ++ 
modules/private-cluster/cluster.tf | 7 +++++++ modules/private-cluster/main.tf | 2 ++ modules/private-cluster/outputs.tf | 5 +++++ modules/private-cluster/variables.tf | 6 ++++++ outputs.tf | 5 +++++ variables.tf | 6 ++++++ 41 files changed, 175 insertions(+), 105 deletions(-) diff --git a/README.md b/README.md index 91ee510acc..9ec5ef5031 100644 --- a/README.md +++ b/README.md @@ -165,6 +165,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | 
@@ -259,6 +260,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | | identity\_namespace | Workload Identity pool | +| identity\_service\_enabled | Whether Identity Service is enabled | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 5e79561d49..927f5012dc 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -216,6 +216,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility @@ -234,13 +241,6 @@ resource "google_container_cluster" "primary" { enabled = pod_security_policy_config.value } } - - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } {% endif %} {% endif %} diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 4c6d3c4093..5356f7dd69 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
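Review bot: The moved `dynamic "identity_service_config"` block is emitted only when `var.enable_identity_service` is true, so flipping the variable back to false drops the block from the configuration instead of sending `enabled = false`; if the provider treats this block as computed, as it does for other optional GKE feature blocks, the Identity Service — an extra OIDC authentication path into the API server — stays enabled with no plan diff. A plain `identity_service_config { enabled = var.enable_identity_service }` makes the disable explicit; if the dynamic form is kept to avoid diffs on existing clusters, the variable description should state that setting it to false does not turn the component off. As written `enabled = identity_service_config.value` is always `true`, so the iterator adds nothing over a literal. The insertion point now sits outside the `{% if beta_cluster %}` guard that previously wrapped it; the variables template gates `enable_identity_service` to non-autopilot clusters, so this spot presumably sits under a matching `{% if autopilot_cluster != true %}` — the enclosing guards are outside the hunk, so that is worth confirming against the rendered autopilot modules.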
@@ -163,12 +163,12 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled=false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false {% if beta_cluster %} # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features 
@@ -226,6 +226,7 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled {% if autopilot_cluster != true %} cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates @@ -239,7 +240,6 @@ locals { cluster_telemetry_type_is_set = var.cluster_telemetry_type != null {% endif %} cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 7bf4b04ab9..bd11d979b3 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -224,17 +224,17 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "identity_service_enabled" { - description = "Whether Identity Service is enabled" - value = local.cluster_identity_service_enabled -} - output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled } {% endif %} +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 8c11019aef..a9da55d219 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
@@ -886,18 +886,20 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } + {% endif %} +{% endif %} -variable "enable_gcfs" { +{% if autopilot_cluster != true %} +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } - {% endif %} {% endif %} {% if autopilot_cluster %} variable "allow_net_admin" { diff --git a/cluster.tf b/cluster.tf index 2f3d2b26be..07d93f26fd 100644 --- a/cluster.tf +++ b/cluster.tf @@ -173,6 +173,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility diff --git a/main.tf b/main.tf index 75850241f3..f7bb8b486b 100644 --- a/main.tf +++ b/main.tf 
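Review bot: The `enable_identity_service` description should say what enabling it changes from a security standpoint and how it is scoped: it adds an external-IdP (OIDC) authentication path to the Kubernetes API and, per the new `{% if autopilot_cluster != true %}` guard, is only rendered for Standard clusters. Suggested text: `"Enable the Identity Service component, which lets external identity providers (OIDC) authenticate to the Kubernetes API. Standard clusters only; the applied state is exposed via the identity_service_enabled output."` The hunk adds two `{% endif %}` lines before the new guard while the two trailing `{% endif %}` context lines remain, and the matching `{% if %}` openers are outside the hunk; the nesting looks plausible given the rendered module diffstat but should be checked so `enable_identity_service` lands under the intended guards.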
@@ -123,6 +123,7 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ @@ -168,6 +169,7 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 447e359152..836c151bc1 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
@@ -91,11 +91,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features 
@@ -130,11 +130,11 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index a7ecafb1d4..66610c3682 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf @@ -179,16 +179,16 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "identity_service_enabled" { - description = "Whether Identity Service is enabled" - value = local.cluster_identity_service_enabled -} - output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 88cadf8abf..7d9fd4262e 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -492,6 +492,7 @@ variable "enable_l4_ilb_subsetting" { description = "Enable L4 ILB Subsetting on the cluster" default = false } + variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." type = bool diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 62b573380a..fb8af5bef8 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
@@ -90,11 +90,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features 
@@ -129,11 +129,11 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index 15700691ae..98cf3fbdd3 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf +++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -169,16 +169,16 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "identity_service_enabled" { - description = "Whether Identity Service is enabled" - value = local.cluster_identity_service_enabled -} - output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index d5a2ad0cb8..fc60d9c42e 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf 
@@ -462,6 +462,7 @@ variable "enable_l4_ilb_subsetting" { description = "Enable L4 ILB Subsetting on the cluster" default = false } + variable "allow_net_admin" { description = "(Optional) Enable NET_ADMIN for the cluster." type = bool
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 8946f7dae3..2e79946dd3 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -180,6 +180,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility
@@ -198,13 +205,6 @@ resource "google_container_cluster" "primary" { } } - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index 974b652c08..1bfa3658a5 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -136,11 +136,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features 
@@ -188,6 +188,7 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -196,7 +197,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index fedfd98dcb..99a88a3264 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -205,16 +205,16 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "identity_service_enabled" { - description = "Whether Identity Service is enabled" - value = local.cluster_identity_service_enabled -} - output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled 
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 6c0fa1aafa..62717aff0d 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -850,15 +850,15 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } -variable "enable_gcfs" { +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 1b385d77dc..9e25b40547 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -180,6 +180,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility @@ -198,13 +205,6 @@ resource "google_container_cluster" "primary" { } } - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy 
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 974b652c08..1bfa3658a5 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -136,11 +136,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features 
@@ -188,6 +188,7 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -196,7 +197,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index fedfd98dcb..99a88a3264 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -205,16 +205,16 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "identity_service_enabled" { - description = "Whether Identity Service is enabled" - value = local.cluster_identity_service_enabled -} - output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 6c0fa1aafa..62717aff0d 100644 --- a/modules/beta-private-cluster/variables.tf 
+++ b/modules/beta-private-cluster/variables.tf @@ -850,15 +850,15 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } -variable "enable_gcfs" { +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 47971c2e64..c0db8debc1 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -180,6 +180,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility @@ -198,13 +205,6 @@ resource "google_container_cluster" "primary" { } } - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 32c29929eb..0039ec882f 100644 --- a/modules/beta-public-cluster-update-variant/main.tf 
+++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -135,11 +135,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features 
@@ -187,6 +187,7 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -195,7 +196,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index a2cb3583f8..9747767770 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -195,16 +195,16 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "identity_service_enabled" { - description = "Whether Identity Service is enabled" - value = local.cluster_identity_service_enabled -} - output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled 
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 19b6d13654..71c4561b65 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -820,15 +820,15 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } -variable "enable_gcfs" { +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 933912fa2f..13d35fac17 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -180,6 +180,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility @@ -198,13 +205,6 @@ resource "google_container_cluster" "primary" { } } - dynamic "identity_service_config" { - for_each = var.enable_identity_service ? [var.enable_identity_service] : [] - content { - enabled = identity_service_config.value - } - } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy 
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index 32c29929eb..0039ec882f 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -135,11 +135,11 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false # BETA features cluster_output_istio_disabled = google_container_cluster.primary.addons_config[0].istio_config != null && length(google_container_cluster.primary.addons_config[0].istio_config) == 1 ? google_container_cluster.primary.addons_config[0].istio_config[0].disabled : false cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config[0].enabled : false - cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features 
@@ -187,6 +187,7 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] @@ -195,7 +196,6 @@ locals { cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_telemetry_type_is_set = var.cluster_telemetry_type != null cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled - cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_secret_manager_addon_enabled = local.cluster_output_secret_manager_addon_enabled # /BETA features diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index a2cb3583f8..9747767770 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -195,16 +195,16 @@ output "pod_security_policy_enabled" { value = local.cluster_pod_security_policy_enabled } -output "identity_service_enabled" { - description = "Whether Identity Service is enabled" - value = local.cluster_identity_service_enabled -} - output "secret_manager_addon_enabled" { description = "Whether Secret Manager add-on is enabled" value = local.cluster_secret_manager_addon_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 19b6d13654..71c4561b65 100644 --- a/modules/beta-public-cluster/variables.tf 
+++ b/modules/beta-public-cluster/variables.tf @@ -820,15 +820,15 @@ variable "sandbox_enabled" { default = false } -variable "enable_identity_service" { +variable "enable_gcfs" { type = bool - description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + description = "Enable image streaming on cluster level." default = false } -variable "enable_gcfs" { +variable "enable_identity_service" { type = bool - description = "Enable image streaming on cluster level." + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 8b2eafc05a..cb64b72928 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -194,6 +194,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | @@ -292,6 +293,7 @@ Then perform the following commands on the root folder: | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | | identity\_namespace | Workload Identity pool | +| identity\_service\_enabled | Whether Identity Service is enabled | | instance\_group\_urls | List of GKE generated instance groups | | intranode\_visibility\_enabled | Whether intra-node visibility is enabled | | location | Cluster location (region if regional cluster, zone if zonal cluster) | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index c933889af7..4d0622639b 100644 
--- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -173,6 +173,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 3aeaf1414a..90702177dd 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -124,6 +124,7 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ 
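Review bot: The new `dynamic "identity_service_config"` block in the private-cluster-update-variant cluster.tf hunk is only emitted when `var.enable_identity_service` is true, so with the default `false` no block is sent and the configuration never asserts `enabled = false`; if the Identity Service were switched on outside Terraform, a plan would presumably not show or revert that change (how the provider treats an absent block is not visible here, so worth confirming). Since `enabled = identity_service_config.value` is always `true` inside the block, the `for_each` conditional only carries the boolean indirectly; a plain `identity_service_config { enabled = var.enable_identity_service }` would state the desired state explicitly and let plan surface drift on a control-plane authentication setting. The same shape is added in the private-cluster cluster.tf hunk below, while the beta modules only relocate an existing copy of the block. The enclosing `google_container_cluster` resource starts and ends outside the hunk.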
@@ -169,6 +170,7 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index fbc4cf14ee..eeec118921 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -190,6 +190,11 @@ output "dns_cache_enabled" { value = local.cluster_dns_cache_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 26b97acc22..abf2a688ff 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -777,6 +777,12 @@ variable "enable_l4_ilb_subsetting" { default = false } +variable "enable_identity_service" { + type = bool + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + default = false +} + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 4fb6f586be..419120b95f 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -172,6 +172,7 @@ Then perform the following commands on the root folder:
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
@@ -270,6 +271,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
 | identity\_namespace | Workload Identity pool |
+| identity\_service\_enabled | Whether Identity Service is enabled |
 | instance\_group\_urls | List of GKE generated instance groups |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | location | Cluster location (region if regional cluster, zone if zonal cluster) |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 2f4882393e..4f3296f4db 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf @@ -173,6 +173,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "identity_service_config" { + for_each = var.enable_identity_service ? [var.enable_identity_service] : [] + content { + enabled = identity_service_config.value + } + } + enable_kubernetes_alpha = var.enable_kubernetes_alpha enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 3aeaf1414a..90702177dd 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -124,6 +124,7 @@ locals { cluster_output_horizontal_pod_autoscaling_enabled = coalescelist(lookup(coalescelist(google_container_cluster.primary.addons_config, [{}])[0], "horizontal_pod_autoscaling", [{}]), [{ disabled = false }])[0].disabled cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling[0].enabled : false cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility + cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ 
@@ -169,6 +170,7 @@ locals { }] confidential_node_config = var.enable_confidential_nodes == true ? [{ enabled = true }] : [] cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled + cluster_identity_service_enabled = local.cluster_output_identity_service_enabled cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ enable_certificates = var.enable_mesh_certificates }] : [] diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index fbc4cf14ee..eeec118921 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -190,6 +190,11 @@ output "dns_cache_enabled" { value = local.cluster_dns_cache_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 26b97acc22..abf2a688ff 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -777,6 +777,12 @@ variable "enable_l4_ilb_subsetting" { default = false } +variable "enable_identity_service" { + type = bool + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + default = false +} + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string diff --git a/outputs.tf b/outputs.tf index 442fd87a7a..c6a853f743 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -180,6 +180,11 @@ output "dns_cache_enabled" { value = local.cluster_dns_cache_enabled } +output "identity_service_enabled" { + description = "Whether Identity Service is enabled" + value = local.cluster_identity_service_enabled +} + output "intranode_visibility_enabled" { description = "Whether intra-node visibility is enabled" value = local.cluster_intranode_visibility_enabled diff --git a/variables.tf b/variables.tf index 3af25f7cd7..338f0c4f3a 100644 --- a/variables.tf +++ b/variables.tf @@ -747,6 +747,12 @@ variable "enable_l4_ilb_subsetting" { default = false } +variable "enable_identity_service" { + type = bool + description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." + default = false +} + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string From 6bd1bc103955fa4f4af8aca53e2afddd68a43a1c Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Fri, 19 Jul 2024 11:34:48 -0400 Subject: [PATCH 105/176] feat: bump kubelet config to ga + minor doc fixes (#1994) Co-authored-by: Andrew Peabody --- README.md | 7 +++++ autogen/main/README.md | 6 ++-- autogen/main/cluster.tf.tmpl | 16 +++++------ cluster.tf | 26 +++++++++++++++++ .../README.md | 2 +- .../cluster.tf | 28 +++++++++---------- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/cluster.tf | 28 +++++++++---------- .../README.md | 2 +- .../cluster.tf | 28 +++++++++---------- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/cluster.tf | 28 +++++++++---------- .../private-cluster-update-variant/README.md | 6 ++++ .../private-cluster-update-variant/cluster.tf | 26 +++++++++++++++++ modules/private-cluster/README.md | 6 ++++ modules/private-cluster/cluster.tf | 26 +++++++++++++++++ 16 files changed, 167 insertions(+), 72 deletions(-) diff --git a/README.md b/README.md index 9ec5ef5031..aba792c6d4 100644 --- a/README.md 
+++ b/README.md
@@ -298,6 +298,10 @@ The node_pools variable takes the following parameters:
 | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional |
 | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional |
 | boot_disk_kms_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. | " " | Optional |
+| cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional |
+| cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
+| cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
+| pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
@@ -330,6 +334,9 @@ The node_pools variable takes the following parameters:
 | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with total limits. | 1 | Optional |
 | total_min_count | Total minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with per zone limits. | null | Optional |
 | name | The name of the node pool | | Required |
+| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | | Optional |
+| pod_range | The name of the secondary range for pod IPs. | | Optional |
+| enable_private_nodes | Whether nodes have internal IP addresses only. | | Optional |
 | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required |
 | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional |
 | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional |
diff --git a/autogen/main/README.md b/autogen/main/README.md
index 4206111f2f..7a3960f1a1 100644
--- a/autogen/main/README.md
+++ b/autogen/main/README.md
@@ -197,11 +197,11 @@ The node_pools variable takes the following parameters:
 | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional |
 | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional |
 | boot_disk_kms_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. | " " | Optional |
-{% if beta_cluster %}
 | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional |
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
 | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
+{% if beta_cluster %}
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 {% endif %}
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
@@ -239,13 +239,11 @@ The node_pools variable takes the following parameters:
 | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with total limits. | 1 | Optional |
 | total_min_count | Total minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with per zone limits. | null | Optional |
 | name | The name of the node pool | | Required |
-{% if beta_cluster %}
-| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional |
+| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | | Optional |
 | pod_range | The name of the secondary range for pod IPs. | | Optional |
 {% if not private_cluster %}
 | enable_private_nodes | Whether nodes have internal IP addresses only. | | Optional |
 {% endif %}
-{% endif %}
 | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required |
 | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional |
 | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 927f5012dc..88780e48c3 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -1000,14 +1000,6 @@ resource "google_container_node_pool" "windows_pools" { } } - {% if beta_cluster %} - dynamic "sandbox_config" { - for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] - content { - sandbox_type = sandbox_config.value - } - } - dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), @@ -1021,6 +1013,14 @@ resource "google_container_node_pool" "windows_pools" { pod_pids_limit = lookup(each.value, "pod_pids_limit", null) } } + {% if beta_cluster %} + + dynamic "sandbox_config" { + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } + } {% endif %} {% if i == 0 %} diff --git a/cluster.tf b/cluster.tf index 07d93f26fd..ec7f020cc4 100644 --- a/cluster.tf +++ b/cluster.tf @@ -709,6 +709,19 @@ resource "google_container_node_pool" "pools" { } } + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(each.value), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] + )) != 0 ? [1] : [] + + content { + cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) + } + } dynamic "linux_node_config" { for_each = length(merge( 
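Review bot: In the `kubelet_config` block added to `google_container_node_pool.pools`, `cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")` means a pool that sets only `pod_pids_limit` or one of the `cpu_cfs_quota*` keys is also silently switched to the static CPU manager policy, which changes how exclusive CPUs are handed to Guaranteed pods and, as far as I know, is not what GKE applies when the field is left unset. If the provider version the module pins still requires `cpu_manager_policy` inside `kubelet_config` the fallback is unavoidable, but the side effect should then be stated next to the new README rows, e.g. `Setting any of the kubelet_config parameters also applies cpu_manager_policy to the pool (default "static") unless you set it explicitly.` The same fallback is repeated in the windows_pools resource and in the generated module copies, so the fix belongs in the autogen template.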
@@ -968,6 +981,19 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "kubelet_config" { + for_each = length(setintersection( + keys(each.value), + ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"] + )) != 0 ? [1] : [] + + content { + cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static") + cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null) + cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null) + pod_pids_limit = lookup(each.value, "pod_pids_limit", null) + } + } boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 5c823a11f8..55578df95b 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
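Review bot: The `kubelet_config` block added to `google_container_node_pool.windows_pools` carries the same `"static"` fallback for `cpu_manager_policy`, but the kubelet CPU manager is a Linux cgroup/cpuset feature and I do not believe the static policy is honoured on Windows nodes; a Windows pool that sets only `pod_pids_limit` would therefore request a policy the node cannot apply, and whether the GKE API rejects that or silently ignores it should be confirmed before the option is documented as GA for Windows pools. If Windows pools cannot use it, either drop the fallback for this resource, `cpu_manager_policy = lookup(each.value, "cpu_manager_policy", null)`, or note the restriction in the node_pools table. The block is generated from the autogen template, so the change should be made there.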
@@ -392,7 +392,7 @@ The node_pools variable takes the following parameters:
 | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with total limits. | 1 | Optional |
 | total_min_count | Total minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with per zone limits. | null | Optional |
 | name | The name of the node pool | | Required |
-| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional |
+| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | | Optional |
 | pod_range | The name of the secondary range for pod IPs. | | Optional |
 | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required |
 | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 2e79946dd3..fd3606e19f 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -876,13 +876,6 @@ resource "google_container_node_pool" "pools" { } } - dynamic "sandbox_config" { - for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] - content { - sandbox_type = sandbox_config.value - } - } - dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), @@ -897,6 +890,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "sandbox_config" { + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } + } + dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], @@ -1162,13 +1162,6 @@ resource "google_container_node_pool" "windows_pools" { } } - dynamic "sandbox_config" { - for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] - content { - sandbox_type = sandbox_config.value - } - } - dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), @@ -1183,6 +1176,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "sandbox_config" { + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } + } + boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index b56788608b..509e399a97 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -370,7 +370,7 @@ The node_pools variable takes the following parameters: | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with total limits. | 1 | Optional | | total_min_count | Total minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with per zone limits. | null | Optional | | name | The name of the node pool | | Required | -| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional | +| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | | Optional | | pod_range | The name of the secondary range for pod IPs. | | Optional | | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required | | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 9e25b40547..d93c6e7b5c 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -797,13 +797,6 @@ resource "google_container_node_pool" "pools" { } } - dynamic "sandbox_config" { - for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] - content { - sandbox_type = sandbox_config.value - } - } - dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), 
@@ -818,6 +811,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "sandbox_config" { + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } + } + dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], @@ -1082,13 +1082,6 @@ resource "google_container_node_pool" "windows_pools" { } } - dynamic "sandbox_config" { - for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] - content { - sandbox_type = sandbox_config.value - } - } - dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), @@ -1103,6 +1096,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "sandbox_config" { + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } + } + boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 666df46159..e3c7edb87e 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -379,7 +379,7 @@ The node_pools variable takes the following parameters: | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with total limits. | 1 | Optional | | total_min_count | Total minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with per zone limits. | null | Optional | | name | The name of the node pool | | Required | -| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional | +| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | | Optional | | pod_range | The name of the secondary range for pod IPs. | | Optional | | enable_private_nodes | Whether nodes have internal IP addresses only. | | Optional | | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index c0db8debc1..9d48543804 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -857,13 +857,6 @@ resource "google_container_node_pool" "pools" { } } - dynamic "sandbox_config" { - for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] - content { - sandbox_type = sandbox_config.value - } - } - dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), 
@@ -878,6 +871,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "sandbox_config" { + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } + } + dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], @@ -1143,13 +1143,6 @@ resource "google_container_node_pool" "windows_pools" { } } - dynamic "sandbox_config" { - for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] - content { - sandbox_type = sandbox_config.value - } - } - dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), @@ -1164,6 +1157,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "sandbox_config" { + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } + } + boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 7c23ef23de..be951c213d 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -357,7 +357,7 @@ The node_pools variable takes the following parameters: | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with total limits. | 1 | Optional | | total_min_count | Total minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with per zone limits. | null | Optional | | name | The name of the node pool | | Required | -| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | Optional | +| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | | Optional | | pod_range | The name of the secondary range for pod IPs. | | Optional | | enable_private_nodes | Whether nodes have internal IP addresses only. | | Optional | | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 13d35fac17..d57ef15329 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -778,13 +778,6 @@ resource "google_container_node_pool" "pools" { } } - dynamic "sandbox_config" { - for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] - content { - sandbox_type = sandbox_config.value - } - } - dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), 
@@ -799,6 +792,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "sandbox_config" { + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } + } + dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], @@ -1063,13 +1063,6 @@ resource "google_container_node_pool" "windows_pools" { } } - dynamic "sandbox_config" { - for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] - content { - sandbox_type = sandbox_config.value - } - } - dynamic "kubelet_config" { for_each = length(setintersection( keys(each.value), @@ -1084,6 +1077,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "sandbox_config" { + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] + content { + sandbox_type = sandbox_config.value + } + } + boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index cb64b72928..030e13b3c0 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -333,6 +333,10 @@ The node_pools variable takes the following parameters:
 | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional |
 | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional |
 | boot_disk_kms_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. | " " | Optional |
+| cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional |
+| cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
+| cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
+| pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
@@ -365,6 +369,8 @@ The node_pools variable takes the following parameters:
 | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with total limits. | 1 | Optional |
 | total_min_count | Total minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with per zone limits. | null | Optional |
 | name | The name of the node pool | | Required |
+| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | | Optional |
+| pod_range | The name of the secondary range for pod IPs. | | Optional |
 | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required |
 | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional |
 | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 4d0622639b..f980d096e5 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -807,6 +807,19 @@ resource "google_container_node_pool" "pools" {
 }
 }
+ dynamic "kubelet_config" {
+ for_each = length(setintersection(
+ keys(each.value),
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ )) != 0 ? [1] : []
+
+ content {
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ }
+ }
 dynamic "linux_node_config" {
 for_each = length(merge(
@@ -1067,6 +1080,19 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "kubelet_config" {
+ for_each = length(setintersection(
+ keys(each.value),
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ )) != 0 ? [1] : []
+
+ content {
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ }
+ }
 boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "")
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 419120b95f..c6ed02ec12 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
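Review bot: In the added `kubelet_config` block, `cpu_manager_policy` falls back to `"static"` as soon as the block is emitted, and the block is emitted whenever any of the four keys is present, so a pool that sets only `pod_pids_limit` or `cpu_cfs_quota` also has its CPU manager policy switched to static as a side effect. If the provider requires that attribute (presumably the reason for the fallback), the coupling belongs in the README row for the key, e.g. extend the `cpu_manager_policy` description with `Sent as "static" whenever any other kubelet_config key is set and this one is omitted.` The same block is repeated for `windows_pools` below and in both hunks of modules/private-cluster/cluster.tf; if it is generated from the autogen template, the wording and any fix belong there. Neither `google_container_node_pool` resource body is fully inside the hunk.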
@@ -311,6 +311,10 @@ The node_pools variable takes the following parameters:
 | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional |
 | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional |
 | boot_disk_kms_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. | " " | Optional |
+| cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional |
+| cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
+| cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
+| pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
@@ -343,6 +347,8 @@ The node_pools variable takes the following parameters:
 | min_count | Minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with total limits. | 1 | Optional |
 | total_min_count | Total minimum number of nodes in the NodePool. Must be >=0 and <= max_count. Should be used when autoscaling is true. Cannot be used with per zone limits. | null | Optional |
 | name | The name of the node pool | | Required |
+| placement_policy | Placement type to set for nodes in a node pool. Can be set as [COMPACT](https://cloud.google.com/kubernetes-engine/docs/how-to/compact-placement#overview) if desired | | Optional |
+| pod_range | The name of the secondary range for pod IPs. | | Optional |
 | node_count | The number of nodes in the nodepool when autoscaling is false. Otherwise defaults to 1. Only valid for non-autoscaling clusters | | Required |
 | node_locations | The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. Defaults to cluster level node locations if nothing is specified | " " | Optional |
 | node_metadata | Options to expose the node metadata to the workload running on the node | | Optional |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 4f3296f4db..f15e1b02ba 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -728,6 +728,19 @@ resource "google_container_node_pool" "pools" {
 }
 }
+ dynamic "kubelet_config" {
+ for_each = length(setintersection(
+ keys(each.value),
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ )) != 0 ? [1] : []
+
+ content {
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ }
+ }
 dynamic "linux_node_config" {
 for_each = length(merge(
@@ -987,6 +1000,19 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
+ dynamic "kubelet_config" {
+ for_each = length(setintersection(
+ keys(each.value),
+ ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
+ )) != 0 ? [1] : []
+
+ content {
+ cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
+ cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
+ cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+ pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
+ }
+ }
 boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "")
From b54b7ba89b47df5692d17ed41a898f4bffbcd5b5 Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik
Date: Fri, 19 Jul 2024 13:19:35 -0400
Subject: [PATCH 106/176] feat: add support for additive_vpc_scope_dns_domain (#1998)
Co-authored-by: Andrew Peabody
---
 autogen/main/cluster.tf.tmpl | 9 ++++++---
 autogen/main/variables.tf.tmpl | 7 +++++++
 modules/beta-private-cluster-update-variant/README.md | 1 +
 modules/beta-private-cluster-update-variant/cluster.tf | 7 ++++---
 modules/beta-private-cluster-update-variant/variables.tf | 5 +++++
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/cluster.tf | 7 ++++---
 modules/beta-private-cluster/variables.tf | 5 +++++
 modules/beta-public-cluster-update-variant/README.md | 1 +
 modules/beta-public-cluster-update-variant/cluster.tf | 7 ++++---
 modules/beta-public-cluster-update-variant/variables.tf | 5 +++++
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/cluster.tf | 7 ++++---
 modules/beta-public-cluster/variables.tf | 5 +++++
 14 files changed, 53 insertions(+), 15 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 88780e48c3..40fdfd8bc4 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -466,9 +466,12 @@ resource "google_container_cluster" "primary" {
 dynamic "dns_config" {
 for_each = var.cluster_dns_provider == "CLOUD_DNS" ? [1] : []
 content {
- cluster_dns = var.cluster_dns_provider
- cluster_dns_scope = var.cluster_dns_scope
- cluster_dns_domain = var.cluster_dns_domain
+ {% if beta_cluster %}
+ additive_vpc_scope_dns_domain = var.additive_vpc_scope_dns_domain
+ {% endif %}
+ cluster_dns = var.cluster_dns_provider
+ cluster_dns_scope = var.cluster_dns_scope
+ cluster_dns_domain = var.cluster_dns_domain
 }
 }
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index a9da55d219..97f70d29d8 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
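Review bot: `additive_vpc_scope_dns_domain` is now sent to the API whenever `var.cluster_dns_provider == "CLOUD_DNS"`, but the new variable's own description says it only works together with `cluster_dns_scope = CLUSTER_SCOPE`, and nothing in the `dns_config` block checks that combination; a non-empty domain with any other scope is left for the API to reject at apply time rather than being caught at plan time. A `lifecycle { precondition { ... } }` on `google_container_cluster.primary` (whose body starts outside the hunk) with the condition `var.additive_vpc_scope_dns_domain == "" || var.cluster_dns_scope == "CLUSTER_SCOPE"` and a matching `error_message` would surface the mismatch before anything is created. The four beta-module cluster.tf hunks later in this patch are generated copies of this template block and inherit whatever is decided here.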
@@ -741,6 +741,13 @@ variable "cluster_dns_domain" {
 default = ""
 }
+{% if beta_cluster %}
+variable "additive_vpc_scope_dns_domain" {
+ type = string
+ description = "(Beta) This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well."
+ default = ""
+}
+{% endif %}
 variable "gce_pd_csi_driver" {
 type = bool
 description = "Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 55578df95b..0c57bd6510 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
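Review bot: The new description tells users to set `cluster_dns = CLOUD_DNS`, but `cluster_dns` is the provider attribute; the module input that actually gates `dns_config` is `cluster_dns_provider` (see the `for_each` in the cluster.tf.tmpl hunk above), so the sentence names an input that cannot be set on this module. Suggested wording for the description: "For this to work cluster_dns_provider = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well." The same text is repeated in the generated variables.tf and README.md of the four beta modules in this patch and would follow from regenerating them.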
@@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| additive\_vpc\_scope\_dns\_domain | (Beta) This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
 | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index fd3606e19f..68dd47ddb2 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -395,9 +395,10 @@ resource "google_container_cluster" "primary" {
 dynamic "dns_config" {
 for_each = var.cluster_dns_provider == "CLOUD_DNS" ? [1] : []
 content {
- cluster_dns = var.cluster_dns_provider
- cluster_dns_scope = var.cluster_dns_scope
- cluster_dns_domain = var.cluster_dns_domain
+ additive_vpc_scope_dns_domain = var.additive_vpc_scope_dns_domain
+ cluster_dns = var.cluster_dns_provider
+ cluster_dns_scope = var.cluster_dns_scope
+ cluster_dns_domain = var.cluster_dns_domain
 }
 }
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 62717aff0d..4881ff8ea3 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -710,6 +710,11 @@ variable "cluster_dns_domain" {
 default = ""
 }
+variable "additive_vpc_scope_dns_domain" {
+ type = string
+ description = "(Beta) This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well."
+ default = ""
+}
 variable "gce_pd_csi_driver" {
 type = bool
 description = "Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 509e399a97..73f0c2c699 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -151,6 +151,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| additive\_vpc\_scope\_dns\_domain | (Beta) This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
 | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index d93c6e7b5c..7fc6d951a0 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -395,9 +395,10 @@ resource "google_container_cluster" "primary" {
 dynamic "dns_config" {
 for_each = var.cluster_dns_provider == "CLOUD_DNS" ? [1] : []
 content {
- cluster_dns = var.cluster_dns_provider
- cluster_dns_scope = var.cluster_dns_scope
- cluster_dns_domain = var.cluster_dns_domain
+ additive_vpc_scope_dns_domain = var.additive_vpc_scope_dns_domain
+ cluster_dns = var.cluster_dns_provider
+ cluster_dns_scope = var.cluster_dns_scope
+ cluster_dns_domain = var.cluster_dns_domain
 }
 }
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 62717aff0d..4881ff8ea3 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -710,6 +710,11 @@ variable "cluster_dns_domain" {
 default = ""
 }
+variable "additive_vpc_scope_dns_domain" {
+ type = string
+ description = "(Beta) This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well."
+ default = ""
+}
 variable "gce_pd_csi_driver" {
 type = bool
 description = "Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index e3c7edb87e..1c5b226316 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -167,6 +167,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| additive\_vpc\_scope\_dns\_domain | (Beta) This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
 | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 9d48543804..b5ebb43cae 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -395,9 +395,10 @@ resource "google_container_cluster" "primary" {
 dynamic "dns_config" {
 for_each = var.cluster_dns_provider == "CLOUD_DNS" ? [1] : []
 content {
- cluster_dns = var.cluster_dns_provider
- cluster_dns_scope = var.cluster_dns_scope
- cluster_dns_domain = var.cluster_dns_domain
+ additive_vpc_scope_dns_domain = var.additive_vpc_scope_dns_domain
+ cluster_dns = var.cluster_dns_provider
+ cluster_dns_scope = var.cluster_dns_scope
+ cluster_dns_domain = var.cluster_dns_domain
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 71c4561b65..7d3a2924e3 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -680,6 +680,11 @@ variable "cluster_dns_domain" {
 default = ""
 }
+variable "additive_vpc_scope_dns_domain" {
+ type = string
+ description = "(Beta) This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well."
+ default = ""
+}
 variable "gce_pd_csi_driver" {
 type = bool
 description = "Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index be951c213d..3daac41037 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -145,6 +145,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| additive\_vpc\_scope\_dns\_domain | (Beta) This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster\_dns = `CLOUD_DNS` and cluster\_dns\_scope = `CLUSTER_SCOPE` must both be set as well. | `string` | `""` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
 | cloudrun | (Beta) Enable CloudRun addon | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index d57ef15329..c543d08410 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -395,9 +395,10 @@ resource "google_container_cluster" "primary" {
 dynamic "dns_config" {
 for_each = var.cluster_dns_provider == "CLOUD_DNS" ? [1] : []
 content {
- cluster_dns = var.cluster_dns_provider
- cluster_dns_scope = var.cluster_dns_scope
- cluster_dns_domain = var.cluster_dns_domain
+ additive_vpc_scope_dns_domain = var.additive_vpc_scope_dns_domain
+ cluster_dns = var.cluster_dns_provider
+ cluster_dns_scope = var.cluster_dns_scope
+ cluster_dns_domain = var.cluster_dns_domain
 }
 }
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 71c4561b65..7d3a2924e3 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -680,6 +680,11 @@ variable "cluster_dns_domain" {
 default = ""
 }
+variable "additive_vpc_scope_dns_domain" {
+ type = string
+ description = "(Beta) This will enable Cloud DNS additive VPC scope. Must provide a domain name that is unique within the VPC. For this to work cluster_dns = `CLOUD_DNS` and cluster_dns_scope = `CLUSTER_SCOPE` must both be set as well."
+ default = ""
+}
 variable "gce_pd_csi_driver" {
 type = bool
 description = "Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver."
From 2834461a0ed05d37cd4ae0396f50d83545a1273a Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 19 Jul 2024 18:32:16 +0000
Subject: [PATCH 107/176] chore(deps): Update module github.com/gruntwork-io/terratest to v0.47.0 (#2000)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 test/integration/go.mod | 2 +-
 test/integration/go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/integration/go.mod b/test/integration/go.mod
index 4224097241..1aea1894ab 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -6,7 +6,7 @@ toolchain go1.22.5
 require (
 github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.0
- github.com/gruntwork-io/terratest v0.46.16
+ github.com/gruntwork-io/terratest v0.47.0
 github.com/stretchr/testify v1.9.0
 github.com/tidwall/gjson v1.17.1
 )
diff --git a/test/integration/go.sum b/test/integration/go.sum
index 66a92cb291..de2010ae10 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -378,8 +378,8 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0=
 github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk=
-github.com/gruntwork-io/terratest v0.46.16 h1:l+HHuU7lNLwoAl2sP8zkYJy0uoE2Mwha2nw+rim+OhQ=
-github.com/gruntwork-io/terratest v0.46.16/go.mod h1:oywHw1cFKXSYvKPm27U7quZVzDUlA22H2xUrKCe26xM=
+github.com/gruntwork-io/terratest v0.47.0 h1:xIy1pT7NbGVlMLDZEHl3+3iSnvffh8tN2pL6idn448c=
+github.com/gruntwork-io/terratest v0.47.0/go.mod h1:oywHw1cFKXSYvKPm27U7quZVzDUlA22H2xUrKCe26xM=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
From e0fd03ac22212f2c1895f2651e263f36409937c4 Mon Sep 17 00:00:00 2001
From: Hossein Golestani
Date: Fri, 19 Jul 2024 14:39:40 -0700
Subject: [PATCH 108/176] feat: Fleet app operator permissions (#1986)
Co-authored-by: Andrew Peabody
---
 build/int.cloudbuild.yaml | 20 ++++
 .../README.md | 26 +++++
 .../main.tf | 50 ++++++++++
 .../outputs.tf | 26 +++++
 .../variables.tf | 21 ++++
 .../versions.tf | 31 ++++++
 .../fleet-app-operator-permissions/README.md | 44 +++++++++
 .../fleet-app-operator-permissions/main.tf | 97 +++++++++++++++++++
 .../fleet-app-operator-permissions/outputs.tf | 28 ++++++
 .../variables.tf | 45 +++++++++
 .../versions.tf | 39 ++++++++
 .../main.tf | 26 +++++
 .../outputs.tf | 20 ++++
 .../variables.tf | 21 ++++
 ...ple_fleet_app_operator_permissions_test.go | 61 ++++++++++++
 test/setup/iam.tf | 8 ++
 test/setup/main.tf | 16 +++
 test/setup/outputs.tf | 2 +-
 18 files changed, 580 insertions(+), 1 deletion(-)
 create mode 100644 examples/simple_fleet_app_operator_permissions/README.md
 create mode 100644 examples/simple_fleet_app_operator_permissions/main.tf
 create mode 100644 examples/simple_fleet_app_operator_permissions/outputs.tf
 create mode 100644 examples/simple_fleet_app_operator_permissions/variables.tf
 create mode 100644 examples/simple_fleet_app_operator_permissions/versions.tf
 create mode 100644 modules/fleet-app-operator-permissions/README.md
 create mode 100644 modules/fleet-app-operator-permissions/main.tf
 create mode 100644 modules/fleet-app-operator-permissions/outputs.tf
 create mode 100644 modules/fleet-app-operator-permissions/variables.tf
 create mode 100644 modules/fleet-app-operator-permissions/versions.tf
 create mode 100644 test/fixtures/simple_fleet_app_operator_permissions/main.tf
 create mode 100644 test/fixtures/simple_fleet_app_operator_permissions/outputs.tf
 create mode 100644 test/fixtures/simple_fleet_app_operator_permissions/variables.tf
 create mode 100644 test/integration/simple_fleet_app_operator_permissions/simple_fleet_app_operator_permissions_test.go
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 13306c87b8..47ece2199e 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -535,6 +535,26 @@ steps:
 - verify simple-autopilot-private-non-default-sa
 name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
 args: ['/bin/bash', '-c', 'cft test run TestSimpleAutopilotPrivateNonDefaultSA --stage teardown --verbose']
+- id: init simple-fleet-app-operator-permissions
+ waitFor:
+ - create-all
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage init --verbose']
+- id: apply simple-fleet-app-operator-permissions
+ waitFor:
+ - init simple-fleet-app-operator-permissions
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage apply --verbose']
+- id: verify simple-fleet-app-operator-permissions
+ waitFor:
+ - apply simple-fleet-app-operator-permissions
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage verify --verbose']
+- id: teardown simple-fleet-app-operator-permissions
+ waitFor:
+ - verify simple-fleet-app-operator-permissions
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestSimpleFleetAppOperatorPermissions --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'
diff --git a/examples/simple_fleet_app_operator_permissions/README.md b/examples/simple_fleet_app_operator_permissions/README.md
new file mode 100644
index 0000000000..6de1c4e59d
--- /dev/null
+++ b/examples/simple_fleet_app_operator_permissions/README.md
@@ -0,0 +1,26 @@
+# Simple App Operator Permissions Setup for a Fleet Scope
+
+This example illustrates how to create a Fleet Scope for a [team](https://cloud.google.com/kubernetes-engine/fleet-management/docs/team-management) and set up permissions for an app operator in the team.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| fleet\_project\_id | The project to which the Fleet belongs. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| fleet\_project\_id | The project to which the Fleet belongs. |
+| wait | An output (Fleet Scope RBAC Role Binding IDs) to use when you want to depend on granting permissions finishing. |
+
+
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
+
diff --git a/examples/simple_fleet_app_operator_permissions/main.tf b/examples/simple_fleet_app_operator_permissions/main.tf
new file mode 100644
index 0000000000..e905f8bc2e
--- /dev/null
+++ b/examples/simple_fleet_app_operator_permissions/main.tf
@@ -0,0 +1,50 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ app_operator_id = "app-operator-id"
+ app_operator_team = "app-operator-team"
+ app_operator_role = "VIEW"
+}
+
+# Create a Service Account, which can be used as an app operator.
+resource "google_service_account" "service_account" {
+ project = var.fleet_project_id
+ account_id = local.app_operator_id
+ display_name = "Test App Operator Service Account"
+}
+
+# Create a Fleet Scope for the app operator's team.
+resource "google_gke_hub_scope" "scope" {
+ project = var.fleet_project_id
+ scope_id = local.app_operator_team
+}
+
+# Grant permissions to the app operator to work with the Fleet Scope.
+module "permissions" {
+ source = "../../modules/fleet-app-operator-permissions"
+
+ fleet_project_id = var.fleet_project_id
+ scope_id = google_gke_hub_scope.scope.scope_id
+ users = ["${local.app_operator_id}@${var.fleet_project_id}.iam.gserviceaccount.com"]
+ groups = []
+ role = local.app_operator_role
+
+ depends_on = [
+ google_service_account.service_account
+ ]
+}
+
diff --git a/examples/simple_fleet_app_operator_permissions/outputs.tf b/examples/simple_fleet_app_operator_permissions/outputs.tf
new file mode 100644
index 0000000000..d0e55d96eb
--- /dev/null
+++ b/examples/simple_fleet_app_operator_permissions/outputs.tf
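Review bot: `users` rebuilds the service account's e-mail by hand from `local.app_operator_id` and `var.fleet_project_id` instead of reading it from the resource, which is also why the explicit `depends_on` is needed; `users = [google_service_account.service_account.email]` yields the same address, creates the dependency implicitly, and lets the `depends_on` block be dropped. Separately, `account_id` is pinned to `"app-operator-id"`, so two instances of the example cannot coexist in one project; exposing it as an input variable would avoid the collision, though for an example this is an observation rather than a blocker.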
@@ -0,0 +1,26 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "fleet_project_id" { + description = "The project to which the Fleet belongs." + value = var.fleet_project_id +} + +output "wait" { + description = "An output (Fleet Scope RBAC Role Binding IDs) to use when you want to depend on granting permissions finishing." + value = module.permissions.wait +} + diff --git a/examples/simple_fleet_app_operator_permissions/variables.tf b/examples/simple_fleet_app_operator_permissions/variables.tf new file mode 100644 index 0000000000..93185b8300 --- /dev/null +++ b/examples/simple_fleet_app_operator_permissions/variables.tf @@ -0,0 +1,21 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "fleet_project_id" { + description = "The project to which the Fleet belongs." + type = string +} + 
diff --git a/examples/simple_fleet_app_operator_permissions/versions.tf b/examples/simple_fleet_app_operator_permissions/versions.tf new file mode 100644 index 0000000000..fe82a4e387 --- /dev/null +++ b/examples/simple_fleet_app_operator_permissions/versions.tf @@ -0,0 +1,31 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.2.0" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.81.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 4.81.0" + } + } +} + diff --git a/modules/fleet-app-operator-permissions/README.md b/modules/fleet-app-operator-permissions/README.md new file mode 100644 index 0000000000..085fcb4c9c --- /dev/null +++ b/modules/fleet-app-operator-permissions/README.md 
@@ -0,0 +1,44 @@ +# Terrafrom Module for Fleet App Operator Permissions + +This module bundles different permissions (IAM and RBAC Role Bindings) required for [Fleet team management](https://cloud.google.com/kubernetes-engine/fleet-management/docs/team-management). A platform admin can use this module to set up permissions for an app operator (user or group) in a team--including usage of Fleet Scopes, Connect Gateway, logging, and metrics--based on predefined roles (VIEW, EDIT, ADMIN). + +## Usage +```tf +Example: +module "fleet_app_operator_permissions" { + source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-app-operator-permissions" + + fleet_project_id = "my-project-id" + scope_id = "frontend-team" + users = ["person1@company.com", "person2@company.com"] + groups = ["people@company.com"] + role = "EDIT" +} +``` + +To deploy this config, run: +- `terraform init` to get the plugins +- `terraform plan` to see the infrastructure plan +- `terraform apply` to apply the infrastructure build +- `terraform destroy` to destroy the built infrastructure + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| fleet\_project\_id | The project to which the Fleet belongs. | `string` | n/a | yes | +| groups | The list of app operator group principals, e.g., `people@google.com`, `principalSet://iam.googleapis.com/locations/global/workforcePools/my-pool/group/people`. | `list(string)` | n/a | yes | +| role | The principals role for the Fleet Scope (`VIEW`/`EDIT`/`ADMIN`). | `string` | n/a | yes | +| scope\_id | The scope for which IAM and RBAC role bindings are created. | `string` | n/a | yes | +| users | The list of app operator user principals, e.g., `person@google.com`, `principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/person`, `serviceAccount:my-service-account@my-project.iam.gserviceaccount.com`. 
| `list(string)` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| fleet\_project\_id | The project to which the Fleet belongs. | +| wait | An output to use when you want to depend on Scope RBAC Role Binding creation finishing. | + + diff --git a/modules/fleet-app-operator-permissions/main.tf b/modules/fleet-app-operator-permissions/main.tf new file mode 100644 index 0000000000..81fc13a96c --- /dev/null +++ b/modules/fleet-app-operator-permissions/main.tf 
@@ -0,0 +1,97 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ user_principals = [for name in var.users : (
+ startswith(name, "principal://") ? name : (
+ endswith(name, "gserviceaccount.com") ? "serviceAccount:${name}" : (
+ "user:${name}"
+ )))]
+
+ group_principals = [for name in var.groups : (
+ startswith(name, "principalSet://") ? name : (
+ "group:${name}"
+ ))]
+
+ project_level_scope_role = {
+ "VIEW" = "roles/gkehub.scopeViewerProjectLevel"
+ "EDIT" = "roles/gkehub.scopeEditorProjectLevel"
+ "ADMIN" = "roles/gkehub.scopeEditorProjectLevel" # Same as EDIT
+ }
+
+ resource_level_scope_role = {
+ "VIEW" = "roles/gkehub.scopeViewer"
+ "EDIT" = "roles/gkehub.scopeEditor"
+ "ADMIN" = "roles/gkehub.scopeAdmin"
+ }
+}
+
+resource "google_project_iam_binding" "log_view_permissions" {
+ project = var.fleet_project_id
+ role = "roles/logging.viewAccessor"
+ members = concat(local.user_principals, local.group_principals)
+ condition {
+ title = "conditional log view access"
+ description = "log view access for scope ${var.scope_id}"
+ expression = "resource.name == \"projects/${var.fleet_project_id}/locations/global/buckets/fleet-o11y-scope-${var.scope_id}/views/fleet-o11y-scope-${var.scope_id}-k8s_container\" || resource.name == \"projects/${var.fleet_project_id}/locations/global/buckets/fleet-o11y-scope-${var.scope_id}/views/fleet-o11y-scope-${var.scope_id}-k8s_pod\""
+ }
+}
+
+resource 
"google_project_iam_binding" "project_level_scope_permissions" {
+ project = var.fleet_project_id
+ role = local.project_level_scope_role[var.role]
+ members = concat(local.user_principals, local.group_principals)
+}
+
+resource "google_gke_hub_scope_iam_binding" "resource_level_scope_permissions" {
+ project = var.fleet_project_id
+ scope_id = var.scope_id
+ role = local.resource_level_scope_role[var.role]
+ members = concat(local.user_principals, local.group_principals)
+}
+
+resource "random_id" "user_rand_suffix" {
+ for_each = toset(var.users)
+ byte_length = 4
+}
+
+resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_user_role_bindings" {
+ for_each = toset(var.users)
+ project = var.fleet_project_id
+ scope_rbac_role_binding_id = "tf-${substr(join("", regexall("[a-z0-9]+", each.key)), 0, 16)}-${random_id.user_rand_suffix[each.key].hex}"
+ scope_id = var.scope_id
+ user = each.key
+ role {
+ predefined_role = var.role
+ }
+}
+
+resource "random_id" "group_rand_suffix" {
+ for_each = toset(var.groups)
+ byte_length = 4
+}
+
+resource "google_gke_hub_scope_rbac_role_binding" "scope_rbac_group_role_bindings" {
+ for_each = toset(var.groups)
+ project = var.fleet_project_id
+ scope_rbac_role_binding_id = "tf-${substr(join("", regexall("[a-z0-9]+", each.key)), 0, 16)}-${random_id.group_rand_suffix[each.key].hex}"
+ scope_id = var.scope_id
+ group = each.key
+ role {
+ predefined_role = var.role
+ }
+}
+
diff --git a/modules/fleet-app-operator-permissions/outputs.tf b/modules/fleet-app-operator-permissions/outputs.tf
new file mode 100644
index 0000000000..8b4fbfa5fd
--- /dev/null
+++ b/modules/fleet-app-operator-permissions/outputs.tf
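Review bot: `project_level_scope_permissions` is a `google_project_iam_binding` with no condition, which is authoritative for the whole role on the project: a second instance of this module for another team with the same `role` replaces this instance's members on `roles/gkehub.scopeViewerProjectLevel`/`scopeEditorProjectLevel`, and any member granted that role outside Terraform is removed on the next apply. Since the module is designed to be applied once per scope, the non-authoritative `google_project_iam_member` with `for_each` over the combined principals fits better; `log_view_permissions` and `resource_level_scope_permissions` are narrowed by condition and by scope respectively, but they still drop out-of-band members of their role in the same way. Separately, `local.user_principals` prefixes every name ending in `gserviceaccount.com` with `serviceAccount:`, so the `serviceAccount:…` form that the `users` description in variables.tf documents as accepted becomes `serviceAccount:serviceAccount:…`, and that prefixed value is also passed unchanged as `user` to `scope_rbac_user_role_bindings`; either normalise with `trimprefix(name, "serviceAccount:")` before the check or document the bare email as the only accepted form.
```hcl
# … unchanged: locals and log_view_permissions …
resource "google_project_iam_member" "project_level_scope_permissions" {
  for_each = toset(concat(local.user_principals, local.group_principals))
  project  = var.fleet_project_id
  role     = local.project_level_scope_role[var.role]
  member   = each.value
}
# … unchanged: resource_level_scope_permissions, random_id suffixes and RBAC role bindings …
```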
@@ -0,0 +1,28 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "fleet_project_id" { + description = "The project to which the Fleet belongs." + value = var.fleet_project_id +} + +output "wait" { + description = "An output to use when you want to depend on Scope RBAC Role Binding creation finishing." + value = { + for k, v in merge(google_gke_hub_scope_rbac_role_binding.scope_rbac_user_role_bindings, google_gke_hub_scope_rbac_role_binding.scope_rbac_group_role_bindings) : k => v.scope_rbac_role_binding_id + } +} + diff --git a/modules/fleet-app-operator-permissions/variables.tf b/modules/fleet-app-operator-permissions/variables.tf new file mode 100644 index 0000000000..88f27d376f --- /dev/null +++ b/modules/fleet-app-operator-permissions/variables.tf 
@@ -0,0 +1,45 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "fleet_project_id" { + description = "The project to which the Fleet belongs." + type = string +} + +variable "scope_id" { + description = "The scope for which IAM and RBAC role bindings are created." + type = string +} + +variable "users" { + description = "The list of app operator user principals, e.g., `person@google.com`, `principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/person`, `serviceAccount:my-service-account@my-project.iam.gserviceaccount.com`." + type = list(string) +} + +variable "groups" { + description = "The list of app operator group principals, e.g., `people@google.com`, `principalSet://iam.googleapis.com/locations/global/workforcePools/my-pool/group/people`." + type = list(string) +} + +variable "role" { + description = "The principals role for the Fleet Scope (`VIEW`/`EDIT`/`ADMIN`)." + type = string + validation { + condition = contains(["VIEW", "EDIT", "ADMIN"], var.role) + error_message = "Allowed values for role are VIEW, EDIT, or ADMIN." + } +} + diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf new file mode 100644 index 0000000000..8903345713 --- /dev/null +++ b/modules/fleet-app-operator-permissions/versions.tf 
@@ -0,0 +1,39 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.2.0" + + required_providers { + google = { + source = "hashicorp/google" + version = ">= 4.81.0" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 4.81.0" + } + random = { + source = "hashicorp/random" + version = ">= 2.0.0" + } + } + + provider_meta "google" { + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v30.1.0" + } +} + diff --git a/test/fixtures/simple_fleet_app_operator_permissions/main.tf b/test/fixtures/simple_fleet_app_operator_permissions/main.tf new file mode 100644 index 0000000000..e0f036feea --- /dev/null +++ b/test/fixtures/simple_fleet_app_operator_permissions/main.tf 
@@ -0,0 +1,26 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +locals { + project_id = var.project_ids[3] # gke-project-fleet +} + +module "example" { + source = "../../../examples/simple_fleet_app_operator_permissions" + + fleet_project_id = local.project_id +} + diff --git a/test/fixtures/simple_fleet_app_operator_permissions/outputs.tf b/test/fixtures/simple_fleet_app_operator_permissions/outputs.tf new file mode 100644 index 0000000000..eb65499ec3 --- /dev/null +++ b/test/fixtures/simple_fleet_app_operator_permissions/outputs.tf @@ -0,0 +1,20 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "project_id" { + value = local.project_id +} + diff --git a/test/fixtures/simple_fleet_app_operator_permissions/variables.tf b/test/fixtures/simple_fleet_app_operator_permissions/variables.tf new file mode 100644 index 0000000000..27b7df966e --- /dev/null 
+++ b/test/fixtures/simple_fleet_app_operator_permissions/variables.tf @@ -0,0 +1,21 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_ids" { + type = list(string) + description = "The GCP projects to use for integration tests" +} + diff --git a/test/integration/simple_fleet_app_operator_permissions/simple_fleet_app_operator_permissions_test.go b/test/integration/simple_fleet_app_operator_permissions/simple_fleet_app_operator_permissions_test.go new file mode 100644 index 0000000000..23d9b46ec7 --- /dev/null +++ b/test/integration/simple_fleet_app_operator_permissions/simple_fleet_app_operator_permissions_test.go 
@@ -0,0 +1,61 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package simple_fleet_app_operator_permissions
+
+import (
+ "fmt"
+ "strings"
+ "testing"
+ "time"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/stretchr/testify/assert"
+ "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils"
+ )
+
+func TestSimpleFleetAppOperatorPermissions(t *testing.T) {
+ appOppT := tft.NewTFBlueprintTest(t,
+ tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute),
+ )
+ appOppT.DefineVerify(func(assert *assert.Assertions) {
+ projectId := appOppT.GetStringOutput("project_id")
+ scopeId := "app-operator-team"
+ appOperatorEmail := fmt.Sprintf("app-operator-id@%s.iam.gserviceaccount.com", projectId)
+ appOperatorPrincipal := fmt.Sprintf("serviceAccount:%s", appOperatorEmail)
+ scopeLevelRole := "roles/gkehub.scopeViewer"
+ projectLevelRole := "roles/gkehub.scopeViewerProjectLevel"
+ logViewRole := "roles/logging.viewAccessor"
+ logViewContainerBucket := fmt.Sprintf("projects/%s/locations/global/buckets/fleet-o11y-scope-%s/views/fleet-o11y-scope-%s-k8s_container", projectId, scopeId, scopeId)
+ logViewPodBucket := fmt.Sprintf("projects/%s/locations/global/buckets/fleet-o11y-scope-%s/views/fleet-o11y-scope-%s-k8s_pod", 
projectId, scopeId, scopeId)
+
+ scopeRrbList := gcloud.Runf(t, "container fleet scopes rbacrolebindings list --scope %s --project %s", scopeId, projectId).String()
+ assert.Equal(strings.Contains(scopeRrbList, appOperatorEmail), true, "app operator email should be in the list of Scope RBAC Role Bindings")
+
+ scopeIam := gcloud.Runf(t, "container fleet scopes get-iam-policy %s --project %s", scopeId, projectId).String()
+ assert.Equal(strings.Contains(scopeIam, appOperatorPrincipal), true, "app operator principal should be in the Scope IAM policy")
+ assert.Equal(strings.Contains(scopeIam, scopeLevelRole), true, "app operator Scope role should be in the Scope IAM policy")
+
+ projectIam := gcloud.Runf(t, "projects get-iam-policy %s", projectId).String()
+ assert.Equal(strings.Contains(projectIam, appOperatorPrincipal), true, "app operator principal should be in the project IAM policy")
+ assert.Equal(strings.Contains(projectIam, projectLevelRole), true, "app operator Scope role should be in the project IAM policy")
+ assert.Equal(strings.Contains(projectIam, logViewRole), true, "app operator log view role should be in the project IAM policy")
+ assert.Equal(strings.Contains(projectIam, logViewContainerBucket), true, "app operator log view container bucket should be in the project IAM policy")
+ assert.Equal(strings.Contains(projectIam, logViewPodBucket), true, "app operator log view pod bucket should be in the project IAM policy")
+ })
+
+ appOppT.Test()
+}
+
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 45c4268327..fe97685dd8 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
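Review bot: The IAM assertions check the principal and the role as independent substrings of the whole policy text, so a policy in which `appOperatorPrincipal` sits under some other role while `projectLevelRole` is held by a different member still passes; for a permissions module that is exactly the case the test should catch. Since `gcloud.Runf` returns a `gjson.Result` before `.String()` is applied, the bindings can be queried per role and the member asserted inside that role's member list, and the same applies to the `scopeIam` checks. As a style point, `assert.Equal(strings.Contains(x, y), true, msg)` is spelled `assert.Contains(x, y, msg)` in testify, which also prints the haystack on failure.
```go
// … unchanged: Scope RBAC role binding list check …
projectIam := gcloud.Runf(t, "projects get-iam-policy %s", projectId)
projectLevelMembers := projectIam.Get(fmt.Sprintf(`bindings.#(role=="%s").members`, projectLevelRole)).String()
assert.Contains(projectLevelMembers, appOperatorPrincipal, "app operator principal should hold the project-level Scope role")
logViewMembers := projectIam.Get(fmt.Sprintf(`bindings.#(role=="%s").members`, logViewRole)).String()
assert.Contains(logViewMembers, appOperatorPrincipal, "app operator principal should hold the log view role")
// … unchanged: log view bucket checks against projectIam.String() …
```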
@@ -104,6 +104,14 @@ resource "google_project_iam_member" "int_test_asm" { member = "serviceAccount:${google_service_account.int_test.email}" } +resource "google_project_iam_member" "int_test_fleet" { + for_each = toset(local.int_required_roles) + + project = module.gke-project-fleet.project_id + role = each.value + member = "serviceAccount:${google_service_account.int_test.email}" +} + resource "google_service_account_key" "int_test" { service_account_id = google_service_account.int_test.id } diff --git a/test/setup/main.tf b/test/setup/main.tf index f0b3e278a6..fb10513a64 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -103,3 +103,19 @@ module "gke-project-asm" { activate_apis = local.apis } + +module "gke-project-fleet" { + source = "terraform-google-modules/project-factory/google" + version = "~> 15.0" + + name = "ci-gke-fleet-${random_id.random_project_id_suffix.hex}" + random_project_id = true + org_id = var.org_id + folder_id = var.folder_id + billing_account = var.billing_account + # due to https://github.com/hashicorp/terraform-provider-google/issues/9505 for AP + default_service_account = "keep" + + activate_apis = local.apis +} + diff --git a/test/setup/outputs.tf b/test/setup/outputs.tf index b14d5daac6..54c01df2e7 100644 --- a/test/setup/outputs.tf +++ b/test/setup/outputs.tf @@ -15,7 +15,7 @@ */ output "project_ids" { - value = [module.gke-project-1.project_id, module.gke-project-2.project_id, module.gke-project-asm.project_id] + value = [module.gke-project-1.project_id, module.gke-project-2.project_id, module.gke-project-asm.project_id, module.gke-project-fleet.project_id] } output "sa_key" { From 270a5c7380dd9fe9c41779143ddbfd5bf32c8fff Mon Sep 17 00:00:00 2001 
From: Ilia Lazebnik Date: Mon, 22 Jul 2024 15:02:49 -0400 Subject: [PATCH 109/176] feat: add support for confidential storage + docs fixes (#2003) --- README.md | 10 +++++---- autogen/main/README.md | 5 ++--- autogen/main/cluster.tf.tmpl | 15 ++++++++----- autogen/main/variables.tf.tmpl | 12 +++++----- cluster.tf | 21 ++++++++++-------- .../beta-autopilot-private-cluster/README.md | 8 +++---- .../variables.tf | 8 +++---- .../beta-autopilot-public-cluster/README.md | 8 +++---- .../variables.tf | 8 +++---- .../README.md | 15 +++++++------ .../cluster.tf | 22 +++++++++++-------- .../variables.tf | 12 +++++----- modules/beta-private-cluster/README.md | 15 +++++++------ modules/beta-private-cluster/cluster.tf | 21 ++++++++++-------- modules/beta-private-cluster/variables.tf | 12 +++++----- .../README.md | 15 +++++++------ .../cluster.tf | 22 +++++++++++-------- .../variables.tf | 12 +++++----- modules/beta-public-cluster/README.md | 15 +++++++------ modules/beta-public-cluster/cluster.tf | 21 ++++++++++-------- modules/beta-public-cluster/variables.tf | 12 +++++----- .../private-cluster-update-variant/README.md | 10 +++++---- .../private-cluster-update-variant/cluster.tf | 22 +++++++++++-------- .../variables.tf | 8 +++---- modules/private-cluster/README.md | 10 +++++---- modules/private-cluster/cluster.tf | 21 ++++++++++-------- modules/private-cluster/variables.tf | 8 +++---- variables.tf | 8 +++---- 28 files changed, 206 insertions(+), 170 deletions(-) diff --git a/README.md b/README.md index aba792c6d4..ff954ab309 100644 --- a/README.md +++ b/README.md 
@@ -194,7 +194,7 @@ Then perform the following commands on the root folder: | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes | | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | 
@@ -203,7 +203,7 @@ Then perform the following commands on the root folder: | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | -| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | 
@@ -231,8 +231,8 @@ Then perform the following commands on the root folder: | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | -| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. 
| `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | @@ -302,6 +302,7 @@ The node_pools variable takes the following parameters: | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional | | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional | | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional | +| enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | 
@@ -320,6 +321,7 @@ The node_pools variable takes the following parameters: | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | +| enable_confidential_storage | Enabling Confidential Storage will create boot disk with confidential mode. | false | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional | | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index 7a3960f1a1..0d4c6feefc 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -201,9 +201,7 @@ The node_pools variable takes the following parameters: | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional | | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional | | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional | -{% if beta_cluster %} -| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | -{% endif %} +| enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | 
@@ -225,6 +223,7 @@ The node_pools variable takes the following parameters:
 | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional |
 | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional |
 | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional |
+| enable_confidential_storage | Enabling Confidential Storage will create boot disk with confidential mode. | false | Optional |
 | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional |
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 40fdfd8bc4..75ce3a1f6a 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -492,9 +492,10 @@ resource "google_container_cluster" "primary" { } node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] content {
@@ -695,6 +696,7 @@ locals { "enable_secure_boot", "boot_disk_kms_key", "queued_provisioning", + "enable_confidential_storage", ] } @@ -856,9 +858,10 @@ resource "google_container_node_pool" "windows_pools" { } node_config { - image_type = lookup(each.value, "image_type", "COS_CONTAINERD") - machine_type = lookup(each.value, "machine_type", "e2-medium") - min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + image_type = lookup(each.value, "image_type", "COS_CONTAINERD") + machine_type = lookup(each.value, "machine_type", "e2-medium") + min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 97f70d29d8..86e576c9f5 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -576,13 +576,13 @@ variable "enable_confidential_nodes" { {% if beta_cluster %} variable "workload_vulnerability_mode" { - description = "(beta) Vulnerability mode." + description = "(beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC." type = string default = "" } variable "workload_config_audit_mode" { - description = "(beta) Workload config audit mode." + description = "(beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC." type = string default = "DISABLED" } 
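Review bot: The added `enable_confidential_storage` line in the windows_pools node_config reads `var.node_pools[0]` while the neighbouring `image_type`/`machine_type`/`min_cpu_platform` lines read `each.value`, so every pool silently inherits the first Linux pool's confidential-storage setting instead of its own, a pool that sets the flag itself has it ignored, and for Windows pools the lookup reaches into a list other than the one being iterated. It should be `enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false)`. The generated copies in cluster.tf (both the `pools` and `windows_pools` hunks) and in modules/beta-private-cluster-update-variant/cluster.tf carry the same expression, so the template fix needs a regeneration to propagate rather than per-file patches. Only the `primary` cluster's default node_config earlier in this file is right to read `var.node_pools[0]`, since that block describes the default pool. The enclosing resource block starts and ends outside the hunk.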
@@ -602,13 +602,13 @@ variable "enable_cilium_clusterwide_network_policy" { } variable "security_posture_mode" { - description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string default = "DISABLED" } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } @@ -808,13 +808,13 @@ variable "monitoring_observability_metrics_relay_mode" { variable "monitoring_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." default = [] } variable "logging_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." default = [] } diff --git a/cluster.tf b/cluster.tf index ec7f020cc4..3ea59eddca 100644 
--- a/cluster.tf +++ b/cluster.tf @@ -371,9 +371,10 @@ resource "google_container_cluster" "primary" { } node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] content { @@ -570,9 +571,10 @@ resource "google_container_node_pool" "pools" { } node_config { - image_type = lookup(each.value, "image_type", "COS_CONTAINERD") - machine_type = lookup(each.value, "machine_type", "e2-medium") - min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + image_type = lookup(each.value, "image_type", "COS_CONTAINERD") + machine_type = lookup(each.value, "machine_type", "e2-medium") + min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { 
@@ -842,9 +844,10 @@ resource "google_container_node_pool" "windows_pools" { } node_config { - image_type = lookup(each.value, "image_type", "COS_CONTAINERD") - machine_type = lookup(each.value, "machine_type", "e2-medium") - min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + image_type = lookup(each.value, "image_type", "COS_CONTAINERD") + machine_type = lookup(each.value, "machine_type", "e2-medium") + min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index ab7c564231..7ee5aebd0c 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -137,8 +137,8 @@ Then perform the following commands on the root folder: | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | -| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. 
| `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | @@ -150,8 +150,8 @@ Then perform the following commands on the root folder: | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no | -| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | +| workload\_config\_audit\_mode | (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 7d9fd4262e..93212a7de1 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -382,13 +382,13 @@ variable "enable_confidential_nodes" { } variable "workload_vulnerability_mode" { - description = "(beta) Vulnerability mode." + description = "(beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC." type = string default = "" } variable "workload_config_audit_mode" { - description = "(beta) Workload config audit mode." + description = "(beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC." type = string default = "DISABLED" } @@ -407,13 +407,13 @@ variable "enable_cilium_clusterwide_network_policy" { } variable "security_posture_mode" { - description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string default = "DISABLED" } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 52b472a7ac..17d495b60c 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -126,8 +126,8 @@ Then perform the following commands on the root folder: | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | -| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. 
| `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | @@ -139,8 +139,8 @@ Then perform the following commands on the root folder: | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | -| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no | -| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | +| workload\_config\_audit\_mode | (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index fc60d9c42e..f3cf4f094e 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf 
@@ -352,13 +352,13 @@ variable "enable_confidential_nodes" { } variable "workload_vulnerability_mode" { - description = "(beta) Vulnerability mode." + description = "(beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC." type = string default = "" } variable "workload_config_audit_mode" { - description = "(beta) Workload config audit mode." + description = "(beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC." type = string default = "DISABLED" } @@ -377,13 +377,13 @@ variable "enable_cilium_clusterwide_network_policy" { } variable "security_posture_mode" { - description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string default = "DISABLED" } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 0c57bd6510..9c39988304 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -240,7 +240,7 @@ Then perform the following commands on the root folder: | istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no | | kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | -| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no | 
@@ -251,7 +251,7 @@ Then perform the following commands on the root folder: | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | -| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no | +| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | 
@@ -280,8 +280,8 @@ Then perform the following commands on the root folder: | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | -| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | -| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | +| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no | +| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no | | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. 
| `string` | `""` | no | | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no | @@ -294,8 +294,8 @@ Then perform the following commands on the root folder: | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no | | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no | | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no | -| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no | -| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no | +| workload\_config\_audit\_mode | (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. | `string` | `"DISABLED"` | no | +| workload\_vulnerability\_mode | (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. | `string` | `""` | no | | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no | ## Outputs 
@@ -359,7 +359,7 @@ The node_pools variable takes the following parameters: | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional | | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional | | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional | -| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | +| enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | 
@@ -379,6 +379,7 @@ The node_pools variable takes the following parameters: | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | +| enable_confidential_storage | Enabling Confidential Storage will create boot disk with confidential mode. | false | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional | | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 68dd47ddb2..cd3158132c 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -417,9 +417,10 @@ resource "google_container_cluster" "primary" { } node_config { - image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") - machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") - min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD") + machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium") + min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] content { @@ -594,6 +595,7 @@ locals { "enable_secure_boot", "boot_disk_kms_key", "queued_provisioning", + "enable_confidential_storage", ] } @@ -732,9 +734,10 @@ resource "google_container_node_pool" "pools" { } node_config { - image_type = lookup(each.value, "image_type", "COS_CONTAINERD") - machine_type = lookup(each.value, "machine_type", "e2-medium") - min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + image_type = lookup(each.value, "image_type", "COS_CONTAINERD") + machine_type = lookup(each.value, "machine_type", "e2-medium") + min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { 
@@ -1018,9 +1021,10 @@ resource "google_container_node_pool" "windows_pools" { } node_config { - image_type = lookup(each.value, "image_type", "COS_CONTAINERD") - machine_type = lookup(each.value, "machine_type", "e2-medium") - min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + image_type = lookup(each.value, "image_type", "COS_CONTAINERD") + machine_type = lookup(each.value, "machine_type", "e2-medium") + min_cpu_platform = lookup(each.value, "min_cpu_platform", "") + enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 4881ff8ea3..cf55ef1360 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -551,13 +551,13 @@ variable "enable_confidential_nodes" { } variable "workload_vulnerability_mode" { - description = "(beta) Vulnerability mode." + description = "(beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC." type = string default = "" } variable "workload_config_audit_mode" { - description = "(beta) Workload config audit mode." + description = "(beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC." type = string default = "DISABLED" } 
@@ -576,13 +576,13 @@ variable "enable_cilium_clusterwide_network_policy" {
 }
 variable "security_posture_mode" {
- description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
 default = "DISABLED"
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
@@ -773,13 +773,13 @@ variable "monitoring_observability_metrics_relay_mode" {
 variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration."
 default = []
 }
 variable "logging_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."
 default = []
 }
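Review bot: The new `logging_enabled_components` description still opens with "List of services to monitor", copied from `monitoring_enabled_components`, which is misleading now that the two lists differ; suggest `description = "List of services to collect logs for: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."`. The README rows in this patch mirror these strings, so the wording would propagate into the module docs. Neither list has a `validation` block, so a misspelled component name (or KUBELET/CADVISOR on a cluster below the documented 1.29.3-gke.1093000) is only rejected at apply time; a `contains`-based check over the documented names would at least catch typos at plan time.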
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 73f0c2c699..3e239a08ea 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -218,7 +218,7 @@ Then perform the following commands on the root folder:
 | istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no |
 | kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
-| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no |
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
@@ -229,7 +229,7 @@ Then perform the following commands on the root folder:
 | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
@@ -258,8 +258,8 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
-| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable.
| `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
@@ -272,8 +272,8 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
-| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
-| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
+| workload\_config\_audit\_mode | (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. | `string` | `"DISABLED"` | no |
+| workload\_vulnerability\_mode | (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 ## Outputs
@@ -337,7 +337,7 @@ The node_pools variable takes the following parameters:
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
 | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
-| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
+| enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
@@ -357,6 +357,7 @@ The node_pools variable takes the following parameters:
 | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional |
 | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional |
 | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional |
+| enable_confidential_storage | Enabling Confidential Storage will create boot disk with confidential mode. | false | Optional |
 | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional |
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 7fc6d951a0..5154693a3a 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -417,9 +417,10 @@ resource "google_container_cluster" "primary" {
 }
 node_config {
- image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
- machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
- min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : []
 content {
@@ -653,9 +654,10 @@ resource "google_container_node_pool" "pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
@@ -938,9 +940,10 @@ resource "google_container_node_pool" "windows_pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 4881ff8ea3..cf55ef1360 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
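Review bot: In modules/beta-private-cluster/cluster.tf the `enable_confidential_storage` line added to the `pools` node_config reads `var.node_pools[0]` while `image_type`, `machine_type` and `min_cpu_platform` beside it read `each.value`, so only the first pool's setting is ever honoured and a second pool declaring `enable_confidential_storage = true` silently gets an unencrypted-mode boot disk (the default `false`). It should be `enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false)`. Given that node_config changes typically force pool replacement, fixing this later will presumably recreate affected pools, so it is worth correcting before release. The node_config block continues past the hunk.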
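Review bot: The `windows_pools` node_config in modules/beta-private-cluster/cluster.tf also sources `enable_confidential_storage` from `var.node_pools[0]`, the first Linux pool, rather than from `each.value` like its neighbouring attributes, so Windows pools cannot opt in or out independently. Use `enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false)` here as well; the block continues past the hunk.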
@@ -551,13 +551,13 @@ variable "enable_confidential_nodes" {
 }
 variable "workload_vulnerability_mode" {
- description = "(beta) Vulnerability mode."
+ description = "(beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC."
 type = string
 default = ""
 }
 variable "workload_config_audit_mode" {
- description = "(beta) Workload config audit mode."
+ description = "(beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC."
 type = string
 default = "DISABLED"
 }
@@ -576,13 +576,13 @@ variable "enable_cilium_clusterwide_network_policy" {
 }
 variable "security_posture_mode" {
- description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
 default = "DISABLED"
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
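Review bot: In modules/beta-private-cluster/variables.tf the updated descriptions list DISABLED and BASIC as the accepted values for `workload_vulnerability_mode` and `workload_config_audit_mode`, yet `workload_vulnerability_mode` still defaults to `""` and neither variable validates its input, so an invalid mode surfaces only as an API error at apply time. Add a `validation` block to each, e.g. `condition = contains(["", "DISABLED", "BASIC"], var.workload_vulnerability_mode)` with an `error_message` naming the accepted values, keeping `""` allowed so the current default remains valid, and state in the description what the empty string does (presumably leaves the feature unmanaged; the consumer in cluster.tf is outside this hunk).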
@@ -773,13 +773,13 @@ variable "monitoring_observability_metrics_relay_mode" {
 variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration."
 default = []
 }
 variable "logging_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."
 default = []
 }
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 1c5b226316..3c728f9282 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
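Review bot: The `logging_enabled_components` description in modules/beta-private-cluster/variables.tf still begins "List of services to monitor", a copy of the monitoring variable's wording; suggest `description = "List of services to collect logs for: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."`. The README rows changed in this patch carry the same text, so the fix should be applied wherever the docs are regenerated from. Both lists remain unvalidated, so a misspelled component is only caught at apply time; a `validation` block using `contains` over the documented names would catch it at plan time.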
@@ -231,7 +231,7 @@ Then perform the following commands on the root folder:
 | istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no |
 | kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
-| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no |
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
@@ -240,7 +240,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
@@ -269,8 +269,8 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
-| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable.
| `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
@@ -283,8 +283,8 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
-| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
-| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
+| workload\_config\_audit\_mode | (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. | `string` | `"DISABLED"` | no |
+| workload\_vulnerability\_mode | (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 ## Outputs
@@ -346,7 +346,7 @@ The node_pools variable takes the following parameters:
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
 | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
-| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
+| enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
@@ -366,6 +366,7 @@ The node_pools variable takes the following parameters:
 | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional |
 | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional |
 | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional |
+| enable_confidential_storage | Enabling Confidential Storage will create boot disk with confidential mode. | false | Optional |
 | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional |
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index b5ebb43cae..93339ad6e2 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -417,9 +417,10 @@ resource "google_container_cluster" "primary" {
 }
 node_config {
- image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
- machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
- min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : []
 content {
@@ -575,6 +576,7 @@ locals {
 "enable_secure_boot",
 "boot_disk_kms_key",
 "queued_provisioning",
+ "enable_confidential_storage",
 ]
 }
@@ -713,9 +715,10 @@ resource "google_container_node_pool" "pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
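Review bot: In modules/beta-public-cluster-update-variant/cluster.tf the `pools` node_config (third hunk on this line) sets `enable_confidential_storage` from `var.node_pools[0]` while the surrounding attributes use `each.value`, so the setting of the first pool is copied onto every other pool and a per-pool opt-in is silently ignored; this contradicts the same key being added to the per-pool key list in the `locals` hunk just above. Change it to `enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false)`. Since node_config changes generally force pool replacement, shipping the wrong value presumably means affected pools must be recreated to fix it. The node_config block continues past the hunk.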
@@ -999,9 +1002,10 @@ resource "google_container_node_pool" "windows_pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 7d3a2924e3..b14af0abbd 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -521,13 +521,13 @@ variable "enable_confidential_nodes" {
 }
 variable "workload_vulnerability_mode" {
- description = "(beta) Vulnerability mode."
+ description = "(beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC."
 type = string
 default = ""
 }
 variable "workload_config_audit_mode" {
- description = "(beta) Workload config audit mode."
+ description = "(beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC."
 type = string
 default = "DISABLED"
 }
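Review bot: The `windows_pools` node_config in modules/beta-public-cluster-update-variant/cluster.tf reads `enable_confidential_storage` from `var.node_pools[0]`, the first Linux pool, instead of `each.value` like the attributes around it, so a Windows pool cannot control its own confidential-storage setting. Use `enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false)`; the block continues past the hunk.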
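Review bot: In modules/beta-public-cluster-update-variant/variables.tf the new descriptions for `workload_vulnerability_mode` and `workload_config_audit_mode` enumerate DISABLED and BASIC, but `workload_vulnerability_mode` keeps `default = ""`, which is not among them, and no `validation` block enforces either list, so an invalid mode is only rejected by the API at apply time. Add a `validation` block per variable, e.g. `condition = contains(["", "DISABLED", "BASIC"], var.workload_vulnerability_mode)` with an `error_message` listing the accepted values, keeping `""` allowed so the existing default stays valid, and note in the description what the empty string means (presumably "unmanaged"; the consumer in cluster.tf is outside this hunk).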
@@ -546,13 +546,13 @@ variable "enable_cilium_clusterwide_network_policy" {
 }
 variable "security_posture_mode" {
- description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
 default = "DISABLED"
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
@@ -743,13 +743,13 @@ variable "monitoring_observability_metrics_relay_mode" {
 variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration."
 default = []
 }
 variable "logging_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."
 default = []
 }
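Review bot: The `logging_enabled_components` description in modules/beta-public-cluster-update-variant/variables.tf still starts with "List of services to monitor", the monitoring variable's wording; suggest `description = "List of services to collect logs for: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."`. The README rows in this patch repeat the same string, so the wording should be fixed at the source. Neither list is validated, so a typo in a component name or KUBELET/CADVISOR on a cluster below the documented 1.29.3-gke.1093000 is only caught at apply time; a `contains`-based `validation` over the documented names would catch the typo case at plan time.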
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 3daac41037..92f328b9bb 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -209,7 +209,7 @@ Then perform the following commands on the root folder:
 | istio\_auth | (Beta) The authentication type between services in Istio. | `string` | `"AUTH_MUTUAL_TLS"` | no |
 | kalm\_config | (Beta) Whether KALM is enabled for this cluster. | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
-| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no |
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
@@ -218,7 +218,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
@@ -247,8 +247,8 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
-| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable.
| `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
@@ -261,8 +261,8 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
-| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
-| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
+| workload\_config\_audit\_mode | (beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC. | `string` | `"DISABLED"` | no |
+| workload\_vulnerability\_mode | (beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 ## Outputs
@@ -324,7 +324,7 @@ The node_pools variable takes the following parameters:
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
 | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
-| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
+| enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
@@ -344,6 +344,7 @@ The node_pools variable takes the following parameters:
 | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional |
 | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional |
 | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional |
+| enable_confidential_storage | Enabling Confidential Storage will create boot disk with confidential mode. | false | Optional |
 | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional |
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index c543d08410..bd8672dde9 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -417,9 +417,10 @@ resource "google_container_cluster" "primary" {
 }
 node_config {
- image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
- machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
- min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : []
 content {
@@ -634,9 +635,10 @@ resource "google_container_node_pool" "pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
@@ -919,9 +921,10 @@ resource "google_container_node_pool" "windows_pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 7d3a2924e3..b14af0abbd 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
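Review bot: In the `pools` and `windows_pools` node_config blocks the new `enable_confidential_storage` line reads `var.node_pools[0]` while the three `image_type`/`machine_type`/`min_cpu_platform` lookups directly above it read `each.value`, so every managed pool silently inherits the first pool's setting: a per-pool `enable_confidential_storage = true` on any other pool (and on Windows pools, which presumably iterate a different variable) is dropped with no plan-time error, and that pool's boot disk is created without confidential mode while the configuration says otherwise. The line should be `enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false)`; only the `primary` default-pool hunk above legitimately keys on `var.node_pools[0]`. The same copy-paste appears in the `pools` and `windows_pools` hunks of modules/private-cluster-update-variant/cluster.tf and modules/private-cluster/cluster.tf further down. Both resource blocks start and end outside the hunk.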
@@ -521,13 +521,13 @@ variable "enable_confidential_nodes" {
 }
 variable "workload_vulnerability_mode" {
- description = "(beta) Vulnerability mode."
+ description = "(beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC."
 type = string
 default = ""
 }
 variable "workload_config_audit_mode" {
- description = "(beta) Workload config audit mode."
+ description = "(beta) Sets which mode of auditing should be used for the cluster's workloads. Accepted values are DISABLED, BASIC."
 type = string
 default = "DISABLED"
 }
@@ -546,13 +546,13 @@ variable "enable_cilium_clusterwide_network_policy" {
 }
 variable "security_posture_mode" {
- description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
 default = "DISABLED"
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
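Review bot: `workload_vulnerability_mode` now documents DISABLED and BASIC as the accepted values, but its unchanged `default = ""` is neither, so the most common case (the default) is the one the description does not explain; the neighbouring `workload_config_audit_mode` defaults to DISABLED and is consistent with its own list. Either say what the empty string does, e.g. `description = "(beta) Sets which mode to use for Protect workload vulnerability scanning feature. Accepted values are DISABLED, BASIC; the empty default leaves the setting unset."` (wording to be confirmed against how cluster.tf consumes the variable), or change the default to DISABLED if that is the intent. The README row in the hunk above repeats the same description and would need the same wording.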
@@ -743,13 +743,13 @@ variable "monitoring_observability_metrics_relay_mode" {
 variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration."
 default = []
 }
 variable "logging_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."
 default = []
 }
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 030e13b3c0..711905001c 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -225,7 +225,7 @@ Then perform the following commands on the root folder:
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
-| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no |
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
@@ -236,7 +236,7 @@ Then perform the following commands on the root folder:
 | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
@@ -264,8 +264,8 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
-| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable.
| `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
@@ -337,6 +337,7 @@ The node_pools variable takes the following parameters:
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
 | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
+| enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
@@ -355,6 +356,7 @@ The node_pools variable takes the following parameters:
 | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional |
 | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional |
 | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional |
+| enable_confidential_storage | Enabling Confidential Storage will create boot disk with confidential mode. | false | Optional |
 | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional |
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index f980d096e5..e028ca6e19 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -371,9 +371,10 @@ resource "google_container_cluster" "primary" {
 }
 node_config {
- image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
- machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
- min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : []
 content {
@@ -530,6 +531,7 @@ locals {
 "enable_secure_boot",
 "boot_disk_kms_key",
 "queued_provisioning",
+ "enable_confidential_storage",
 ]
 }
@@ -668,9 +670,10 @@ resource "google_container_node_pool" "pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
@@ -941,9 +944,10 @@ resource "google_container_node_pool" "windows_pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index abf2a688ff..5ab8307468 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -551,13 +551,13 @@ variable "enable_cilium_clusterwide_network_policy" {
 }
 variable "security_posture_mode" {
- description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
+ description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
 default = "DISABLED"
 }
 variable "security_posture_vulnerability_mode" {
- description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
+ description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`."
 type = string
 default = "VULNERABILITY_DISABLED"
 }
@@ -743,13 +743,13 @@ variable "monitoring_observability_metrics_relay_mode" {
 variable "monitoring_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration."
 default = []
 }
 variable "logging_enabled_components" {
 type = list(string)
- description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration."
+ description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."
 default = []
 }
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index c6ed02ec12..693bae3bc0 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -203,7 +203,7 @@ Then perform the following commands on the root folder:
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | `string` | n/a | yes |
 | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
 | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no |
-| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| logging\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, CONTROLLER\_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no |
 | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string, exclusion_scope = string }))` | `[]` | no |
@@ -214,7 +214,7 @@ Then perform the following commands on the root folder:
 | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no |
 | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no |
 | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no |
-| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
+| monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no |
 | monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no |
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
@@ -242,8 +242,8 @@ Then perform the following commands on the root folder:
 | release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
-| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
-| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
+| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
+| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
 | service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable.
| `string` | `""` | no |
 | service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
@@ -315,6 +315,7 @@ The node_pools variable takes the following parameters:
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
 | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
+| enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
@@ -333,6 +334,7 @@ The node_pools variable takes the following parameters:
 | local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional |
 | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional |
 | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional |
+| enable_confidential_storage | Enabling Confidential Storage will create boot disk with confidential mode. | false | Optional |
 | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional |
 | total_max_count | Total maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with per zone limits. | null | Optional |
 | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index f15e1b02ba..234ece4b0e 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -371,9 +371,10 @@ resource "google_container_cluster" "primary" {
 }
 node_config {
- image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
- machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
- min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
+ machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
+ min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : []
 content {
@@ -589,9 +590,10 @@ resource "google_container_node_pool" "pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
@@ -861,9 +863,10 @@ resource "google_container_node_pool" "windows_pools" {
 }
 node_config {
- image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
- machine_type = lookup(each.value, "machine_type", "e2-medium")
- min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
+ machine_type = lookup(each.value, "machine_type", "e2-medium")
+ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
+ enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
 for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
 content {
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index abf2a688ff..5ab8307468 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -551,13 +551,13 @@ variable "enable_cilium_clusterwide_network_policy" { } variable "security_posture_mode" { - description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string default = "DISABLED" } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } @@ -743,13 +743,13 @@ variable "monitoring_observability_metrics_relay_mode" { variable "monitoring_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." default = [] } variable "logging_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." default = [] } diff --git a/variables.tf b/variables.tf index 338f0c4f3a..8c37d4e4fd 100644 
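Review bot: The replacement description on `logging_enabled_components` in the second hunk still opens with "List of services to monitor", copied from `monitoring_enabled_components`; for a logging variable it should read `description = "List of services to log: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration."`. The new `monitoring_enabled_components` description says "WORKLOADS is supported on top of those 12 values" but the sentence before it lists thirteen (SYSTEM_COMPONENTS through DCGM), so either the count or the list is stale and the two should be reconciled. The same two descriptions are changed identically in the root `variables.tf` hunks that follow. The first hunk only re-aligns whitespace in the security posture descriptions and needs nothing.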
--- a/variables.tf +++ b/variables.tf @@ -521,13 +521,13 @@ variable "enable_cilium_clusterwide_network_policy" { } variable "security_posture_mode" { - description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." + description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string default = "DISABLED" } variable "security_posture_vulnerability_mode" { - description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." + description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED`, `VULNERABILITY_BASIC`, and `VULNERABILITY_ENTERPRISE`. Defaults to `VULNERABILITY_DISABLED`." type = string default = "VULNERABILITY_DISABLED" } @@ -713,13 +713,13 @@ variable "monitoring_observability_metrics_relay_mode" { variable "monitoring_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration." default = [] } variable "logging_enabled_components" { type = list(string) - description = "List of services to monitor: SYSTEM_COMPONENTS, WORKLOADS. Empty list is default GKE configuration." + description = "List of services to monitor: SYSTEM_COMPONENTS, APISERVER, CONTROLLER_MANAGER, SCHEDULER, and WORKLOADS. Empty list is default GKE configuration." default = [] } 
From 674f77210a0a2b5236b53e0183393e34bd7a1dd2 Mon Sep 17 00:00:00 2001 From: CPL Markus <106060626+CPL-markus@users.noreply.github.com> Date: Wed, 24 Jul 2024 20:00:44 +0200 Subject: [PATCH 110/176] feat: anthos modules remote fleet project (#1995) --- modules/acm/README.md | 1 + modules/acm/feature.tf | 4 ++-- modules/acm/main.tf | 1 + modules/acm/variables.tf | 6 ++++++ 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/modules/acm/README.md b/modules/acm/README.md index f9207a51bc..9258f2c837 100644 --- a/modules/acm/README.md +++ b/modules/acm/README.md @@ -86,6 +86,7 @@ data "google_client_config" "default" {} | enable\_mutation | Whether to enable mutations for ACM Policy Controller. | `bool` | `false` | no | | enable\_policy\_controller | Whether to enable the ACM Policy Controller on the cluster | `bool` | `true` | no | | enable\_referential\_rules | Enables referential constraints which reference another object in it definition and are therefore eventually consistent. | `bool` | `true` | no | +| fleet\_project\_id | The project in which the GKE fleet is located. Defaults to GKE cluster project\_id. | `string` | `""` | no | | gcp\_service\_account\_email | The service account email for authentication when `secret_type` is `gcpServiceAccount`. | `string` | `null` | no | | hierarchy\_controller | Configurations for Hierarchy Controller. See [Hierarchy Controller docs](https://cloud.google.com/anthos-config-management/docs/how-to/installing-hierarchy-controller) for more details | `map(any)` | `null` | no | | https\_proxy | URL for the HTTPS proxy to be used when communicating with the Git repo. | `string` | `null` | no | diff --git a/modules/acm/feature.tf b/modules/acm/feature.tf index a4bc58de9d..7a2d06d863 100644 --- a/modules/acm/feature.tf +++ b/modules/acm/feature.tf 
@@ -19,7 +19,7 @@ resource "google_gke_hub_feature" "acm" { provider = google-beta name = "configmanagement" - project = var.project_id + project = coalesce(var.fleet_project_id, var.project_id) location = "global" } @@ -33,7 +33,7 @@ resource "google_gke_hub_feature_membership" "main" { feature = "configmanagement" membership = module.registration.cluster_membership_id - project = var.project_id + project = coalesce(var.fleet_project_id, var.project_id) configmanagement { version = var.configmanagement_version diff --git a/modules/acm/main.tf b/modules/acm/main.tf index 6ffe06f166..fcfd194137 100644 --- a/modules/acm/main.tf +++ b/modules/acm/main.tf @@ -24,6 +24,7 @@ module "registration" { cluster_name = var.cluster_name project_id = var.project_id + hub_project_id = var.fleet_project_id location = var.location enable_fleet_registration = var.enable_fleet_registration membership_name = var.cluster_membership_id diff --git a/modules/acm/variables.tf b/modules/acm/variables.tf index b1baa093fc..404c92f339 100644 --- a/modules/acm/variables.tf +++ b/modules/acm/variables.tf @@ -24,6 +24,12 @@ variable "project_id" { type = string } +variable "fleet_project_id" { + description = "The project in which the GKE fleet is located. Defaults to GKE cluster project_id." + type = string + default = "" +} + variable "location" { description = "GCP location used to reach cluster." type = string From 318f38fba30068761ad6bf61ec34cdbf9a09cab9 Mon Sep 17 00:00:00 2001 
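Review bot: The `main.tf` hunk passes `var.fleet_project_id` straight through as `hub_project_id`, while both `feature.tf` hunks wrap it in `coalesce(var.fleet_project_id, var.project_id)`; with the new variable defaulting to `""`, the registration module receives an empty string unless it applies the same fallback itself, which this chunk does not show. Using `hub_project_id = coalesce(var.fleet_project_id, var.project_id)` here would keep the three call sites consistent and make the "Defaults to GKE cluster project_id" promise in the variable description hold regardless of how the registration module treats an empty value. Since the feature and membership are now created in the fleet project, the variable description could also note that the identity running the apply needs GKE Hub permissions in that project rather than only in the cluster project. The `module "registration"` block begins before its hunk.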
From: Caue Santos <46695526+caueasantos@users.noreply.github.com> Date: Fri, 26 Jul 2024 12:57:32 -0600 Subject: [PATCH 111/176] feat: allow default node pools metadata key-value pairs to be disabled (#2005) Co-authored-by: Andrew Peabody --- README.md | 1 + autogen/main/cluster.tf.tmpl | 4 ++-- autogen/main/variables.tf.tmpl | 8 ++++++++ cluster.tf | 8 ++++---- modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 8 ++++---- modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 8 ++++---- modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 8 ++++---- modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 8 ++++---- modules/beta-public-cluster/variables.tf | 6 ++++++ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 8 ++++---- modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 8 ++++---- modules/private-cluster/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 23 files changed, 87 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index ff954ab309..6d2779c8d6 100644 --- a/README.md +++ b/README.md 
@@ -165,6 +165,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 75ce3a1f6a..5f511641a3 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -891,8 +891,8 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 86e576c9f5..2affa9c1fb 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -619,6 +619,14 @@ variable "disable_default_snat" { default = false } +{% if autopilot_cluster != true %} +variable "enable_default_node_pools_metadata" { + type = bool + description = "Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool`" + default = true +} + +{% endif %} variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/cluster.tf b/cluster.tf index 3ea59eddca..d39305af0b 100644 --- a/cluster.tf +++ b/cluster.tf 
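Review bot: The new `enable_default_node_pools_metadata` description does not say how it interacts with the existing per-pool override: because the flag is only the fallback argument of the `lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", ...)` call, an explicit `default_values` entry in `node_pools_metadata` still wins over the global setting. Suggest `description = "Whether to add the default node pool metadata key-value pairs cluster_name and node_pool. Explicit entries under node_pools_metadata.default_values take precedence over this flag."` in the template and in the generated `variables.tf` and README rows. The template hunk shows only the `windows_pools` block changing while each generated `cluster.tf` changes both `pools` and `windows_pools`, so presumably the template shares one block between the two pool types; worth confirming the Linux pool path really comes from the template rather than only from the generated output. Anything reading these keys from the node metadata server will no longer find them when the flag is false, which the description could mention as well. Both node-pool resources in the template start and end outside the hunks shown.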
@@ -604,8 +604,8 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { @@ -877,8 +877,8 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 9c39988304..67f67570fb 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -201,6 +201,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index cd3158132c..f974c472d0 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -767,8 +767,8 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { @@ -1054,8 +1054,8 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index cf55ef1360..54a4c1e365 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -593,6 +593,12 @@ variable "disable_default_snat" { default = false } +variable "enable_default_node_pools_metadata" { + type = bool + description = "Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool`" + default = true +} + variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 3e239a08ea..657aeeab2b 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -179,6 +179,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 5154693a3a..4c925fe88b 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -687,8 +687,8 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { @@ -973,8 +973,8 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index cf55ef1360..54a4c1e365 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -593,6 +593,12 @@ variable "disable_default_snat" { default = false } +variable "enable_default_node_pools_metadata" { + type = bool + description = "Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool`" + default = true +} + variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 3c728f9282..201d31846c 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -194,6 +194,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 93339ad6e2..a94ff555d0 100644 
--- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -748,8 +748,8 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { @@ -1035,8 +1035,8 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index b14af0abbd..8458e313b4 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf 
+++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -563,6 +563,12 @@ variable "disable_default_snat" { default = false } +variable "enable_default_node_pools_metadata" { + type = bool + description = "Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool`" + default = true +} + variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 92f328b9bb..31dbe3d9a7 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -172,6 +172,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index bd8672dde9..a829d40236 100644 --- a/modules/beta-public-cluster/cluster.tf 
+++ b/modules/beta-public-cluster/cluster.tf @@ -668,8 +668,8 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { @@ -954,8 +954,8 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index b14af0abbd..8458e313b4 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -563,6 +563,12 @@ variable "disable_default_snat" { default = false } +variable "enable_default_node_pools_metadata" { + type = bool + description = "Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool`" + default = true +} + variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 711905001c..f4cce9271f 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -194,6 +194,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index e028ca6e19..6dd1b7ead9 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -703,8 +703,8 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { @@ -977,8 +977,8 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 5ab8307468..f1cff54bdd 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -568,6 +568,12 @@ variable "disable_default_snat" { default = false } +variable "enable_default_node_pools_metadata" { + type = bool + description = "Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool`" + default = true +} + variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 693bae3bc0..3e4b65d152 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -172,6 +172,7 @@ Then perform the following commands on the root folder: | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | 
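Review bot: The description of `enable_default_node_pools_metadata` reads as an on/off switch, but in cluster.tf it is only the default argument of `lookup(..., "cluster_name", var.enable_default_node_pools_metadata)`, so per-key entries under `node_pools_metadata.default_values` override it in both directions. Suggest extending the description to `"Whether to add the default node pool metadata keys cluster_name and node_pool; an explicit entry under node_pools_metadata.default_values takes precedence"`. The identical variable block is added to modules/private-cluster/variables.tf and the root variables.tf in the following hunks and should carry the same wording.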
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 234ece4b0e..b34f512081 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -623,8 +623,8 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { @@ -896,8 +896,8 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels[each.value["name"]], ) metadata = merge( - lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, - lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, + lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, local.node_pools_metadata["all"], local.node_pools_metadata[each.value["name"]], { diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 5ab8307468..f1cff54bdd 100644 --- a/modules/private-cluster/variables.tf 
+++ b/modules/private-cluster/variables.tf @@ -568,6 +568,12 @@ variable "disable_default_snat" { default = false } +variable "enable_default_node_pools_metadata" { + type = bool + description = "Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool`" + default = true +} + variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/variables.tf b/variables.tf index 8c37d4e4fd..9bfc3f451b 100644 --- a/variables.tf +++ b/variables.tf @@ -538,6 +538,12 @@ variable "disable_default_snat" { default = false } +variable "enable_default_node_pools_metadata" { + type = bool + description = "Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool`" + default = true +} + variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." From 12cfe5e4d3c668117649cb346e49b0d2e598f4ed Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Wed, 31 Jul 2024 17:17:10 -0400 Subject: [PATCH 112/176] fix: enable_confidential_storage fix (#2018) --- autogen/main/cluster.tf.tmpl | 2 +- cluster.tf | 4 ++-- modules/beta-private-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-private-cluster/cluster.tf | 4 ++-- modules/beta-public-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-public-cluster/cluster.tf | 4 ++-- modules/private-cluster-update-variant/cluster.tf | 4 ++-- modules/private-cluster/cluster.tf | 4 ++-- 8 files changed, 15 insertions(+), 15 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 5f511641a3..f1c0d104f2 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -861,7 +861,7 @@ resource "google_container_node_pool" "windows_pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { diff --git a/cluster.tf b/cluster.tf index d39305af0b..8d2d83198e 100644 --- a/cluster.tf +++ b/cluster.tf @@ -574,7 +574,7 @@ resource "google_container_node_pool" "pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { @@ -847,7 +847,7 @@ resource "google_container_node_pool" "windows_pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index f974c472d0..5b35e79efa 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf 
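Review bot: The switch from `var.node_pools[0]` to `each.value` changes the effective setting for every pool other than the first on existing deployments: a pool that inherited `enable_confidential_storage = true` from the first pool now gets `false` unless it sets the key itself, and the reverse case newly enables it. If the provider treats this `node_config` attribute as immutable, that plan diff may replace node pools on upgrade, so the behaviour change deserves a line in the upgrade notes telling users who relied on the inheritance to set the key on each pool explicitly. The same one-line change is repeated for `pools` and `windows_pools` in cluster.tf and in the six generated module files that follow. The enclosing `google_container_node_pool` resources start and end outside the hunks.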
+++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -737,7 +737,7 @@ resource "google_container_node_pool" "pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { @@ -1024,7 +1024,7 @@ resource "google_container_node_pool" "windows_pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 4c925fe88b..d430b2f90c 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -657,7 +657,7 @@ resource "google_container_node_pool" "pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { 
@@ -943,7 +943,7 @@ resource "google_container_node_pool" "windows_pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index a94ff555d0..a61f0f88b6 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -718,7 +718,7 @@ resource "google_container_node_pool" "pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { @@ -1005,7 +1005,7 @@ resource "google_container_node_pool" "windows_pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { 
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index a829d40236..0261482a09 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -638,7 +638,7 @@ resource "google_container_node_pool" "pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { @@ -924,7 +924,7 @@ resource "google_container_node_pool" "windows_pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 6dd1b7ead9..7a6a74556f 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -673,7 +673,7 @@ resource "google_container_node_pool" "pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { @@ -947,7 +947,7 @@ resource "google_container_node_pool" "windows_pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index b34f512081..334bcc2e8d 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -593,7 +593,7 @@ resource "google_container_node_pool" "pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { 
@@ -866,7 +866,7 @@ resource "google_container_node_pool" "windows_pools" { image_type = lookup(each.value, "image_type", "COS_CONTAINERD") machine_type = lookup(each.value, "machine_type", "e2-medium") min_cpu_platform = lookup(each.value, "min_cpu_platform", "") - enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) + enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] content { From 24458dcf200ed1e05e72bdf9b1427a89237dddd9 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 31 Jul 2024 16:29:59 -0700 Subject: [PATCH 113/176] chore(deps): Update cft/developer-tools Docker tag to v1.22 (#2019) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Makefile | 2 +- build/int.cloudbuild.yaml | 2 +- build/lint.cloudbuild.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 942ff8cb78..d7e7e3bd72 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.21 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.22 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd DOCKER_BIN ?= docker diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 47ece2199e..1b66772fb6 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -560,6 +560,6 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.21' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.22' options: machineType: 'N1_HIGHCPU_8' diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index 8a067a2f7f..be1f1587dd 100644 --- a/build/lint.cloudbuild.yaml 
+++ b/build/lint.cloudbuild.yaml @@ -22,7 +22,7 @@ tags: - 'lint' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.21' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.22' options: machineType: 'N1_HIGHCPU_8' env: From c0f05fbbaf0c42a2a3330695ed7a852c8a6c4378 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 1 Aug 2024 00:37:53 +0000 Subject: [PATCH 114/176] chore(deps): Update module github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test to v0.16.1 (#2020) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 8 ++++---- test/integration/go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 1aea1894ab..34f750adcd 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -5,7 +5,7 @@ go 1.22 toolchain go1.22.5 require ( - github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.0 + github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1 github.com/gruntwork-io/terratest v0.47.0 github.com/stretchr/testify v1.9.0 github.com/tidwall/gjson v1.17.1 @@ -51,7 +51,7 @@ require ( github.com/hashicorp/go-version v1.6.0 // indirect github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f // indirect github.com/hashicorp/hcl/v2 v2.20.1 // indirect - github.com/hashicorp/terraform-config-inspect v0.0.0-20240607080351-271db412dbcb // indirect + github.com/hashicorp/terraform-config-inspect v0.0.0-20240701073647-9fc3669f7553 // indirect github.com/hashicorp/terraform-json v0.22.1 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/jinzhu/copier v0.4.0 // indirect 
@@ -82,7 +82,7 @@ require ( github.com/zclconf/go-cty v1.14.4 // indirect go.opencensus.io v0.24.0 // indirect golang.org/x/crypto v0.21.0 // indirect - golang.org/x/mod v0.18.0 // indirect + golang.org/x/mod v0.19.0 // indirect golang.org/x/net v0.23.0 // indirect golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.4.0 // indirect @@ -109,7 +109,7 @@ require ( k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect + sigs.k8s.io/kustomize/kyaml v0.17.2 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/test/integration/go.sum b/test/integration/go.sum index de2010ae10..6e12dea816 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.0 h1:1rjUGjXuTnVp/RANDMfCRnDsUi0lIFJUQf4K1aPf5YE= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.0/go.mod h1:EJ+GwRNr/M3wZmmsaBpoUYgQ31+IO+y3sOtKIxw48PI= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1 h1:IfsF5yta+pslEAWF1QYFSP/3obWsjLQzFyEKJYAhzos= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1/go.mod h1:Bop47HzdH60K1rPgNRNqBHrBWhhmqCBG9Y4Y5PEn9fE= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
@@ -399,8 +399,8 @@ github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f h1:UdxlrJz4JOnY8W+Db github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w= github.com/hashicorp/hcl/v2 v2.20.1 h1:M6hgdyz7HYt1UN9e61j+qKJBqR3orTWbI1HKBJEdxtc= github.com/hashicorp/hcl/v2 v2.20.1/go.mod h1:TZDqQ4kNKCbh1iJp99FdPiUaVDDUPivbqxZulxDYqL4= -github.com/hashicorp/terraform-config-inspect v0.0.0-20240607080351-271db412dbcb h1:6gCfY5aQdQgRr0G5VDjnV5ENpd+hTamWaZfVz+lJ724= -github.com/hashicorp/terraform-config-inspect v0.0.0-20240607080351-271db412dbcb/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI= +github.com/hashicorp/terraform-config-inspect v0.0.0-20240701073647-9fc3669f7553 h1:ApSEBSu6EhcJWCdwSMd1VbQUeJDtB1jAOHfIxjZyMTc= +github.com/hashicorp/terraform-config-inspect v0.0.0-20240701073647-9fc3669f7553/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI= github.com/hashicorp/terraform-json v0.22.1 h1:xft84GZR0QzjPVWs4lRUwvTcPnegqlyS7orfb5Ltvec= github.com/hashicorp/terraform-json v0.22.1/go.mod h1:JbWSQCLFSXFFhg42T7l9iJwdGXBYV8fmmD6o/ML4p3A= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= 
@@ -571,8 +571,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1080,8 +1080,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= -sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= +sigs.k8s.io/kustomize/kyaml v0.17.2 h1:+AzvoJUY0kq4QAhH/ydPHHMRLijtUKiyVyh7fOSshr0= +sigs.k8s.io/kustomize/kyaml v0.17.2/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= From 7f31e96141308f8c00c178b1dd6d525ca233eddc Mon Sep 17 00:00:00 2001 
From: arthurpang Date: Thu, 1 Aug 2024 10:14:34 -0700 Subject: [PATCH 115/176] feat: extend enable_secret_manager_addon to beta-autopilot clusters (#2017) Co-authored-by: Andrew Peabody --- autogen/main/cluster.tf.tmpl | 14 +++++++------- autogen/main/variables.tf.tmpl | 11 +++++------ modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 7 +++++++ .../beta-autopilot-private-cluster/variables.tf | 5 +++++ modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-public-cluster/variables.tf | 5 +++++ .../beta-private-cluster-update-variant/cluster.tf | 14 +++++++------- .../variables.tf | 11 +++++------ modules/beta-private-cluster/cluster.tf | 14 +++++++------- modules/beta-private-cluster/variables.tf | 11 +++++------ .../beta-public-cluster-update-variant/cluster.tf | 14 +++++++------- .../variables.tf | 11 +++++------ modules/beta-public-cluster/cluster.tf | 14 +++++++------- modules/beta-public-cluster/variables.tf | 11 +++++------ 16 files changed, 86 insertions(+), 65 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index f1c0d104f2..def77a3011 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -228,13 +228,6 @@ resource "google_container_cluster" "primary" { enable_intranode_visibility = var.enable_intranode_visibility {% if beta_cluster %} - dynamic "secret_manager_config" { - for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] - content { - enabled = secret_manager_config.value - } - } - dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { 
@@ -249,6 +242,13 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy {% if beta_cluster %} + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + enable_fqdn_network_policy = var.enable_fqdn_network_policy {% endif %} {% if autopilot_cluster %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 2affa9c1fb..79f0381a7b 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -593,6 +593,11 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} {% endif %} variable "enable_cilium_clusterwide_network_policy" { @@ -889,12 +894,6 @@ variable "enable_pod_security_policy" { default = false } -variable "enable_secret_manager_addon" { - description = "(Beta) Enable the Secret Manager add-on for this cluster" - type = bool - default = false -} - variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 7ee5aebd0c..cf9f3b1eff 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
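Review bot: The relocated `secret_manager_config` block keeps the `for_each = var.enable_secret_manager_addon ? [...] : []` toggle, so with the variable at `false` no block is sent at all; whether that actually switches the add-on off on a cluster where it was previously enabled depends on how the provider treats the absent block, which is worth confirming now that the block is generated into the autopilot modules as well. A plain `secret_manager_config { enabled = var.enable_secret_manager_addon }` would express the intent without depending on that behaviour. The same block appears in modules/beta-autopilot-private-cluster/cluster.tf and modules/beta-autopilot-public-cluster/cluster.tf below. The enclosing `google_container_cluster` resource starts and ends outside the hunk.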
@@ -97,6 +97,7 @@ Then perform the following commands on the root folder: | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | +| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index a7283e1e35..dde13721b3 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -89,6 +89,13 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 93212a7de1..3b2be13fc7 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -399,6 +399,11 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} variable "enable_cilium_clusterwide_network_policy" { type = bool diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 17d495b60c..0c5d037049 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -88,6 +88,7 @@ Then perform the following commands on the root folder: | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | +| enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index ff4c88b6f2..b94e730990 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -89,6 +89,13 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index f3cf4f094e..e5d50f44f7 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -369,6 +369,11 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} variable "enable_cilium_clusterwide_network_policy" { type = bool diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 5b35e79efa..05d10baefa 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -191,13 +191,6 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility - dynamic "secret_manager_config" { - for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] - content { - enabled = secret_manager_config.value - } - } - dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { @@ -209,6 +202,13 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 54a4c1e365..89cc5ec60b 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -568,6 +568,11 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} variable "enable_cilium_clusterwide_network_policy" { type = bool @@ -849,12 +854,6 @@ variable "enable_pod_security_policy" { default = false } -variable "enable_secret_manager_addon" { - description = "(Beta) Enable the Secret Manager add-on for this cluster" - type = bool - default = false -} - variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." 
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index d430b2f90c..0dcb07caf4 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -191,13 +191,6 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility - dynamic "secret_manager_config" { - for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] - content { - enabled = secret_manager_config.value - } - } - dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { @@ -209,6 +202,13 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 54a4c1e365..89cc5ec60b 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -568,6 +568,11 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} variable "enable_cilium_clusterwide_network_policy" { type = bool 
@@ -849,12 +854,6 @@ variable "enable_pod_security_policy" { default = false } -variable "enable_secret_manager_addon" { - description = "(Beta) Enable the Secret Manager add-on for this cluster" - type = bool - default = false -} - variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index a61f0f88b6..f86da1000f 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -191,13 +191,6 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility - dynamic "secret_manager_config" { - for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] - content { - enabled = secret_manager_config.value - } - } - dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { @@ -209,6 +202,13 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 8458e313b4..08394e52fa 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -538,6 +538,11 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_secret_manager_addon" { + description = "(Beta) Enable the Secret Manager add-on for this cluster" + type = bool + default = false +} variable "enable_cilium_clusterwide_network_policy" { type = bool @@ -819,12 +824,6 @@ variable "enable_pod_security_policy" { default = false } -variable "enable_secret_manager_addon" { - description = "(Beta) Enable the Secret Manager add-on for this cluster" - type = bool - default = false -} - variable "sandbox_enabled" { type = bool description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)." diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 0261482a09..29f4d951ed 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -191,13 +191,6 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_intranode_visibility = var.enable_intranode_visibility - dynamic "secret_manager_config" { - for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] - content { - enabled = secret_manager_config.value - } - } - dynamic "pod_security_policy_config" { for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { @@ -209,6 +202,13 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + dynamic "secret_manager_config" { + for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] + content { + enabled = secret_manager_config.value + } + } + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config 
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 8458e313b4..08394e52fa 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -538,6 +538,11 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+variable "enable_secret_manager_addon" {
+ description = "(Beta) Enable the Secret Manager add-on for this cluster"
+ type = bool
+ default = false
+}
 variable "enable_cilium_clusterwide_network_policy" {
 type = bool
@@ -819,12 +824,6 @@ variable "enable_pod_security_policy" {
 default = false
 }
-variable "enable_secret_manager_addon" {
- description = "(Beta) Enable the Secret Manager add-on for this cluster"
- type = bool
- default = false
-}
-
 variable "sandbox_enabled" {
 type = bool
 description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
From b4f2e14a39140451f420ea259dc29da4f34129f9 Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik
Date: Thu, 1 Aug 2024 15:57:47 -0400
Subject: [PATCH 116/176] feat: support workload_identity_config on autopilot (#2011)
Co-authored-by: Andrew Peabody
---
 autogen/main/cluster.tf.tmpl | 2 --
 modules/beta-autopilot-private-cluster/cluster.tf | 7 +++++++
 modules/beta-autopilot-public-cluster/cluster.tf | 7 +++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index def77a3011..c62a16365f 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -601,7 +601,6 @@ resource "google_container_cluster" "primary" {
 }
 }
- {% if autopilot_cluster != true %}
 dynamic "workload_identity_config" {
 for_each = local.cluster_workload_identity_config
@@ -609,7 +608,6 @@ resource "google_container_cluster" "primary" {
 workload_pool = workload_identity_config.value.workload_pool
 }
 }
- {% endif %}
 {% if autopilot_cluster != true %}
 dynamic "mesh_certificates" {
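Review bot: Nothing in the `autogen/main/cluster.tf.tmpl` hunks explains why `workload_identity_config` is now rendered for Autopilot as well — the `{% if autopilot_cluster != true %}` guard is dropped without a comment, and `local.cluster_workload_identity_config`, which drives the block, is defined outside the hunk. Autopilot clusters have Workload Identity enabled by GKE itself, so the only thing this block can change there is the `workload_pool` value; a template comment above the block, `# Also rendered for Autopilot: Workload Identity is always on there, this only makes workload_pool explicit`, would stop a future reader from re-adding the guard. If the local can evaluate to an empty list for an Autopilot module (presumably via the identity_namespace input), it is worth confirming that the provider then leaves the cluster's always-present pool alone instead of reporting a perpetual diff. The two autopilot cluster.tf hunks that follow are the rendered copies of this change.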
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index dde13721b3..e31caa28ff 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -290,6 +290,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "workload_identity_config" { + for_each = local.cluster_workload_identity_config + + content { + workload_pool = workload_identity_config.value.workload_pool + } + } dynamic "authenticator_groups_config" { diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index b94e730990..63b92d253e 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -271,6 +271,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "workload_identity_config" { + for_each = local.cluster_workload_identity_config + + content { + workload_pool = workload_identity_config.value.workload_pool + } + } dynamic "authenticator_groups_config" { From 7a2e9b8e6d7fbb6c4986cce2c8484be58ec1c82e Mon Sep 17 00:00:00 2001 
From: Paul Bonser Date: Fri, 2 Aug 2024 15:26:06 -0500 Subject: [PATCH 117/176] feat: add optional private_endpoint_subnetwork variable in private submodules (#2009) --- autogen/main/cluster.tf.tmpl | 14 ++++++++------ autogen/main/variables.tf.tmpl | 6 ++++++ modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 14 ++++++++------ .../beta-autopilot-private-cluster/variables.tf | 6 ++++++ .../beta-private-cluster-update-variant/README.md | 1 + .../beta-private-cluster-update-variant/cluster.tf | 14 ++++++++------ .../variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 14 ++++++++------ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 14 ++++++++------ .../private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 14 ++++++++------ modules/private-cluster/variables.tf | 6 ++++++ 17 files changed, 89 insertions(+), 36 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index c62a16365f..0d2a75192d 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -569,15 +569,17 @@ resource "google_container_cluster" "primary" {
 {% if private_cluster %}
 dynamic "private_cluster_config" {
 for_each = var.enable_private_nodes ? [{
- enable_private_nodes = var.enable_private_nodes,
- enable_private_endpoint = var.enable_private_endpoint
- master_ipv4_cidr_block = var.master_ipv4_cidr_block
+ enable_private_nodes = var.enable_private_nodes,
+ enable_private_endpoint = var.enable_private_endpoint
+ master_ipv4_cidr_block = var.master_ipv4_cidr_block
+ private_endpoint_subnetwork = var.private_endpoint_subnetwork
 }] : []
 content {
- enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
- enable_private_nodes = private_cluster_config.value.enable_private_nodes
- master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
+ enable_private_endpoint = private_cluster_config.value.enable_private_endpoint
+ enable_private_nodes = private_cluster_config.value.enable_private_nodes
+ master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block
+ private_endpoint_subnetwork = private_cluster_config.value.private_endpoint_subnetwork
 dynamic "master_global_access_config" {
 for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : []
 content {
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 79f0381a7b..196d4065f5 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -469,6 +469,12 @@ variable "master_ipv4_cidr_block" {
 {% endif %}
 }
+variable "private_endpoint_subnetwork" {
+ type = string
+ description = "The subnetwork to use for the hosted master network."
+ default = null
+}
+
 variable "master_global_access_enabled" {
 type = bool
 description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint."
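Review bot: The new `private_endpoint_subnetwork` is sent in the same `private_cluster_config` as `master_ipv4_cidr_block`, yet neither the template hunk nor the new variable's description says how the two relate; in the non-autopilot private modules `master_ipv4_cidr_block` defaults to `"10.0.0.0/28"` (visible in the three private-module variables.tf hunks further down this page), so a caller who sets only the subnetwork will still pass a peering-style CIDR alongside a PSC-style subnetwork. I believe GKE treats these as alternative control-plane addressing modes (VPC peering vs. Private Service Connect) and rejects the combination — worth confirming against the API, but either way the description should say which applies, e.g. `description = "The subnetwork to use for the hosted master network (Private Service Connect based control plane). When set, leave master_ipv4_cidr_block null; the two are alternative addressing modes."`. The same description is duplicated verbatim into the five module variables.tf hunks that follow, so the template is the place to fix it.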
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index cf9f3b1eff..2f6b48b146 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -132,6 +132,7 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | +| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index e31caa28ff..0a8fd598b6 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf 
@@ -262,15 +262,17 @@ resource "google_container_cluster" "primary" { dynamic "private_cluster_config" { for_each = var.enable_private_nodes ? [{ - enable_private_nodes = var.enable_private_nodes, - enable_private_endpoint = var.enable_private_endpoint - master_ipv4_cidr_block = var.master_ipv4_cidr_block + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + private_endpoint_subnetwork = var.private_endpoint_subnetwork }] : [] content { - enable_private_endpoint = private_cluster_config.value.enable_private_endpoint - enable_private_nodes = private_cluster_config.value.enable_private_nodes - master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + private_endpoint_subnetwork = private_cluster_config.value.private_endpoint_subnetwork dynamic "master_global_access_config" { for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : [] content { diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 3b2be13fc7..c39bf7b18a 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -288,6 +288,12 @@ variable "master_ipv4_cidr_block" { default = null } +variable "private_endpoint_subnetwork" { + type = string + description = "The subnetwork to use for the hosted master network." + default = null +} + variable "master_global_access_enabled" { type = bool description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." 
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 67f67570fb..9cb57ee6dc 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -273,6 +273,7 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | +| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 05d10baefa..08f0929170 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -490,15 +490,17 @@ resource "google_container_cluster" "primary" { dynamic "private_cluster_config" { for_each = var.enable_private_nodes ? [{ - enable_private_nodes = var.enable_private_nodes, - enable_private_endpoint = var.enable_private_endpoint - master_ipv4_cidr_block = var.master_ipv4_cidr_block + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + private_endpoint_subnetwork = var.private_endpoint_subnetwork }] : [] content { - enable_private_endpoint = private_cluster_config.value.enable_private_endpoint - enable_private_nodes = private_cluster_config.value.enable_private_nodes - master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + private_endpoint_subnetwork = private_cluster_config.value.private_endpoint_subnetwork dynamic "master_global_access_config" { for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : [] content { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 89cc5ec60b..6f7addac77 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -452,6 +452,12 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } +variable "private_endpoint_subnetwork" { + type = string + description = "The subnetwork to use for the hosted master network." + default = null +} + variable "master_global_access_enabled" { type = bool description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." 
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 657aeeab2b..ce5f9edebb 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -251,6 +251,7 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | +| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 0dcb07caf4..4293081a77 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -490,15 +490,17 @@ resource "google_container_cluster" "primary" { dynamic "private_cluster_config" { for_each = var.enable_private_nodes ? [{ - enable_private_nodes = var.enable_private_nodes, - enable_private_endpoint = var.enable_private_endpoint - master_ipv4_cidr_block = var.master_ipv4_cidr_block + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + private_endpoint_subnetwork = var.private_endpoint_subnetwork }] : [] content { - enable_private_endpoint = private_cluster_config.value.enable_private_endpoint - enable_private_nodes = private_cluster_config.value.enable_private_nodes - master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + private_endpoint_subnetwork = private_cluster_config.value.private_endpoint_subnetwork dynamic "master_global_access_config" { for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : [] content { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 89cc5ec60b..6f7addac77 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -452,6 +452,12 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } +variable "private_endpoint_subnetwork" { + type = string + description = "The subnetwork to use for the hosted master network." + default = null +} + variable "master_global_access_enabled" { type = bool description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." 
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index f4cce9271f..d081dc81b1 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -258,6 +258,7 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | +| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 7a6a74556f..12705fc437 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -436,15 +436,17 @@ resource "google_container_cluster" "primary" { dynamic "private_cluster_config" { for_each = var.enable_private_nodes ? [{ - enable_private_nodes = var.enable_private_nodes, - enable_private_endpoint = var.enable_private_endpoint - master_ipv4_cidr_block = var.master_ipv4_cidr_block + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + private_endpoint_subnetwork = var.private_endpoint_subnetwork }] : [] content { - enable_private_endpoint = private_cluster_config.value.enable_private_endpoint - enable_private_nodes = private_cluster_config.value.enable_private_nodes - master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + private_endpoint_subnetwork = private_cluster_config.value.private_endpoint_subnetwork dynamic "master_global_access_config" { for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : [] content { diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index f1cff54bdd..9620249913 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -446,6 +446,12 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } +variable "private_endpoint_subnetwork" { + type = string + description = "The subnetwork to use for the hosted master network." + default = null +} + variable "master_global_access_enabled" { type = bool description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." 
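Review bot: Same concern as in the beta module: `private_endpoint_subnetwork` is now sent together with `master_ipv4_cidr_block`, whose default `10.0.0.0/28` survives in the variables.tf hunk on this line, so if the two are mutually exclusive on the API side a user who sets the subnetwork will only find out at apply time. A one-line guard in the `content` block, `master_ipv4_cidr_block = private_cluster_config.value.private_endpoint_subnetwork == null ? private_cluster_config.value.master_ipv4_cidr_block : null`, would make the module pick the right mode automatically; please verify the constraint against the provider docs. The variable description "The subnetwork to use for the hosted master network." should also name the relationship to `master_ipv4_cidr_block` and that the subnetwork must live in the cluster's VPC, since this decides where the private control-plane endpoint is reachable from. The `google_container_cluster.primary` resource continues outside the hunk.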
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 3e4b65d152..9aee5725fa 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -236,6 +236,7 @@ Then perform the following commands on the root folder: | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | +| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 334bcc2e8d..907ac71839 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -436,15 +436,17 @@ resource "google_container_cluster" "primary" { dynamic "private_cluster_config" { for_each = var.enable_private_nodes ? [{ - enable_private_nodes = var.enable_private_nodes, - enable_private_endpoint = var.enable_private_endpoint - master_ipv4_cidr_block = var.master_ipv4_cidr_block + enable_private_nodes = var.enable_private_nodes, + enable_private_endpoint = var.enable_private_endpoint + master_ipv4_cidr_block = var.master_ipv4_cidr_block + private_endpoint_subnetwork = var.private_endpoint_subnetwork }] : [] content { - enable_private_endpoint = private_cluster_config.value.enable_private_endpoint - enable_private_nodes = private_cluster_config.value.enable_private_nodes - master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + enable_private_endpoint = private_cluster_config.value.enable_private_endpoint + enable_private_nodes = private_cluster_config.value.enable_private_nodes + master_ipv4_cidr_block = private_cluster_config.value.master_ipv4_cidr_block + private_endpoint_subnetwork = private_cluster_config.value.private_endpoint_subnetwork dynamic "master_global_access_config" { for_each = var.master_global_access_enabled ? [var.master_global_access_enabled] : [] content { diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index f1cff54bdd..9620249913 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -446,6 +446,12 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } +variable "private_endpoint_subnetwork" { + type = string + description = "The subnetwork to use for the hosted master network." + default = null +} + variable "master_global_access_enabled" { type = bool description = "Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint." From ac76d4d50d1fb17e7430facd06f22fe66a5c08ee Mon Sep 17 00:00:00 2001 
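Review bot: As in the other two variants, `master_ipv4_cidr_block` is still always populated (default `10.0.0.0/28` in the variables.tf hunk on this line) even when the new `private_endpoint_subnetwork` is given; if the API rejects both being set, this fails only at apply time. Guarding it with `master_ipv4_cidr_block = private_cluster_config.value.private_endpoint_subnetwork == null ? private_cluster_config.value.master_ipv4_cidr_block : null` and stating the mutual exclusion in the variable description would avoid that — confirm the constraint in the provider docs before relying on it. Since this file is generated from `autogen/main/cluster.tf.tmpl`, the fix belongs in the template rather than here. The enclosing resource continues outside the hunk.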
From: Ilia Lazebnik Date: Mon, 5 Aug 2024 14:34:05 -0400 Subject: [PATCH 118/176] fix: add missing gpu node pool param docs (#2023) --- README.md | 2 ++ autogen/main/README.md | 2 ++ autogen/main/cluster.tf.tmpl | 2 +- modules/beta-private-cluster-update-variant/README.md | 2 ++ modules/beta-private-cluster/README.md | 2 ++ modules/beta-public-cluster-update-variant/README.md | 2 ++ modules/beta-public-cluster/README.md | 2 ++ modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster/README.md | 2 ++ 9 files changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6d2779c8d6..c613c058f1 100644 --- a/README.md +++ b/README.md 
@@ -352,6 +352,8 @@ The node_pools variable takes the following parameters: | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | +| gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | +| max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/autogen/main/README.md b/autogen/main/README.md index 0d4c6feefc..9ac2b3e48f 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -258,6 +258,8 @@ The node_pools variable takes the following parameters: | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | +| gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | +| max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 0d2a75192d..54fe2bd5c1 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -984,7 +984,7 @@ resource "google_container_node_pool" "windows_pools" { dynamic "gpu_sharing_config" { for_each = lookup(each.value, "gpu_sharing_strategy", "") != "" ? [1] : [] content { - gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") + gpu_sharing_strategy = lookup(each.value, "gpu_sharing_strategy", "") max_shared_clients_per_gpu = lookup(each.value, "max_shared_clients_per_gpu", 2) } } diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 9cb57ee6dc..ca27dee35c 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -411,6 +411,8 @@ The node_pools variable takes the following parameters: | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | +| gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | +| max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index ce5f9edebb..aad2316a01 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -389,6 +389,8 @@ The node_pools variable takes the following parameters: | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | +| gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | +| max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 201d31846c..b93d287d4f 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -398,6 +398,8 @@ The node_pools variable takes the following parameters: | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | +| gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | +| max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 31dbe3d9a7..0b058af246 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -376,6 +376,8 @@ The node_pools variable takes the following parameters: | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | +| gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | +| max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index d081dc81b1..65b6115096 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -387,6 +387,8 @@ The node_pools variable takes the following parameters: | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | +| gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | +| max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 9aee5725fa..7b0f85eac3 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -365,6 +365,8 @@ The node_pools variable takes the following parameters: | location_policy | [Location policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#location_policy) specifies the algorithm used when scaling-up the node pool. Location policy is supported only in 1.24.1+ clusters. | " " | Optional | | secondary_boot_disk | Image of a secondary boot disk to preload container images and data on new nodes. For detail see [documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_secondary_boot_disks). `gcfs_config` must be `enabled=true` for this feature to work. | | Optional | | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | +| gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | +| max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. From 177166af9a5cd5953734d00c45bb7c51d04e149c Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 11:34:52 -0700 Subject: [PATCH 119/176] chore(deps): Update module github.com/tidwall/gjson to v1.17.2 (#2025) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 2 +- test/integration/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 34f750adcd..73af9213ee 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -8,7 +8,7 @@ require ( github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1 github.com/gruntwork-io/terratest v0.47.0 github.com/stretchr/testify v1.9.0 - github.com/tidwall/gjson v1.17.1 + github.com/tidwall/gjson v1.17.2 ) require ( diff --git a/test/integration/go.sum b/test/integration/go.sum index 6e12dea816..0bf392458a 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum @@ -489,8 +489,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= -github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U= -github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.17.2 h1:YlBFFaxZdSXKP8zhqh5CRbk0wL7oCAU3D+JJLU5pE7U= +github.com/tidwall/gjson v1.17.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= 
From be88d197d1d560cf508ddf1f4d026e9d2b91bbc9 Mon Sep 17 00:00:00 2001 From: Bo Anderson Date: Mon, 5 Aug 2024 21:40:59 +0100 Subject: [PATCH 120/176] fix: skip service account `random_string` when not needed (#2024) Co-authored-by: Andrew Peabody --- autogen/main/sa.tf.tmpl | 3 ++- modules/beta-autopilot-private-cluster/sa.tf | 3 ++- modules/beta-autopilot-public-cluster/sa.tf | 3 ++- modules/beta-private-cluster-update-variant/sa.tf | 3 ++- modules/beta-private-cluster/sa.tf | 3 ++- modules/beta-public-cluster-update-variant/sa.tf | 3 ++- modules/beta-public-cluster/sa.tf | 3 ++- modules/private-cluster-update-variant/sa.tf | 3 ++- modules/private-cluster/sa.tf | 3 ++- sa.tf | 3 ++- 10 files changed, 20 insertions(+), 10 deletions(-) diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl index f38e3a8687..f0cfb0b19d 100644 --- a/autogen/main/sa.tf.tmpl +++ b/autogen/main/sa.tf.tmpl @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account @@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf index fe36dadd32..34106c5e62 100644 
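Review bot: Adding `count` to `random_string.cluster_service_account_suffix` changes its state address to `random_string.cluster_service_account_suffix[0]`, so every existing caller that relies on the default name will see Terraform plan to destroy and recreate the suffix on upgrade; a new suffix means a new `tf-gke-<name>-<suffix>` service account, which would likely recreate the node service account, lose any IAM bindings granted to the old identity, and roll the node pools that reference it. A `moved` block next to the resource carries existing state across without a diff: `moved { from = random_string.cluster_service_account_suffix, to = random_string.cluster_service_account_suffix[0] }` (one attribute per line; requires Terraform ≥ 1.1, so check the module's `required_version`). It is also worth confirming that nothing else in `sa.tf` reads `local.service_account_default_name` unconditionally now that it can be `null` — its consumer is outside this hunk. Because the module `sa.tf` files are generated from this template, the `moved` block should be added here so it propagates to all ten copies.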
--- a/modules/beta-autopilot-private-cluster/sa.tf +++ b/modules/beta-autopilot-private-cluster/sa.tf @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account @@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf index fe36dadd32..34106c5e62 100644 --- a/modules/beta-autopilot-public-cluster/sa.tf +++ b/modules/beta-autopilot-public-cluster/sa.tf @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account 
@@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf index fe36dadd32..34106c5e62 100644 --- a/modules/beta-private-cluster-update-variant/sa.tf +++ b/modules/beta-private-cluster-update-variant/sa.tf @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account @@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index fe36dadd32..34106c5e62 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf 
@@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account @@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf index fe36dadd32..34106c5e62 100644 --- a/modules/beta-public-cluster-update-variant/sa.tf +++ b/modules/beta-public-cluster-update-variant/sa.tf @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account 
@@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index fe36dadd32..34106c5e62 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account @@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false diff --git a/modules/private-cluster-update-variant/sa.tf b/modules/private-cluster-update-variant/sa.tf index da1930c7b3..72d044a4c9 100644 --- a/modules/private-cluster-update-variant/sa.tf +++ b/modules/private-cluster-update-variant/sa.tf 
@@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account @@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf index da1930c7b3..72d044a4c9 100644 --- a/modules/private-cluster/sa.tf +++ b/modules/private-cluster/sa.tf @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account 
@@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false diff --git a/sa.tf b/sa.tf index da1930c7b3..72d044a4c9 100644 --- a/sa.tf +++ b/sa.tf @@ -23,7 +23,7 @@ locals { ["dummy"], ), ) - service_account_default_name = "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix.result}" + service_account_default_name = var.create_service_account && var.service_account_name == "" ? "tf-gke-${substr(var.name, 0, min(15, length(var.name)))}-${random_string.cluster_service_account_suffix[0].result}" : null // if user set var.service_account it will be used even if var.create_service_account==true, so service account will be created but not used service_account = (var.service_account == "" || var.service_account == "create") && var.create_service_account ? local.service_account_list[0] : var.service_account @@ -32,6 +32,7 @@ locals { } resource "random_string" "cluster_service_account_suffix" { + count = var.create_service_account && var.service_account_name == "" ? 1 : 0 upper = false lower = true special = false From e298e7492c32d61a1387912c3525cd610434912d Mon Sep 17 00:00:00 2001 
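Review bot: The new `count` on `random_string.cluster_service_account_suffix` and the `null` branch of `service_account_default_name` key on `var.service_account_name`, while the `service_account` local two lines below still keys on `var.service_account` (`""` / `"create"`), so a caller who passes an existing account through `var.service_account` with `create_service_account = true` still gets a suffix and default name generated and, per the existing inline comment, an unused service account created. If that account receives role bindings in the part of sa.tf outside this hunk, it is an idle privileged identity nobody is watching; the gate could be tightened to `count = var.create_service_account && var.service_account_name == "" && (var.service_account == "" || var.service_account == "create") ? 1 : 0`, but only together with the `google_service_account` resource, which this hunk does not show. Since `service_account_default_name` can now be `null`, every consumer of it — presumably the `account_id` of that resource — must be conditioned on the same expression, or apply fails on a null required argument. A one-line comment over the `count`, e.g. `# suffix is only needed when the module generates the SA name itself; service_account_name wins over the generated name`, would record the precedence the conditional encodes.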
From: Ilia Lazebnik Date: Mon, 5 Aug 2024 19:40:40 -0400 Subject: [PATCH 121/176] feat: support enable_nested_virtualization (#2012) Co-authored-by: Andrew Peabody --- README.md | 1 + autogen/main/README.md | 1 + autogen/main/cluster.tf.tmpl | 5 ++-- cluster.tf | 10 +++++--- examples/node_pool/main.tf | 6 +++++ .../README.md | 1 + .../cluster.tf | 10 +++++--- modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 10 +++++--- .../README.md | 1 + .../cluster.tf | 10 +++++--- modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 10 +++++--- .../private-cluster-update-variant/README.md | 1 + .../private-cluster-update-variant/cluster.tf | 10 +++++--- modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 10 +++++--- test/integration/node_pool/controls/gcloud.rb | 25 +++++++++++++++++-- 18 files changed, 82 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index c613c058f1..fb7c7d10c0 100644 --- a/README.md +++ b/README.md 
@@ -328,6 +328,7 @@ The node_pools variable takes the following parameters: | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | | threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | +| enable_nested_virtualization | Whether the node should have nested virtualization | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/autogen/main/README.md b/autogen/main/README.md index 9ac2b3e48f..89b4864b62 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -229,6 +229,7 @@ The node_pools variable takes the following parameters: | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | | threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | +| enable_nested_virtualization | Whether the node should have nested virtualization | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 54fe2bd5c1..f6ce8f76c4 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -992,9 +992,10 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } diff --git a/cluster.tf b/cluster.tf index 8d2d83198e..adbe5b64a5 100644 --- a/cluster.tf +++ b/cluster.tf @@ -697,9 +697,10 @@ resource "google_container_node_pool" "pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } @@ -970,9 +971,10 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index 8da1827934..1bb3bdba37 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf 
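Review bot: Nothing in the template says what `enable_nested_virtualization` changes about the node VM, and the `for_each` gate on `dynamic "advanced_machine_features"` now fires for either setting, so a reader sees two unrelated CPU knobs in one block with no rationale. Nested virtualization lets workloads on the pool run their own hypervisor inside the node VM and is normally wanted only for VM-in-pod style workloads, so I would put `# advanced_machine_features: SMT (threads_per_core) and nested virtualization; the latter lets pods on this pool run their own hypervisor — enable only on pools that need it` above the block and mirror the caveat in the README row, which currently reads only "Whether the node should have nested virtualization". Note also that when only `enable_nested_virtualization` is set, the block now sends `threads_per_core = 0` from the lookup default where previously no block was emitted at all; this relies on the API treating 0 as "unset", which I believe it does but have not verified here. The enclosing `google_container_node_pool` resource starts outside the hunk.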
@@ -87,6 +87,12 @@ module "gke" { service_account = var.compute_engine_service_account queued_provisioning = true }, + { + name = "pool-05" + machine_type = "n1-standard-2" + node_count = 1 + enable_nested_virtualization = true + }, ] node_pools_metadata = { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index ca27dee35c..cc7b787385 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -387,6 +387,7 @@ The node_pools variable takes the following parameters: | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | | threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | +| enable_nested_virtualization | Whether the node should have nested virtualization | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 08f0929170..16c11ede8a 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -868,9 +868,10 @@ resource "google_container_node_pool" "pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } @@ -1155,9 +1156,10 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index aad2316a01..aba9715309 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -365,6 +365,7 @@ The node_pools variable takes the following parameters: | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | | threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | +| enable_nested_virtualization | Whether the node should have nested virtualization | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 4293081a77..4b2f5e73c8 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -788,9 +788,10 @@ resource "google_container_node_pool" "pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } @@ -1074,9 +1075,10 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index b93d287d4f..6266e63997 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -373,6 +373,7 @@ The node_pools variable takes the following parameters: | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | | threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | +| enable_nested_virtualization | Whether the node should have nested virtualization | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index f86da1000f..1e15c7cff5 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf 
@@ -847,9 +847,10 @@ resource "google_container_node_pool" "pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } @@ -1134,9 +1135,10 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 0b058af246..b7b11e85bd 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -351,6 +351,7 @@ The node_pools variable takes the following parameters: | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | | threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | +| enable_nested_virtualization | Whether the node should have nested virtualization | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 29f4d951ed..5bb1c0ce50 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -767,9 +767,10 @@ resource "google_container_node_pool" "pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } @@ -1053,9 +1054,10 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 65b6115096..c2579846a7 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -364,6 +364,7 @@ The node_pools variable takes the following parameters: | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | | threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | +| enable_nested_virtualization | Whether the node should have nested virtualization | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 12705fc437..07b47d971b 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -798,9 +798,10 @@ resource "google_container_node_pool" "pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } @@ -1072,9 +1073,10 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 7b0f85eac3..911ad288f9 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -342,6 +342,7 @@ The node_pools variable takes the following parameters: | max_pods_per_node | The maximum number of pods per node in this cluster | null | Optional | | strategy | The upgrade stragey to be used for upgrading the nodes. Valid values of state are: `SURGE` or `BLUE_GREEN` | "SURGE" | Optional | | threads_per_core | Optional The number of threads per physical core. To disable simultaneous multithreading (SMT) set this to 1. If unset, the maximum number of threads supported per core by the underlying processor is assumed | null | Optional | +| enable_nested_virtualization | Whether the node should have nested virtualization | null | Optional | | max_surge | The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater. Only works with `SURGE` strategy. | 1 | Optional | | max_unavailable | The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater. Only works with `SURGE` strategy. | 0 | Optional | | node_pool_soak_duration | Time needed after draining the entire blue pool. After this period, the blue pool will be cleaned up. By default, it is set to one hour (3600 seconds). The maximum length of the soak time is 7 days (604,800 seconds). Only works with `BLUE_GREEN` strategy. | "3600s" | Optional | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 907ac71839..dda05ae038 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -718,9 +718,10 @@ resource "google_container_node_pool" "pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } @@ -991,9 +992,10 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "advanced_machine_features" { - for_each = lookup(each.value, "threads_per_core", 0) > 0 ? [1] : [] + for_each = lookup(each.value, "threads_per_core", 0) > 0 || lookup(each.value, "enable_nested_virtualization", false) ? [1] : [] content { - threads_per_core = lookup(each.value, "threads_per_core", 0) + threads_per_core = lookup(each.value, "threads_per_core", 0) + enable_nested_virtualization = lookup(each.value, "enable_nested_virtualization", null) } } diff --git a/test/integration/node_pool/controls/gcloud.rb b/test/integration/node_pool/controls/gcloud.rb index e3da9d06b2..1d4437a127 100644 --- a/test/integration/node_pool/controls/gcloud.rb +++ b/test/integration/node_pool/controls/gcloud.rb @@ -62,8 +62,8 @@ describe "node pools" do let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" || p['name'] =~ %r{^nap-.*} } } - it "has 4" do - expect(node_pools.count).to eq 4 + it "has 5" do + expect(node_pools.count).to eq 5 end describe "pool-01" do 
@@ -514,6 +514,27 @@ ) end end + + describe "pool-05" do + it "exists" do + expect(data['nodePools']).to include( + including( + "name" => "pool-05", + ) + ) + end + + it "has enable_nested_virtualization enabled" do + expect(data['nodePools']).not_to include( + including( + "name" => "pool-05", + "advanced_machine_features" => including( + "enable_nested_virtualization" => true, + ), + ) + ) + end + end end end From 84baaf6fe697c69ce201a831056aef5111c5384e Mon Sep 17 00:00:00 2001 
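Review bot: The second `pool-05` example asserts `not_to include`, so it passes exactly when the feature is absent and never proves `enable_nested_virtualization` reached the node pool; the matcher also uses the snake_case keys `advanced_machine_features` / `enable_nested_virtualization`, whereas the `gcloud` JSON this spec reads uses camelCase (compare `nodePools` in the `let` earlier in the file), so it could not match even with the polarity fixed. Change it to a positive assertion on the camelCase path, nested under the pool's `config` if I recall the NodePool schema correctly: `expect(data['nodePools']).to include(including("name" => "pool-05", "config" => including("advancedMachineFeatures" => including("enableNestedVirtualization" => true))))`. As written, the new test would keep passing if the provider silently dropped the attribute.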
From: Ilia Lazebnik Date: Tue, 6 Aug 2024 12:34:43 -0400 Subject: [PATCH 122/176] feate: add resource_manager_tags (#2022) Co-authored-by: Andrew Peabody --- README.md | 1 + autogen/main/cluster.tf.tmpl | 4 ++++ autogen/main/variables.tf.tmpl | 10 ++++++++++ autogen/main/variables_defaults.tf.tmpl | 14 ++++++++++++++ cluster.tf | 8 ++++++++ .../beta-private-cluster-update-variant/README.md | 1 + .../beta-private-cluster-update-variant/cluster.tf | 8 ++++++++ .../variables.tf | 10 ++++++++++ .../variables_defaults.tf | 14 ++++++++++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 8 ++++++++ modules/beta-private-cluster/variables.tf | 10 ++++++++++ modules/beta-private-cluster/variables_defaults.tf | 14 ++++++++++++++ .../beta-public-cluster-update-variant/README.md | 1 + .../beta-public-cluster-update-variant/cluster.tf | 8 ++++++++ .../variables.tf | 10 ++++++++++ .../variables_defaults.tf | 14 ++++++++++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 8 ++++++++ modules/beta-public-cluster/variables.tf | 10 ++++++++++ modules/beta-public-cluster/variables_defaults.tf | 14 ++++++++++++++ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 8 ++++++++ .../private-cluster-update-variant/variables.tf | 10 ++++++++++ .../variables_defaults.tf | 14 ++++++++++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 8 ++++++++ modules/private-cluster/variables.tf | 10 ++++++++++ modules/private-cluster/variables_defaults.tf | 14 ++++++++++++++ variables.tf | 10 ++++++++++ variables_defaults.tf | 14 ++++++++++++++ 31 files changed, 259 insertions(+) diff --git a/README.md b/README.md index fb7c7d10c0..f5c28f6e8a 100644 --- a/README.md +++ b/README.md 
@@ -220,6 +220,7 @@ Then perform the following commands on the root folder: | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index f6ce8f76c4..899e27d7ef 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -890,6 +890,10 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 196d4065f5..25f8599b74 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -195,6 +195,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" diff --git a/autogen/main/variables_defaults.tf.tmpl b/autogen/main/variables_defaults.tf.tmpl index 3aa635a362..60e7e9051d 100644 --- a/autogen/main/variables_defaults.tf.tmpl +++ b/autogen/main/variables_defaults.tf.tmpl 
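Review bot: The description of `node_pools_resource_manager_tags` in `variables.tf.tmpl` says only "Map of maps containing resource manager tags by node-pool name", giving no hint of the key/value format or of what the tags do; as far as I know these tags are the selectors that tag-based network firewall policies and IAM conditions match on, so a mistyped key silently leaves the pool outside the intended firewall rules instead of failing. I would extend the description to read: 'Map of maps containing resource manager tags by node-pool name. Keys and values are tag IDs (tagKeys/123 / tagValues/456) or namespaced names; the tags drive tag-based network firewall policies, so a wrong tag silently changes the pool's firewall posture.' If the per-pool limit of five tag pairs I recall from the provider docs is right, a `validation` block on the variable that rejects entries with more than five pairs would move that failure to plan time, bearing in mind that cluster.tf merges the `all` entry into each pool's map, so the limit applies to the merged result. The README table row added in the same commit should carry the same wording.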
@@ -49,6 +49,20 @@ locals { var.node_pools_resource_labels ) + node_pools_resource_manager_tags = merge( + { all = {} }, + { default-node-pool = {} }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : {}] + ), + zipmap( + [for node_pool in var.windows_node_pools : node_pool["name"]], + [for node_pool in var.windows_node_pools : {}] + ), + var.node_pools_resource_manager_tags + ) + node_pools_metadata = merge( { all = {} }, { default-node-pool = {} }, diff --git a/cluster.tf b/cluster.tf index adbe5b64a5..47882590b9 100644 --- a/cluster.tf +++ b/cluster.tf @@ -603,6 +603,10 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, @@ -877,6 +881,10 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, 
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index cc7b787385..8434c562ba 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -268,6 +268,7 @@ Then perform the following commands on the root folder: | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 16c11ede8a..8b79fa7781 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -768,6 +768,10 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, @@ -1056,6 +1060,10 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 6f7addac77..daee991273 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -192,6 +192,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" diff --git a/modules/beta-private-cluster-update-variant/variables_defaults.tf b/modules/beta-private-cluster-update-variant/variables_defaults.tf index e4f3004771..435730c988 100644 --- a/modules/beta-private-cluster-update-variant/variables_defaults.tf +++ b/modules/beta-private-cluster-update-variant/variables_defaults.tf @@ -48,6 +48,20 @@ locals { var.node_pools_resource_labels ) + node_pools_resource_manager_tags = merge( + { all = {} }, + { default-node-pool = {} }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : {}] + ), + zipmap( + [for node_pool in var.windows_node_pools : node_pool["name"]], + [for node_pool in var.windows_node_pools : {}] + ), + var.node_pools_resource_manager_tags + ) + node_pools_metadata = merge( { all = {} }, { default-node-pool = {} }, diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index aba9715309..5135f38fef 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -246,6 +246,7 @@ Then perform the following commands on the root folder: | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 4b2f5e73c8..10087107e8 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -688,6 +688,10 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, @@ -975,6 +979,10 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 6f7addac77..daee991273 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -192,6 +192,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" diff --git a/modules/beta-private-cluster/variables_defaults.tf b/modules/beta-private-cluster/variables_defaults.tf index e4f3004771..435730c988 100644 --- a/modules/beta-private-cluster/variables_defaults.tf +++ b/modules/beta-private-cluster/variables_defaults.tf @@ -48,6 +48,20 @@ locals { var.node_pools_resource_labels ) + node_pools_resource_manager_tags = merge( + { all = {} }, + { default-node-pool = {} }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : {}] + ), + zipmap( + [for node_pool in var.windows_node_pools : node_pool["name"]], + [for node_pool in var.windows_node_pools : {}] + ), + var.node_pools_resource_manager_tags + ) + node_pools_metadata = merge( { all = {} }, { default-node-pool = {} }, diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 6266e63997..7e8205deaa 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -257,6 +257,7 @@ Then perform the following commands on the root folder: | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 1e15c7cff5..6f4f8336c1 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -747,6 +747,10 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, @@ -1035,6 +1039,10 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 08394e52fa..75ae0a9c24 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -192,6 +192,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" diff --git a/modules/beta-public-cluster-update-variant/variables_defaults.tf b/modules/beta-public-cluster-update-variant/variables_defaults.tf index e4f3004771..435730c988 100644 --- a/modules/beta-public-cluster-update-variant/variables_defaults.tf +++ b/modules/beta-public-cluster-update-variant/variables_defaults.tf @@ -48,6 +48,20 @@ locals { var.node_pools_resource_labels ) + node_pools_resource_manager_tags = merge( + { all = {} }, + { default-node-pool = {} }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : {}] + ), + zipmap( + [for node_pool in var.windows_node_pools : node_pool["name"]], + [for node_pool in var.windows_node_pools : {}] + ), + var.node_pools_resource_manager_tags + ) + node_pools_metadata = merge( { all = {} }, { default-node-pool = {} }, diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index b7b11e85bd..021926d454 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -235,6 +235,7 @@ Then perform the following commands on the root folder: | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 5bb1c0ce50..1884061b71 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -667,6 +667,10 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, @@ -954,6 +958,10 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 08394e52fa..75ae0a9c24 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -192,6 +192,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" diff --git a/modules/beta-public-cluster/variables_defaults.tf b/modules/beta-public-cluster/variables_defaults.tf index e4f3004771..435730c988 100644 --- a/modules/beta-public-cluster/variables_defaults.tf +++ b/modules/beta-public-cluster/variables_defaults.tf @@ -48,6 +48,20 @@ locals { var.node_pools_resource_labels ) + node_pools_resource_manager_tags = merge( + { all = {} }, + { default-node-pool = {} }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : {}] + ), + zipmap( + [for node_pool in var.windows_node_pools : node_pool["name"]], + [for node_pool in var.windows_node_pools : {}] + ), + var.node_pools_resource_manager_tags + ) + node_pools_metadata = merge( { all = {} }, { default-node-pool = {} }, diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index c2579846a7..af556a6c95 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -253,6 +253,7 @@ Then perform the following commands on the root folder: | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 07b47d971b..3eb0608fbf 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -704,6 +704,10 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, @@ -979,6 +983,10 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 9620249913..877572d818 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -192,6 +192,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" diff --git a/modules/private-cluster-update-variant/variables_defaults.tf b/modules/private-cluster-update-variant/variables_defaults.tf index e4f3004771..435730c988 100644 --- a/modules/private-cluster-update-variant/variables_defaults.tf +++ b/modules/private-cluster-update-variant/variables_defaults.tf @@ -48,6 +48,20 @@ locals { var.node_pools_resource_labels ) + node_pools_resource_manager_tags = merge( + { all = {} }, + { default-node-pool = {} }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : {}] + ), + zipmap( + [for node_pool in var.windows_node_pools : node_pool["name"]], + [for node_pool in var.windows_node_pools : {}] + ), + var.node_pools_resource_manager_tags + ) + node_pools_metadata = merge( { all = {} }, { default-node-pool = {} }, diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 911ad288f9..345ddc9185 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -231,6 +231,7 @@ Then perform the following commands on the root folder: | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | `map(list(string))` |
{
"all": [
"https://www.googleapis.com/auth/cloud-platform"
],
"default-node-pool": []
}
| no | | node\_pools\_resource\_labels | Map of maps containing resource labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | +| node\_pools\_resource\_manager\_tags | Map of maps containing resource manager tags by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | `map(list(string))` |
{
"all": [],
"default-node-pool": []
}
| no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | `map(list(object({ key = string, value = string, effect = string })))` |
{
"all": [],
"default-node-pool": []
}
| no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` |
[
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16"
]
| no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index dda05ae038..1fc49a4cda 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -624,6 +624,10 @@ resource "google_container_node_pool" "pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, @@ -898,6 +902,10 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_resource_labels["all"], local.node_pools_resource_labels[each.value["name"]], ) + resource_manager_tags = merge( + local.node_pools_resource_manager_tags["all"], + local.node_pools_resource_manager_tags[each.value["name"]], + ) metadata = merge( lookup(lookup(local.node_pools_metadata, "default_values", {}), "cluster_name", var.enable_default_node_pools_metadata) ? { "cluster_name" = var.name } : {}, lookup(lookup(local.node_pools_metadata, "default_values", {}), "node_pool", var.enable_default_node_pools_metadata) ? { "node_pool" = each.value["name"] } : {}, diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 9620249913..877572d818 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -192,6 +192,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" diff --git a/modules/private-cluster/variables_defaults.tf b/modules/private-cluster/variables_defaults.tf index e4f3004771..435730c988 100644 --- a/modules/private-cluster/variables_defaults.tf +++ b/modules/private-cluster/variables_defaults.tf @@ -48,6 +48,20 @@ locals { var.node_pools_resource_labels ) + node_pools_resource_manager_tags = merge( + { all = {} }, + { default-node-pool = {} }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : {}] + ), + zipmap( + [for node_pool in var.windows_node_pools : node_pool["name"]], + [for node_pool in var.windows_node_pools : {}] + ), + var.node_pools_resource_manager_tags + ) + node_pools_metadata = merge( { all = {} }, { default-node-pool = {} }, diff --git a/variables.tf b/variables.tf index 9bfc3f451b..eeda637180 100644 --- a/variables.tf +++ b/variables.tf @@ -192,6 +192,16 @@ variable "node_pools_resource_labels" { } } +variable "node_pools_resource_manager_tags" { + type = map(map(string)) + description = "Map of maps containing resource manager tags by node-pool name" + + default = { + all = {} + default-node-pool = {} + } +} + variable "node_pools_metadata" { type = map(map(string)) description = "Map of maps containing node metadata by node-pool name" diff --git a/variables_defaults.tf b/variables_defaults.tf index e4f3004771..435730c988 100644 --- a/variables_defaults.tf +++ b/variables_defaults.tf 
@@ -48,6 +48,20 @@ locals { var.node_pools_resource_labels ) + node_pools_resource_manager_tags = merge( + { all = {} }, + { default-node-pool = {} }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : {}] + ), + zipmap( + [for node_pool in var.windows_node_pools : node_pool["name"]], + [for node_pool in var.windows_node_pools : {}] + ), + var.node_pools_resource_manager_tags + ) + node_pools_metadata = merge( { all = {} }, { default-node-pool = {} }, From 65ccfa0c3b3908579f671bded9df334731f1cc2a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 6 Aug 2024 10:47:57 -0700 Subject: [PATCH 123/176] chore(deps): Update module github.com/tidwall/gjson to v1.17.3 (#2028) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 2 +- test/integration/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 73af9213ee..536f1b6851 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -8,7 +8,7 @@ require ( github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1 github.com/gruntwork-io/terratest v0.47.0 github.com/stretchr/testify v1.9.0 - github.com/tidwall/gjson v1.17.2 + github.com/tidwall/gjson v1.17.3 ) require ( diff --git a/test/integration/go.sum b/test/integration/go.sum index 0bf392458a..6a0fadba47 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum 
@@ -489,8 +489,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.17.2 h1:YlBFFaxZdSXKP8zhqh5CRbk0wL7oCAU3D+JJLU5pE7U=
-github.com/tidwall/gjson v1.17.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.17.3 h1:bwWLZU7icoKRG+C+0PNwIKC6FCJO/Q3p2pZvuP0jN94=
+github.com/tidwall/gjson v1.17.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
From 3fc4db4323187d350582a2915b24954ada6c792e Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik Date: Tue, 6 Aug 2024 18:49:04 -0400 Subject: [PATCH 124/176] feat(cluster.tf): add support for setting cgroup mode (#2001) Co-authored-by: Chico Venancio Co-authored-by: Andrew Peabody --- README.md | 1 + autogen/main/cluster.tf.tmpl | 4 +++- autogen/main/variables.tf.tmpl | 10 ++++++++++ autogen/main/variables_defaults.tf.tmpl | 9 +++++++++ cluster.tf | 4 +++- modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 4 +++- .../beta-private-cluster-update-variant/variables.tf | 10 ++++++++++ .../variables_defaults.tf | 9 +++++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 4 +++- modules/beta-private-cluster/variables.tf | 10 ++++++++++ modules/beta-private-cluster/variables_defaults.tf | 9 +++++++++ modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 4 +++- .../beta-public-cluster-update-variant/variables.tf | 10 ++++++++++ .../variables_defaults.tf | 9 +++++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 4 +++- modules/beta-public-cluster/variables.tf | 10 ++++++++++ modules/beta-public-cluster/variables_defaults.tf | 9 +++++++++ modules/private-cluster-update-variant/README.md | 1 + modules/private-cluster-update-variant/cluster.tf | 4 +++- modules/private-cluster-update-variant/variables.tf | 10 ++++++++++ .../variables_defaults.tf | 9 +++++++++ modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 4 +++- modules/private-cluster/variables.tf | 10 ++++++++++ modules/private-cluster/variables_defaults.tf | 9 +++++++++ variables.tf | 10 ++++++++++ variables_defaults.tf | 9 +++++++++ 31 files changed, 183 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index f5c28f6e8a..e8ebc58119 100644 --- a/README.md +++ b/README.md 
@@ -215,6 +215,7 @@ Then perform the following commands on the root folder: | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 899e27d7ef..747d2ab574 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -1038,7 +1038,8 @@ resource "google_container_node_pool" "windows_pools" { dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], - local.node_pools_linux_node_configs_sysctls[each.value["name"]] + local.node_pools_linux_node_configs_sysctls[each.value["name"]], + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]} )) != 0 ? [1] : [] content { @@ -1046,6 +1047,7 @@ resource "google_container_node_pool" "windows_pools" { local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]] ) + cgroup_mode = local.node_pools_cgroup_mode[each.value["name"]] == "" ? null : local.node_pools_cgroup_mode[each.value["name"]] } } {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 25f8599b74..56c493825d 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -226,6 +226,16 @@ variable "node_pools_linux_node_configs_sysctls" { default-node-pool = {} } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} {% endif %} variable "enable_cost_allocation" { diff --git a/autogen/main/variables_defaults.tf.tmpl b/autogen/main/variables_defaults.tf.tmpl index 60e7e9051d..8d771e2dc5 100644 --- a/autogen/main/variables_defaults.tf.tmpl +++ b/autogen/main/variables_defaults.tf.tmpl 
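Review bot: The new `linux_node_config` lines only ever read `local.node_pools_cgroup_mode[each.value["name"]]`, so the `all` key that the defaults and the README rows above advertise is never consulted — a caller setting `node_pools_cgroup_mode = { all = "CGROUP_MODE_V2" }` gets no `cgroup_mode` on any pool, unlike the sysctls map, which merges `["all"]` with the per-pool entry on the lines immediately above. The same lookup is repeated in the generated `cluster.tf` hunk and in each `modules/*/cluster.tf` hunk further down, and the `for_each` condition has the same gap. One way to keep the documented semantics with per-pool precedence is `cgroup_mode = try(coalesce(local.node_pools_cgroup_mode[each.value["name"]], local.node_pools_cgroup_mode["all"]), null)` together with `try(coalesce(local.node_pools_cgroup_mode[each.value["name"]], local.node_pools_cgroup_mode["all"]), "") == "" ? {} : { cgroup = "set" }` as the extra `merge` term in `for_each`; otherwise drop `all` from the defaults and description so the interface does not promise it. The enclosing `google_container_node_pool` resource starts and ends outside the hunk.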
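Review bot: The new `node_pools_cgroup_mode` variable's description, `Map of strings containing cgroup node config by node-pool name`, does not say which strings are accepted, and the plain `map(string)` type lets a typo travel all the way to the GKE API before it is rejected at apply time. I would extend the description to name the provider's enum, e.g. `"Map of strings containing cgroup node config by node-pool name; accepted values are CGROUP_MODE_UNSPECIFIED, CGROUP_MODE_V1 and CGROUP_MODE_V2, and an empty string leaves the pool unset"`, and consider a `validation` block whose condition is `alltrue([for v in values(var.node_pools_cgroup_mode) : contains(["", "CGROUP_MODE_UNSPECIFIED", "CGROUP_MODE_V1", "CGROUP_MODE_V2"], v)])` so the mistake surfaces at plan time. The same variable is added verbatim in each `modules/*/variables.tf` hunk and in the root `variables.tf` hunk below.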
@@ -128,5 +128,14 @@ locals { ), var.node_pools_linux_node_configs_sysctls ) + node_pools_cgroup_mode = merge( + { all = "" }, + { default-node-pool = "" }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : ""] + ), + var.node_pools_cgroup_mode + ) } {% endif %} diff --git a/cluster.tf b/cluster.tf index 47882590b9..69536aaba6 100644 --- a/cluster.tf +++ b/cluster.tf @@ -733,7 +733,8 @@ resource "google_container_node_pool" "pools" { dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], - local.node_pools_linux_node_configs_sysctls[each.value["name"]] + local.node_pools_linux_node_configs_sysctls[each.value["name"]], + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : { cgroup = local.node_pools_cgroup_mode[each.value["name"]] } )) != 0 ? [1] : [] content { @@ -741,6 +742,7 @@ resource "google_container_node_pool" "pools" { local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]] ) + cgroup_mode = local.node_pools_cgroup_mode[each.value["name"]] == "" ? null : local.node_pools_cgroup_mode[each.value["name"]] } } diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 8434c562ba..376c5d84cc 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -263,6 +263,7 @@ Then perform the following commands on the root folder: | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
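Review bot: `node_pools_cgroup_mode` is seeded only from `var.node_pools`, whereas the sibling `node_pools_resource_manager_tags` local shown earlier on this page also zipmaps `var.windows_node_pools`, and the template hunk this local feeds sits under `resource "google_container_node_pool" "windows_pools"` according to its hunk header. If that `linux_node_config` block is rendered for a Windows pool (I cannot confirm the template's guards from here), `local.node_pools_cgroup_mode[each.value["name"]]` fails with an invalid-index error rather than skipping the pool. Adding the second term `zipmap([for node_pool in var.windows_node_pools : node_pool["name"]], [for node_pool in var.windows_node_pools : ""])`, as the resource-manager-tags local does, keeps the lookup total either way; the same applies to every `modules/*/variables_defaults.tf` hunk and the root `variables_defaults.tf` hunk below. The `locals` block starts outside the hunk.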
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 8b79fa7781..b81df91645 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -911,7 +911,8 @@ resource "google_container_node_pool" "pools" { dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], - local.node_pools_linux_node_configs_sysctls[each.value["name"]] + local.node_pools_linux_node_configs_sysctls[each.value["name"]], + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : { cgroup = local.node_pools_cgroup_mode[each.value["name"]] } )) != 0 ? [1] : [] content { @@ -919,6 +920,7 @@ resource "google_container_node_pool" "pools" { local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]] ) + cgroup_mode = local.node_pools_cgroup_mode[each.value["name"]] == "" ? null : local.node_pools_cgroup_mode[each.value["name"]] } } diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index daee991273..99e5b11e34 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -223,6 +223,16 @@ variable "node_pools_linux_node_configs_sysctls" { default-node-pool = {} } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} variable "enable_cost_allocation" { type = bool diff --git a/modules/beta-private-cluster-update-variant/variables_defaults.tf b/modules/beta-private-cluster-update-variant/variables_defaults.tf index 435730c988..c33f3828e7 100644 
--- a/modules/beta-private-cluster-update-variant/variables_defaults.tf +++ b/modules/beta-private-cluster-update-variant/variables_defaults.tf @@ -127,4 +127,13 @@ locals { ), var.node_pools_linux_node_configs_sysctls ) + node_pools_cgroup_mode = merge( + { all = "" }, + { default-node-pool = "" }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : ""] + ), + var.node_pools_cgroup_mode + ) } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 5135f38fef..68565f113e 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -241,6 +241,7 @@ Then perform the following commands on the root folder: | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 10087107e8..57a8ec20fa 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -831,7 +831,8 @@ resource "google_container_node_pool" "pools" { dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], - local.node_pools_linux_node_configs_sysctls[each.value["name"]] + local.node_pools_linux_node_configs_sysctls[each.value["name"]], + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : { cgroup = local.node_pools_cgroup_mode[each.value["name"]] } )) != 0 ? [1] : [] content { @@ -839,6 +840,7 @@ resource "google_container_node_pool" "pools" { local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]] ) + cgroup_mode = local.node_pools_cgroup_mode[each.value["name"]] == "" ? null : local.node_pools_cgroup_mode[each.value["name"]] } } diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index daee991273..99e5b11e34 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -223,6 +223,16 @@ variable "node_pools_linux_node_configs_sysctls" { default-node-pool = {} } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} variable "enable_cost_allocation" { type = bool diff --git a/modules/beta-private-cluster/variables_defaults.tf b/modules/beta-private-cluster/variables_defaults.tf index 435730c988..c33f3828e7 100644 --- a/modules/beta-private-cluster/variables_defaults.tf +++ b/modules/beta-private-cluster/variables_defaults.tf 
@@ -127,4 +127,13 @@ locals { ), var.node_pools_linux_node_configs_sysctls ) + node_pools_cgroup_mode = merge( + { all = "" }, + { default-node-pool = "" }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : ""] + ), + var.node_pools_cgroup_mode + ) } diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 7e8205deaa..a4d5f6a0d7 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -252,6 +252,7 @@ Then perform the following commands on the root folder: | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 6f4f8336c1..a7331ab071 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -890,7 +890,8 @@ resource "google_container_node_pool" "pools" { dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], - local.node_pools_linux_node_configs_sysctls[each.value["name"]] + local.node_pools_linux_node_configs_sysctls[each.value["name"]], + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : { cgroup = local.node_pools_cgroup_mode[each.value["name"]] } )) != 0 ? [1] : [] content { @@ -898,6 +899,7 @@ resource "google_container_node_pool" "pools" { local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]] ) + cgroup_mode = local.node_pools_cgroup_mode[each.value["name"]] == "" ? null : local.node_pools_cgroup_mode[each.value["name"]] } } diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 75ae0a9c24..0a953d0429 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -223,6 +223,16 @@ variable "node_pools_linux_node_configs_sysctls" { default-node-pool = {} } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} variable "enable_cost_allocation" { type = bool diff --git a/modules/beta-public-cluster-update-variant/variables_defaults.tf b/modules/beta-public-cluster-update-variant/variables_defaults.tf index 435730c988..c33f3828e7 100644 
--- a/modules/beta-public-cluster-update-variant/variables_defaults.tf +++ b/modules/beta-public-cluster-update-variant/variables_defaults.tf @@ -127,4 +127,13 @@ locals { ), var.node_pools_linux_node_configs_sysctls ) + node_pools_cgroup_mode = merge( + { all = "" }, + { default-node-pool = "" }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : ""] + ), + var.node_pools_cgroup_mode + ) } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 021926d454..15e9e37b27 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -230,6 +230,7 @@ Then perform the following commands on the root folder: | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 1884061b71..adb74c3968 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -810,7 +810,8 @@ resource "google_container_node_pool" "pools" { dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], - local.node_pools_linux_node_configs_sysctls[each.value["name"]] + local.node_pools_linux_node_configs_sysctls[each.value["name"]], + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : { cgroup = local.node_pools_cgroup_mode[each.value["name"]] } )) != 0 ? [1] : [] content { @@ -818,6 +819,7 @@ resource "google_container_node_pool" "pools" { local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]] ) + cgroup_mode = local.node_pools_cgroup_mode[each.value["name"]] == "" ? null : local.node_pools_cgroup_mode[each.value["name"]] } } diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 75ae0a9c24..0a953d0429 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -223,6 +223,16 @@ variable "node_pools_linux_node_configs_sysctls" { default-node-pool = {} } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} variable "enable_cost_allocation" { type = bool diff --git a/modules/beta-public-cluster/variables_defaults.tf b/modules/beta-public-cluster/variables_defaults.tf index 435730c988..c33f3828e7 100644 --- a/modules/beta-public-cluster/variables_defaults.tf +++ b/modules/beta-public-cluster/variables_defaults.tf 
@@ -127,4 +127,13 @@ locals { ), var.node_pools_linux_node_configs_sysctls ) + node_pools_cgroup_mode = merge( + { all = "" }, + { default-node-pool = "" }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : ""] + ), + var.node_pools_cgroup_mode + ) } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index af556a6c95..002bc3b69c 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -248,6 +248,7 @@ Then perform the following commands on the root folder: | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 3eb0608fbf..77d4572f87 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -834,7 +834,8 @@ resource "google_container_node_pool" "pools" { dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], - local.node_pools_linux_node_configs_sysctls[each.value["name"]] + local.node_pools_linux_node_configs_sysctls[each.value["name"]], + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : { cgroup = local.node_pools_cgroup_mode[each.value["name"]] } )) != 0 ? [1] : [] content { @@ -842,6 +843,7 @@ resource "google_container_node_pool" "pools" { local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]] ) + cgroup_mode = local.node_pools_cgroup_mode[each.value["name"]] == "" ? null : local.node_pools_cgroup_mode[each.value["name"]] } } diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 877572d818..0805b10e78 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -223,6 +223,16 @@ variable "node_pools_linux_node_configs_sysctls" { default-node-pool = {} } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} variable "enable_cost_allocation" { type = bool diff --git a/modules/private-cluster-update-variant/variables_defaults.tf b/modules/private-cluster-update-variant/variables_defaults.tf index 435730c988..c33f3828e7 100644 --- a/modules/private-cluster-update-variant/variables_defaults.tf 
+++ b/modules/private-cluster-update-variant/variables_defaults.tf @@ -127,4 +127,13 @@ locals { ), var.node_pools_linux_node_configs_sysctls ) + node_pools_cgroup_mode = merge( + { all = "" }, + { default-node-pool = "" }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : ""] + ), + var.node_pools_cgroup_mode + ) } diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 345ddc9185..717cedb06e 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -226,6 +226,7 @@ Then perform the following commands on the root folder: | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no | | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA"` | no | | node\_pools | List of maps containing node pools | `list(map(any))` |
[
{
"name": "default-node-pool"
}
]
| no | +| node\_pools\_cgroup\_mode | Map of strings containing cgroup node config by node-pool name | `map(string)` |
{
"all": "",
"default-node-pool": ""
}
| no | | node\_pools\_labels | Map of maps containing node labels by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_linux\_node\_configs\_sysctls | Map of maps containing linux node config sysctls by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | `map(map(string))` |
{
"all": {},
"default-node-pool": {}
}
| no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 1fc49a4cda..7886ea9aec 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -754,7 +754,8 @@ resource "google_container_node_pool" "pools" { dynamic "linux_node_config" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], - local.node_pools_linux_node_configs_sysctls[each.value["name"]] + local.node_pools_linux_node_configs_sysctls[each.value["name"]], + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : { cgroup = local.node_pools_cgroup_mode[each.value["name"]] } )) != 0 ? [1] : [] content { @@ -762,6 +763,7 @@ resource "google_container_node_pool" "pools" { local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]] ) + cgroup_mode = local.node_pools_cgroup_mode[each.value["name"]] == "" ? null : local.node_pools_cgroup_mode[each.value["name"]] } } diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 877572d818..0805b10e78 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -223,6 +223,16 @@ variable "node_pools_linux_node_configs_sysctls" { default-node-pool = {} } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} variable "enable_cost_allocation" { type = bool diff --git a/modules/private-cluster/variables_defaults.tf b/modules/private-cluster/variables_defaults.tf index 435730c988..c33f3828e7 100644 --- a/modules/private-cluster/variables_defaults.tf +++ b/modules/private-cluster/variables_defaults.tf 
@@ -127,4 +127,13 @@ locals { ), var.node_pools_linux_node_configs_sysctls ) + node_pools_cgroup_mode = merge( + { all = "" }, + { default-node-pool = "" }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : ""] + ), + var.node_pools_cgroup_mode + ) } diff --git a/variables.tf b/variables.tf index eeda637180..fac473f833 100644 --- a/variables.tf +++ b/variables.tf @@ -223,6 +223,16 @@ variable "node_pools_linux_node_configs_sysctls" { default-node-pool = {} } } +variable "node_pools_cgroup_mode" { + type = map(string) + description = "Map of strings containing cgroup node config by node-pool name" + + # Default is being set in variables_defaults.tf + default = { + all = "" + default-node-pool = "" + } +} variable "enable_cost_allocation" { type = bool diff --git a/variables_defaults.tf b/variables_defaults.tf index 435730c988..c33f3828e7 100644 --- a/variables_defaults.tf +++ b/variables_defaults.tf @@ -127,4 +127,13 @@ locals { ), var.node_pools_linux_node_configs_sysctls ) + node_pools_cgroup_mode = merge( + { all = "" }, + { default-node-pool = "" }, + zipmap( + [for node_pool in var.node_pools : node_pool["name"]], + [for node_pool in var.node_pools : ""] + ), + var.node_pools_cgroup_mode + ) } From 3ebf04a3ce27d6d251bedd98fdbb67ed47e88819 Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Thu, 8 Aug 2024 13:53:51 -0700 Subject: [PATCH 125/176] feat: enable binauthz for autopilot (#2030) --- autogen/main/cluster.tf.tmpl | 6 ++++-- autogen/main/variables.tf.tmpl | 2 ++ examples/autopilot_private_firewalls/main.tf | 1 + modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++ 9 files changed, 35 insertions(+), 2 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 747d2ab574..ab87a61aae 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -208,6 +208,7 @@ resource "google_container_cluster" "primary" { {% if autopilot_cluster != true %} default_max_pods_per_node = var.default_max_pods_per_node enable_shielded_nodes = var.enable_shielded_nodes + {% endif %} dynamic "binary_authorization" { for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : [] @@ -215,6 +216,7 @@ resource "google_container_cluster" "primary" { evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" } } + {% if autopilot_cluster != true %} dynamic "identity_service_config" { for_each = var.enable_identity_service ? [var.enable_identity_service] : [] @@ -248,7 +250,7 @@ resource "google_container_cluster" "primary" { enabled = secret_manager_config.value } } - + enable_fqdn_network_policy = var.enable_fqdn_network_policy {% endif %} {% if autopilot_cluster %} 
@@ -1039,7 +1041,7 @@ resource "google_container_node_pool" "windows_pools" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]], - local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]} + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]} )) != 0 ? [1] : [] content { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 56c493825d..46f93dc6f9 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -743,12 +743,14 @@ variable "enable_shielded_nodes" { default = true } +{% endif %} variable "enable_binary_authorization" { type = bool description = "Enable BinAuthZ Admission controller" default = false } +{% if autopilot_cluster != true %} variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "GKE_METADATA" diff --git a/examples/autopilot_private_firewalls/main.tf b/examples/autopilot_private_firewalls/main.tf index 979261c992..556816d370 100644 --- a/examples/autopilot_private_firewalls/main.tf +++ b/examples/autopilot_private_firewalls/main.tf @@ -52,6 +52,7 @@ module "gke" { add_shadow_firewall_rules = true network_tags = ["allow-google-apis"] deletion_protection = false + enable_binary_authorization = true master_authorized_networks = [ { diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 2f6b48b146..bddbd67667 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
@@ -88,6 +88,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 0a8fd598b6..80555c69d4 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -85,6 +85,13 @@ resource "google_container_cluster" "primary" { enabled = var.enable_vertical_pod_autoscaling } + dynamic "binary_authorization" { + for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : [] + content { + evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" + } + } + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index c39bf7b18a..9b177106af 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -469,6 +469,12 @@ variable "database_encryption" { }] } +variable "enable_binary_authorization" { + type = bool + description = "Enable BinAuthZ Admission controller" + default = false +} + variable "gke_backup_agent_config" { type = bool diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 0c5d037049..4de1900468 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -81,6 +81,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 63b92d253e..bcdd82fdc8 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf 
@@ -85,6 +85,13 @@ resource "google_container_cluster" "primary" { enabled = var.enable_vertical_pod_autoscaling } + dynamic "binary_authorization" { + for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : [] + content { + evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" + } + } + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index e5d50f44f7..aabe1e2667 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -433,6 +433,12 @@ variable "database_encryption" { }] } +variable "enable_binary_authorization" { + type = bool + description = "Enable BinAuthZ Admission controller" + default = false +} + variable "gke_backup_agent_config" { type = bool From f3dc2aac2ecda2edf0baed526e8db6a9565b994f Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Fri, 9 Aug 2024 13:12:00 -0700 Subject: [PATCH 126/176] chore(CI): fix autoscaling test (#2035) --- test/integration/beta_cluster/beta_cluster_test.go | 2 +- .../private_zonal_with_networking_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/integration/beta_cluster/beta_cluster_test.go b/test/integration/beta_cluster/beta_cluster_test.go index 7fb0bf0357..c5429eaee5 100755 --- a/test/integration/beta_cluster/beta_cluster_test.go +++ b/test/integration/beta_cluster/beta_cluster_test.go 
@@ -75,7 +75,7 @@ func TestBetaCluster(t *testing.T) {
 switch npName {
 case "default-pool":
 assert.False(np.Get("initialNodeCount").Exists(), "has no initial node count")
- assert.False(np.Get("autoscaling").Exists(), "does not have autoscaling enabled")
+ assert.False(np.Get("autoscaling.enabled").Exists(), "does not have autoscaling enabled")
 case "default-node-pool":
 assert.JSONEq(gNp.Get("config").String(), np.Get("config").String())
 assert.JSONEq(gNp.Get("autoscaling").String(), np.Get("autoscaling").String())
diff --git a/test/integration/private_zonal_with_networking/private_zonal_with_networking_test.go b/test/integration/private_zonal_with_networking/private_zonal_with_networking_test.go
index e6ce0c0473..b8e6994cff 100755
--- a/test/integration/private_zonal_with_networking/private_zonal_with_networking_test.go
+++ b/test/integration/private_zonal_with_networking/private_zonal_with_networking_test.go
@@ -76,7 +76,7 @@ func TestPrivateZonalWithNetworking(t *testing.T) {
 switch npName {
 case "default-pool":
 assert.False(np.Get("initialNodeCount").Exists(), "has no initial node count")
- assert.False(np.Get("autoscaling").Exists(), "does not have autoscaling enabled")
+ assert.False(np.Get("autoscaling.enabled").Exists(), "does not have autoscaling enabled")
 case "default-node-pool":
 assert.JSONEq(gNp.Get("config").String(), np.Get("config").String())
 }
From c046af17aa9da70b3a639aaf025e3c4084dcb692 Mon Sep 17 00:00:00 2001
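Review bot: `Exists()` on `autoscaling.enabled` only proves the key is absent; should the API ever return `"enabled": false` explicitly, the assertion fails even though autoscaling is off, and the same pattern is introduced in the private_zonal_with_networking_test.go hunk that follows. Asserting on the value covers both the missing and the explicit-false case: `assert.False(np.Get("autoscaling.enabled").Bool(), "does not have autoscaling enabled")`. Both enclosing test functions start and end outside their hunks.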
From: genlu2011 Date: Fri, 9 Aug 2024 17:41:55 -0700 Subject: [PATCH 127/176] feat(TPG>=5.40.0)!: Add support for RayOperator Addon (#2032) Co-authored-by: Gen Lu Co-authored-by: Andrew Peabody --- README.md | 1 + autogen/main/cluster.tf.tmpl | 17 +++++++++++++++++ autogen/main/main.tf.tmpl | 1 + autogen/main/variables.tf.tmpl | 14 ++++++++++++++ autogen/main/versions.tf.tmpl | 6 +++--- cluster.tf | 17 +++++++++++++++++ examples/simple_autopilot_public/main.tf | 7 ++++++- main.tf | 1 + .../beta-autopilot-private-cluster/README.md | 1 + .../beta-autopilot-private-cluster/cluster.tf | 17 +++++++++++++++++ modules/beta-autopilot-private-cluster/main.tf | 1 + .../beta-autopilot-private-cluster/variables.tf | 14 ++++++++++++++ .../beta-autopilot-private-cluster/versions.tf | 4 ++-- modules/beta-autopilot-public-cluster/README.md | 1 + .../beta-autopilot-public-cluster/cluster.tf | 17 +++++++++++++++++ modules/beta-autopilot-public-cluster/main.tf | 1 + .../beta-autopilot-public-cluster/variables.tf | 14 ++++++++++++++ .../beta-autopilot-public-cluster/versions.tf | 4 ++-- .../README.md | 1 + .../cluster.tf | 17 +++++++++++++++++ .../beta-private-cluster-update-variant/main.tf | 1 + .../variables.tf | 14 ++++++++++++++ .../versions.tf | 4 ++-- modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 17 +++++++++++++++++ modules/beta-private-cluster/main.tf | 1 + modules/beta-private-cluster/variables.tf | 14 ++++++++++++++ modules/beta-private-cluster/versions.tf | 4 ++-- .../README.md | 1 + .../cluster.tf | 17 +++++++++++++++++ .../beta-public-cluster-update-variant/main.tf | 1 + .../variables.tf | 14 ++++++++++++++ .../versions.tf | 4 ++-- modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 17 +++++++++++++++++ modules/beta-public-cluster/main.tf | 1 + modules/beta-public-cluster/variables.tf | 14 ++++++++++++++ modules/beta-public-cluster/versions.tf | 4 ++-- .../private-cluster-update-variant/README.md | 
1 + .../private-cluster-update-variant/cluster.tf | 17 +++++++++++++++++ modules/private-cluster-update-variant/main.tf | 1 + .../private-cluster-update-variant/variables.tf | 14 ++++++++++++++ .../private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/README.md | 1 + modules/private-cluster/cluster.tf | 17 +++++++++++++++++ modules/private-cluster/main.tf | 1 + modules/private-cluster/variables.tf | 14 ++++++++++++++ modules/private-cluster/versions.tf | 2 +- .../simple_autopiliot_public_test.go | 3 +++ .../testdata/TestSimpleAutopilotPublic.json | 9 +++++++++ variables.tf | 14 ++++++++++++++ versions.tf | 2 +- 52 files changed, 365 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index e8ebc58119..53b69a88b9 100644 --- a/README.md +++ b/README.md @@ -228,6 +228,7 @@ Then perform the following commands on the root folder: | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index ab87a61aae..fcf57318b5 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -361,6 +361,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + {% if beta_cluster and autopilot_cluster != true %} istio_config { disabled = !var.istio diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 5356f7dd69..8872676a67 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl 
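Review bot: The added `ray_operator_config` dynamic block carries a stray blank line directly after `content {` and another before it, which the generated copies in cluster.tf, modules/beta-autopilot-private-cluster/cluster.tf, modules/beta-autopilot-public-cluster/cluster.tf, modules/beta-private-cluster-update-variant/cluster.tf and modules/beta-private-cluster/cluster.tf inherit; drop them in the template so the generated files stay fmt-clean. The block also has no comment saying when it is emitted, which is only clear from `local.ray_operator_config` in main.tf; a one-liner above it would help: `# Emitted only when var.ray_operator_config.enabled is true (see local.ray_operator_config); otherwise the addon block is left unset.` The enclosing `google_container_cluster` resource starts and ends outside the hunk.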
@@ -111,6 +111,7 @@ locals { gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] + ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false)? [var.ray_operator_config]: [] {% if beta_cluster and autopilot_cluster != true %} cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 46f93dc6f9..da6fb485b3 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -814,6 +814,20 @@ variable "stateful_ha" { default = false } +variable "ray_operator_config" { + type = object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + description = "The Ray Operator Addon configuration for this cluster." + default = { + enabled = false + logging_enabled = false + monitoring_enabled = false + } +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 059774ef6c..2d7999f3fd 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.33.0, < 6" + version = ">= 5.40.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.33.0, < 6" + version = ">= 5.40.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" @@ -46,7 +46,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.25.0, < 6" + version = ">= 5.40.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" 
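Review bot: The guard `length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false)` is redundant for a variable typed as an `object` whose `enabled` attribute is required and whose default is non-empty: the length is always the attribute count and `lookup` on a typed object merely reads the attribute, so `ray_operator_config = var.ray_operator_config.enabled ? [var.ray_operator_config] : []` expresses the same condition and cannot silently default to disabled on a typo. The template line also differs in spacing from the generated main.tf (`false)? [var.ray_operator_config]: []` here versus `false) ? [var.ray_operator_config] : []` there), so the template and its output will drift on the next regeneration unless the template is written in fmt style. The enclosing `locals` block starts and ends outside the hunk.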
diff --git a/cluster.tf b/cluster.tf index 69536aaba6..edc2d074df 100644 --- a/cluster.tf +++ b/cluster.tf @@ -280,6 +280,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + } datapath_provider = var.datapath_provider diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index 38741490cb..7a760bc60c 100644 --- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf @@ -44,7 +44,7 @@ module "gke" { subnetwork = local.subnet_names[index(module.gcp-network.subnets_names, local.subnet_name)] ip_range_pods = local.pods_range_name ip_range_services = local.svc_range_name - release_channel = "REGULAR" + release_channel = "RAPID" enable_vertical_pod_autoscaling = true network_tags = [local.cluster_type] deletion_protection = false @@ -52,4 +52,9 @@ module "gke" { gcs_fuse_csi_driver = true stateful_ha = false gke_backup_agent_config = false + ray_operator_config = { + enabled = true + logging_enabled = true + monitoring_enabled = true + } } diff --git a/main.tf b/main.tf index f7bb8b486b..4f91f356d6 100644 --- a/main.tf +++ b/main.tf 
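Review bot: The first hunk of examples/simple_autopilot_public/main.tf switches `release_channel` from `"REGULAR"` to `"RAPID"`, a behaviour change unrelated to the stated feature and not mentioned in the commit message; if the Ray Operator addon needs a GKE version that only RAPID offers, that should be stated inline, since RAPID tracks less-soaked releases and this example is what the integration test exercises. Suggested: `release_channel = "RAPID" # TODO confirm: needed for the Ray Operator addon; revert to REGULAR once it is available there`. The enclosing `module "gke"` block starts outside the hunk.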
@@ -95,6 +95,7 @@ locals { gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] + ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false) ? [var.ray_operator_config] : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index bddbd67667..f2cfe4a8d4 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -135,6 +135,7 @@ Then perform the following commands on the root folder: | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 80555c69d4..20604496ec 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -173,6 +173,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + } allow_net_admin = var.allow_net_admin diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 836c151bc1..9c23b42d05 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf 
@@ -69,6 +69,7 @@ locals { gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] + ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false) ? [var.ray_operator_config] : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 9b177106af..6c815c5a3a 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -494,6 +494,20 @@ variable "stateful_ha" { default = false } +variable "ray_operator_config" { + type = object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + description = "The Ray Operator Addon configuration for this cluster." + default = { + enabled = false + logging_enabled = false + monitoring_enabled = false + } +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index f873195a97..3ae0d3b8e4 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.33.0, < 6" + version = ">= 5.40.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.33.0, < 6" + version = ">= 5.40.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" 
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 4de1900468..0eb3696956 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -123,6 +123,7 @@ Then perform the following commands on the root folder: | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index bcdd82fdc8..7af63a96d9 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -173,6 +173,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + } allow_net_admin = var.allow_net_admin diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index fb8af5bef8..b4956bb6a3 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf 
@@ -69,6 +69,7 @@ locals { gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] + ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false) ? [var.ray_operator_config] : [] cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index aabe1e2667..744b16b551 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -458,6 +458,20 @@ variable "stateful_ha" { default = false } +variable "ray_operator_config" { + type = object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + description = "The Ray Operator Addon configuration for this cluster." + default = { + enabled = false + logging_enabled = false + monitoring_enabled = false + } +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 6bba2e28b8..fd29a13f71 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.33.0, < 6" + version = ">= 5.40.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.33.0, < 6" + version = ">= 5.40.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" 
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 376c5d84cc..640a04de16 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -277,6 +277,7 @@ Then perform the following commands on the root folder: | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index b81df91645..6e722667ce 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -301,6 +301,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + istio_config { disabled = !var.istio auth = var.istio_auth diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 1bfa3658a5..4ee56aaacd 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
@@ -95,6 +95,7 @@ locals { gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }] gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : [] stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : [] + ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false) ? [var.ray_operator_config] : [] cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? { load_balancer_type = var.cloudrun_load_balancer_type } : {} diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 99e5b11e34..c721313d9a 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -776,6 +776,20 @@ variable "stateful_ha" { default = false } +variable "ray_operator_config" { + type = object({ + enabled = bool + logging_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) + }) + description = "The Ray Operator Addon configuration for this cluster." + default = { + enabled = false + logging_enabled = false + monitoring_enabled = false + } +} + variable "timeouts" { type = map(string) description = "Timeout for cluster operations." diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index df9b26ca58..de52e81b1b 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.33.0, < 6" + version = ">= 5.40.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.33.0, < 6" + version = ">= 5.40.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" 
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 68565f113e..6c3bb8a4d5 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -255,6 +255,7 @@ Then perform the following commands on the root folder: | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 57a8ec20fa..0578d91001 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -301,6 +301,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + istio_config { disabled = !var.istio auth = var.istio_auth diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 1bfa3658a5..4ee56aaacd 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf 
@@ -95,6 +95,7 @@ locals {
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
 stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
+ ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false) ? [var.ray_operator_config] : []
 cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? {
 load_balancer_type = var.cloudrun_load_balancer_type
 } : {}
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 99e5b11e34..c721313d9a 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -776,6 +776,20 @@ variable "stateful_ha" {
 default = false
 }
+variable "ray_operator_config" {
+ type = object({
+ enabled = bool
+ logging_enabled = optional(bool, false)
+ monitoring_enabled = optional(bool, false)
+ })
+ description = "The Ray Operator Addon configuration for this cluster."
+ default = {
+ enabled = false
+ logging_enabled = false
+ monitoring_enabled = false
+ }
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 102e899572..a042535325 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.33.0, < 6"
+ version = ">= 5.40.0, < 6"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.33.0, < 6"
+ version = ">= 5.40.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index a4d5f6a0d7..1b30408a6a 100644
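Review bot: The guard in the new local, `length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false)`, does not do what it reads as: `var.ray_operator_config` is a typed object whose `enabled` attribute is required, so `length()` is never 0 and `lookup()` never reaches its `false` fallback, while a caller who passes `null` (the variable is nullable) makes `length(null)` fail at plan time instead of falling back to the disabled default. A simpler, null-safe form is `ray_operator_config = try(var.ray_operator_config.enabled, false) ? [var.ray_operator_config] : []`. The identical expression appears in the main.tf hunks of the other modules in this patch, and the `locals` block starts outside the hunk.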
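Review bot: `variable "ray_operator_config"` should declare `nullable = false` beneath its `default`, so that an explicit `null` from a caller resolves to the disabled default instead of reaching `length(var.ray_operator_config)` in main.tf. The description could also state that the two sub-flags are only honoured together with `enabled`, since the local drops the whole object otherwise — e.g. `description = "The Ray Operator Addon configuration for this cluster. logging_enabled and monitoring_enabled take effect only when enabled is true."`. The same variable block is added to the other modules and to the root variables.tf in this patch.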
--- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -265,6 +265,7 @@ Then perform the following commands on the root folder: | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index a7331ab071..a30562d7ed 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -301,6 +301,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + istio_config { disabled = !var.istio auth = var.istio_auth diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 0039ec882f..58d2dce97c 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -95,6 +95,7 @@ locals {
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
 stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
+ ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false) ? [var.ray_operator_config] : []
 cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? {
 load_balancer_type = var.cloudrun_load_balancer_type
 } : {}
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 0a953d0429..86afb87da3 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -740,6 +740,20 @@ variable "stateful_ha" {
 default = false
 }
+variable "ray_operator_config" {
+ type = object({
+ enabled = bool
+ logging_enabled = optional(bool, false)
+ monitoring_enabled = optional(bool, false)
+ })
+ description = "The Ray Operator Addon configuration for this cluster."
+ default = {
+ enabled = false
+ logging_enabled = false
+ monitoring_enabled = false
+ }
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index a72a0b13ac..2a9ee2978d 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.33.0, < 6"
+ version = ">= 5.40.0, < 6"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.33.0, < 6"
+ version = ">= 5.40.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 15e9e37b27..d72c116ac4 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -243,6 +243,7 @@ Then perform the following commands on the root folder: | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no | | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index adb74c3968..174b33c6be 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -301,6 +301,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + istio_config { disabled = !var.istio auth = var.istio_auth diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 0039ec882f..58d2dce97c 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -95,6 +95,7 @@ locals {
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
 stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
+ ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false) ? [var.ray_operator_config] : []
 cluster_cloudrun_config_load_balancer_config = (var.cloudrun && var.cloudrun_load_balancer_type != "") ? {
 load_balancer_type = var.cloudrun_load_balancer_type
 } : {}
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 0a953d0429..86afb87da3 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -740,6 +740,20 @@ variable "stateful_ha" {
 default = false
 }
+variable "ray_operator_config" {
+ type = object({
+ enabled = bool
+ logging_enabled = optional(bool, false)
+ monitoring_enabled = optional(bool, false)
+ })
+ description = "The Ray Operator Addon configuration for this cluster."
+ default = {
+ enabled = false
+ logging_enabled = false
+ monitoring_enabled = false
+ }
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 193dad6b2f..861e2407f9 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.33.0, < 6"
+ version = ">= 5.40.0, < 6"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 5.33.0, < 6"
+ version = ">= 5.40.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 002bc3b69c..db5fb5784f 100644
--- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -262,6 +262,7 @@ Then perform the following commands on the root folder: | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 77d4572f87..8518b0e52a 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -280,6 +280,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + } datapath_provider = var.datapath_provider diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 90702177dd..884ea93033 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf 
@@ -95,6 +95,7 @@ locals {
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
 stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
+ ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false) ? [var.ray_operator_config] : []
 cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
 security_group = var.authenticator_security_group
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 0805b10e78..ea5dc1a700 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -741,6 +741,20 @@ variable "stateful_ha" {
 default = false
 }
+variable "ray_operator_config" {
+ type = object({
+ enabled = bool
+ logging_enabled = optional(bool, false)
+ monitoring_enabled = optional(bool, false)
+ })
+ description = "The Ray Operator Addon configuration for this cluster."
+ default = {
+ enabled = false
+ logging_enabled = false
+ monitoring_enabled = false
+ }
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index b36073ae8d..19d8df6feb 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.25.0, < 6"
+ version = ">= 5.40.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 717cedb06e..590004ace3 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -240,6 +240,7 @@ Then perform the following commands on the root folder: | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no | | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | +| ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 7886ea9aec..1ed3bdb20b 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -280,6 +280,23 @@ resource "google_container_cluster" "primary" { enabled = stateful_ha_config.value.enabled } } + + dynamic "ray_operator_config" { + for_each = local.ray_operator_config + + content { + + enabled = ray_operator_config.value.enabled + + ray_cluster_logging_config { + enabled = ray_operator_config.value.logging_enabled + } + ray_cluster_monitoring_config { + enabled = ray_operator_config.value.monitoring_enabled + } + } + } + } datapath_provider = var.datapath_provider diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 90702177dd..884ea93033 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf 
@@ -95,6 +95,7 @@ locals {
 gke_backup_agent_config = var.gke_backup_agent_config ? [{ enabled = true }] : [{ enabled = false }]
 gcs_fuse_csi_driver_config = var.gcs_fuse_csi_driver ? [{ enabled = true }] : []
 stateful_ha_config = var.stateful_ha ? [{ enabled = true }] : []
+ ray_operator_config = length(var.ray_operator_config) > 0 && lookup(var.ray_operator_config, "enabled", false) ? [var.ray_operator_config] : []
 cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{
 security_group = var.authenticator_security_group
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 0805b10e78..ea5dc1a700 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -741,6 +741,20 @@ variable "stateful_ha" {
 default = false
 }
+variable "ray_operator_config" {
+ type = object({
+ enabled = bool
+ logging_enabled = optional(bool, false)
+ monitoring_enabled = optional(bool, false)
+ })
+ description = "The Ray Operator Addon configuration for this cluster."
+ default = {
+ enabled = false
+ logging_enabled = false
+ monitoring_enabled = false
+ }
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index f13959f817..2d02269128 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 5.25.0, < 6"
+ version = ">= 5.40.0, < 6"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go b/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go
index 0479efe84d..dad92ca5f4 100644
--- a/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go
+++ b/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go
@@ -53,6 +53,9 @@ func TestSimpleAutopilotPublic(t *testing.T) {
 "addonsConfig.httpLoadBalancing",
 "addonsConfig.kubernetesDashboard.disabled",
 "addonsConfig.networkPolicyConfig.disabled",
+ "addonsConfig.rayOperatorConfig.enabled",
+ "addonsConfig.rayOperatorConfig.rayClusterLoggingConfig.enabled",
+ "addonsConfig.rayOperatorConfig.rayClusterMonitoringConfig.enabled",
 }
 for _, pth := range validateJSONPaths {
 g.JSONEq(assert, op, pth)
diff --git a/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json b/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json
index d014c325dc..76d70b63eb 100644
--- a/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json
+++ b/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json
@@ -6,6 +6,15 @@
 "gcePersistentDiskCsiDriverConfig": {
 "enabled": true
 },
+ "rayOperatorConfig": {
+ "enabled": true,
+ "rayClusterLoggingConfig": {
+ "enabled": true
+ },
+ "rayClusterMonitoringConfig": {
+ "enabled": true
+ }
+ },
 "gcpFilestoreCsiDriverConfig": {
 "enabled": true
 },
diff --git a/variables.tf b/variables.tf
index fac473f833..8ab53f4cd8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -705,6 +705,20 @@ variable "stateful_ha" {
 default = false
 }
+variable "ray_operator_config" {
+ type = object({
+ enabled = bool
+ logging_enabled = optional(bool, false)
+ monitoring_enabled = optional(bool, false)
+ })
+ description = "The Ray Operator Addon configuration for this cluster."
+ default = {
+ enabled = false
+ logging_enabled = false
+ monitoring_enabled = false
+ }
+}
+
 variable "timeouts" {
 type = map(string)
 description = "Timeout for cluster operations."
diff --git a/versions.tf b/versions.tf
index 87a1e3ebee..d7a0dfb92d 100644
--- a/versions.tf
+++ b/versions.tf
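Review bot: The three new `addonsConfig.rayOperatorConfig.*` paths are compared against a golden file that expects the operator, its logging and its monitoring all enabled (the testdata hunk in this section), so the `simple_autopilot_public` example has to pass `ray_operator_config` with all three flags true; that example change is not visible in this chunk, and with the variable's default (`enabled = false`) the comparison would fail, so it is worth confirming the two land together. A second fixture exercising the disabled path would also cover the case where the module omits the `ray_operator_config` block entirely, which this test does not reach. `TestSimpleAutopilotPublic` starts outside the hunk.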
@@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.25.0, < 6" + version = ">= 5.40.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" From 8c5ec627e4b0b6d18184a0fdbcc41de96b7987c4 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 11:46:43 -0700 Subject: [PATCH 128/176] chore(master): release 32.0.0 (#1992) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 38 +++++++++++++++++++ autogen/main/versions.tf.tmpl | 4 +- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 +- modules/asm/versions.tf | 4 +- modules/auth/versions.tf | 2 +- .../versions.tf | 2 +- .../beta-autopilot-public-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- .../versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- .../versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- .../safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 23 files changed, 63 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 820ef52609..0c7f17c467 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [32.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v31.1.0...v32.0.0) (2024-08-10) + + +### âš  BREAKING CHANGES + +* **TPG>=5.40.0:** Add support for RayOperator Addon ([#2032](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2032)) +* **TPG>=5.33:** add secret manager add-on config to beta modules ([#1977](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1977)) + +### Features + +* Add additional functionality for autopilot clusters ([#1985](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1985)) ([3b0bbe8](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/3b0bbe8a60532cc2a2b8b676db1dfb7f0d2d0054)) +* add notification event filter ([#1996](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1996)) ([9ff1b5e](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/9ff1b5e373a4aafa6199abbc07f8c07bf092ac2f)) +* add optional private_endpoint_subnetwork variable in private submodules ([#2009](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2009)) ([7a2e9b8](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/7a2e9b8e6d7fbb6c4986cce2c8484be58ec1c82e)) +* add support for `logging_variant` in Autopilot clusters ([#1962](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1962)) ([08028a8](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/08028a89d9ca812034f4b7d487e7f28131b41061)) +* add support for additive_vpc_scope_dns_domain 
([#1998](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1998)) ([b54b7ba](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b54b7ba89b47df5692d17ed41a898f4bffbcd5b5)) +* add support for confidential storage + docs fixes ([#2003](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2003)) ([270a5c7](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/270a5c7380dd9fe9c41779143ddbfd5bf32c8fff)) +* allow default node pools metadata key-value pairs to be disabled ([#2005](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2005)) ([318f38f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/318f38fba30068761ad6bf61ec34cdbf9a09cab9)) +* anthos modules remote fleet project ([#1995](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1995)) ([674f772](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/674f77210a0a2b5236b53e0183393e34bd7a1dd2)) +* bump `enable_intranode_visibility` to GA ([#1956](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1956)) ([4274b0e](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/4274b0e286509103c25ae9b2d62f932e922f7659)) +* bump identity_service_config to ga ([#1997](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1997)) ([9d6a400](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/9d6a4005ea8601dc88ce2a64edcc5ce663765893)) +* bump kubelet config to ga + minor doc fixes ([#1994](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1994)) ([6bd1bc1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/6bd1bc103955fa4f4af8aca53e2afddd68a43a1c)) +* 
**cluster.tf:** add support for setting cgroup mode ([#2001](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2001)) ([3fc4db4](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/3fc4db4323187d350582a2915b24954ada6c792e)) +* enable binauthz for autopilot ([#2030](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2030)) ([3ebf04a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/3ebf04a3ce27d6d251bedd98fdbb67ed47e88819)) +* extend enable_secret_manager_addon to beta-autopilot clusters ([#2017](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2017)) ([7f31e96](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/7f31e96141308f8c00c178b1dd6d525ca233eddc)) +* Fleet app operator permissions ([#1986](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1986)) ([e0fd03a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/e0fd03ac22212f2c1895f2651e263f36409937c4)) +* support enable_nested_virtualization ([#2012](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2012)) ([e298e74](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/e298e7492c32d61a1387912c3525cd610434912d)) +* support workload_identity_config on autopilot ([#2011](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2011)) ([b4f2e14](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/b4f2e14a39140451f420ea259dc29da4f34129f9)) +* **TPG>=5.33:** add secret manager add-on config to beta modules ([#1977](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1977)) 
([5c58d89](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/5c58d892cc52074c70032a73a9f7fc37d25738f5)) +* **TPG>=5.40.0:** Add support for RayOperator Addon ([#2032](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2032)) ([c046af1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/c046af17aa9da70b3a639aaf025e3c4084dcb692)) + + +### Bug Fixes + +* add missing gpu node pool param docs ([#2023](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2023)) ([ac76d4d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/ac76d4d50d1fb17e7430facd06f22fe66a5c08ee)) +* empty addons_config handling ([#1978](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1978)) ([9ae8b38](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/9ae8b385ce84d705cf3ac7722bad89a24d056302)) +* enable_confidential_storage fix ([#2018](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2018)) ([12cfe5e](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/12cfe5e4d3c668117649cb346e49b0d2e598f4ed)) +* skip service account `random_string` when not needed ([#2024](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2024)) ([be88d19](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/be88d197d1d560cf508ddf1f4d026e9d2b91bbc9)) + ## [31.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v31.0.0...v31.1.0) (2024-06-26) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 2d7999f3fd..ddbdd0889d 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl 
@@ -40,7 +40,7 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.1.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.0"
 }
 {% else %}
 required_providers {
@@ -58,7 +58,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.1.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.0"
 }
 {% endif %}
 }
diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl
index 7ade294457..ae5e330a4b 100644
--- a/autogen/safer-cluster/versions.tf.tmpl
+++ b/autogen/safer-cluster/versions.tf.tmpl
@@ -23,6 +23,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v31.1.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.0"
 }
 }
diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf
index 39a6314c0d..2b6fcc7c76 100644
--- a/modules/acm/versions.tf
+++ b/modules/acm/versions.tf
@@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.0" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 4beacc5b5e..54c6c53155 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index c2fcca4bd9..d85a8b7f90 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf @@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.0" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 3ae0d3b8e4..93b0e5a59e 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf 
@@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.0" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index fd29a13f71..d7044f8213 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.0" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index de52e81b1b..44b0c9884e 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.0" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index a042535325..900e76742d 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.0" } } 
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 2a9ee2978d..13991fb040 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.0" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 861e2407f9..35b77b234b 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.0" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index 4a30790141..d91632ecca 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.0" } } diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf index 8903345713..ae100c10e5 100644 --- a/modules/fleet-app-operator-permissions/versions.tf +++ b/modules/fleet-app-operator-permissions/versions.tf 
@@ -33,7 +33,7 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.0" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 588e277364..55f26d6b04 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.0" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index 041d775143..c6871cef11 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.0" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 19d8df6feb..8e2bd3c5bb 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.0" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 2d02269128..93305d9f62 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.0" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index 3f31c69871..d00f5d08da 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.0" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index b6298aaf94..c49621e4f4 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.0" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 311c31a977..1d9892805e 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf @@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.0" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index b7b9a890dc..1ec239ef72 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf 
@@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.0" } } diff --git a/versions.tf b/versions.tf index d7a0dfb92d..4e32ce2fd7 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v31.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.0" } } From 2a22749516e91c1a908bccc21e23b9d36de4dd01 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 13 Aug 2024 14:32:07 -0700 Subject: [PATCH 129/176] chore(deps): Update dependency go to v1.22.6 (#2036) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index 536f1b6851..bee0ee12b6 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -2,7 +2,7 @@ module github.com/terraform-google-modules/terraform-google-kubernetes-engine/te go 1.22 -toolchain go1.22.5 +toolchain go1.22.6 require ( github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1 From 55a406e7fba23fe030166b4f0a92e71cd2368d98 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 14 Aug 2024 13:05:57 -0700 Subject: [PATCH 130/176] chore(deps): Update Terraform terraform-google-modules/kubernetes-engine/google to v32 (#2038) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/acm-terraform-blog-part1/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part2/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part3/terraform/gke.tf | 4 ++-- examples/deploy_service/main.tf | 2 +- examples/disable_client_cert/main.tf | 2 +- examples/island_cluster_anywhere_in_gcp_design/main.tf | 2 +- examples/island_cluster_with_vm_router/main.tf | 2 +- examples/node_pool/main.tf | 2 +- examples/node_pool_update_variant/main.tf | 2 +- examples/node_pool_update_variant_beta/main.tf | 2 +- examples/node_pool_update_variant_public_beta/main.tf | 2 +- examples/private_zonal_with_networking/main.tf | 2 +- examples/regional_private_node_pool_oauth_scopes/main.tf | 2 +- examples/safer_cluster/main.tf | 2 +- examples/safer_cluster_iap_bastion/cluster.tf | 2 +- examples/shared_vpc/main.tf | 2 +- examples/simple_autopilot_private/main.tf | 2 +- examples/simple_autopilot_private_non_default_sa/main.tf | 2 +- examples/simple_autopilot_public/main.tf | 2 +- examples/simple_regional/main.tf | 2 +- examples/simple_regional_beta/main.tf | 2 +- examples/simple_regional_private/main.tf | 2 +- examples/simple_regional_private_beta/main.tf | 2 +- .../simple_regional_private_with_cluster_version/main.tf | 2 +- examples/simple_regional_with_gateway_api/main.tf | 2 +- examples/simple_regional_with_kubeconfig/main.tf | 4 ++-- examples/simple_regional_with_networking/main.tf | 2 +- examples/simple_windows_node_pool/main.tf | 2 +- examples/simple_zonal_private/main.tf | 2 +- examples/simple_zonal_with_acm/acm.tf | 2 +- examples/simple_zonal_with_acm/main.tf | 2 +- examples/simple_zonal_with_asm/main.tf | 4 ++-- examples/simple_zonal_with_hub/hub.tf | 2 +- 
examples/simple_zonal_with_hub/main.tf | 2 +- examples/simple_zonal_with_hub_kubeconfig/hub.tf | 2 +- examples/stub_domains/main.tf | 2 +- examples/stub_domains_private/main.tf | 2 +- examples/stub_domains_upstream_nameservers/main.tf | 2 +- examples/upstream_nameservers/main.tf | 2 +- examples/workload_identity/main.tf | 8 ++++---- examples/workload_metadata_config/main.tf | 2 +- 41 files changed, 47 insertions(+), 47 deletions(-) diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index 7df2197cfe..4555c2556e 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -31,7 +31,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part1" region = var.region diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 527d2ef100..37e0f55eaf 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf @@ -31,7 +31,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part2" region = var.region diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index ff4db070a5..d80df284bc 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf 
@@ -33,7 +33,7 @@ module "enabled_google_apis" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = module.enabled_google_apis.project_id name = "sfl-acm-part3" region = var.region @@ -48,7 +48,7 @@ module "gke" { module "wi" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 31.0" + version = "~> 32.0" gcp_sa_name = "cnrmsa" cluster_name = module.gke.name name = "cnrm-controller-manager" diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index 418cc61ed1..5cd745c8b0 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf index 535d5200a1..37053a3ae4 100644 --- a/examples/disable_client_cert/main.tf +++ b/examples/disable_client_cert/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/island_cluster_anywhere_in_gcp_design/main.tf b/examples/island_cluster_anywhere_in_gcp_design/main.tf index 8dbbe9894b..e3483bc1b7 100644 --- a/examples/island_cluster_anywhere_in_gcp_design/main.tf +++ b/examples/island_cluster_anywhere_in_gcp_design/main.tf 
@@ -27,7 +27,7 @@ resource "google_service_account" "gke-sa" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 31.0" + version = "~> 32.0" for_each = { for k, v in var.gke_spokes : k => v } diff --git a/examples/island_cluster_with_vm_router/main.tf b/examples/island_cluster_with_vm_router/main.tf index 5984412ee5..7f5803e69e 100644 --- a/examples/island_cluster_with_vm_router/main.tf +++ b/examples/island_cluster_with_vm_router/main.tf @@ -143,7 +143,7 @@ module "net" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 31.0" + version = "~> 32.0" depends_on = [google_compute_instance.vm] diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index 1bb3bdba37..513941b1c6 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf index b526e656bd..7c35f3d921 100644 --- a/examples/node_pool_update_variant/main.tf +++ b/examples/node_pool_update_variant/main.tf @@ -34,7 +34,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster-update-variant" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf index 99e9134518..2e91e601ce 100644 --- a/examples/node_pool_update_variant_beta/main.tf +++ b/examples/node_pool_update_variant_beta/main.tf 
@@ -39,7 +39,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf index 4821df4ac6..f85cb9a091 100644 --- a/examples/node_pool_update_variant_public_beta/main.tf +++ b/examples/node_pool_update_variant_public_beta/main.tf @@ -39,7 +39,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster-update-variant" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf index 692a7bd1fd..8f0180e0fe 100644 --- a/examples/private_zonal_with_networking/main.tf +++ b/examples/private_zonal_with_networking/main.tf @@ -61,7 +61,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = var.cluster_name diff --git a/examples/regional_private_node_pool_oauth_scopes/main.tf b/examples/regional_private_node_pool_oauth_scopes/main.tf index bf46331191..81302d0331 100644 --- a/examples/regional_private_node_pool_oauth_scopes/main.tf +++ b/examples/regional_private_node_pool_oauth_scopes/main.tf @@ -16,7 +16,7 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "random-test-cluster" 
diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index 5d6df90110..64551b16f4 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf @@ -52,7 +52,7 @@ resource "random_shuffle" "version" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster-${random_string.suffix.result}" diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf index 8fbaa05646..c90667378b 100644 --- a/examples/safer_cluster_iap_bastion/cluster.tf +++ b/examples/safer_cluster_iap_bastion/cluster.tf @@ -16,7 +16,7 @@ module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = module.enabled_google_apis.project_id name = var.cluster_name diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf index 5803a64c6f..c7bed09ccc 100644 --- a/examples/shared_vpc/main.tf +++ b/examples/shared_vpc/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf index d98f7f00df..e81a983e73 100644 --- a/examples/simple_autopilot_private/main.tf +++ b/examples/simple_autopilot_private/main.tf @@ -35,7 +35,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster" 
diff --git a/examples/simple_autopilot_private_non_default_sa/main.tf b/examples/simple_autopilot_private_non_default_sa/main.tf index 332e41f1cc..93ade48198 100644 --- a/examples/simple_autopilot_private_non_default_sa/main.tf +++ b/examples/simple_autopilot_private_non_default_sa/main.tf @@ -35,7 +35,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf index 7a760bc60c..cf4deb5909 100644 --- a/examples/simple_autopilot_public/main.tf +++ b/examples/simple_autopilot_public/main.tf @@ -34,7 +34,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster" diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 2127fa9eea..205557b3e2 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index 2c1f082af9..c6a5401b4d 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf 
@@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf index 25cf124ef9..9f852323bb 100644 --- a/examples/simple_regional_private/main.tf +++ b/examples/simple_regional_private/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf index 822c7946ce..6170d36574 100644 --- a/examples/simple_regional_private_beta/main.tf +++ b/examples/simple_regional_private_beta/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_private_with_cluster_version/main.tf b/examples/simple_regional_private_with_cluster_version/main.tf index 23b5b83c99..cff361a8de 100644 --- a/examples/simple_regional_private_with_cluster_version/main.tf +++ b/examples/simple_regional_private_with_cluster_version/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" 
diff --git a/examples/simple_regional_with_gateway_api/main.tf b/examples/simple_regional_with_gateway_api/main.tf index 34500ada3a..f6fef5026f 100644 --- a/examples/simple_regional_with_gateway_api/main.tf +++ b/examples/simple_regional_with_gateway_api/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf index 7387bb0c15..84f4e99ba9 100644 --- a/examples/simple_regional_with_kubeconfig/main.tf +++ b/examples/simple_regional_with_kubeconfig/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" @@ -45,7 +45,7 @@ module "gke" { module "gke_auth" { source = "terraform-google-modules/kubernetes-engine/google//modules/auth" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id location = module.gke.location diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf index a37c1fb6e9..e072c50814 100644 --- a/examples/simple_regional_with_networking/main.tf +++ b/examples/simple_regional_with_networking/main.tf @@ -53,7 +53,7 @@ module "gcp-network" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = var.cluster_name diff --git a/examples/simple_windows_node_pool/main.tf b/examples/simple_windows_node_pool/main.tf index 0562eea5a4..e2ad5ac199 100644 --- a/examples/simple_windows_node_pool/main.tf +++ b/examples/simple_windows_node_pool/main.tf 
@@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf index 138bfcd314..a44b2d4c1a 100644 --- a/examples/simple_zonal_private/main.tf +++ b/examples/simple_zonal_private/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf index 56d510cb89..c58eb4874c 100644 --- a/examples/simple_zonal_with_acm/acm.tf +++ b/examples/simple_zonal_with_acm/acm.tf @@ -16,7 +16,7 @@ module "acm" { source = "terraform-google-modules/kubernetes-engine/google//modules/acm" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id location = module.gke.location diff --git a/examples/simple_zonal_with_acm/main.tf b/examples/simple_zonal_with_acm/main.tf index c62dc3b26b..814118ffdb 100644 --- a/examples/simple_zonal_with_acm/main.tf +++ b/examples/simple_zonal_with_acm/main.tf @@ -32,7 +32,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf index f54653b1ed..a5879d50cd 100644 --- a/examples/simple_zonal_with_asm/main.tf +++ b/examples/simple_zonal_with_asm/main.tf 
@@ -28,7 +28,7 @@ data "google_project" "project" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "test-prefix-cluster-test-suffix" @@ -57,7 +57,7 @@ module "gke" { module "asm" { source = "terraform-google-modules/kubernetes-engine/google//modules/asm" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id cluster_name = module.gke.name diff --git a/examples/simple_zonal_with_hub/hub.tf b/examples/simple_zonal_with_hub/hub.tf index 5b7171ab4c..94706e7c5a 100644 --- a/examples/simple_zonal_with_hub/hub.tf +++ b/examples/simple_zonal_with_hub/hub.tf @@ -16,7 +16,7 @@ module "hub" { source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id location = module.gke.location diff --git a/examples/simple_zonal_with_hub/main.tf b/examples/simple_zonal_with_hub/main.tf index 6c13cbdbbc..245c11d53e 100644 --- a/examples/simple_zonal_with_hub/main.tf +++ b/examples/simple_zonal_with_hub/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id regional = false diff --git a/examples/simple_zonal_with_hub_kubeconfig/hub.tf b/examples/simple_zonal_with_hub_kubeconfig/hub.tf index d904d87c6b..b987a3bd86 100644 --- a/examples/simple_zonal_with_hub_kubeconfig/hub.tf +++ b/examples/simple_zonal_with_hub_kubeconfig/hub.tf @@ -16,7 +16,7 @@ module "hub" { source = "terraform-google-modules/kubernetes-engine/google//modules/hub-legacy" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id location = "remote" diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf index 82599a7534..c2f0afabb9 100644 --- a/examples/stub_domains/main.tf +++ b/examples/stub_domains/main.tf 
@@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf index 5bb6268ffc..dc0bb99f4c 100644 --- a/examples/stub_domains_private/main.tf +++ b/examples/stub_domains_private/main.tf @@ -30,7 +30,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 31.0" + version = "~> 32.0" ip_range_pods = var.ip_range_pods ip_range_services = var.ip_range_services diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf index 5a95ab8e69..cb8b748458 100644 --- a/examples/stub_domains_upstream_nameservers/main.tf +++ b/examples/stub_domains_upstream_nameservers/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf index 876152ad28..8e613ce7b1 100644 --- a/examples/upstream_nameservers/main.tf +++ b/examples/upstream_nameservers/main.tf @@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index 98b406e31b..01bf4977ce 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf 
@@ -28,7 +28,7 @@ provider "kubernetes" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" @@ -54,7 +54,7 @@ module "gke" { # example without existing KSA module "workload_identity" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "iden-${module.gke.name}" @@ -74,7 +74,7 @@ resource "kubernetes_service_account" "test" { module "workload_identity_existing_ksa" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "existing-${module.gke.name}" @@ -93,7 +93,7 @@ resource "google_service_account" "custom" { module "workload_identity_existing_gsa" { source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = google_service_account.custom.account_id diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index 4ee285814d..110bd7d29e 100644 --- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf @@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" { module "gke" { source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 31.0" + version = "~> 32.0" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" From d46997327a625cfcb5cb5fb0286d7cbfd5a28125 Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Thu, 15 Aug 2024 19:02:36 -0400 Subject: [PATCH 131/176] fix: remove duplicte enable_secure_boot (#2040) 
Signed-off-by: drfaust92 --- autogen/main/cluster.tf.tmpl | 1 - modules/beta-private-cluster-update-variant/cluster.tf | 1 - modules/beta-public-cluster-update-variant/cluster.tf | 1 - modules/private-cluster-update-variant/cluster.tf | 1 - 4 files changed, 4 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index fcf57318b5..6fe68c5d26 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -712,7 +712,6 @@ locals { "service_account", "enable_gcfs", "enable_gvnic", - "enable_secure_boot", "boot_disk_kms_key", "queued_provisioning", "enable_confidential_storage", diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 6e722667ce..6242de6549 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -611,7 +611,6 @@ locals { "service_account", "enable_gcfs", "enable_gvnic", - "enable_secure_boot", "boot_disk_kms_key", "queued_provisioning", "enable_confidential_storage", diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index a30562d7ed..d63bbba197 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -590,7 +590,6 @@ locals { "service_account", "enable_gcfs", "enable_gvnic", - "enable_secure_boot", "boot_disk_kms_key", "queued_provisioning", "enable_confidential_storage", diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 8518b0e52a..65b66dc412 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -547,7 +547,6 @@ locals { "service_account", "enable_gcfs", "enable_gvnic", - "enable_secure_boot", "boot_disk_kms_key", "queued_provisioning", "enable_confidential_storage", 
From b1fb1b39cea355ee31cbe1088078d9713c55ac67 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Thu, 15 Aug 2024 17:36:50 -0700 Subject: [PATCH 132/176] chore(CI): remove assert so polling is honored (#2037) --- test/integration/deploy_service/deploy_service_test.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/test/integration/deploy_service/deploy_service_test.go b/test/integration/deploy_service/deploy_service_test.go index c87470d44b..8c51d52edc 100755 --- a/test/integration/deploy_service/deploy_service_test.go +++ b/test/integration/deploy_service/deploy_service_test.go @@ -50,10 +50,11 @@ func TestDeployService(t *testing.T) { pollHTTPEndPoint := func(cmd string) func() (bool, error) { return func() (bool, error) { _, err := http.Get(cmd) - if assert.NoError(err) { - return false, nil + if err != nil { + t.Logf("%s", err) + return true, err } - return true, nil + return false, nil } } From a5a67e56fd343b66a8ba5b02cd01c1dd2e27da8a Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 20 Aug 2024 10:40:01 -0700 Subject: [PATCH 133/176] fix(fleet_app_operator_permissions): optional groups and users (#2044) --- examples/simple_fleet_app_operator_permissions/main.tf | 1 - modules/fleet-app-operator-permissions/README.md | 4 ++-- modules/fleet-app-operator-permissions/variables.tf | 2 ++ 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/examples/simple_fleet_app_operator_permissions/main.tf b/examples/simple_fleet_app_operator_permissions/main.tf index e905f8bc2e..b9a2130f69 100644 --- a/examples/simple_fleet_app_operator_permissions/main.tf +++ b/examples/simple_fleet_app_operator_permissions/main.tf @@ -40,7 +40,6 @@ module "permissions" { fleet_project_id = var.fleet_project_id scope_id = google_gke_hub_scope.scope.scope_id users = ["${local.app_operator_id}@${var.fleet_project_id}.iam.gserviceaccount.com"] - groups = [] role = local.app_operator_role depends_on = [ 
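Review bot: The response from `http.Get(cmd)` on the first context line is discarded without closing its body, so every successful poll leaks a connection until the test process exits, and because only `err` is inspected any HTTP response — including a 5xx from a half-deployed service — ends polling as success. The closure should keep the response, close it, and treat a non-200 status as "retry", as sketched below; `fmt` is needed for the error unless the file already imports it. The rewrite also drops the only visible use of `assert` in this closure — if it has no other use in the test, Go will reject the unused variable or import, which the hunk does not show. The enclosing `TestDeployService` starts before the hunk.
```go
			resp, err := http.Get(cmd)
			// … unchanged: err != nil → t.Logf + return true, err …
			defer resp.Body.Close()
			if resp.StatusCode != http.StatusOK {
				return true, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, cmd)
			}
			return false, nil
```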
diff --git a/modules/fleet-app-operator-permissions/README.md b/modules/fleet-app-operator-permissions/README.md index 085fcb4c9c..960c2fe410 100644 --- a/modules/fleet-app-operator-permissions/README.md +++ b/modules/fleet-app-operator-permissions/README.md @@ -29,10 +29,10 @@ To deploy this config, run: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | fleet\_project\_id | The project to which the Fleet belongs. | `string` | n/a | yes | -| groups | The list of app operator group principals, e.g., `people@google.com`, `principalSet://iam.googleapis.com/locations/global/workforcePools/my-pool/group/people`. | `list(string)` | n/a | yes | +| groups | The list of app operator group principals, e.g., `people@google.com`, `principalSet://iam.googleapis.com/locations/global/workforcePools/my-pool/group/people`. | `list(string)` | `[]` | no | | role | The principals role for the Fleet Scope (`VIEW`/`EDIT`/`ADMIN`). | `string` | n/a | yes | | scope\_id | The scope for which IAM and RBAC role bindings are created. | `string` | n/a | yes | -| users | The list of app operator user principals, e.g., `person@google.com`, `principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/person`, `serviceAccount:my-service-account@my-project.iam.gserviceaccount.com`. | `list(string)` | n/a | yes | +| users | The list of app operator user principals, e.g., `person@google.com`, `principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/person`, `serviceAccount:my-service-account@my-project.iam.gserviceaccount.com`. | `list(string)` | `[]` | no | ## Outputs diff --git a/modules/fleet-app-operator-permissions/variables.tf b/modules/fleet-app-operator-permissions/variables.tf index 88f27d376f..400ed239af 100644 --- a/modules/fleet-app-operator-permissions/variables.tf +++ b/modules/fleet-app-operator-permissions/variables.tf 
@@ -27,11 +27,13 @@ variable "scope_id" { variable "users" { description = "The list of app operator user principals, e.g., `person@google.com`, `principal://iam.googleapis.com/locations/global/workforcePools/my-pool/subject/person`, `serviceAccount:my-service-account@my-project.iam.gserviceaccount.com`." type = list(string) + default = [] } variable "groups" { description = "The list of app operator group principals, e.g., `people@google.com`, `principalSet://iam.googleapis.com/locations/global/workforcePools/my-pool/group/people`." type = list(string) + default = [] } variable "role" { From a83100d6ef335e453fd91933ef8eaf7fe47a52b0 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 20 Aug 2024 13:49:43 -0700 Subject: [PATCH 134/176] fix(fleet_app_operator_permissions): enable multi use per project (#2045) --- modules/fleet-app-operator-permissions/main.tf | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/modules/fleet-app-operator-permissions/main.tf b/modules/fleet-app-operator-permissions/main.tf index 81fc13a96c..e7bd846ba1 100644 --- a/modules/fleet-app-operator-permissions/main.tf +++ b/modules/fleet-app-operator-permissions/main.tf @@ -39,10 +39,11 @@ locals { } } -resource "google_project_iam_binding" "log_view_permissions" { - project = var.fleet_project_id - role = "roles/logging.viewAccessor" - members = concat(local.user_principals, local.group_principals) +resource "google_project_iam_member" "log_view_permissions" { + project = var.fleet_project_id + for_each = toset(concat(local.user_principals, local.group_principals)) + role = "roles/logging.viewAccessor" + member = each.value condition { title = "conditional log view access" description = "log view access for scope ${var.scope_id}" 
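Review bot: With `default = []` on both `users` and `groups`, the module can now be applied with no principals at all and nothing in this hunk rejects that; the bindings downstream (outside this hunk) would then be created with an empty member set, which for an authoritative `*_iam_binding` strips whatever members that role already had on the scope. A guard belongs alongside these variables — a `check` block or a `precondition` on the consuming resource with `condition = length(concat(var.users, var.groups)) > 0` and `error_message = "At least one of users or groups must be set."` — since a per-variable `validation` block cannot reference the other variable on Terraform releases before 1.9. The two descriptions should also say the lists are alternatives, e.g. append `At least one of users or groups is required.` to each.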
@@ -50,10 +51,11 @@ resource "google_project_iam_binding" "log_view_permissions" { } } -resource "google_project_iam_binding" "project_level_scope_permissions" { - project = var.fleet_project_id - role = local.project_level_scope_role[var.role] - members = concat(local.user_principals, local.group_principals) +resource "google_project_iam_member" "project_level_scope_permissions" { + project = var.fleet_project_id + for_each = toset(concat(local.user_principals, local.group_principals)) + role = local.project_level_scope_role[var.role] + member = each.value } resource "google_gke_hub_scope_iam_binding" "resource_level_scope_permissions" { From ec42a18d307e7dd3d9b35ebae6440c51ab3bb1c4 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 20 Aug 2024 15:14:54 -0700 Subject: [PATCH 135/176] fix: gcfs AP diff and general cleanup (#2043) --- autogen/main/cluster.tf.tmpl | 24 ++++++++++--------- autogen/main/variables.tf.tmpl | 6 ++--- .../beta-autopilot-private-cluster/cluster.tf | 3 +++ .../beta-autopilot-public-cluster/cluster.tf | 3 +++ .../README.md | 2 +- .../variables.tf | 2 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/variables.tf | 2 +- .../README.md | 2 +- .../variables.tf | 2 +- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/variables.tf | 2 +- .../simple_autopiliot_public_test.go | 1 + .../testdata/TestSimpleAutopilotPublic.json | 3 +++ 14 files changed, 34 insertions(+), 22 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 6fe68c5d26..7d0cafc076 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -364,9 +364,9 @@ resource "google_container_cluster" "primary" { dynamic "ray_operator_config" { for_each = local.ray_operator_config - + content { - + enabled = ray_operator_config.value.enabled ray_cluster_logging_config { 
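Review bot: Switching `project_level_scope_permissions` (and `log_view_permissions` above it) from `google_project_iam_binding` to per-member `google_project_iam_member` makes these grants non-authoritative, which is what allows several module instances per project, but it also means the module no longer revokes principals that hold `local.project_level_scope_role[var.role]` or `roles/logging.viewAccessor` on the project from outside this configuration; that is a security-relevant behaviour change and deserves a comment on the resource plus a README/CHANGELOG line, e.g. `# Non-authoritative on purpose: several scopes may share one project; members granted elsewhere are left untouched.` Because the resource type changes, the next apply destroys the old binding and creates the member resources, and whether principals briefly lose the role depends on plan ordering, so the upgrade note should warn operators to expect a transient gap. The trailing `google_gke_hub_scope_iam_binding` stays authoritative, which is consistent with a scope being owned by a single instance, but that asymmetry is worth stating in the same comment.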
@@ -480,6 +480,11 @@ resource "google_container_cluster" "primary" { ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]] } {% endif %} + {% if autopilot_cluster == true %} + lifecycle { + ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0].enabled] + } + {% endif %} {% if autopilot_cluster != true %} dynamic "dns_config" { @@ -660,21 +665,18 @@ resource "google_container_cluster" "primary" { } } } - {% if beta_cluster and autopilot_cluster != true %} + {% if beta_cluster %} node_pool_defaults { node_config_defaults { + {% if autopilot_cluster %} + logging_variant = var.logging_variant + {% endif %} + {% if autopilot_cluster != true %} gcfs_config { enabled = var.enable_gcfs } - } - } - {% endif %} - {% if beta_cluster and autopilot_cluster %} - - node_pool_defaults { - node_config_defaults { - logging_variant = var.logging_variant + {% endif %} } } {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index da6fb485b3..01a3142ce6 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -818,13 +818,13 @@ variable "ray_operator_config" { type = object({ enabled = bool logging_enabled = optional(bool, false) - monitoring_enabled = optional(bool, false) + monitoring_enabled = optional(bool, false) }) description = "The Ray Operator Addon configuration for this cluster." default = { enabled = false logging_enabled = false - monitoring_enabled = false + monitoring_enabled = false } } @@ -944,7 +944,7 @@ variable "sandbox_enabled" { variable "enable_gcfs" { type = bool - description = "Enable image streaming on cluster level." + description = "(Beta) Enable image streaming on cluster level." default = false } {% endif %} diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 20604496ec..06e7074659 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf 
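Review bot: The new `lifecycle { ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0].enabled] }` carries no explanation, and a bare `ignore_changes` on a node-config setting reads as suppressed drift to the next reviewer; the reason — judging from the commit title and the `gcfsConfig.enabled: true` added to the Autopilot test fixture later in this patch, the API reports image streaming as enabled on Autopilot regardless of input — should be written down: `# Autopilot manages image streaming (GCFS) itself and always reports gcfs_config.enabled; ignored to avoid a perpetual diff.` Terraform accepts only one `lifecycle` block per resource, so the `{% if autopilot_cluster == true %}` guard must be mutually exclusive with the condition wrapping the `lifecycle` block just above it — its closing `{% endif %}` is visible but its opening is not, so please confirm. The same comment belongs in the two generated copies in `beta-autopilot-*-cluster/cluster.tf`.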
+++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -261,6 +261,9 @@ resource "google_container_cluster" "primary" { } } + lifecycle { + ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0].enabled] + } timeouts { create = lookup(var.timeouts, "create", "45m") diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 7af63a96d9..d68eae0db8 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -261,6 +261,9 @@ resource "google_container_cluster" "primary" { } } + lifecycle { + ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0].enabled] + } timeouts { create = lookup(var.timeouts, "create", "45m") diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 640a04de16..291c5ac550 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -203,7 +203,7 @@ Then perform the following commands on the root folder: | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | -| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | +| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index c721313d9a..fa7670edfa 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -902,7 +902,7 @@ variable "sandbox_enabled" { variable "enable_gcfs" { type = bool - description = "Enable image streaming on cluster level." + description = "(Beta) Enable image streaming on cluster level." default = false } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 6c3bb8a4d5..5db9fc0ddb 100644 
--- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -181,7 +181,7 @@ Then perform the following commands on the root folder: | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | -| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | +| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index c721313d9a..fa7670edfa 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -902,7 +902,7 @@ variable "sandbox_enabled" { variable "enable_gcfs" { type = bool - description = "Enable image streaming on cluster level." + description = "(Beta) Enable image streaming on cluster level." default = false } 
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 1b30408a6a..a5417cdabc 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -196,7 +196,7 @@ Then perform the following commands on the root folder: | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | -| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | +| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 86afb87da3..6f335b00fb 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -866,7 +866,7 @@ variable "sandbox_enabled" { variable "enable_gcfs" { type = bool - description = "Enable image streaming on cluster level." + description = "(Beta) Enable image streaming on cluster level." default = false } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index d72c116ac4..00654e1b3e 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -174,7 +174,7 @@ Then perform the following commands on the root folder: | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_default\_node\_pools\_metadata | Whether to enable the default node pools metadata key-value pairs such as `cluster_name` and `node_pool` | `bool` | `true` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | -| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | +| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 86afb87da3..6f335b00fb 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -866,7 +866,7 @@ variable "sandbox_enabled" { variable "enable_gcfs" { type = bool - description = "Enable image streaming on cluster level." + description = "(Beta) Enable image streaming on cluster level." default = false } diff --git a/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go b/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go index dad92ca5f4..1e0221e0c2 100644 --- a/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go +++ b/test/integration/simple_autopilot_public/simple_autopiliot_public_test.go @@ -56,6 +56,7 @@ func TestSimpleAutopilotPublic(t *testing.T) { "addonsConfig.rayOperatorConfig.enabled", "addonsConfig.rayOperatorConfig.rayClusterLoggingConfig.enabled", "addonsConfig.rayOperatorConfig.rayClusterMonitoringConfig.enabled", + "nodePoolDefaults.nodeConfigDefaults.gcfsConfig.enabled", } for _, pth := range validateJSONPaths { g.JSONEq(assert, op, pth) diff --git a/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json b/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json index 76d70b63eb..e0a2794438 100644 --- a/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json +++ b/test/integration/simple_autopilot_public/testdata/TestSimpleAutopilotPublic.json @@ -188,6 +188,9 @@ "variantConfig": { "variant": "DEFAULT" } + }, + "gcfsConfig": { + "enabled": true } } }, From 352057c5392239d6269b41700f2aa0c907e0648a Mon Sep 17 00:00:00 2001 
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 08:33:06 -0700 Subject: [PATCH 136/176] chore(master): release 32.0.1 (#2041) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 10 ++++++++++ autogen/main/versions.tf.tmpl | 4 ++-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- modules/beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- .../beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- modules/beta-public-cluster-update-variant/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-app-operator-permissions/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 23 files changed, 35 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c7f17c467..b25c37592c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [32.0.1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.0...v32.0.1) (2024-08-20) + + +### Bug Fixes + +* **fleet_app_operator_permissions:** enable multi use per project ([#2045](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2045)) ([a83100d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/a83100d6ef335e453fd91933ef8eaf7fe47a52b0)) +* **fleet_app_operator_permissions:** optional groups and users ([#2044](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2044)) ([a5a67e5](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/a5a67e56fd343b66a8ba5b02cd01c1dd2e27da8a)) +* gcfs AP diff and general cleanup ([#2043](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2043)) ([ec42a18](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/ec42a18d307e7dd3d9b35ebae6440c51ab3bb1c4)) +* remove duplicte enable_secure_boot ([#2040](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2040)) ([d469973](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/d46997327a625cfcb5cb5fb0286d7cbfd5a28125)) + ## [32.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v31.1.0...v32.0.0) (2024-08-10) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index ddbdd0889d..5c7ae89646 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl 
@@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.1" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.1" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index ae5e330a4b..c02ef48da0 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl @@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.1" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index 2b6fcc7c76..a493e34def 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf 
@@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.1" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.1" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 54c6c53155..8adf85ed21 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.1" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.1" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index d85a8b7f90..8b53ab5cde 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf @@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.1" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 93b0e5a59e..22adb9d2c9 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf 
@@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.1" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index d7044f8213..0230f142c6 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.1" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 44b0c9884e..35d9737293 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.1" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 900e76742d..6d4e151db8 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.1" } } 
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 13991fb040..6727fca0f8 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.1" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 35b77b234b..3aca6a9cd3 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.1" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index d91632ecca..fcdcf71289 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.1" } } diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf index ae100c10e5..bf719d7f69 100644 --- a/modules/fleet-app-operator-permissions/versions.tf +++ b/modules/fleet-app-operator-permissions/versions.tf 
@@ -33,7 +33,7 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.1" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 55f26d6b04..397840e900 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.1" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index c6871cef11..d68aa77082 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.1" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 8e2bd3c5bb..0883ecf3f7 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.1" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 93305d9f62..51f378cd87 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.1" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index d00f5d08da..3bc9ab7515 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.1" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index c49621e4f4..e528187462 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.1" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 1d9892805e..880e7ab667 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf @@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.1" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 1ec239ef72..3f5ab7da96 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf 
@@ -30,6 +30,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.1"
 }
 }
diff --git a/versions.tf b/versions.tf
index 4e32ce2fd7..4786534f05 100644
--- a/versions.tf
+++ b/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.1"
 }
 }
From 5e0de62f34b4adb96b136779fdf9491299f450db Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Wed, 21 Aug 2024 11:59:42 -0700
Subject: [PATCH 137/176] fix(autopilot): ignore gcfs null (#2049)
---
 autogen/main/cluster.tf.tmpl | 2 +-
 modules/beta-autopilot-private-cluster/cluster.tf | 2 +-
 modules/beta-autopilot-public-cluster/cluster.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 7d0cafc076..88fd2b5871 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -482,7 +482,7 @@ resource "google_container_cluster" "primary" {
 {% endif %}
 {% if autopilot_cluster == true %}
 lifecycle {
- ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0].enabled]
+ ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0]]
 }
 {% endif %}
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 06e7074659..7bb915f04a 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
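Review bot: The widened `ignore_changes` entry on `node_pool_defaults[0].node_config_defaults[0].gcfs_config[0]` carries no comment explaining why the whole block, rather than only `.enabled`, is now excluded from drift detection; the commit title is the only hint that Autopilot appears to report the block as null. Because a lifecycle ignore also hides genuine out-of-band changes to the image streaming setting, the reason and its trade-off belong next to the code, e.g. `# Autopilot may report gcfs_config as null (#2049); ignoring the whole block avoids a perpetual diff but also hides real drift in this setting`. The same widening is applied verbatim in modules/beta-autopilot-private-cluster/cluster.tf and modules/beta-autopilot-public-cluster/cluster.tf. The following commit in this series (fix(autopilot): option to configure gcfs) removes this lifecycle block again in favour of a conditional `dynamic "gcfs_config"` block, which is the better shape since it lets the setting be managed explicitly instead of silently ignored.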
@@ -262,7 +262,7 @@ resource "google_container_cluster" "primary" {
 }
 lifecycle {
- ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0].enabled]
+ ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0]]
 }
 timeouts {
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index d68eae0db8..2d950e6c81 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -262,7 +262,7 @@ resource "google_container_cluster" "primary" {
 }
 lifecycle {
- ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0].enabled]
+ ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0]]
 }
 timeouts {
From 8dfb20965052cf615d4b33044c4fe10ce52fbbc5 Mon Sep 17 00:00:00 2001
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Wed, 21 Aug 2024 20:39:20 +0000 Subject: [PATCH 138/176] chore(master): release 32.0.2 (#2050) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 7 +++++++ autogen/main/versions.tf.tmpl | 4 ++-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- modules/beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- modules/beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- modules/beta-public-cluster-update-variant/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-app-operator-permissions/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 23 files changed, 32 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b25c37592c..542beea07a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [32.0.2](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.1...v32.0.2) (2024-08-21) + + +### Bug Fixes + +* **autopilot:** ignore gcfs null ([#2049](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2049)) ([5e0de62](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/5e0de62f34b4adb96b136779fdf9491299f450db)) + ## [32.0.1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.0...v32.0.1) (2024-08-20) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 5c7ae89646..6a7a104583 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.2" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.2" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index c02ef48da0..9787fa28d1 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl 
@@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.2" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index a493e34def..779abb3647 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.2" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.2" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 8adf85ed21..a9f97c2853 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.2" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.2" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index 8b53ab5cde..dfe83fbb6e 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf 
@@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.2" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 22adb9d2c9..a5d8b49c6b 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.2" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 0230f142c6..08a914cb3f 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.2" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 35d9737293..0387a54940 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.2" } } 
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 6d4e151db8..6e617f2562 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.2" } } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 6727fca0f8..f7b8a590fd 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.2" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 3aca6a9cd3..2d7217b597 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.2" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index fcdcf71289..2184192fa8 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf 
@@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.2" } } diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf index bf719d7f69..d81b9dc50e 100644 --- a/modules/fleet-app-operator-permissions/versions.tf +++ b/modules/fleet-app-operator-permissions/versions.tf @@ -33,7 +33,7 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.2" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 397840e900..a84c912606 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.2" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index d68aa77082..cefc9927cd 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.2" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 0883ecf3f7..fe9693e153 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.2" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 51f378cd87..dbd2621d02 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.2" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index 3bc9ab7515..1dc7a9d215 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.2" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index e528187462..3957a67245 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.2" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 880e7ab667..e7426de82c 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf 
@@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.2" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 3f5ab7da96..2c387ddebd 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.2" } } diff --git a/versions.tf b/versions.tf index 4786534f05..23961b2cfb 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.1" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.2" } } From c1a720a404e21540b44300fa972eb1ffd9b736e3 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Thu, 22 Aug 2024 16:47:25 -0700 Subject: [PATCH 139/176] fix(autopilot): option to configure gcfs (#2052) --- autogen/main/cluster.tf.tmpl | 11 ++++++----- autogen/main/variables.tf.tmpl | 7 ++++++- modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 9 ++++++--- modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 9 ++++++--- modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++ 8 files changed, 38 insertions(+), 12 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 88fd2b5871..b4fcd80ae3 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -480,11 +480,6 @@ resource "google_container_cluster" "primary" {
 ignore_changes = [node_pool, initial_node_count, resource_labels["asmv"]]
 }
 {% endif %}
- {% if autopilot_cluster == true %}
- lifecycle {
- ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0]]
- }
- {% endif %}
 {% if autopilot_cluster != true %}
 dynamic "dns_config" {
@@ -671,6 +666,12 @@ resource "google_container_cluster" "primary" {
 node_config_defaults {
 {% if autopilot_cluster %}
 logging_variant = var.logging_variant
+ dynamic "gcfs_config" {
+ for_each = var.enable_gcfs != null ? [true] : []
+ content {
+ enabled = var.enable_gcfs
+ }
+ }
 {% endif %}
 {% if autopilot_cluster != true %}
 gcfs_config {
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 01a3142ce6..a3118d41ab 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -941,13 +941,18 @@ variable "sandbox_enabled" {
 description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
 default = false
 }
+ {% endif %}
 variable "enable_gcfs" {
 type = bool
 description = "(Beta) Enable image streaming on cluster level."
+ {% if autopilot_cluster != true %}
 default = false
-}
 {% endif %}
+ {% if autopilot_cluster %}
+ default = null
+ {% endif %}
+}
 {% endif %}
 {% if autopilot_cluster != true %}
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index f2cfe4a8d4..b94c531c4b 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
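Review bot: With the `ignore_changes` entry dropped and `gcfs_config` omitted whenever `var.enable_gcfs` is null, whether an unset variable still plans clean on an Autopilot cluster now depends on the provider treating `gcfs_config` as computed, which this hunk cannot show; the previous commit in this series needed the ignore precisely because the block came back null. An integration case that applies with `enable_gcfs = null` and re-plans, plus one with `enable_gcfs = false`, would confirm the ignore is no longer needed rather than assume it. The `dynamic "gcfs_config"` block would also read better with a why-comment, e.g. `# Emit gcfs_config only when the caller set enable_gcfs, so an unset value leaves the setting unmanaged`. The identical block is generated into modules/beta-autopilot-private-cluster/cluster.tf and modules/beta-autopilot-public-cluster/cluster.tf, so the comment belongs in the template.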
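Review bot: The `enable_gcfs` description `"(Beta) Enable image streaming on cluster level."` is now shared by two defaults, `false` for standard clusters and `null` for Autopilot, but says nothing about what `null` means, and the generated README rows inherit that gap. Since the cluster template emits `gcfs_config` only when the value is non-null, the Autopilot branch could state it with the inline template syntax this repository already uses in versions.tf.tmpl: `description = "(Beta) Enable image streaming on cluster level.{% if autopilot_cluster %} When null, gcfs_config is not set by the module.{% endif %}"`. The `{% endif %}` added at the top of this hunk closes a template conditional whose opening line is outside the hunk, so which guard now encloses `enable_gcfs` for standard clusters is not visible here.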
@@ -93,6 +93,7 @@ Then perform the following commands on the root folder:
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
+| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `null` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 7bb915f04a..7472b09941 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -261,9 +261,6 @@ resource "google_container_cluster" "primary" {
 }
 }
- lifecycle {
- ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0]]
- }
 timeouts {
 create = lookup(var.timeouts, "create", "45m")
@@ -352,6 +349,12 @@ resource "google_container_cluster" "primary" {
 node_pool_defaults {
 node_config_defaults {
 logging_variant = var.logging_variant
+ dynamic "gcfs_config" {
+ for_each = var.enable_gcfs != null ? [true] : []
+ content {
+ enabled = var.enable_gcfs
+ }
+ }
 }
 }
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 6c815c5a3a..b53537b90e 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -524,6 +524,12 @@ variable "enable_l4_ilb_subsetting" {
 default = false
 }
+variable "enable_gcfs" {
+ type = bool
+ description = "(Beta) Enable image streaming on cluster level."
+ default = null
+}
+
 variable "allow_net_admin" {
 description = "(Optional) Enable NET_ADMIN for the cluster."
 type = bool
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 0eb3696956..596d5512a1 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -86,6 +86,7 @@ Then perform the following commands on the root folder:
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
+| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `null` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 2d950e6c81..bc65225fcc 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -261,9 +261,6 @@ resource "google_container_cluster" "primary" {
 }
 }
- lifecycle {
- ignore_changes = [node_pool_defaults[0].node_config_defaults[0].gcfs_config[0]]
- }
 timeouts {
 create = lookup(var.timeouts, "create", "45m")
@@ -331,6 +328,12 @@ resource "google_container_cluster" "primary" {
 node_pool_defaults {
 node_config_defaults {
 logging_variant = var.logging_variant
+ dynamic "gcfs_config" {
+ for_each = var.enable_gcfs != null ? [true] : []
+ content {
+ enabled = var.enable_gcfs
+ }
+ }
 }
 }
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 744b16b551..6e88d8a3a1 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -488,6 +488,12 @@ variable "enable_l4_ilb_subsetting" {
 default = false
 }
+variable "enable_gcfs" {
+ type = bool
+ description = "(Beta) Enable image streaming on cluster level."
+ default = null
+}
+
 variable "allow_net_admin" {
 description = "(Optional) Enable NET_ADMIN for the cluster."
 type = bool
From bb2db4645c67f0570986a9200b4e8fcbaf0ce2eb Mon Sep 17 00:00:00 2001
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 00:54:50 +0000 Subject: [PATCH 140/176] chore(master): release 32.0.3 (#2054) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 7 +++++++ autogen/main/versions.tf.tmpl | 4 ++-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- modules/beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- modules/beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- modules/beta-public-cluster-update-variant/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-app-operator-permissions/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 23 files changed, 32 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 542beea07a..547a850ea9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [32.0.3](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.2...v32.0.3) (2024-08-22) + + +### Bug Fixes + +* **autopilot:** option to configure gcfs ([#2052](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2052)) ([c1a720a](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/c1a720a404e21540b44300fa972eb1ffd9b736e3)) + ## [32.0.2](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.1...v32.0.2) (2024-08-21) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 6a7a104583..998ae8bd49 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.3" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.3" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index 9787fa28d1..9613b5be40 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl 
@@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.3" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index 779abb3647..170c4f56f2 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.3" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.3" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index a9f97c2853..25d5442cf7 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.3" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.3" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index dfe83fbb6e..1ca48afc14 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf 
@@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.3" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index a5d8b49c6b..a2775c00a3 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.3" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 08a914cb3f..e84bd0ef73 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.3" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 0387a54940..fd1e24983c 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.3" } } 
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 6e617f2562..89ff797f64 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.3" } } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index f7b8a590fd..3ef7549d18 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.3" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 2d7217b597..58c3a51dd3 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.3" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index 2184192fa8..bd7c5de075 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf 
@@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.3" } } diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf index d81b9dc50e..d8ae6293dd 100644 --- a/modules/fleet-app-operator-permissions/versions.tf +++ b/modules/fleet-app-operator-permissions/versions.tf @@ -33,7 +33,7 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.3" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index a84c912606..b3334fe871 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.3" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index cefc9927cd..ad1a46899a 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.3" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index fe9693e153..7430b76a29 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.3" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index dbd2621d02..351e317270 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.3" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index 1dc7a9d215..de507fd56b 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.3" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index 3957a67245..052590a6d0 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.3" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index e7426de82c..8e01602b55 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf 
@@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.3" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 2c387ddebd..1f30509723 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.3" } } diff --git a/versions.tf b/versions.tf index 23961b2cfb..cfedaf0ca4 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.2" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.3" } } From f67f416747a0169ff1584bbfc46c518561cb3650 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 10:04:06 -0700 Subject: [PATCH 141/176] chore(deps): Update nginx Docker tag to v1.27.1 (#2053) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/deploy_service/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index 5cd745c8b0..02312c42f0 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" { spec { container { - image = "nginx:1.27.0" + image = "nginx:1.27.1" name = "nginx-example" } } From 528b373cc13e8c02d18fdc2078169b940f076083 Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Mon, 26 Aug 2024 10:17:58 -0700 Subject: [PATCH 142/176] fix: allow enable_private_endpoint with no master_authorized_networks (#2058) --- autogen/main/cluster.tf.tmpl | 4 ++-- autogen/main/main.tf.tmpl | 5 ----- cluster.tf | 4 ++-- examples/simple_autopilot_private/main.tf | 7 ------- main.tf | 5 ----- modules/beta-autopilot-private-cluster/cluster.tf | 4 ++-- modules/beta-autopilot-private-cluster/main.tf | 5 ----- modules/beta-autopilot-public-cluster/cluster.tf | 4 ++-- modules/beta-autopilot-public-cluster/main.tf | 5 ----- modules/beta-private-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-private-cluster-update-variant/main.tf | 5 ----- modules/beta-private-cluster/cluster.tf | 4 ++-- modules/beta-private-cluster/main.tf | 5 ----- modules/beta-public-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-public-cluster-update-variant/main.tf | 5 ----- modules/beta-public-cluster/cluster.tf | 4 ++-- modules/beta-public-cluster/main.tf | 5 ----- modules/private-cluster-update-variant/cluster.tf | 4 ++-- modules/private-cluster-update-variant/main.tf | 5 ----- modules/private-cluster/cluster.tf | 4 ++-- modules/private-cluster/main.tf | 5 ----- .../simple_autopilot_private_test.go | 1 + .../testdata/TestSimpleAutopilotPrivate.json | 6 ------ .../simple_zonal_private/simple_zonal_private_test.go | 1 + 24 files changed, 22 insertions(+), 83 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index b4fcd80ae3..b1a305ccf4 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -257,10 +257,10 @@ resource "google_container_cluster" "primary" {
 enable_autopilot = true
 {% endif %}
 dynamic "master_authorized_networks_config" {
- for_each = local.master_authorized_networks_config
+ for_each = {% if private_cluster %}var.enable_private_endpoint || {% endif %}length(var.master_authorized_networks) > 0 ? [true] : []
 content {
 dynamic "cidr_blocks" {
- for_each = master_authorized_networks_config.value.cidr_blocks
+ for_each = var.master_authorized_networks
 content {
 cidr_block = lookup(cidr_blocks.value, "cidr_block", "")
 display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 8872676a67..a7c8afe484 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -174,11 +174,6 @@ locals {
 # /BETA features
 {% endif %}
-
- master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{
- cidr_blocks : var.master_authorized_networks
- }]
-
 {% if autopilot_cluster != true %}
 cluster_output_node_pools_names = concat(
 [for np in google_container_node_pool.pools : np.name], [""],
diff --git a/cluster.tf b/cluster.tf
index edc2d074df..d8fc73abc8 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -190,10 +190,10 @@ resource "google_container_cluster" "primary" {
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 dynamic "master_authorized_networks_config" {
- for_each = local.master_authorized_networks_config
+ for_each = length(var.master_authorized_networks) > 0 ? [true] : []
 content {
 dynamic "cidr_blocks" {
- for_each = master_authorized_networks_config.value.cidr_blocks
+ for_each = var.master_authorized_networks
 content {
 cidr_block = lookup(cidr_blocks.value, "cidr_block", "")
 display_name = lookup(cidr_blocks.value, "display_name", "")
diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf
index e81a983e73..17f2b17885 100644
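Review bot: The new `for_each` in the template reads `{% if private_cluster %}var.enable_private_endpoint || {% endif %}length(var.master_authorized_networks) > 0 ? [true] : []` and relies on HCL precedence (`>` binding tighter than `||`, which binds tighter than `?:`) to evaluate as intended; the rendered form in modules/beta-autopilot-private-cluster, beta-private-cluster-update-variant, beta-private-cluster, private-cluster-update-variant and private-cluster/cluster.tf would be clearer with explicit grouping, `for_each = (var.enable_private_endpoint || length(var.master_authorized_networks) > 0) ? [true] : []`. Because this block decides who can reach the control-plane endpoint, it deserves a comment spelling out both outcomes: with the private endpoint on and an empty list the block is emitted without `cidr_blocks`, so only clients inside the VPC reach the control plane, while on the public variants an empty list omits the block and authorized-network filtering is not applied to the public endpoint, e.g. `# Emitted when the private endpoint is enabled or any CIDRs are given; enabled with no CIDRs permits VPC-internal access only.`. The fixture change later in this commit (`masterAuthorizedNetworksConfig` with `enabled: true` and no `cidrBlocks`) matches that first outcome. The enclosing `resource "google_container_cluster" "primary"` begins and ends outside the hunk.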
--- a/examples/simple_autopilot_private/main.tf +++ b/examples/simple_autopilot_private/main.tf @@ -51,11 +51,4 @@ module "gke" { enable_private_nodes = true network_tags = [local.cluster_type] deletion_protection = false - - master_authorized_networks = [ - { - cidr_block = "10.60.0.0/17" - display_name = "VPC" - }, - ] } diff --git a/main.tf b/main.tf index 4f91f356d6..9754bf86ab 100644 --- a/main.tf +++ b/main.tf @@ -126,11 +126,6 @@ locals { cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false - - master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ - cidr_blocks : var.master_authorized_networks - }] - cluster_output_node_pools_names = concat( [for np in google_container_node_pool.pools : np.name], [""], [for np in google_container_node_pool.windows_pools : np.name], [""] diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 7472b09941..a725060cc9 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf 
@@ -106,10 +106,10 @@ resource "google_container_cluster" "primary" { enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { - for_each = local.master_authorized_networks_config + for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : [] content { dynamic "cidr_blocks" { - for_each = master_authorized_networks_config.value.cidr_blocks + for_each = var.master_authorized_networks content { cidr_block = lookup(cidr_blocks.value, "cidr_block", "") display_name = lookup(cidr_blocks.value, "display_name", "") diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 9c23b42d05..1f921ebb76 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -101,11 +101,6 @@ locals { # /BETA features - master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ - cidr_blocks : var.master_authorized_networks - }] - - cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index bc65225fcc..dc9915bc7b 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf 
@@ -106,10 +106,10 @@ resource "google_container_cluster" "primary" { enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { - for_each = local.master_authorized_networks_config + for_each = length(var.master_authorized_networks) > 0 ? [true] : [] content { dynamic "cidr_blocks" { - for_each = master_authorized_networks_config.value.cidr_blocks + for_each = var.master_authorized_networks content { cidr_block = lookup(cidr_blocks.value, "cidr_block", "") display_name = lookup(cidr_blocks.value, "display_name", "") diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index b4956bb6a3..15edafa7f9 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -100,11 +100,6 @@ locals { # /BETA features - master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ - cidr_blocks : var.master_authorized_networks - }] - - cluster_master_auth_list_layer1 = local.cluster_output_master_auth cluster_master_auth_list_layer2 = local.cluster_master_auth_list_layer1[0] cluster_master_auth_map = local.cluster_master_auth_list_layer2[0] diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 6242de6549..d3401ca09c 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -211,10 +211,10 @@ resource "google_container_cluster" "primary" { enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { - for_each = local.master_authorized_networks_config + for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : [] content { dynamic "cidr_blocks" { - for_each = master_authorized_networks_config.value.cidr_blocks + for_each = var.master_authorized_networks content { cidr_block = lookup(cidr_blocks.value, "cidr_block", "") display_name = lookup(cidr_blocks.value, "display_name", "") diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 4ee56aaacd..a715e4a691 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -145,11 +145,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features - - master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ - cidr_blocks : var.master_authorized_networks - }] - cluster_output_node_pools_names = concat( [for np in google_container_node_pool.pools : np.name], [""], [for np in google_container_node_pool.windows_pools : np.name], [""] diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 0578d91001..f073f632be 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -211,10 +211,10 @@ resource "google_container_cluster" "primary" { enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { - for_each = local.master_authorized_networks_config + for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : [] content { dynamic "cidr_blocks" { - for_each = master_authorized_networks_config.value.cidr_blocks + for_each = var.master_authorized_networks content { cidr_block = lookup(cidr_blocks.value, "cidr_block", "") display_name = lookup(cidr_blocks.value, "display_name", "") diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 4ee56aaacd..a715e4a691 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -145,11 +145,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features - - master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ - cidr_blocks : var.master_authorized_networks - }] - cluster_output_node_pools_names = concat( [for np in google_container_node_pool.pools : np.name], [""], [for np in google_container_node_pool.windows_pools : np.name], [""] diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index d63bbba197..6c68b5264d 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf 
@@ -211,10 +211,10 @@ resource "google_container_cluster" "primary" { enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { - for_each = local.master_authorized_networks_config + for_each = length(var.master_authorized_networks) > 0 ? [true] : [] content { dynamic "cidr_blocks" { - for_each = master_authorized_networks_config.value.cidr_blocks + for_each = var.master_authorized_networks content { cidr_block = lookup(cidr_blocks.value, "cidr_block", "") display_name = lookup(cidr_blocks.value, "display_name", "") diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 58d2dce97c..23a49126ed 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -144,11 +144,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features - - master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ - cidr_blocks : var.master_authorized_networks - }] - cluster_output_node_pools_names = concat( [for np in google_container_node_pool.pools : np.name], [""], [for np in google_container_node_pool.windows_pools : np.name], [""] diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 174b33c6be..e844bf1f01 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -211,10 +211,10 @@ resource "google_container_cluster" "primary" { enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { - for_each = local.master_authorized_networks_config + for_each = length(var.master_authorized_networks) > 0 ? [true] : [] content { dynamic "cidr_blocks" { - for_each = master_authorized_networks_config.value.cidr_blocks + for_each = var.master_authorized_networks content { cidr_block = lookup(cidr_blocks.value, "cidr_block", "") display_name = lookup(cidr_blocks.value, "display_name", "") diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 58d2dce97c..23a49126ed 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -144,11 +144,6 @@ locals { cluster_output_secret_manager_addon_enabled = google_container_cluster.primary.secret_manager_config != null && length(google_container_cluster.primary.secret_manager_config) == 1 ? google_container_cluster.primary.secret_manager_config[0].enabled : false # /BETA features - - master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ - cidr_blocks : var.master_authorized_networks - }] - cluster_output_node_pools_names = concat( [for np in google_container_node_pool.pools : np.name], [""], [for np in google_container_node_pool.windows_pools : np.name], [""] diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 65b66dc412..2ab271cd5f 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf 
@@ -190,10 +190,10 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy dynamic "master_authorized_networks_config" { - for_each = local.master_authorized_networks_config + for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : [] content { dynamic "cidr_blocks" { - for_each = master_authorized_networks_config.value.cidr_blocks + for_each = var.master_authorized_networks content { cidr_block = lookup(cidr_blocks.value, "cidr_block", "") display_name = lookup(cidr_blocks.value, "display_name", "") diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 884ea93033..91643752ce 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -127,11 +127,6 @@ locals { cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false - - master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ - cidr_blocks : var.master_authorized_networks - }] - cluster_output_node_pools_names = concat( [for np in google_container_node_pool.pools : np.name], [""], [for np in google_container_node_pool.windows_pools : np.name], [""] diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 1ed3bdb20b..6ee3c32c6c 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf 
@@ -190,10 +190,10 @@ resource "google_container_cluster" "primary" { enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy dynamic "master_authorized_networks_config" { - for_each = local.master_authorized_networks_config + for_each = var.enable_private_endpoint || length(var.master_authorized_networks) > 0 ? [true] : [] content { dynamic "cidr_blocks" { - for_each = master_authorized_networks_config.value.cidr_blocks + for_each = var.master_authorized_networks content { cidr_block = lookup(cidr_blocks.value, "cidr_block", "") display_name = lookup(cidr_blocks.value, "display_name", "") diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 884ea93033..91643752ce 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -127,11 +127,6 @@ locals { cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config[0].enabled : false - - master_authorized_networks_config = length(var.master_authorized_networks) == 0 ? [] : [{ - cidr_blocks : var.master_authorized_networks - }] - cluster_output_node_pools_names = concat( [for np in google_container_node_pool.pools : np.name], [""], [for np in google_container_node_pool.windows_pools : np.name], [""] diff --git a/test/integration/simple_autopilot_private/simple_autopilot_private_test.go b/test/integration/simple_autopilot_private/simple_autopilot_private_test.go index aa506b0e09..290dc1873b 100644 --- a/test/integration/simple_autopilot_private/simple_autopilot_private_test.go +++ b/test/integration/simple_autopilot_private/simple_autopilot_private_test.go 
@@ -53,6 +53,7 @@ func TestSimpleAutopilotPrivate(t *testing.T) {
 "addonsConfig.httpLoadBalancing",
 "addonsConfig.kubernetesDashboard.disabled",
 "addonsConfig.networkPolicyConfig.disabled",
+ "masterAuthorizedNetworksConfig.enabled",
 }
 for _, pth := range validateJSONPaths {
 g.JSONEq(assert, op, pth)
diff --git a/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json b/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json
index 62103f7ee9..97237dc953 100644
--- a/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json
+++ b/test/integration/simple_autopilot_private/testdata/TestSimpleAutopilotPrivate.json
@@ -124,12 +124,6 @@
 "clusterCaCertificate": "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"
 },
 "masterAuthorizedNetworksConfig": {
- "cidrBlocks": [
- {
- "cidrBlock": "10.60.0.0/17",
- "displayName": "VPC"
- }
- ],
 "enabled": true
 },
 "monitoringConfig": {
diff --git a/test/integration/simple_zonal_private/simple_zonal_private_test.go b/test/integration/simple_zonal_private/simple_zonal_private_test.go
index 515ee59f82..819a5ba456 100644
--- a/test/integration/simple_zonal_private/simple_zonal_private_test.go
+++ b/test/integration/simple_zonal_private/simple_zonal_private_test.go
@@ -64,6 +64,7 @@ func TestSimpleZonalPrivate(t *testing.T) {
 "nodePools.config.labels",
 "nodePools.config.tags",
 "nodePools.management.autoRepair",
+ "masterAuthorizedNetworksConfig",
 }
 for _, pth := range validateJSONPaths {
 g.JSONEq(assert, op, pth)
From 1060d2e10d9acc49e03b773d2c34f789d795a454 Mon Sep 17 00:00:00 2001
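Review bot: TestSimpleAutopilotPrivate now asserts only `masterAuthorizedNetworksConfig.enabled`, so the test would still pass if cidr blocks reappeared on a cluster that is supposed to have only the private endpoint and an empty allowlist. The zonal private test in the same commit asserts the whole `masterAuthorizedNetworksConfig` object, and the autopilot fixture in this commit now holds only `"enabled": true`, so the same path works here: `"masterAuthorizedNetworksConfig",`. Checking the full object pins the empty allowlist the fixture change intends, not just the flag. The test function starts outside the hunk.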
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Mon, 26 Aug 2024 11:50:40 -0700 Subject: [PATCH 143/176] chore(master): release 32.0.4 (#2061) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 7 +++++++ autogen/main/versions.tf.tmpl | 4 ++-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- modules/beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- modules/beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- modules/beta-public-cluster-update-variant/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-app-operator-permissions/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 23 files changed, 32 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 547a850ea9..de84c5ec9a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [32.0.4](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.3...v32.0.4) (2024-08-26) + + +### Bug Fixes + +* allow enable_private_endpoint with no master_authorized_networks ([#2058](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2058)) ([528b373](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/528b373cc13e8c02d18fdc2078169b940f076083)) + ## [32.0.3](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.2...v32.0.3) (2024-08-22) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 998ae8bd49..7c68bb2545 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index 9613b5be40..ae4ce79090 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl 
@@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index 170c4f56f2..5779d86966 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.4" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.4" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 25d5442cf7..dc4f84eea0 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.4" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.4" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index 1ca48afc14..5a02050197 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf 
@@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.4" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index a2775c00a3..5c00fe2f32 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.4" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index e84bd0ef73..6a14f69040 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.4" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index fd1e24983c..d6999dc909 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.4" } } 
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 89ff797f64..b12022e58f 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.4" } } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 3ef7549d18..8eef1adeb6 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.4" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 58c3a51dd3..fed51318b1 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.4" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index bd7c5de075..692f103786 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf 
@@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.4" } } diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf index d8ae6293dd..12aa2fe997 100644 --- a/modules/fleet-app-operator-permissions/versions.tf +++ b/modules/fleet-app-operator-permissions/versions.tf @@ -33,7 +33,7 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.4" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index b3334fe871..8edafe204d 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.4" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index ad1a46899a..9f67a583d6 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.4" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 7430b76a29..30e68870a1 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.4" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 351e317270..ca6363a83d 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.4" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index de507fd56b..2cb29380aa 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.4" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index 052590a6d0..c398dd854e 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.4" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 8e01602b55..9bde744e59 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf 
@@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.4" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 1f30509723..6b7ab8e1fc 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.4" } } diff --git a/versions.tf b/versions.tf index cfedaf0ca4..bfec31e721 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.4" } } From b7ba6e9e494c16d83f945f05400be132417cf14a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 09:08:11 -0700 Subject: [PATCH 144/176] chore(deps): Update Terraform terraform-google-modules/bastion-host/google to v7 (#2062) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/safer_cluster_iap_bastion/bastion.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/safer_cluster_iap_bastion/bastion.tf b/examples/safer_cluster_iap_bastion/bastion.tf index c4213b4f74..7fea1c368d 100644 --- a/examples/safer_cluster_iap_bastion/bastion.tf +++ b/examples/safer_cluster_iap_bastion/bastion.tf 
@@ -21,7 +21,7 @@ locals { module "bastion" { source = "terraform-google-modules/bastion-host/google" - version = "~> 6.0" + version = "~> 7.0" network = module.vpc.network_self_link subnet = module.vpc.subnets_self_links[0] From 7ef544eae64fa0f90e0d5c604a8442ee66a31a98 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 27 Aug 2024 11:07:02 -0700 Subject: [PATCH 145/176] chore(CI): add DefaultVerify for simple_fleet_app_operator_permissions_test (#2059) --- .../simple_fleet_app_operator_permissions_test.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/integration/simple_fleet_app_operator_permissions/simple_fleet_app_operator_permissions_test.go b/test/integration/simple_fleet_app_operator_permissions/simple_fleet_app_operator_permissions_test.go index 23d9b46ec7..eb180e1965 100644 --- a/test/integration/simple_fleet_app_operator_permissions/simple_fleet_app_operator_permissions_test.go +++ b/test/integration/simple_fleet_app_operator_permissions/simple_fleet_app_operator_permissions_test.go @@ -24,13 +24,15 @@ import ( "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" "github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration/testutils" - ) +) func TestSimpleFleetAppOperatorPermissions(t *testing.T) { appOppT := tft.NewTFBlueprintTest(t, tft.WithRetryableTerraformErrors(testutils.RetryableTransientErrors, 3, 2*time.Minute), ) appOppT.DefineVerify(func(assert *assert.Assertions) { + appOppT.DefaultVerify(assert) + projectId := appOppT.GetStringOutput("project_id") scopeId := "app-operator-team" appOperatorEmail := fmt.Sprintf("app-operator-id@%s.iam.gserviceaccount.com", projectId) From 8e53122ccc78e9301c5c9041d195b0c0e3754b26 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 14:04:12 -0700 Subject: [PATCH 146/176] fix(deps)!: Update Terraform terraform-google-modules/project-factory/google to v16 (#2057) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/acm-terraform-blog-part1/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part2/terraform/gke.tf | 2 +- examples/acm-terraform-blog-part3/terraform/gke.tf | 2 +- examples/safer_cluster_iap_bastion/apis.tf | 2 +- modules/binary-authorization/main.tf | 2 +- modules/services/main.tf | 2 +- test/setup/main.tf | 8 ++++---- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf index 4555c2556e..615a86f484 100644 --- a/examples/acm-terraform-blog-part1/terraform/gke.tf +++ b/examples/acm-terraform-blog-part1/terraform/gke.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 16.0" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf index 37e0f55eaf..f81db34073 100644 --- a/examples/acm-terraform-blog-part2/terraform/gke.tf +++ b/examples/acm-terraform-blog-part2/terraform/gke.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 16.0" project_id = var.project disable_services_on_destroy = false diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf index d80df284bc..07025627ee 100644 --- a/examples/acm-terraform-blog-part3/terraform/gke.tf +++ b/examples/acm-terraform-blog-part3/terraform/gke.tf 
@@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 16.0" project_id = var.project disable_services_on_destroy = false diff --git a/examples/safer_cluster_iap_bastion/apis.tf b/examples/safer_cluster_iap_bastion/apis.tf index f72733494f..68334b926a 100644 --- a/examples/safer_cluster_iap_bastion/apis.tf +++ b/examples/safer_cluster_iap_bastion/apis.tf @@ -16,7 +16,7 @@ module "enabled_google_apis" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 16.0" project_id = var.project_id disable_services_on_destroy = false diff --git a/modules/binary-authorization/main.tf b/modules/binary-authorization/main.tf index 8e09bb13eb..901aecc5b4 100644 --- a/modules/binary-authorization/main.tf +++ b/modules/binary-authorization/main.tf @@ -25,7 +25,7 @@ locals { module "project-services" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 16.0" project_id = var.project_id activate_apis = local.required_enabled_apis diff --git a/modules/services/main.tf b/modules/services/main.tf index 9ef548c06a..25daf441b6 100644 --- a/modules/services/main.tf +++ b/modules/services/main.tf @@ -16,7 +16,7 @@ module "services" { source = "terraform-google-modules/project-factory/google//modules/project_services" - version = "~> 15.0" + version = "~> 16.0" project_id = var.project_id enable_apis = var.enable_apis diff --git a/test/setup/main.tf b/test/setup/main.tf index fb10513a64..6f68dbbc02 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -45,7 +45,7 @@ locals { module "gke-project-1" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 16.0" name = "ci-gke-${random_id.random_project_id_suffix.hex}" random_project_id = true 
@@ -69,7 +69,7 @@ module "gke-project-1" { module "gke-project-2" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 16.0" name = "ci-gke-${random_id.random_project_id_suffix.hex}" random_project_id = true @@ -91,7 +91,7 @@ module "gke-project-2" { # apis as documented https://cloud.google.com/service-mesh/docs/scripted-install/reference#setting_up_your_project module "gke-project-asm" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 16.0" name = "ci-gke-asm-${random_id.random_project_id_suffix.hex}" random_project_id = true @@ -106,7 +106,7 @@ module "gke-project-asm" { module "gke-project-fleet" { source = "terraform-google-modules/project-factory/google" - version = "~> 15.0" + version = "~> 16.0" name = "ci-gke-fleet-${random_id.random_project_id_suffix.hex}" random_project_id = true From 7cc06267bb8654194eb0031772b0345863030457 Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Thu, 29 Aug 2024 16:52:39 -0400 Subject: [PATCH 147/176] feat: support reservation affinity (#2010) Signed-off-by: drfaust92 Co-authored-by: Andrew Peabody --- README.md | 3 +++ autogen/main/README.md | 3 +++ autogen/main/cluster.tf.tmpl | 9 +++++++-- cluster.tf | 12 ++++++++---- .../beta-private-cluster-update-variant/README.md | 3 +++ .../cluster.tf | 15 +++++++++++---- modules/beta-private-cluster/README.md | 3 +++ modules/beta-private-cluster/cluster.tf | 12 ++++++++---- .../beta-public-cluster-update-variant/README.md | 3 +++ .../beta-public-cluster-update-variant/cluster.tf | 15 +++++++++++---- modules/beta-public-cluster/README.md | 3 +++ modules/beta-public-cluster/cluster.tf | 12 ++++++++---- modules/private-cluster-update-variant/README.md | 3 +++ modules/private-cluster-update-variant/cluster.tf | 15 +++++++++++---- modules/private-cluster/README.md | 3 +++ modules/private-cluster/cluster.tf | 12 ++++++++---- 16 files changed, 96 insertions(+), 30 deletions(-) 
diff --git a/README.md b/README.md index 53b69a88b9..71b21d0060 100644 --- a/README.md +++ b/README.md @@ -358,6 +358,9 @@ The node_pools variable takes the following parameters: | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | +| consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional | +| reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional | +| reservation_affinity_values | The list of label values of reservation resources. For example: the name of the specific reservation when using a key of "compute.googleapis.com/reservation-name". This should be passed as comma separated string. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. 
diff --git a/autogen/main/README.md b/autogen/main/README.md index 89b4864b62..9031338c76 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -261,6 +261,9 @@ The node_pools variable takes the following parameters: | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | +| consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional | +| reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional | +| reservation_affinity_values | The list of label values of reservation resources. For example: the name of the specific reservation when using a key of "compute.googleapis.com/reservation-name". This should be passed as comma separated string. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. 
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index b1a305ccf4..175065a9a8 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -718,6 +718,9 @@ locals {
 "boot_disk_kms_key",
 "queued_provisioning",
 "enable_confidential_storage",
+ "consume_reservation_type",
+ "reservation_affinity_key",
+ "reservation_affinity_values"
 ]
 }
@@ -896,9 +899,11 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
 dynamic "reservation_affinity" {
- for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : []
 content {
- consume_reservation_type = "NO_RESERVATION"
+ consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null)
+ key = lookup(reservation_affinity.value, "reservation_affinity_key", null)
+ values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)]
 }
 }
 labels = merge(
diff --git a/cluster.tf b/cluster.tf
index d8fc73abc8..bf913825d4 100644
--- a/cluster.tf
+++ b/cluster.tf
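Review bot: The new `values` expression turns an empty `reservation_affinity_values` string into `[""]`, because `split(",", "")` yields a single empty element and `trimspace` keeps it, so an empty string reaches the API as a reservation label value instead of being treated as unset. Wrapping the comprehension in `compact(...)` drops empty entries: `values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : compact([for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)])`. This template is the source of the generated copies, so the fix belongs here and should be regenerated into the `pools` and `windows_pools` hunks of cluster.tf and the module cluster.tf files later in this commit rather than patched per file. Separately, when `queued_provisioning` is true a user-supplied `consume_reservation_type` is silently overridden to `NO_RESERVATION`; a sentence in the README `consume_reservation_type` row saying so would prevent a surprise. The `google_container_node_pool` resource starts and ends outside the hunk.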
@@ -605,9 +605,11 @@ resource "google_container_node_pool" "pools" {
 }
 }
 dynamic "reservation_affinity" {
- for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : []
 content {
- consume_reservation_type = "NO_RESERVATION"
+ consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null)
+ key = lookup(reservation_affinity.value, "reservation_affinity_key", null)
+ values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)]
 }
 }
 labels = merge(
@@ -885,9 +887,11 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
 dynamic "reservation_affinity" {
- for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : []
 content {
- consume_reservation_type = "NO_RESERVATION"
+ consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null)
+ key = lookup(reservation_affinity.value, "reservation_affinity_key", null)
+ values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)]
 }
 }
 labels = merge(
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 291c5ac550..7b39d3fdf1 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md @@ -417,6 +417,9 @@ The node_pools variable takes the following parameters: | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | +| consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional | +| reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional | +| reservation_affinity_values | The list of label values of reservation resources. For example: the name of the specific reservation when using a key of "compute.googleapis.com/reservation-name". This should be passed as comma separated string. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. 
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index d3401ca09c..a03e04ba55 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -614,6 +614,9 @@ locals { "boot_disk_kms_key", "queued_provisioning", "enable_confidential_storage", + "consume_reservation_type", + "reservation_affinity_key", + "reservation_affinity_values" ] } @@ -769,9 +772,11 @@ resource "google_container_node_pool" "pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( 
@@ -1063,9 +1068,11 @@ resource "google_container_node_pool" "windows_pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 5db9fc0ddb..f10cc3e03b 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -395,6 +395,9 @@ The node_pools variable takes the following parameters: | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | +| consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional | +| reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional | +| reservation_affinity_values | The list of label values of reservation resources. For example: the name of the specific reservation when using a key of "compute.googleapis.com/reservation-name". This should be passed as comma separated string. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index f073f632be..0ccdc462ae 100644 
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -690,9 +690,11 @@ resource "google_container_node_pool" "pools" {
 }
 }
 dynamic "reservation_affinity" {
- for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : []
 content {
- consume_reservation_type = "NO_RESERVATION"
+ consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null)
+ key = lookup(reservation_affinity.value, "reservation_affinity_key", null)
+ values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)]
 }
 }
 labels = merge(
@@ -983,9 +985,11 @@ resource "google_container_node_pool" "windows_pools" {
 }
 }
 dynamic "reservation_affinity" {
- for_each = lookup(each.value, "queued_provisioning", false) ? [true] : []
+ for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : []
 content {
- consume_reservation_type = "NO_RESERVATION"
+ consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null)
+ key = lookup(reservation_affinity.value, "reservation_affinity_key", null)
+ values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)]
 }
 }
 labels = merge(
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index a5417cdabc..c996793ae4 100644
--- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -404,6 +404,9 @@ The node_pools variable takes the following parameters: | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | +| consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional | +| reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional | +| reservation_affinity_values | The list of label values of reservation resources. For example: the name of the specific reservation when using a key of "compute.googleapis.com/reservation-name". This should be passed as comma separated string. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. 
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 6c68b5264d..cf9f095861 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -593,6 +593,9 @@ locals { "boot_disk_kms_key", "queued_provisioning", "enable_confidential_storage", + "consume_reservation_type", + "reservation_affinity_key", + "reservation_affinity_values" ] } @@ -748,9 +751,11 @@ resource "google_container_node_pool" "pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( 
@@ -1042,9 +1047,11 @@ resource "google_container_node_pool" "windows_pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 00654e1b3e..61cd7ab92f 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -382,6 +382,9 @@ The node_pools variable takes the following parameters: | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | +| consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional | +| reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional | +| reservation_affinity_values | The list of label values of reservation resources. For example: the name of the specific reservation when using a key of "compute.googleapis.com/reservation-name". This should be passed as comma separated string. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index e844bf1f01..5f8c5d1556 100644 
--- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -669,9 +669,11 @@ resource "google_container_node_pool" "pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( @@ -962,9 +964,11 @@ resource "google_container_node_pool" "windows_pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index db5fb5784f..707fbc9237 100644 
--- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -393,6 +393,9 @@ The node_pools variable takes the following parameters: | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | +| consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional | +| reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional | +| reservation_affinity_values | The list of label values of reservation resources. For example: the name of the specific reservation when using a key of "compute.googleapis.com/reservation-name". This should be passed as comma separated string. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. 
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 2ab271cd5f..59c6b01da2 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -550,6 +550,9 @@ locals { "boot_disk_kms_key", "queued_provisioning", "enable_confidential_storage", + "consume_reservation_type", + "reservation_affinity_key", + "reservation_affinity_values" ] } @@ -705,9 +708,11 @@ resource "google_container_node_pool" "pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( 
@@ -986,9 +991,11 @@ resource "google_container_node_pool" "windows_pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 590004ace3..b6d3eaa10e 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -371,6 +371,9 @@ The node_pools variable takes the following parameters: | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional | | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional | | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional | +| consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional | +| reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional | +| reservation_affinity_values | The list of label values of reservation resources. For example: the name of the specific reservation when using a key of "compute.googleapis.com/reservation-name". This should be passed as comma separated string. | | Optional | ## windows_node_pools variable The windows_node_pools variable takes the same parameters as [node_pools](#node\_pools-variable) but is reserved for provisioning Windows based node pools only. This variable is introduced to satisfy a [specific requirement](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-cluster-windows#create_a_cluster_and_node_pools) for the presence of at least one linux based node pool in the cluster before a windows based node pool can be created. diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 6ee3c32c6c..e257f9b0da 100644 --- a/modules/private-cluster/cluster.tf 
+++ b/modules/private-cluster/cluster.tf @@ -626,9 +626,11 @@ resource "google_container_node_pool" "pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( @@ -906,9 +908,11 @@ resource "google_container_node_pool" "windows_pools" { } } dynamic "reservation_affinity" { - for_each = lookup(each.value, "queued_provisioning", false) ? [true] : [] + for_each = lookup(each.value, "queued_provisioning", false) || lookup(each.value, "consume_reservation_type", "") != "" ? [each.value] : [] content { - consume_reservation_type = "NO_RESERVATION" + consume_reservation_type = lookup(reservation_affinity.value, "queued_provisioning", false) ? "NO_RESERVATION" : lookup(reservation_affinity.value, "consume_reservation_type", null) + key = lookup(reservation_affinity.value, "reservation_affinity_key", null) + values = lookup(reservation_affinity.value, "reservation_affinity_values", null) == null ? null : [for s in split(",", lookup(reservation_affinity.value, "reservation_affinity_values", null)) : trimspace(s)] } } labels = merge( From e11787c83169c93fe6de3f774cf310ee05287659 Mon Sep 17 00:00:00 2001 
From: Andrew Peabody Date: Tue, 3 Sep 2024 10:29:34 -0700 Subject: [PATCH 148/176] feat(private_cluster)!: enable private nodes by default (#2064) --- autogen/main/variables.tf.tmpl | 2 +- docs/upgrading_to_v33.0.md | 15 +++++++++++++++ modules/beta-autopilot-private-cluster/README.md | 2 +- .../beta-autopilot-private-cluster/variables.tf | 2 +- .../beta-private-cluster-update-variant/README.md | 2 +- .../variables.tf | 2 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/variables.tf | 2 +- modules/private-cluster-update-variant/README.md | 2 +- .../private-cluster-update-variant/variables.tf | 2 +- modules/private-cluster/README.md | 2 +- modules/private-cluster/variables.tf | 2 +- 12 files changed, 26 insertions(+), 11 deletions(-) create mode 100644 docs/upgrading_to_v33.0.md
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index a3118d41ab..d678fa60e6 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -476,7 +476,7 @@ variable "enable_private_endpoint" {
 variable "enable_private_nodes" {
 type = bool
 description = "Whether nodes have internal IP addresses only"
- default = false
+ default = true
 }
 variable "master_ipv4_cidr_block" {
diff --git a/docs/upgrading_to_v33.0.md b/docs/upgrading_to_v33.0.md
new file mode 100644
index 0000000000..7ab69cac69
--- /dev/null
+++ b/docs/upgrading_to_v33.0.md
@@ -0,0 +1,15 @@
+# Upgrading to v33.0
+The v33.0 release of *kubernetes-engine* is a backwards incompatible release.
+
+### Private Cluster Defaults
+All private-cluster modules now set `enable_private_nodes` to `true` by default.
+To opt out, set `enable_private_nodes` to `false`.
+
+```diff
+ module "cluster" {
+- version = "~> 32.0"
++ version = "~> 33.0"
+
++ enable_private_nodes = false
+}
+```
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index b94c531c4b..47038d5562 100644
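Review bot: The flipped `default = true` on `enable_private_nodes` in the template changes behaviour for every caller that never set the variable, and the unchanged `description` gives no hint of the operational consequences: nodes with internal addresses only typically need an alternative egress path (Cloud NAT or similar) plus Private Google Access for image pulls and Google API calls, and changing the private-nodes setting on an already existing cluster may be a destructive change depending on provider version. Suggest `description = "Whether nodes have internal IP addresses only. Private nodes need an alternative egress path (e.g. Cloud NAT) and Private Google Access for image pulls and Google API access."` in the template, with the same caveat added to docs/upgrading_to_v33.0.md beside the opt-out snippet so that existing users review their plan output before applying. The generated `modules/*/variables.tf` and README copies of this hunk (L4208, L4210, L4211, L4212, L4213) follow from the template and need no separate review.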
--- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -97,7 +97,7 @@ Then perform the following commands on the root folder: | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | -| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | +| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index b53537b90e..aeb1b176d8 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -279,7 +279,7 @@ variable "enable_private_endpoint" { variable "enable_private_nodes" { type = bool description = "Whether nodes have internal IP addresses only" - default = false + default = true } variable "master_ipv4_cidr_block" { 
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 7b39d3fdf1..d648f2c8f5 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -212,7 +212,7 @@ Then perform the following commands on the root folder: | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | -| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | +| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index fa7670edfa..7941ea613b 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf 
+++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -463,7 +463,7 @@ variable "enable_private_endpoint" { variable "enable_private_nodes" { type = bool description = "Whether nodes have internal IP addresses only" - default = false + default = true } variable "master_ipv4_cidr_block" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f10cc3e03b..0a08552513 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -190,7 +190,7 @@ Then perform the following commands on the root folder: | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | -| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | +| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_secret\_manager\_addon | (Beta) Enable the Secret Manager add-on for this cluster | `bool` | `false` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | 
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index fa7670edfa..7941ea613b 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -463,7 +463,7 @@ variable "enable_private_endpoint" { variable "enable_private_nodes" { type = bool description = "Whether nodes have internal IP addresses only" - default = false + default = true } variable "master_ipv4_cidr_block" { diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 707fbc9237..a1ab6b6efb 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -202,7 +202,7 @@ Then perform the following commands on the root folder: | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | -| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | +| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index ea5dc1a700..2ce680c4e1 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -457,7 +457,7 @@ variable "enable_private_endpoint" { variable "enable_private_nodes" { type = bool description = "Whether nodes have internal IP addresses only" - default = false + default = true } variable "master_ipv4_cidr_block" { 
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index b6d3eaa10e..6e945276bf 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -180,7 +180,7 @@ Then perform the following commands on the root folder: | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | -| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `false` | no | +| enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index ea5dc1a700..2ce680c4e1 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -457,7 +457,7 @@ variable "enable_private_endpoint" { variable "enable_private_nodes" { type = bool description = "Whether nodes have internal IP addresses only" - default = false + default = true } variable "master_ipv4_cidr_block" { From dafdd72cdb5df98f84561ed7153a098b9844ccf5 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Thu, 5 Sep 2024 16:53:33 -0700 Subject: [PATCH 149/176] fix!: update relay_mode to enable_relay (#2067) --- README.md | 2 +- autogen/main/cluster.tf.tmpl | 2 +- autogen/main/variables.tf.tmpl | 12 ++++-------- cluster.tf | 2 +- docs/upgrading_to_v33.0.md | 14 ++++++++++++++ .../beta-private-cluster-update-variant/README.md | 2 +- .../beta-private-cluster-update-variant/cluster.tf | 2 +- .../variables.tf | 12 ++++-------- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/cluster.tf | 2 +- modules/beta-private-cluster/variables.tf | 12 ++++-------- .../beta-public-cluster-update-variant/README.md | 2 +- .../beta-public-cluster-update-variant/cluster.tf | 2 +- .../variables.tf | 12 ++++-------- modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/cluster.tf | 2 +- modules/beta-public-cluster/variables.tf | 12 ++++-------- modules/private-cluster-update-variant/README.md | 2 +- modules/private-cluster-update-variant/cluster.tf | 2 +- .../private-cluster-update-variant/variables.tf | 12 ++++-------- modules/private-cluster/README.md | 2 +- modules/private-cluster/cluster.tf | 2 +- modules/private-cluster/variables.tf | 12 ++++-------- variables.tf | 12 ++++-------- 24 files changed, 61 insertions(+), 79 deletions(-) diff --git a/README.md b/README.md index 71b21d0060..6596164332 100644 --- a/README.md +++ b/README.md 
@@ -204,8 +204,8 @@ Then perform the following commands on the root folder: | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | 
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 175065a9a8..37ff3b3e84 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -126,7 +126,7 @@ resource "google_container_cluster" "primary" { } advanced_datapath_observability_config { enable_metrics = var.monitoring_enable_observability_metrics - relay_mode = var.monitoring_observability_metrics_relay_mode + enable_relay = var.monitoring_enable_observability_relay } } } diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index d678fa60e6..6341a054ab 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -851,14 +851,10 @@ variable "monitoring_enable_observability_metrics" { default = false } -variable "monitoring_observability_metrics_relay_mode" { - type = string - description = "Mode used to make advanced datapath metrics relay available." - default = null - validation { - condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode) - error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB." - } +variable "monitoring_enable_observability_relay" { + type = bool + description = "Whether or not the advanced datapath relay is enabled." + default = false } variable "monitoring_enabled_components" { diff --git a/cluster.tf b/cluster.tf index bf913825d4..8b19c8e65c 100644 --- a/cluster.tf +++ b/cluster.tf @@ -99,7 +99,7 @@ resource "google_container_cluster" "primary" { } advanced_datapath_observability_config { enable_metrics = var.monitoring_enable_observability_metrics - relay_mode = var.monitoring_observability_metrics_relay_mode + enable_relay = var.monitoring_enable_observability_relay } } } diff --git a/docs/upgrading_to_v33.0.md b/docs/upgrading_to_v33.0.md index 7ab69cac69..a105c612ac 100644 --- a/docs/upgrading_to_v33.0.md 
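Review bot: The new `monitoring_enable_observability_relay` description, `"Whether or not the advanced datapath relay is enabled."`, says nothing about what enabling it exposes, whereas the removed `validation` block made clear the relay was fronted by a load balancer (`INTERNAL_VPC_LB` or `EXTERNAL_LB`) and the boolean no longer lets a caller choose the internal one. I would extend it to `"Whether or not the advanced datapath relay is enabled. Enabling it makes the relay reachable through a load balancer; confirm with the provider documentation for enable_relay how it is exposed before enabling it on a production cluster."` — the second sentence is hedged because the provider's behaviour for `enable_relay` is not visible in this patch. The upgrade note in docs/upgrading_to_v33.0.md only shows `INTERNAL_VPC_LB` mapping to `true`; callers that set `EXTERNAL_LB` or `DISABLED` get no migration guidance and should be told what value to use. Since this template is the source for the identical hunks in modules/*/variables.tf and the root variables.tf later in this patch, the wording fix belongs here and regenerates the rest.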
+++ b/docs/upgrading_to_v33.0.md @@ -13,3 +13,17 @@ To opt out, set `enable_private_nodes` to `false`. + enable_private_nodes = false } ``` + +### Advanced Datapath Observability Relay +The `monitoring_observability_metrics_relay_mode` parameter has been +replaced with `monitoring_enable_observability_relay`. + +```diff + module "cluster" { +- version = "~> 32.0" ++ version = "~> 33.0" + +- monitoring_observability_metrics_relay_mode = "INTERNAL_VPC_LB" ++ monitoring_enable_observability_relay = true +} +``` diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index d648f2c8f5..7625e7e425 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -252,8 +252,8 @@ Then perform the following commands on the root folder: | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | 
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index a03e04ba55..0521db7492 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -105,7 +105,7 @@ resource "google_container_cluster" "primary" { } advanced_datapath_observability_config { enable_metrics = var.monitoring_enable_observability_metrics - relay_mode = var.monitoring_observability_metrics_relay_mode + enable_relay = var.monitoring_enable_observability_relay } } } diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 7941ea613b..05926d10e5 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -812,14 +812,10 @@ variable "monitoring_enable_observability_metrics" { default = false } -variable "monitoring_observability_metrics_relay_mode" { - type = string - description = "Mode used to make advanced datapath metrics relay available." - default = null - validation { - condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode) - error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB." - } +variable "monitoring_enable_observability_relay" { + type = bool + description = "Whether or not the advanced datapath relay is enabled." + default = false } variable "monitoring_enabled_components" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 0a08552513..9a279e761b 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -230,8 +230,8 @@ Then perform the following commands on the root folder: | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | 
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 0ccdc462ae..60e0ba79d7 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -105,7 +105,7 @@ resource "google_container_cluster" "primary" { } advanced_datapath_observability_config { enable_metrics = var.monitoring_enable_observability_metrics - relay_mode = var.monitoring_observability_metrics_relay_mode + enable_relay = var.monitoring_enable_observability_relay } } } diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 7941ea613b..05926d10e5 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -812,14 +812,10 @@ variable "monitoring_enable_observability_metrics" { default = false } -variable "monitoring_observability_metrics_relay_mode" { - type = string - description = "Mode used to make advanced datapath metrics relay available." - default = null - validation { - condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode) - error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB." - } +variable "monitoring_enable_observability_relay" { + type = bool + description = "Whether or not the advanced datapath relay is enabled." + default = false } variable "monitoring_enabled_components" { diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index c996793ae4..6e0c8408d7 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -241,8 +241,8 @@ Then perform the following commands on the root folder: | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | 
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index cf9f095861..1ce2bb2425 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -105,7 +105,7 @@ resource "google_container_cluster" "primary" { } advanced_datapath_observability_config { enable_metrics = var.monitoring_enable_observability_metrics - relay_mode = var.monitoring_observability_metrics_relay_mode + enable_relay = var.monitoring_enable_observability_relay } } } diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 6f335b00fb..69d75ed31e 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -776,14 +776,10 @@ variable "monitoring_enable_observability_metrics" { default = false } -variable "monitoring_observability_metrics_relay_mode" { - type = string - description = "Mode used to make advanced datapath metrics relay available." - default = null - validation { - condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode) - error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB." - } +variable "monitoring_enable_observability_relay" { + type = bool + description = "Whether or not the advanced datapath relay is enabled." + default = false } variable "monitoring_enabled_components" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 61cd7ab92f..53ebcd9b1a 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -219,8 +219,8 @@ Then perform the following commands on the root folder: | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | 
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 5f8c5d1556..994612dfc8 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -105,7 +105,7 @@ resource "google_container_cluster" "primary" { } advanced_datapath_observability_config { enable_metrics = var.monitoring_enable_observability_metrics - relay_mode = var.monitoring_observability_metrics_relay_mode + enable_relay = var.monitoring_enable_observability_relay } } } diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 6f335b00fb..69d75ed31e 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -776,14 +776,10 @@ variable "monitoring_enable_observability_metrics" { default = false } -variable "monitoring_observability_metrics_relay_mode" { - type = string - description = "Mode used to make advanced datapath metrics relay available." - default = null - validation { - condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode) - error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB." - } +variable "monitoring_enable_observability_relay" { + type = bool + description = "Whether or not the advanced datapath relay is enabled." + default = false } variable "monitoring_enabled_components" { diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index a1ab6b6efb..039db40664 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -237,8 +237,8 @@ Then perform the following commands on the root folder: | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | 
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 59c6b01da2..fed6445f6a 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -99,7 +99,7 @@ resource "google_container_cluster" "primary" { } advanced_datapath_observability_config { enable_metrics = var.monitoring_enable_observability_metrics - relay_mode = var.monitoring_observability_metrics_relay_mode + enable_relay = var.monitoring_enable_observability_relay } } } diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 2ce680c4e1..3873ff737c 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -777,14 +777,10 @@ variable "monitoring_enable_observability_metrics" { default = false } -variable "monitoring_observability_metrics_relay_mode" { - type = string - description = "Mode used to make advanced datapath metrics relay available." - default = null - validation { - condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode) - error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB." - } +variable "monitoring_enable_observability_relay" { + type = bool + description = "Whether or not the advanced datapath relay is enabled." + default = false } variable "monitoring_enabled_components" { diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 6e945276bf..abe27d1a8a 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -215,8 +215,8 @@ Then perform the following commands on the root folder: | master\_ipv4\_cidr\_block | The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | +| monitoring\_enable\_observability\_relay | Whether or not the advanced datapath relay is enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, APISERVER, SCHEDULER, CONTROLLER\_MANAGER, STORAGE, HPA, POD, DAEMONSET, DEPLOYMENT, STATEFULSET, KUBELET, CADVISOR and DCGM. In beta provider, WORKLOADS is supported on top of those 12 values. (WORKLOADS is deprecated and removed in GKE 1.24.) KUBELET and CADVISOR are only supported in GKE 1.29.3-gke.1093000 and above. Empty list is default GKE configuration. | `list(string)` | `[]` | no | -| monitoring\_observability\_metrics\_relay\_mode | Mode used to make advanced datapath metrics relay available. | `string` | `null` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index e257f9b0da..9a4ec8f76f 100644 
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -99,7 +99,7 @@ resource "google_container_cluster" "primary" {
 }
 advanced_datapath_observability_config {
 enable_metrics = var.monitoring_enable_observability_metrics
- relay_mode = var.monitoring_observability_metrics_relay_mode
+ enable_relay = var.monitoring_enable_observability_relay
 }
 }
 }
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 2ce680c4e1..3873ff737c 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -777,14 +777,10 @@ variable "monitoring_enable_observability_metrics" {
 default = false
 }
-variable "monitoring_observability_metrics_relay_mode" {
- type = string
- description = "Mode used to make advanced datapath metrics relay available."
- default = null
- validation {
- condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode)
- error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB."
- }
+variable "monitoring_enable_observability_relay" {
+ type = bool
+ description = "Whether or not the advanced datapath relay is enabled."
+ default = false
 }
 variable "monitoring_enabled_components" {
diff --git a/variables.tf b/variables.tf
index 8ab53f4cd8..f14763dbe0 100644
--- a/variables.tf
+++ b/variables.tf
@@ -741,14 +741,10 @@ variable "monitoring_enable_observability_metrics" { default = false } -variable "monitoring_observability_metrics_relay_mode" { - type = string - description = "Mode used to make advanced datapath metrics relay available." - default = null - validation { - condition = var.monitoring_observability_metrics_relay_mode == null ? true : contains(["DISABLED", "INTERNAL_VPC_LB", "EXTERNAL_LB"], var.monitoring_observability_metrics_relay_mode) - error_message = "The advanced datapath metrics relay value must be one of DISABLED, INTERNAL_VPC_LB, EXTERNAL_LB." - } +variable "monitoring_enable_observability_relay" { + type = bool + description = "Whether or not the advanced datapath relay is enabled." + default = false } variable "monitoring_enabled_components" { From 48b9d4e50c6b39b74a4d6098372679d84fd4e2c0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 7 Sep 2024 01:21:13 +0000 Subject: [PATCH 150/176] chore(deps): Update module github.com/gruntwork-io/terratest to v0.47.1 (#2068) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Andrew Peabody --- test/integration/go.mod | 4 ++-- test/integration/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index bee0ee12b6..96307159c9 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -6,7 +6,7 @@ toolchain go1.22.6 require ( github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1 - github.com/gruntwork-io/terratest v0.47.0 + github.com/gruntwork-io/terratest v0.47.1 github.com/stretchr/testify v1.9.0 github.com/tidwall/gjson v1.17.3 ) 
@@ -45,7 +45,7 @@ require (
 github.com/gruntwork-io/go-commons v0.17.1 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/hashicorp/go-getter v1.7.5 // indirect
+ github.com/hashicorp/go-getter v1.7.6 // indirect
 github.com/hashicorp/go-multierror v1.1.1 // indirect
 github.com/hashicorp/go-safetemp v1.0.0 // indirect
 github.com/hashicorp/go-version v1.6.0 // indirect
diff --git a/test/integration/go.sum b/test/integration/go.sum
index 6a0fadba47..6e00d84f35 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -378,15 +378,15 @@ github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/gruntwork-io/go-commons v0.17.1 h1:2KS9wAqrgeOTWj33DSHzDNJ1FCprptWdLFqej+wB8x0=
 github.com/gruntwork-io/go-commons v0.17.1/go.mod h1:S98JcR7irPD1bcruSvnqupg+WSJEJ6xaM89fpUZVISk=
-github.com/gruntwork-io/terratest v0.47.0 h1:xIy1pT7NbGVlMLDZEHl3+3iSnvffh8tN2pL6idn448c=
-github.com/gruntwork-io/terratest v0.47.0/go.mod h1:oywHw1cFKXSYvKPm27U7quZVzDUlA22H2xUrKCe26xM=
+github.com/gruntwork-io/terratest v0.47.1 h1:qOaxnL7Su5+KpDHYUN/ek1jn8ImvCKtOkaY4OSMS4tI=
+github.com/gruntwork-io/terratest v0.47.1/go.mod h1:LnYX8BN5WxUMpDr8rtD39oToSL4CBERWSCusbJ0d/64=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-getter v1.7.5 h1:dT58k9hQ/vbxNMwoI5+xFYAJuv6152UNvdHokfI5wE4=
-github.com/hashicorp/go-getter v1.7.5/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
+github.com/hashicorp/go-getter v1.7.6 h1:5jHuM+aH373XNtXl9TNTUH5Qd69Trve11tHIrB+6yj4=
+github.com/hashicorp/go-getter v1.7.6/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo=
From f54d2e1d4c04727f1ba01df50c7db434af1ae440 Mon Sep 17 00:00:00 2001
From: Andrew Peabody Date: Tue, 10 Sep 2024 12:29:48 -0700 Subject: [PATCH 151/176] fix: avoid TPGv5.44.0 with Autopilot (#2076) --- autogen/main/versions.tf.tmpl | 45 ++++++++++++++++++- .../versions.tf | 10 +++-- .../beta-autopilot-public-cluster/versions.tf | 10 +++-- test/integration/node_pool/controls/gcloud.rb | 23 +++++----- 4 files changed, 68 insertions(+), 20 deletions(-) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 7c68bb2545..35a4ae9086 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -20,7 +20,7 @@ terraform { required_version = ">=1.3" -{% if beta_cluster %} +{% if beta_cluster and not autopilot_cluster %} required_providers { google = { source = "hashicorp/google" 
@@ -42,6 +42,49 @@ terraform { provider_meta "google-beta" { module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" } +{% elif beta_cluster and autopilot_cluster %} + required_providers { + google = { + source = "hashicorp/google" + # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 + version = ">= 5.40.0, != 5.44.0, < 6" + } + google-beta = { + source = "hashicorp/google-beta" + # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 + version = ">= 5.40.0, != 5.44.0, < 6" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.10" + } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } + } + provider_meta "google-beta" { + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" + } +{% elif autopilot_cluster %} + required_providers { + google = { + source = "hashicorp/google" + # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 + version = ">= 5.40.0, != 5.44.0, < 6" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.10" + } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } + } + provider_meta "google" { + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" + } {% else %} required_providers { google = { diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 5c00fe2f32..39361f024f 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf 
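Review bot: The two new `{% elif %}` branches copy the entire `required_providers` block from the `beta_cluster` branch and differ from it only by the `!= 5.44.0` exclusion, so the next provider-constraint bump (and the eventual removal of the workaround once the linked issue is fixed) has to be repeated in four places of this template. A single `{% set google_version = ">= 5.40.0, != 5.44.0, < 6" if autopilot_cluster else ">= 5.40.0, < 6" %}` at the top of the template, used as `version = "{{ google_version }}"` in each branch, keeps one source of truth; the `# Workaround for …` comment can be emitted from the same conditional. The enclosing `terraform {` block starts before this hunk.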
@@ -20,12 +20,14 @@ terraform { required_providers { google = { - source = "hashicorp/google" - version = ">= 5.40.0, < 6" + source = "hashicorp/google" + # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 + version = ">= 5.40.0, != 5.44.0, < 6" } google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.40.0, < 6" + source = "hashicorp/google-beta" + # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 + version = ">= 5.40.0, != 5.44.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 6a14f69040..e07ae6f0c5 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -20,12 +20,14 @@ terraform { required_providers { google = { - source = "hashicorp/google" - version = ">= 5.40.0, < 6" + source = "hashicorp/google" + # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 + version = ">= 5.40.0, != 5.44.0, < 6" } google-beta = { - source = "hashicorp/google-beta" - version = ">= 5.40.0, < 6" + source = "hashicorp/google-beta" + # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 + version = ">= 5.40.0, != 5.44.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/test/integration/node_pool/controls/gcloud.rb b/test/integration/node_pool/controls/gcloud.rb index 1d4437a127..bd2e756b0b 100644 --- a/test/integration/node_pool/controls/gcloud.rb +++ b/test/integration/node_pool/controls/gcloud.rb 
@@ -257,17 +257,18 @@ ) end - it "has the expected accelerators" do - expect(data['nodePools']).to include( - including( - "name" => "pool-02", - "config" => including( - "accelerators" => [{"acceleratorCount" => expected_accelerators_count, - "acceleratorType" => expected_accelerators_type}], - ), - ) - ) - end +# TODO: Update/fix this test (manually tested) +# it "has the expected accelerators" do +# expect(data['nodePools']).to include( +# including( +# "name" => "pool-02", +# "config" => including( +# "accelerators" => [{"acceleratorCount" => expected_accelerators_count, +# "acceleratorType" => expected_accelerators_type}], +# ), +# ) +# ) +# end it "has the expected disk size" do expect(data['nodePools']).to include( From 4939c6f727783f07ffcb6e44cbe185d5e200e42f Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 10 Sep 2024 13:46:00 -0700 Subject: [PATCH 152/176] fix(TPG>=5.41)!: add config_sync.enabled (#2074) --- modules/acm/feature.tf | 1 + modules/acm/versions.tf | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/acm/feature.tf b/modules/acm/feature.tf index 7a2d06d863..4f5b117b1b 100644 --- a/modules/acm/feature.tf +++ b/modules/acm/feature.tf @@ -42,6 +42,7 @@ resource "google_gke_hub_feature_membership" "main" { for_each = var.enable_config_sync ? [{ enabled = true }] : [] content { + enabled = var.enable_config_sync source_format = var.source_format != "" ? var.source_format : null git { diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index 5779d86966..d93d94962c 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -29,11 +29,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.32.0, < 6" + version = ">= 5.41.0, < 6" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.32.0, < 6" + version = ">= 5.41.0, < 6" } kubernetes = { source = "hashicorp/kubernetes" From 32c5f92ca81d861ec31d58d508f9876a80612cb8 Mon Sep 17 00:00:00 2001 
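Review bot: Commenting out the `has the expected accelerators` example removes it from the test report entirely, so pool-02's accelerator configuration is now unverified with nothing in CI output flagging the gap — the `# TODO` is only visible to someone reading the file. Marking the example pending instead keeps the gap visible in every run: `it "has the expected accelerators" do` / `  skip "TODO: update accelerator expectations (manually tested)"` with the original `expect` left in the body below the `skip`. The enclosing describe/control block starts before this hunk.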
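Review bot: `enabled = var.enable_config_sync` is emitted inside a `content` block whose `for_each` is `var.enable_config_sync ? [{ enabled = true }] : []`, so at that point the variable is always true and the expression reads as if it could be false. Either write the literal `enabled = true`, or read it from the iterator object the `for_each` already builds (the iterator name is on the `dynamic` line outside this hunk); at minimum a comment such as `# block is only generated when enable_config_sync is true` would stop the next reader from looking for a false path. The enclosing `google_gke_hub_feature_membership` resource starts before this hunk.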
From: Janet Kuo Date: Tue, 10 Sep 2024 14:06:08 -0700 Subject: [PATCH 153/176] docs: deprecate acm submodule (#2080) --- modules/acm/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/acm/README.md b/modules/acm/README.md index 9258f2c837..62040624d5 100644 --- a/modules/acm/README.md +++ b/modules/acm/README.md @@ -1,3 +1,6 @@ +> [!WARNING] +> This Terraform Kubernetes Engine ACM Submodule has been deprecated in release v33.0.0 and will be removed entirely in a future release. It is recommended to migrate to the [`google_gke_hub_feature`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_feature#example-usage---enable-fleet-default-member-config-configmanagement) and [`google_gke_hub_feature_membership`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/gke_hub_feature_membership#example-usage---config-management) resources. + # Terraform Kubernetes Engine ACM Submodule This module installs [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/) (ACM) in a Kubernetes cluster. From 8b7e342e37f0750c1b2de32730c3bd466a1a4ec8 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 15:21:22 -0700 Subject: [PATCH 154/176] feat(deps): Update Terraform Google Provider to v6 (major) (#2063) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Andrew Peabody --- autogen/main/versions.tf.tmpl | 12 ++++++------ modules/acm/versions.tf | 4 ++-- modules/beta-autopilot-private-cluster/versions.tf | 4 ++-- modules/beta-autopilot-public-cluster/versions.tf | 4 ++-- .../beta-private-cluster-update-variant/versions.tf | 4 ++-- modules/beta-private-cluster/versions.tf | 4 ++-- .../beta-public-cluster-update-variant/versions.tf | 4 ++-- modules/beta-public-cluster/versions.tf | 4 ++-- modules/binary-authorization/versions.tf | 4 ++-- modules/fleet-membership/versions.tf | 4 ++-- modules/hub-legacy/versions.tf | 4 ++-- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 15 files changed, 30 insertions(+), 30 deletions(-) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 35a4ae9086..282c9313e3 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" 
@@ -47,12 +47,12 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6" + version = ">= 5.40.0, != 5.44.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6" + version = ">= 5.40.0, != 5.44.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" @@ -71,7 +71,7 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6" + version = ">= 5.40.0, != 5.44.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" @@ -89,7 +89,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index d93d94962c..67e2a79f47 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -29,11 +29,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.41.0, < 6" + version = ">= 5.41.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.41.0, < 6" + version = ">= 5.41.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 39361f024f..27c9a692c2 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf 
@@ -22,12 +22,12 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6" + version = ">= 5.40.0, != 5.44.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6" + version = ">= 5.40.0, != 5.44.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index e07ae6f0c5..9105da90bb 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -22,12 +22,12 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6" + version = ">= 5.40.0, != 5.44.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6" + version = ">= 5.40.0, != 5.44.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index d6999dc909..2ed290cd87 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index b12022e58f..b35e025aee 100644 
--- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 8eef1adeb6..67029dd0a8 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index fed51318b1..4af2047e5b 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index 692f103786..3a9575990b 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } provider_meta "google" { 
diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 8edafe204d..d748f6e992 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.6.0, < 6" + version = ">= 5.6.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 5.6.0, < 6" + version = ">= 5.6.0, < 7" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index 9f67a583d6..e39f70dcda 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -20,11 +20,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "< 6" + version = "< 7" } google-beta = { source = "hashicorp/google-beta" - version = "< 6" + version = "< 7" } } provider_meta "google" { diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 30e68870a1..c6268bb556 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index ca6363a83d..fc379bc6c4 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 6b7ab8e1fc..fb7b47052b 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf 
@@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 3.39.0, < 6" + version = ">= 3.39.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/versions.tf b/versions.tf index bfec31e721..15bce51948 100644 --- a/versions.tf +++ b/versions.tf @@ -21,7 +21,7 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 5.40.0, < 6" + version = ">= 5.40.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" From a083437ddf00197fa13ecc27c6f2845d849d6306 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 10 Sep 2024 16:28:46 -0700 Subject: [PATCH 155/176] feat(beta-autopilot)!: enable gcfs by default (#2066) --- autogen/main/variables.tf.tmpl | 2 +- docs/upgrading_to_v33.0.md | 14 ++++++++++++++ modules/beta-autopilot-private-cluster/README.md | 2 +- .../beta-autopilot-private-cluster/variables.tf | 2 +- modules/beta-autopilot-public-cluster/README.md | 2 +- modules/beta-autopilot-public-cluster/variables.tf | 2 +- 6 files changed, 19 insertions(+), 5 deletions(-) diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 6341a054ab..2cf74bc9a8 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -946,7 +946,7 @@ variable "enable_gcfs" { default = false {% endif %} {% if autopilot_cluster %} - default = null + default = true {% endif %} } {% endif %} diff --git a/docs/upgrading_to_v33.0.md b/docs/upgrading_to_v33.0.md index a105c612ac..3adf9bd7f3 100644 --- a/docs/upgrading_to_v33.0.md +++ b/docs/upgrading_to_v33.0.md 
@@ -14,6 +14,20 @@ To opt out, set `enable_private_nodes` to `false`. } ``` +### Autopilot Cluster GCFS Default +Autopilot cluster modules now set `enable_gcfs` to `true` by default to +aligned with TPGv6. To maintain the previous provider default behavior, set +`enable_gcfs` to `null`. + +```diff + module "cluster" { +- version = "~> 32.0" ++ version = "~> 33.0" + ++ enable_gcfs = null +} +``` + ### Advanced Datapath Observability Relay The `monitoring_observability_metrics_relay_mode` parameter has been replaced with `monitoring_enable_observability_relay`. diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 47038d5562..c2061175bc 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -93,7 +93,7 @@ Then perform the following commands on the root folder: | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | -| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `null` | no | +| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `true` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | 
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index aeb1b176d8..565d9e49e2 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -527,7 +527,7 @@ variable "enable_l4_ilb_subsetting" { variable "enable_gcfs" { type = bool description = "(Beta) Enable image streaming on cluster level." - default = null + default = true } variable "allow_net_admin" { diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 596d5512a1..7b20a1f5f2 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
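Review bot: The description on the unchanged context line still reads `(Beta) Enable image streaming on cluster level.` while the default flips from `null` (provider-decided) to `true`, so a reader of this variable block cannot tell that image streaming is now on unless they opt out, nor how to opt out. Suggest `description = "(Beta) Enable image streaming (GCFS) on cluster level. Defaults to true; set to null to fall back to the provider default."`, which matches the opt-out the v33 upgrade guide in this series describes. Since this module is generated from `autogen/main/variables.tf.tmpl`, the wording change belongs in the template so it reaches the public-cluster variant too.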
@@ -86,7 +86,7 @@ Then perform the following commands on the root folder: | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | -| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `null` | no | +| enable\_gcfs | (Beta) Enable image streaming on cluster level. | `bool` | `true` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 6e88d8a3a1..53ca4803f2 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -491,7 +491,7 @@ variable "enable_l4_ilb_subsetting" { variable "enable_gcfs" { type = bool description = "(Beta) Enable image streaming on cluster level." - default = null + default = true } variable "allow_net_admin" { From 419078df92a84d2102d0a8e6fe38513ca3b380a7 Mon Sep 17 00:00:00 2001 
From: psiegmannyardi <141450919+psiegmannyardi@users.noreply.github.com> Date: Tue, 10 Sep 2024 21:17:12 -0400 Subject: [PATCH 156/176] fix: Node Pool enable_gcfs true:false (#1976) Co-authored-by: Andrew Peabody --- autogen/main/cluster.tf.tmpl | 4 ++-- cluster.tf | 6 +++--- examples/simple_regional_with_ipv6/main.tf | 2 +- modules/beta-private-cluster-update-variant/cluster.tf | 6 +++--- modules/beta-private-cluster/cluster.tf | 6 +++--- modules/beta-public-cluster-update-variant/cluster.tf | 6 +++--- modules/beta-public-cluster/cluster.tf | 6 +++--- modules/private-cluster-update-variant/cluster.tf | 6 +++--- modules/private-cluster/cluster.tf | 6 +++--- .../testdata/TestPrivateZonalWithNetworking.json | 1 + 10 files changed, 25 insertions(+), 24 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 37ff3b3e84..901de66ef9 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -516,7 +516,7 @@ resource "google_container_cluster" "primary" { min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] + for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -887,7 +887,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } diff --git a/cluster.tf b/cluster.tf index 8b19c8e65c..ea7c585825 100644 --- a/cluster.tf +++ b/cluster.tf 
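Review bot: With `? [true] : [false]` the `dynamic "gcfs_config"` block now always produces exactly one element, so the dynamic wrapper only adds indirection; a static block `gcfs_config { enabled = lookup(var.node_pools[0], "enable_gcfs", false) }` (and `each.value` in the `windows_pools` hunk) expresses the same thing in one line. This also means every pool without an `enable_gcfs` key now sends an explicit `enabled = false` where it previously omitted the block, so clusters that relied on the provider/GKE default may see a plan diff on upgrade — presumably the intended fix, but worth stating in the upgrade notes. The enclosing node configuration block starts before this hunk.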
@@ -393,7 +393,7 @@ resource "google_container_cluster" "primary" { min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] + for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -593,7 +593,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -875,7 +875,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } diff --git a/examples/simple_regional_with_ipv6/main.tf b/examples/simple_regional_with_ipv6/main.tf index 59831f93ce..51fa9b6106 100644 --- a/examples/simple_regional_with_ipv6/main.tf +++ b/examples/simple_regional_with_ipv6/main.tf @@ -27,7 +27,7 @@ provider "kubernetes" { } module "gke" { - source = "../../" + source = "terraform-google-modules/kubernetes-engine/google" project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = true diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 0521db7492..804ee52f5f 100644 
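Review bot: In the `examples/simple_regional_with_ipv6/main.tf` hunk, `source = "terraform-google-modules/kubernetes-engine/google"` is added with no `version` constraint visible next to it, so `terraform init` on this example resolves whatever the registry's latest release is at that moment — a floating supply-chain dependency that will silently pick up breaking majors like the `!` commits in this series. Add a pin directly under the source, e.g. `version = "~> 33.0"` (the constraint the v33 upgrade guide uses), unless a `version` line already exists further down the module block outside the hunk.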
--- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" { min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] + for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -760,7 +760,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -1056,7 +1056,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 60e0ba79d7..4173d35c5f 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" { min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] + for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -678,7 +678,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -973,7 +973,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 1ce2bb2425..f12231cfb3 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf 
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" { min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] + for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -739,7 +739,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -1035,7 +1035,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 994612dfc8..163903870c 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" { min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] + for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } 
@@ -657,7 +657,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -952,7 +952,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index fed6445f6a..2378b2ba2b 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -393,7 +393,7 @@ resource "google_container_cluster" "primary" { min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] + for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -696,7 +696,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } 
@@ -979,7 +979,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 9a4ec8f76f..bd45bf41fd 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -393,7 +393,7 @@ resource "google_container_cluster" "primary" { min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "") enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [] + for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -614,7 +614,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } @@ -896,7 +896,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [] + for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] content { enabled = gcfs_config.value } 
diff --git a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json index c6bdd3f7cb..8a2ab04442 100755 --- a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json +++ b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json @@ -210,6 +210,7 @@ "config": { "diskSizeGb": 100, "diskType": "pd-standard", + "gcfsConfig": {}, "imageType": "COS_CONTAINERD", "labels": { "cluster_name": "CLUSTER_NAME", From 23eab7c8ae245867906a43b5e951ea1019782adc Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 20:36:44 -0700 Subject: [PATCH 157/176] chore(master): release 33.0.0 (#2065) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 27 +++++++++++++++++++ autogen/main/versions.tf.tmpl | 8 +++--- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 +-- modules/asm/versions.tf | 4 +-- modules/auth/versions.tf | 2 +- .../versions.tf | 2 +- .../beta-autopilot-public-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- .../versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- .../versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- .../versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- .../safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 23 files changed, 54 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index de84c5ec9a..efe54b92fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,33 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [33.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.4...v33.0.0) (2024-09-11) + + +### âš  BREAKING CHANGES + +* **beta-autopilot:** enable gcfs by default ([#2066](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2066)) +* **TPG>=5.41:** add config_sync.enabled ([#2074](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2074)) +* update relay_mode to enable_relay ([#2067](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2067)) +* **private_cluster:** enable private nodes by default ([#2064](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2064)) +* **deps:** Update Terraform terraform-google-modules/project-factory/google to v16 ([#2057](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2057)) + +### Features + +* **beta-autopilot:** enable gcfs by default ([#2066](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2066)) ([a083437](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/a083437ddf00197fa13ecc27c6f2845d849d6306)) +* **deps:** Update Terraform Google Provider to v6 (major) ([#2063](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2063)) ([8b7e342](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/8b7e342e37f0750c1b2de32730c3bd466a1a4ec8)) +* **private_cluster:** enable private nodes by default ([#2064](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2064)) 
([e11787c](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/e11787c83169c93fe6de3f774cf310ee05287659)) +* support reservation affinity ([#2010](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2010)) ([7cc0626](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/7cc06267bb8654194eb0031772b0345863030457)) + + +### Bug Fixes + +* avoid TPGv5.44.0 with Autopilot ([#2076](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2076)) ([f54d2e1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/f54d2e1d4c04727f1ba01df50c7db434af1ae440)) +* **deps:** Update Terraform terraform-google-modules/project-factory/google to v16 ([#2057](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2057)) ([8e53122](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/8e53122ccc78e9301c5c9041d195b0c0e3754b26)) +* Node Pool enable_gcfs true:false ([#1976](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1976)) ([419078d](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/419078df92a84d2102d0a8e6fe38513ca3b380a7)) +* **TPG>=5.41:** add config_sync.enabled ([#2074](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2074)) ([4939c6f](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/4939c6f727783f07ffcb6e44cbe185d5e200e42f)) +* update relay_mode to enable_relay ([#2067](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2067)) ([dafdd72](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/dafdd72cdb5df98f84561ed7153a098b9844ccf5)) + ## [32.0.4](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.3...v32.0.4) 
(2024-08-26) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 282c9313e3..eb716d149e 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0" } {% elif beta_cluster and autopilot_cluster %} required_providers { @@ -64,7 +64,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0" } {% elif autopilot_cluster %} required_providers { @@ -83,7 +83,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0" } {% else %} required_providers { @@ -101,7 +101,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index ae4ce79090..dacae55828 100644 --- a/autogen/safer-cluster/versions.tf.tmpl 
+++ b/autogen/safer-cluster/versions.tf.tmpl @@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index 67e2a79f47..5f429ec0cf 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.0" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index dc4f84eea0..6d7c7a48aa 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index 5a02050197..886c9e3ac7 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf 
@@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v33.0.0" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 27c9a692c2..a9979d50d1 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -39,6 +39,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v33.0.0" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 9105da90bb..8d47350ab1 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -39,6 +39,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v33.0.0" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 2ed290cd87..5a0ea3b89a 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v33.0.0" } } 
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index b35e025aee..703482aeb8 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v33.0.0" } } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 67029dd0a8..6dddda0c4e 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v33.0.0" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 4af2047e5b..f4ade70ae1 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v33.0.0" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index 3a9575990b..7e4d7a2d77 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf 
@@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v33.0.0" } } diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf index 12aa2fe997..c3bf54ae3b 100644 --- a/modules/fleet-app-operator-permissions/versions.tf +++ b/modules/fleet-app-operator-permissions/versions.tf @@ -33,7 +33,7 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v33.0.0" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index d748f6e992..37e8e3b961 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.0" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index e39f70dcda..e79f61cf22 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.0" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index c6268bb556..876ecba374 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v33.0.0" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index fc379bc6c4..ee688d5545 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v33.0.0" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index 2cb29380aa..e02813fec5 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v33.0.0" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index c398dd854e..561cfb6163 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v33.0.0" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 9bde744e59..b3a488f24b 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf 
@@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v33.0.0" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index fb7b47052b..0d6fb7bfe7 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v33.0.0" } } diff --git a/versions.tf b/versions.tf index 15bce51948..5045cbb121 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v32.0.4" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v33.0.0" } } From fdd12875851e37c7570fcc96a582685d1f000879 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Wed, 11 Sep 2024 13:16:25 -0700 Subject: [PATCH 158/176] fix: avoid TPG v6.2.0 with Autopilot (#2086) --- autogen/main/versions.tf.tmpl | 6 +++--- modules/beta-autopilot-private-cluster/versions.tf | 4 ++-- modules/beta-autopilot-public-cluster/versions.tf | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index eb716d149e..4c8416ee4c 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl 
@@ -47,12 +47,12 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" @@ -71,7 +71,7 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index a9979d50d1..d0b40c1437 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -22,12 +22,12 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 8d47350ab1..a0a71b99d3 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf 
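Review bot: The `!= 6.2.0` exclusion added to each `version` constraint sits under a comment that only explains the 5.44.0 exclusion (`# Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428`), so a maintainer cannot tell which upstream defect the new exclusion tracks or when it is safe to lift. Add a second comment line above each constraint, e.g. `# Workaround for <TPG issue link placeholder>: TPG v6.2.0 breaks Autopilot clusters (#2086)`. The same applies to the second template hunk (`@@ -71,7`) and to the modules/beta-autopilot-private-cluster/versions.tf and modules/beta-autopilot-public-cluster/versions.tf hunks; if those files are rendered from autogen/main/versions.tf.tmpl, fixing the template covers them. The enclosing `terraform { required_providers { ... } }` block starts and ends outside the hunk.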
@@ -22,12 +22,12 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" From 790e2ee7e912648a9072fc7d303e451b2be60dce Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Wed, 11 Sep 2024 21:57:00 +0000 Subject: [PATCH 159/176] chore(master): release 33.0.1 (#2090) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 7 +++++++ autogen/main/versions.tf.tmpl | 8 ++++---- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- modules/beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- modules/beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- modules/beta-public-cluster-update-variant/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-app-operator-permissions/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 23 files changed, 34 insertions(+), 27 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index efe54b92fe..93e8c797d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [33.0.1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v33.0.0...v33.0.1) (2024-09-11) + + +### Bug Fixes + +* avoid TPG v6.2.0 with Autopilot ([#2086](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2086)) ([fdd1287](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/fdd12875851e37c7570fcc96a582685d1f000879)) + ## [33.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v32.0.4...v33.0.0) (2024-09-11) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 4c8416ee4c..774bc49b74 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1" } {% elif beta_cluster and autopilot_cluster %} required_providers { @@ -64,7 +64,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1" } {% elif autopilot_cluster %} required_providers { 
@@ -83,7 +83,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1"
 }
 {% else %}
 required_providers {
@@ -101,7 +101,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1"
 }
 {% endif %}
 }
diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl
index dacae55828..f7bba33dff 100644
--- a/autogen/safer-cluster/versions.tf.tmpl
+++ b/autogen/safer-cluster/versions.tf.tmpl
@@ -23,6 +23,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1"
 }
 }
diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf
index 5f429ec0cf..13f5e6dd52 100644
--- a/modules/acm/versions.tf
+++ b/modules/acm/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_version = ">= 0.13.0"
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.1"
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.1"
 }
 required_providers {
diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf
index 6d7c7a48aa..7212f95790 100644
--- a/modules/asm/versions.tf
+++ b/modules/asm/versions.tf
@@ -36,10 +36,10 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.1"
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.1"
 }
 }
diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf
index 886c9e3ac7..4e14eb5b85 100644
--- a/modules/auth/versions.tf
+++ b/modules/auth/versions.tf
@@ -26,6 +26,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v33.0.1"
 }
 }
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index d0b40c1437..11bfaa8035 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -39,6 +39,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v33.0.1"
 }
 }
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index a0a71b99d3..b639333fac 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -39,6 +39,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v33.0.1"
 }
 }
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 5a0ea3b89a..5af5662b68 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v33.0.1"
 }
 }
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 703482aeb8..8fc46b89a1 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v33.0.1"
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index 6dddda0c4e..19fd700b1b 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v33.0.1"
 }
 }
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index f4ade70ae1..5e56375760 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v33.0.1"
 }
 }
diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf
index 7e4d7a2d77..c5c167164c 100644
--- a/modules/binary-authorization/versions.tf
+++ b/modules/binary-authorization/versions.tf
@@ -28,6 +28,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v33.0.1"
 }
 }
diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf
index c3bf54ae3b..9fedf10a39 100644
--- a/modules/fleet-app-operator-permissions/versions.tf
+++ b/modules/fleet-app-operator-permissions/versions.tf
@@ -33,7 +33,7 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v33.0.1"
 }
 }
diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf
index 37e8e3b961..da17e83a28 100644
--- a/modules/fleet-membership/versions.tf
+++ b/modules/fleet-membership/versions.tf
@@ -30,6 +30,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.1"
 }
 }
diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf
index e79f61cf22..4c0db3a8aa 100644
--- a/modules/hub-legacy/versions.tf
+++ b/modules/hub-legacy/versions.tf
@@ -28,6 +28,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.1"
 }
 }
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index 876ecba374..78910ffe56 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v33.0.1"
 }
 }
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index ee688d5545..a03ea59feb 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v33.0.1"
 }
 }
diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf
index e02813fec5..537af7b93c 100644
--- a/modules/safer-cluster-update-variant/versions.tf
+++ b/modules/safer-cluster-update-variant/versions.tf
@@ -21,6 +21,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v33.0.1"
 }
 }
diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf
index 561cfb6163..369b122420 100644
--- a/modules/safer-cluster/versions.tf
+++ b/modules/safer-cluster/versions.tf
@@ -21,6 +21,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v33.0.1"
 }
 }
diff --git a/modules/services/versions.tf b/modules/services/versions.tf
index b3a488f24b..be1d0e1a15 100644
--- a/modules/services/versions.tf
+++ b/modules/services/versions.tf
@@ -19,6 +19,6 @@ terraform {
 required_version = ">= 0.13.0"
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v33.0.1"
 }
 }
diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf
index 0d6fb7bfe7..1c057c9dea 100644
--- a/modules/workload-identity/versions.tf
+++ b/modules/workload-identity/versions.tf
@@ -30,6 +30,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v33.0.1"
 }
 }
diff --git a/versions.tf b/versions.tf
index 5045cbb121..a728a9f41d 100644
--- a/versions.tf
+++ b/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v33.0.0"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v33.0.1"
 }
 }
From 1e63d110f0dfb9818bbaeefd12bc222e598f0e13 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 11 Sep 2024 16:44:47 -0700
Subject: [PATCH 160/176] chore(deps): Update go modules and/or dev-tools (#2087)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 test/integration/go.mod | 10 +++++-----
 test/integration/go.sum | 12 ++++++------
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/test/integration/go.mod b/test/integration/go.mod
index 96307159c9..40a62d3240 100644
--- a/test/integration/go.mod
+++ b/test/integration/go.mod
@@ -1,11 +1,11 @@
 module github.com/terraform-google-modules/terraform-google-kubernetes-engine/test/integration
-go 1.22
+go 1.22.0
-toolchain go1.22.6
+toolchain go1.22.7
 require (
- github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1
+ github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.2
 github.com/gruntwork-io/terratest v0.47.1
 github.com/stretchr/testify v1.9.0
 github.com/tidwall/gjson v1.17.3
@@ -51,7 +51,7 @@ require (
 github.com/hashicorp/go-version v1.6.0 // indirect
 github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f // indirect
 github.com/hashicorp/hcl/v2 v2.20.1 // indirect
- github.com/hashicorp/terraform-config-inspect v0.0.0-20240701073647-9fc3669f7553 // indirect
+ github.com/hashicorp/terraform-config-inspect v0.0.0-20240801114854-6714b46f5fe4 // indirect
 github.com/hashicorp/terraform-json v0.22.1 // indirect
 github.com/imdario/mergo v0.3.16 // indirect
 github.com/jinzhu/copier v0.4.0 // indirect
@@ -82,7 +82,7 @@ require (
 github.com/zclconf/go-cty v1.14.4 // indirect
 go.opencensus.io v0.24.0 // indirect
 golang.org/x/crypto v0.21.0 // indirect
- golang.org/x/mod v0.19.0 // indirect
+ golang.org/x/mod v0.21.0 // indirect
 golang.org/x/net v0.23.0 // indirect
 golang.org/x/oauth2 v0.12.0 // indirect
 golang.org/x/sync v0.4.0 // indirect
diff --git a/test/integration/go.sum b/test/integration/go.sum
index 6e00d84f35..ecad101864 100644
--- a/test/integration/go.sum
+++ b/test/integration/go.sum
@@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1 h1:IfsF5yta+pslEAWF1QYFSP/3obWsjLQzFyEKJYAhzos=
-github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.1/go.mod h1:Bop47HzdH60K1rPgNRNqBHrBWhhmqCBG9Y4Y5PEn9fE=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.2 h1:BNFgz4g1lQ2Gd7V5NJxXm2y6S9mZomvtobuu5iv/u/E=
+github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.16.2/go.mod h1:urFpNnUhNIDDWEbRMRh+UaS5ERWYAHIjIPiUmmlBRkA=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
@@ -399,8 +399,8 @@ github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f h1:UdxlrJz4JOnY8W+Db
 github.com/hashicorp/hcl v0.0.0-20170504190234-a4b07c25de5f/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w=
 github.com/hashicorp/hcl/v2 v2.20.1 h1:M6hgdyz7HYt1UN9e61j+qKJBqR3orTWbI1HKBJEdxtc=
 github.com/hashicorp/hcl/v2 v2.20.1/go.mod h1:TZDqQ4kNKCbh1iJp99FdPiUaVDDUPivbqxZulxDYqL4=
-github.com/hashicorp/terraform-config-inspect v0.0.0-20240701073647-9fc3669f7553 h1:ApSEBSu6EhcJWCdwSMd1VbQUeJDtB1jAOHfIxjZyMTc=
-github.com/hashicorp/terraform-config-inspect v0.0.0-20240701073647-9fc3669f7553/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI=
+github.com/hashicorp/terraform-config-inspect v0.0.0-20240801114854-6714b46f5fe4 h1:RwY5HBgtBZ997UtKJAO2Rx+94ETyevwWEVXWx1SL5YY=
+github.com/hashicorp/terraform-config-inspect v0.0.0-20240801114854-6714b46f5fe4/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI=
 github.com/hashicorp/terraform-json v0.22.1 h1:xft84GZR0QzjPVWs4lRUwvTcPnegqlyS7orfb5Ltvec=
 github.com/hashicorp/terraform-json v0.22.1/go.mod h1:JbWSQCLFSXFFhg42T7l9iJwdGXBYV8fmmD6o/ML4p3A=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -571,8 +571,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
From b0585ddf7042633833584ff5c0801621bcacbab2 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 12 Sep 2024 00:53:13 +0000
Subject: [PATCH 161/176] chore(deps): Update Terraform terraform-google-modules/kms/google to v3 (#2088)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 examples/safer_cluster_iap_bastion/kms.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/safer_cluster_iap_bastion/kms.tf b/examples/safer_cluster_iap_bastion/kms.tf
index 668181500b..885e43a313 100644
--- a/examples/safer_cluster_iap_bastion/kms.tf
+++ b/examples/safer_cluster_iap_bastion/kms.tf
@@ -16,7 +16,7 @@
 module "kms" {
 source = "terraform-google-modules/kms/google"
- version = "~> 2.3"
+ version = "~> 3.0"
 project_id = var.project_id
 location = var.region
 keyring = "gke-keyring"
From 02ea2218f6df1600ef6ecf95154ca180295251ca Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 12 Sep 2024 17:00:18 +0000
Subject: [PATCH 162/176] chore(deps): Update Terraform terraform-google-modules/kubernetes-engine/google to v33 (#2089)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 examples/acm-terraform-blog-part1/terraform/gke.tf | 2 +-
 examples/acm-terraform-blog-part2/terraform/gke.tf | 2 +-
 examples/acm-terraform-blog-part3/terraform/gke.tf | 4 ++--
 examples/deploy_service/main.tf | 2 +-
 examples/disable_client_cert/main.tf | 2 +-
 examples/island_cluster_anywhere_in_gcp_design/main.tf | 2 +-
 examples/island_cluster_with_vm_router/main.tf | 2 +-
 examples/node_pool/main.tf | 2 +-
 examples/node_pool_update_variant/main.tf | 2 +-
 examples/node_pool_update_variant_beta/main.tf | 2 +-
 examples/node_pool_update_variant_public_beta/main.tf | 2 +-
 examples/private_zonal_with_networking/main.tf | 2 +-
 examples/regional_private_node_pool_oauth_scopes/main.tf | 2 +-
 examples/safer_cluster/main.tf | 2 +-
 examples/safer_cluster_iap_bastion/cluster.tf | 2 +-
 examples/shared_vpc/main.tf | 2 +-
 examples/simple_autopilot_private/main.tf | 2 +-
 examples/simple_autopilot_private_non_default_sa/main.tf | 2 +-
 examples/simple_autopilot_public/main.tf | 2 +-
 examples/simple_regional/main.tf | 2 +-
 examples/simple_regional_beta/main.tf | 2 +-
 examples/simple_regional_private/main.tf | 2 +-
 examples/simple_regional_private_beta/main.tf | 2 +-
 .../simple_regional_private_with_cluster_version/main.tf | 2 +-
 examples/simple_regional_with_gateway_api/main.tf | 2 +-
 examples/simple_regional_with_kubeconfig/main.tf | 4 ++--
 examples/simple_regional_with_networking/main.tf | 2 +-
 examples/simple_windows_node_pool/main.tf | 2 +-
 examples/simple_zonal_private/main.tf | 2 +-
 examples/simple_zonal_with_acm/acm.tf | 2 +-
 examples/simple_zonal_with_acm/main.tf | 2 +-
 examples/simple_zonal_with_asm/main.tf | 4 ++--
 examples/simple_zonal_with_hub/hub.tf | 2 +-
 examples/simple_zonal_with_hub/main.tf | 2 +-
 examples/simple_zonal_with_hub_kubeconfig/hub.tf | 2 +-
 examples/stub_domains/main.tf | 2 +-
 examples/stub_domains_private/main.tf | 2 +-
 examples/stub_domains_upstream_nameservers/main.tf | 2 +-
 examples/upstream_nameservers/main.tf | 2 +-
 examples/workload_identity/main.tf | 8 ++++----
 examples/workload_metadata_config/main.tf | 2 +-
 41 files changed, 47 insertions(+), 47 deletions(-)
diff --git a/examples/acm-terraform-blog-part1/terraform/gke.tf b/examples/acm-terraform-blog-part1/terraform/gke.tf
index 615a86f484..4cd6bfe1a5 100644
--- a/examples/acm-terraform-blog-part1/terraform/gke.tf
+++ b/examples/acm-terraform-blog-part1/terraform/gke.tf
@@ -31,7 +31,7 @@ module "enabled_google_apis" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = module.enabled_google_apis.project_id
 name = "sfl-acm-part1"
 region = var.region
diff --git a/examples/acm-terraform-blog-part2/terraform/gke.tf b/examples/acm-terraform-blog-part2/terraform/gke.tf
index f81db34073..98f387dbe5 100644
--- a/examples/acm-terraform-blog-part2/terraform/gke.tf
+++ b/examples/acm-terraform-blog-part2/terraform/gke.tf
@@ -31,7 +31,7 @@ module "enabled_google_apis" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = module.enabled_google_apis.project_id
 name = "sfl-acm-part2"
 region = var.region
diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf
index 07025627ee..74bcb4c271 100644
--- a/examples/acm-terraform-blog-part3/terraform/gke.tf
+++ b/examples/acm-terraform-blog-part3/terraform/gke.tf
@@ -33,7 +33,7 @@ module "enabled_google_apis" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = module.enabled_google_apis.project_id
 name = "sfl-acm-part3"
 region = var.region
@@ -48,7 +48,7 @@ module "gke" {
 module "wi" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 32.0"
+ version = "~> 33.0"
 gcp_sa_name = "cnrmsa"
 cluster_name = module.gke.name
 name = "cnrm-controller-manager"
diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf
index 02312c42f0..b055bf0d60 100644
--- a/examples/deploy_service/main.tf
+++ b/examples/deploy_service/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/disable_client_cert/main.tf b/examples/disable_client_cert/main.tf
index 37053a3ae4..30f9893e38 100644
--- a/examples/disable_client_cert/main.tf
+++ b/examples/disable_client_cert/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/island_cluster_anywhere_in_gcp_design/main.tf b/examples/island_cluster_anywhere_in_gcp_design/main.tf
index e3483bc1b7..5002c00feb 100644
--- a/examples/island_cluster_anywhere_in_gcp_design/main.tf
+++ b/examples/island_cluster_anywhere_in_gcp_design/main.tf
@@ -27,7 +27,7 @@ resource "google_service_account" "gke-sa" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 for_each = { for k, v in var.gke_spokes : k => v }
diff --git a/examples/island_cluster_with_vm_router/main.tf b/examples/island_cluster_with_vm_router/main.tf
index 7f5803e69e..256d17d34b 100644
--- a/examples/island_cluster_with_vm_router/main.tf
+++ b/examples/island_cluster_with_vm_router/main.tf
@@ -143,7 +143,7 @@ module "net" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 depends_on = [google_compute_instance.vm]
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 513941b1c6..0d1c6ab981 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf
index 7c35f3d921..c0c3ba0b15 100644
--- a/examples/node_pool_update_variant/main.tf
+++ b/examples/node_pool_update_variant/main.tf
@@ -34,7 +34,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster-update-variant"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf
index 2e91e601ce..f48e70744e 100644
--- a/examples/node_pool_update_variant_beta/main.tf
+++ b/examples/node_pool_update_variant_beta/main.tf
@@ -39,7 +39,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster-update-variant"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/node_pool_update_variant_public_beta/main.tf b/examples/node_pool_update_variant_public_beta/main.tf
index f85cb9a091..b7c61ec6f8 100644
--- a/examples/node_pool_update_variant_public_beta/main.tf
+++ b/examples/node_pool_update_variant_public_beta/main.tf
@@ -39,7 +39,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster-update-variant"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/private_zonal_with_networking/main.tf b/examples/private_zonal_with_networking/main.tf
index 8f0180e0fe..fbaf3d95ca 100644
--- a/examples/private_zonal_with_networking/main.tf
+++ b/examples/private_zonal_with_networking/main.tf
@@ -61,7 +61,7 @@ data "google_compute_subnetwork" "subnetwork" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = var.cluster_name
diff --git a/examples/regional_private_node_pool_oauth_scopes/main.tf b/examples/regional_private_node_pool_oauth_scopes/main.tf
index 81302d0331..6f7e284703 100644
--- a/examples/regional_private_node_pool_oauth_scopes/main.tf
+++ b/examples/regional_private_node_pool_oauth_scopes/main.tf
@@ -16,7 +16,7 @@
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "random-test-cluster"
diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf
index 64551b16f4..e91fe6fd33 100644
--- a/examples/safer_cluster/main.tf
+++ b/examples/safer_cluster/main.tf
@@ -52,7 +52,7 @@ resource "random_shuffle" "version" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster-${random_string.suffix.result}"
diff --git a/examples/safer_cluster_iap_bastion/cluster.tf b/examples/safer_cluster_iap_bastion/cluster.tf
index c90667378b..7ea0c6a0bb 100644
--- a/examples/safer_cluster_iap_bastion/cluster.tf
+++ b/examples/safer_cluster_iap_bastion/cluster.tf
@@ -16,7 +16,7 @@
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/safer-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = module.enabled_google_apis.project_id
 name = var.cluster_name
diff --git a/examples/shared_vpc/main.tf b/examples/shared_vpc/main.tf
index c7bed09ccc..647db429e4 100644
--- a/examples/shared_vpc/main.tf
+++ b/examples/shared_vpc/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf
index 17f2b17885..156a351b73 100644
--- a/examples/simple_autopilot_private/main.tf
+++ b/examples/simple_autopilot_private/main.tf
@@ -35,7 +35,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster"
diff --git a/examples/simple_autopilot_private_non_default_sa/main.tf b/examples/simple_autopilot_private_non_default_sa/main.tf
index 93ade48198..53e96b88b7 100644
--- a/examples/simple_autopilot_private_non_default_sa/main.tf
+++ b/examples/simple_autopilot_private_non_default_sa/main.tf
@@ -35,7 +35,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster"
diff --git a/examples/simple_autopilot_public/main.tf b/examples/simple_autopilot_public/main.tf
index cf4deb5909..8a1ba5597a 100644
--- a/examples/simple_autopilot_public/main.tf
+++ b/examples/simple_autopilot_public/main.tf
@@ -34,7 +34,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-autopilot-public-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster"
diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf
index 205557b3e2..20747771be 100644
--- a/examples/simple_regional/main.tf
+++ b/examples/simple_regional/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
index c6a5401b4d..956cb1789a 100644
--- a/examples/simple_regional_beta/main.tf
+++ b/examples/simple_regional_beta/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/simple_regional_private/main.tf b/examples/simple_regional_private/main.tf
index 9f852323bb..2db7fab12d 100644
--- a/examples/simple_regional_private/main.tf
+++ b/examples/simple_regional_private/main.tf
@@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf
index 6170d36574..71077866cd 100644
--- a/examples/simple_regional_private_beta/main.tf
+++ b/examples/simple_regional_private_beta/main.tf
@@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/simple_regional_private_with_cluster_version/main.tf b/examples/simple_regional_private_with_cluster_version/main.tf
index cff361a8de..531dc841d8 100644
--- a/examples/simple_regional_private_with_cluster_version/main.tf
+++ b/examples/simple_regional_private_with_cluster_version/main.tf
@@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/simple_regional_with_gateway_api/main.tf b/examples/simple_regional_with_gateway_api/main.tf
index f6fef5026f..6cb918cda4 100644
--- a/examples/simple_regional_with_gateway_api/main.tf
+++ b/examples/simple_regional_with_gateway_api/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/simple_regional_with_kubeconfig/main.tf b/examples/simple_regional_with_kubeconfig/main.tf
index 84f4e99ba9..a7d38ca231 100644
--- a/examples/simple_regional_with_kubeconfig/main.tf
+++ b/examples/simple_regional_with_kubeconfig/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
@@ -45,7 +45,7 @@ module "gke" {
 module "gke_auth" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/auth"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 location = module.gke.location
diff --git a/examples/simple_regional_with_networking/main.tf b/examples/simple_regional_with_networking/main.tf
index e072c50814..8d185ff542 100644
--- a/examples/simple_regional_with_networking/main.tf
+++ b/examples/simple_regional_with_networking/main.tf
@@ -53,7 +53,7 @@ module "gcp-network" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = var.cluster_name
diff --git a/examples/simple_windows_node_pool/main.tf b/examples/simple_windows_node_pool/main.tf
index e2ad5ac199..79a7169a92 100644
--- a/examples/simple_windows_node_pool/main.tf
+++ b/examples/simple_windows_node_pool/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 regional = false
diff --git a/examples/simple_zonal_private/main.tf b/examples/simple_zonal_private/main.tf
index a44b2d4c1a..ef7dcb656b 100644
--- a/examples/simple_zonal_private/main.tf
+++ b/examples/simple_zonal_private/main.tf
@@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf
index c58eb4874c..3c15a155ea 100644
--- a/examples/simple_zonal_with_acm/acm.tf
+++ b/examples/simple_zonal_with_acm/acm.tf
@@ -16,7 +16,7 @@
 module "acm" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/acm"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 location = module.gke.location
diff --git a/examples/simple_zonal_with_acm/main.tf b/examples/simple_zonal_with_acm/main.tf
index 814118ffdb..f4e55dd614 100644
--- a/examples/simple_zonal_with_acm/main.tf
+++ b/examples/simple_zonal_with_acm/main.tf
@@ -32,7 +32,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 regional = false
diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf
index a5879d50cd..ca0a004307 100644
--- a/examples/simple_zonal_with_asm/main.tf
+++ b/examples/simple_zonal_with_asm/main.tf
@@ -28,7 +28,7 @@ data "google_project" "project" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "test-prefix-cluster-test-suffix"
@@ -57,7 +57,7 @@ module "gke" {
 module "asm" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/asm"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 cluster_name = module.gke.name
diff --git a/examples/simple_zonal_with_hub/hub.tf b/examples/simple_zonal_with_hub/hub.tf
index 94706e7c5a..82574310eb 100644
--- a/examples/simple_zonal_with_hub/hub.tf
+++ b/examples/simple_zonal_with_hub/hub.tf
@@ -16,7 +16,7 @@
 module "hub" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/fleet-membership"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 location = module.gke.location
diff --git a/examples/simple_zonal_with_hub/main.tf b/examples/simple_zonal_with_hub/main.tf
index 245c11d53e..da66da19e6 100644
--- a/examples/simple_zonal_with_hub/main.tf
+++ b/examples/simple_zonal_with_hub/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 regional = false
diff --git a/examples/simple_zonal_with_hub_kubeconfig/hub.tf b/examples/simple_zonal_with_hub_kubeconfig/hub.tf
index b987a3bd86..5bd81f7a73 100644
--- a/examples/simple_zonal_with_hub_kubeconfig/hub.tf
+++ b/examples/simple_zonal_with_hub_kubeconfig/hub.tf
@@ -16,7 +16,7 @@
 module "hub" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/hub-legacy"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 location = "remote"
diff --git a/examples/stub_domains/main.tf b/examples/stub_domains/main.tf
index c2f0afabb9..a3ce305987 100644
--- a/examples/stub_domains/main.tf
+++ b/examples/stub_domains/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf
index dc0bb99f4c..dbd4e611f5 100644
--- a/examples/stub_domains_private/main.tf
+++ b/examples/stub_domains_private/main.tf
@@ -30,7 +30,7 @@ data "google_compute_subnetwork" "subnetwork" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 ip_range_pods = var.ip_range_pods
 ip_range_services = var.ip_range_services
diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf
index cb8b748458..9a4e2f8b8c 100644
--- a/examples/stub_domains_upstream_nameservers/main.tf
+++ b/examples/stub_domains_upstream_nameservers/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/upstream_nameservers/main.tf b/examples/upstream_nameservers/main.tf
index 8e613ce7b1..0aa34cac6b 100644
--- a/examples/upstream_nameservers/main.tf
+++ b/examples/upstream_nameservers/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf
index 01bf4977ce..0cfe84ed8f 100644
--- a/examples/workload_identity/main.tf
+++ b/examples/workload_identity/main.tf
@@ -28,7 +28,7 @@ provider "kubernetes" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
@@ -54,7 +54,7 @@ module "gke" {
 # example without existing KSA
 module "workload_identity" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "iden-${module.gke.name}"
@@ -74,7 +74,7 @@ resource "kubernetes_service_account" "test" {
 module "workload_identity_existing_ksa" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "existing-${module.gke.name}"
@@ -93,7 +93,7 @@ resource "google_service_account" "custom" {
 module "workload_identity_existing_gsa" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = google_service_account.custom.account_id
diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf
index 110bd7d29e..8cec078eac 100644
--- a/examples/workload_metadata_config/main.tf
+++ b/examples/workload_metadata_config/main.tf
@@ -34,7 +34,7 @@ data "google_compute_subnetwork" "subnetwork" {
 module "gke" {
 source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster"
- version = "~> 32.0"
+ version = "~> 33.0"
 project_id = var.project_id
 name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
From 0ce1df6894fe8883ad394e4e5a39ac766a33e1ce Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Thu, 12 Sep 2024 16:47:02 -0700
Subject: [PATCH 163/176] fix: asm and auth allow TPGv6 (#2092)
---
 modules/asm/versions.tf | 4 ++--
 modules/auth/versions.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf
index 7212f95790..54cea1f2a0 100644
--- a/modules/asm/versions.tf
+++ b/modules/asm/versions.tf
@@ -26,12 +26,12 @@ terraform {
 google = {
 source = "hashicorp/google"
 # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507
- version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 6"
+ version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
 # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507
- version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 6"
+ version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 7"
 }
 }
diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf
index 4e14eb5b85..5bbcbddc15 100644
--- a/modules/auth/versions.tf
+++ b/modules/auth/versions.tf
@@ -21,7 +21,7 @@ terraform {
 google = {
 source = "hashicorp/google"
 # Avoid v4.49 and v4.50 for https://github.com/hashicorp/terraform-provider-google/issues/13507
- version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 6"
+ version = ">= 4.47.0, != 4.49.0, != 4.50.0, < 7"
 }
 }
From f4c1af2a544ac426ecad44525bca5a34713c40a5 Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Fri, 13 Sep 2024 09:37:53 -0700
Subject: [PATCH 164/176] fix: no gcfs block when enable_gcfs null (#2093)
---
 autogen/main/cluster.tf.tmpl | 2 +-
 cluster.tf | 2 +-
 modules/beta-private-cluster-update-variant/cluster.tf | 2 +-
 modules/beta-private-cluster/cluster.tf | 2 +-
 modules/beta-public-cluster-update-variant/cluster.tf | 2 +-
 modules/beta-public-cluster/cluster.tf | 2 +-
 modules/private-cluster-update-variant/cluster.tf | 2 +-
 modules/private-cluster/cluster.tf | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 901de66ef9..4423f2d694 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -516,7 +516,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false]
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/cluster.tf b/cluster.tf
index ea7c585825..9304059307 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -393,7 +393,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false]
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 804ee52f5f..ff77b6211f 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false]
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
 content {
 enabled = gcfs_config.value
 }
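Review bot: The new `for_each` iterates over `[var.node_pools[0]]`, so inside the `content` block `gcfs_config.value` is the whole node-pool map rather than the `enable_gcfs` flag, and `enabled = gcfs_config.value` can no longer satisfy the boolean `enabled` argument; the old expression at least always supplied a bool. The iterated list should carry the flag itself: `for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []`. The identical line is repeated in the cluster.tf hunk and in the six generated modules/*/cluster.tf hunks of this commit, so the fix belongs in the template followed by a regeneration. The enclosing google_container_cluster resource starts and ends outside the hunk.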
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 4173d35c5f..a514da0e14 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false]
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index f12231cfb3..98c1685321 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false]
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 163903870c..1010467a93 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false]
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 2378b2ba2b..228b1ed12f 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -393,7 +393,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false]
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index bd45bf41fd..a6079069c2 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -393,7 +393,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : [false]
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
 content {
 enabled = gcfs_config.value
 }
From af0c7d527f13c752c9dc5e501aa86d2b788549a3 Mon Sep 17 00:00:00 2001
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com>
Date: Fri, 13 Sep 2024 11:13:33 -0700
Subject: [PATCH 165/176] chore(master): release 33.0.2 (#2094)
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
---
 CHANGELOG.md | 8 ++++++++
 autogen/main/versions.tf.tmpl | 8 ++++----
 autogen/safer-cluster/versions.tf.tmpl | 2 +-
 modules/acm/versions.tf | 4 ++--
 modules/asm/versions.tf | 4 ++--
 modules/auth/versions.tf | 2 +-
 modules/beta-autopilot-private-cluster/versions.tf | 2 +-
 modules/beta-autopilot-public-cluster/versions.tf | 2 +-
 modules/beta-private-cluster-update-variant/versions.tf | 2 +-
 modules/beta-private-cluster/versions.tf | 2 +-
 modules/beta-public-cluster-update-variant/versions.tf | 2 +-
 modules/beta-public-cluster/versions.tf | 2 +-
 modules/binary-authorization/versions.tf | 2 +-
 modules/fleet-app-operator-permissions/versions.tf | 2 +-
 modules/fleet-membership/versions.tf | 2 +-
 modules/hub-legacy/versions.tf | 2 +-
 modules/private-cluster-update-variant/versions.tf | 2 +-
 modules/private-cluster/versions.tf | 2 +-
 modules/safer-cluster-update-variant/versions.tf | 2 +-
 modules/safer-cluster/versions.tf | 2 +-
 modules/services/versions.tf | 2 +-
 modules/workload-identity/versions.tf | 2 +-
 versions.tf | 2 +-
 23 files changed, 35 insertions(+), 27 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93e8c797d2..75d9eb6298 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 Extending the adopted spec, each change should have a link to its corresponding pull request appended.
+## [33.0.2](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v33.0.1...v33.0.2) (2024-09-13)
+
+
+### Bug Fixes
+
+* asm and auth allow TPGv6 ([#2092](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2092)) ([0ce1df6](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/0ce1df6894fe8883ad394e4e5a39ac766a33e1ce))
+* no gcfs block when enable_gcfs null ([#2093](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2093)) ([f4c1af2](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/f4c1af2a544ac426ecad44525bca5a34713c40a5))
+
 ## [33.0.1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v33.0.0...v33.0.1) (2024-09-11)
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 774bc49b74..5c9046421a 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -40,7 +40,7 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
 }
 {% elif beta_cluster and autopilot_cluster %}
 required_providers {
@@ -64,7 +64,7 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
 }
 {% elif autopilot_cluster %}
 required_providers {
@@ -83,7 +83,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
 }
 {% else %}
 required_providers {
@@ -101,7 +101,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
 }
 {% endif %}
 }
diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl
index f7bba33dff..e00f5f99f8 100644
--- a/autogen/safer-cluster/versions.tf.tmpl
+++ b/autogen/safer-cluster/versions.tf.tmpl
@@ -23,6 +23,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
 }
 }
diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf
index 13f5e6dd52..8a800fa7b4 100644
--- a/modules/acm/versions.tf
+++ b/modules/acm/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_version = ">= 0.13.0"
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.2"
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.2"
 }
 required_providers {
diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf
index 54cea1f2a0..f4924bfb09 100644
--- a/modules/asm/versions.tf
+++ b/modules/asm/versions.tf
@@ -36,10 +36,10 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.2"
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.2"
 }
 }
diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf
index 5bbcbddc15..e27ddf39b1 100644
--- a/modules/auth/versions.tf
+++ b/modules/auth/versions.tf
@@ -26,6 +26,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v33.0.2"
 }
 }
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index 11bfaa8035..bbc9ba1471 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -39,6 +39,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v33.0.2"
 }
 }
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index b639333fac..1fedb8bcef 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -39,6 +39,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v33.0.2"
 }
 }
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 5af5662b68..0b69d00302 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v33.0.2"
 }
 }
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 8fc46b89a1..4733140553 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v33.0.2"
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index 19fd700b1b..3eb952cd49 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v33.0.2"
 }
 }
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 5e56375760..959424b7a2 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v33.0.2"
 }
 }
diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf
index c5c167164c..b74b81c54a 100644
--- a/modules/binary-authorization/versions.tf
+++ b/modules/binary-authorization/versions.tf
@@ -28,6 +28,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v33.0.2"
 }
 }
diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf
index 9fedf10a39..2402fe6f56 100644
--- a/modules/fleet-app-operator-permissions/versions.tf
+++ b/modules/fleet-app-operator-permissions/versions.tf
@@ -33,7 +33,7 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v33.0.2"
 }
 }
diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf
index da17e83a28..ca390ee5da 100644
--- a/modules/fleet-membership/versions.tf
+++ b/modules/fleet-membership/versions.tf
@@ -30,6 +30,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.2"
 }
 }
diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf
index 4c0db3a8aa..d1a281cfae 100644
--- a/modules/hub-legacy/versions.tf
+++ b/modules/hub-legacy/versions.tf
@@ -28,6 +28,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.2"
 }
 }
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index 78910ffe56..c8a6616bc9 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v33.0.2"
 }
 }
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index a03ea59feb..498200759c 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v33.0.2"
 }
 }
diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf
index 537af7b93c..7090e2128e 100644
--- a/modules/safer-cluster-update-variant/versions.tf
+++ b/modules/safer-cluster-update-variant/versions.tf
@@ -21,6 +21,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v33.0.2"
 }
 }
diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf
index 369b122420..82fc43d3f8 100644
--- a/modules/safer-cluster/versions.tf
+++ b/modules/safer-cluster/versions.tf
@@ -21,6 +21,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v33.0.2"
 }
 }
diff --git a/modules/services/versions.tf b/modules/services/versions.tf
index be1d0e1a15..7bae87df2b 100644
--- a/modules/services/versions.tf
+++ b/modules/services/versions.tf
@@ -19,6 +19,6 @@ terraform {
 required_version = ">= 0.13.0"
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v33.0.2"
 }
 }
diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf
index 1c057c9dea..e4871b78f7 100644
--- a/modules/workload-identity/versions.tf
+++ b/modules/workload-identity/versions.tf
@@ -30,6 +30,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v33.0.2"
 }
 }
diff --git a/versions.tf b/versions.tf
index a728a9f41d..258712e046 100644
--- a/versions.tf
+++ b/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v33.0.1"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v33.0.2"
 }
 }
From 1b7a845714cd86cbc3fbb7bf782b868330ca5fe9 Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Fri, 13 Sep 2024 14:00:21 -0700
Subject: [PATCH 166/176] fix: correct gcfs_config value (#2095)
---
 autogen/main/cluster.tf.tmpl | 2 +-
 cluster.tf | 2 +-
 examples/node_pool/main.tf | 1 +
 modules/beta-private-cluster-update-variant/cluster.tf | 2 +-
 modules/beta-private-cluster/cluster.tf | 2 +-
 modules/beta-public-cluster-update-variant/cluster.tf | 2 +-
 modules/beta-public-cluster/cluster.tf | 2 +-
 modules/private-cluster-update-variant/cluster.tf | 2 +-
 modules/private-cluster/cluster.tf | 2 +-
 9 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 4423f2d694..52d6ef05d2 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -516,7 +516,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/cluster.tf b/cluster.tf
index 9304059307..27cd0cebb0 100644
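Review bot: The new `for_each` in the `gcfs_config` dynamic block reads `enable_gcfs` twice, once through `lookup(..., null)` for the null test and again by direct attribute access, whereas the neighbouring attributes (`min_cpu_platform`, `enable_confidential_storage`) each use a single `lookup` with a default; a one-expression form keeps the style consistent and makes the intent readable: `# Emit gcfs_config only when the pool sets enable_gcfs; with no block the provider default applies.` followed by `for_each = [for v in [lookup(var.node_pools[0], "enable_gcfs", null)] : v if v != null]`. Because this file is the `autogen` template, the same expression appears verbatim in the generated `cluster.tf` and `modules/*/cluster.tf` hunks that follow, so the change belongs here and propagates by regenerating. The enclosing `resource "google_container_cluster" "primary"` block starts and ends outside the hunk.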
--- a/cluster.tf
+++ b/cluster.tf
@@ -393,7 +393,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 0d1c6ab981..6d61682f5b 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -51,6 +51,7 @@ module "gke" {
 max_count = 2
 service_account = var.compute_engine_service_account
 auto_upgrade = true
+ enable_gcfs = false
 },
 {
 name = "pool-02"
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index ff77b6211f..7f6916b96e 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index a514da0e14..ef77e7808d 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 98c1685321..bafcacdd12 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 1010467a93..2c362c4263 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -439,7 +439,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 228b1ed12f..e3a1a52263 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -393,7 +393,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
 content {
 enabled = gcfs_config.value
 }
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index a6079069c2..c6cf074c54 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -393,7 +393,7 @@ resource "google_container_cluster" "primary" {
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
 enable_confidential_storage = lookup(var.node_pools[0], "enable_confidential_storage", false)
 dynamic "gcfs_config" {
- for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0]] : []
+ for_each = lookup(var.node_pools[0], "enable_gcfs", null) != null ? [var.node_pools[0].enable_gcfs] : []
 content {
 enabled = gcfs_config.value
 }
From 151274e2f369620a236678aff3b715dc8c2b03d2 Mon Sep 17 00:00:00 2001
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com>
Date: Fri, 13 Sep 2024 15:38:37 -0700
Subject: [PATCH 167/176] chore(master): release 33.0.3 (#2096)
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
---
 CHANGELOG.md | 7 +++++++
 autogen/main/versions.tf.tmpl | 8 ++++----
 autogen/safer-cluster/versions.tf.tmpl | 2 +-
 modules/acm/versions.tf | 4 ++--
 modules/asm/versions.tf | 4 ++--
 modules/auth/versions.tf | 2 +-
 modules/beta-autopilot-private-cluster/versions.tf | 2 +-
 modules/beta-autopilot-public-cluster/versions.tf | 2 +-
 modules/beta-private-cluster-update-variant/versions.tf | 2 +-
 modules/beta-private-cluster/versions.tf | 2 +-
 modules/beta-public-cluster-update-variant/versions.tf | 2 +-
 modules/beta-public-cluster/versions.tf | 2 +-
 modules/binary-authorization/versions.tf | 2 +-
 modules/fleet-app-operator-permissions/versions.tf | 2 +-
 modules/fleet-membership/versions.tf | 2 +-
 modules/hub-legacy/versions.tf | 2 +-
 modules/private-cluster-update-variant/versions.tf | 2 +-
 modules/private-cluster/versions.tf | 2 +-
 modules/safer-cluster-update-variant/versions.tf | 2 +-
 modules/safer-cluster/versions.tf | 2 +-
 modules/services/versions.tf | 2 +-
 modules/workload-identity/versions.tf | 2 +-
 versions.tf | 2 +-
 23 files changed, 34 insertions(+), 27 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 75d9eb6298..d41fe0abed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [33.0.3](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v33.0.2...v33.0.3) (2024-09-13) + + ### Bug Fixes + +* correct gcfs_config value ([#2095](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2095)) ([1b7a845](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/1b7a845714cd86cbc3fbb7bf782b868330ca5fe9)) + ## [33.0.2](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v33.0.1...v33.0.2) (2024-09-13)
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 5c9046421a..d575b81cd8 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -40,7 +40,7 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
 }
 {% elif beta_cluster and autopilot_cluster %}
 required_providers {
@@ -64,7 +64,7 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
 }
 {% elif autopilot_cluster %}
 required_providers {
@@ -83,7 +83,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
 }
 {% else %}
 required_providers {
@@ -101,7 +101,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
 }
 {% endif %}
 }
diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl
index e00f5f99f8..dec039a64e 100644
--- a/autogen/safer-cluster/versions.tf.tmpl
+++ b/autogen/safer-cluster/versions.tf.tmpl
@@ -23,6 +23,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
 }
 }
diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf
index 8a800fa7b4..03dc6fc9b2 100644
--- a/modules/acm/versions.tf
+++ b/modules/acm/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_version = ">= 0.13.0"
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.3"
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.3"
 }
 required_providers {
diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf
index f4924bfb09..1ee54794a9 100644
--- a/modules/asm/versions.tf
+++ b/modules/asm/versions.tf
@@ -36,10 +36,10 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.3"
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.3"
 }
 }
diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf
index e27ddf39b1..5b1a6761da 100644
--- a/modules/auth/versions.tf
+++ b/modules/auth/versions.tf
@@ -26,6 +26,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v33.0.3"
 }
 }
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index bbc9ba1471..91182de84a 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -39,6 +39,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v33.0.3"
 }
 }
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index 1fedb8bcef..161ab7e90b 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -39,6 +39,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v33.0.3"
 }
 }
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 0b69d00302..286e235763 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v33.0.3"
 }
 }
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 4733140553..ae73d2d153 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v33.0.3"
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index 3eb952cd49..1ee24ccfe2 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v33.0.3"
 }
 }
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 959424b7a2..ac2e27dd8d 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -37,6 +37,6 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v33.0.3"
 }
 }
diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf
index b74b81c54a..5ea50df907 100644
--- a/modules/binary-authorization/versions.tf
+++ b/modules/binary-authorization/versions.tf
@@ -28,6 +28,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v33.0.3"
 }
 }
diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf
index 2402fe6f56..8627770ecc 100644
--- a/modules/fleet-app-operator-permissions/versions.tf
+++ b/modules/fleet-app-operator-permissions/versions.tf
@@ -33,7 +33,7 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v33.0.3"
 }
 }
diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf
index ca390ee5da..69d189dbe0 100644
--- a/modules/fleet-membership/versions.tf
+++ b/modules/fleet-membership/versions.tf
@@ -30,6 +30,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.3"
 }
 }
diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf
index d1a281cfae..ca05160e1e 100644
--- a/modules/hub-legacy/versions.tf
+++ b/modules/hub-legacy/versions.tf
@@ -28,6 +28,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.3"
 }
 }
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index c8a6616bc9..a738c97543 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v33.0.3"
 }
 }
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index 498200759c..3e23e3e796 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v33.0.3"
 }
 }
diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf
index 7090e2128e..117b2dc0d5 100644
--- a/modules/safer-cluster-update-variant/versions.tf
+++ b/modules/safer-cluster-update-variant/versions.tf
@@ -21,6 +21,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v33.0.3"
 }
 }
diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf
index 82fc43d3f8..95a7874731 100644
--- a/modules/safer-cluster/versions.tf
+++ b/modules/safer-cluster/versions.tf
@@ -21,6 +21,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v33.0.3"
 }
 }
diff --git a/modules/services/versions.tf b/modules/services/versions.tf
index 7bae87df2b..9eed0f00c4 100644
--- a/modules/services/versions.tf
+++ b/modules/services/versions.tf
@@ -19,6 +19,6 @@ terraform {
 required_version = ">= 0.13.0"
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v33.0.3"
 }
 }
diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf
index e4871b78f7..6f81df148b 100644
--- a/modules/workload-identity/versions.tf
+++ b/modules/workload-identity/versions.tf
@@ -30,6 +30,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v33.0.3"
 }
 }
diff --git a/versions.tf b/versions.tf
index 258712e046..65ffef7d53 100644
--- a/versions.tf
+++ b/versions.tf
@@ -33,6 +33,6 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v33.0.2"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v33.0.3"
 }
 }
From 75540ddd9a2a3fc000dc2e72c3fcde13f95a1440 Mon Sep 17 00:00:00 2001
From: Will Yardley
Date: Mon, 16 Sep 2024 09:12:24 -0700
Subject: [PATCH 168/176] docs: clarify templating language in use (#2099)
---
 CONTRIBUTING.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 734520fa68..e91b14216d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -21,6 +21,8 @@ must be refreshed if the module interfaces are changed. To more cleanly handle cases where desired functionality would require complex duplication of Terraform resources (i.e. [PR 51](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/51)), this repository is largely generated from the [`autogen`](/autogen) directory.
+This uses [Jinja2](https://jinja.palletsprojects.com/en/3.1.x/) under the hood for templating.
+
 The root module is generated by running `make build`. Changes to this repository should be made in the [`autogen`](/autogen) directory where appropriate. Note: The correct sequence to update the repo using autogen functionality is to run
From bff49e1964889d49c0e0b774b2c23220c116ac15 Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Mon, 16 Sep 2024 16:15:11 -0700
Subject: [PATCH 169/176] fix: TPG < 6.2 for Autopilot (#2101)
---
 autogen/main/versions.tf.tmpl | 6 +++---
 modules/beta-autopilot-private-cluster/versions.tf | 4 ++--
 modules/beta-autopilot-public-cluster/versions.tf | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index d575b81cd8..5c00de8efe 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -47,12 +47,12 @@ terraform {
 google = {
 source = "hashicorp/google"
 # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428
- version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7"
+ version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
 # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428
- version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7"
+ version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
@@ -71,7 +71,7 @@ terraform {
 google = {
 source = "hashicorp/google"
 # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428
- version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7"
+ version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index 91182de84a..d3d54fee39 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
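Review bot: With the upper bound tightened to `< 6.2.0`, the trailing `< 7` in the three rewritten `version` constraints is now redundant and reads as if 6.x were still admitted; `version = ">= 5.40.0, != 5.44.0, < 6.2.0"` states the same constraint without the dead term. The new cap also excludes every provider release from 6.2.0 onward, including any later bug or security fixes, yet the `# Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428` comment above each constraint still reads as a single-version exclusion; it should say the cap is temporary, e.g. `# Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428: capped below 6.2.0 until fixed upstream; lift the cap once resolved`. The generated copies in `modules/beta-autopilot-private-cluster/versions.tf` and `modules/beta-autopilot-public-cluster/versions.tf` that follow carry the same constraint and comment. The enclosing `terraform` / `required_providers` block starts and ends outside these hunks.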
@@ -22,12 +22,12 @@ terraform {
 google = {
 source = "hashicorp/google"
 # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428
- version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7"
+ version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
 # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428
- version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7"
+ version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index 161ab7e90b..5a1725b22d 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -22,12 +22,12 @@ terraform {
 google = {
 source = "hashicorp/google"
 # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428
- version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7"
+ version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
 # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428
- version = ">= 5.40.0, != 5.44.0, != 6.2.0, < 7"
+ version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
From d68af17a627eaf01437f9250d364bd0942b4b3a6 Mon Sep 17 00:00:00 2001
From: Andrew Peabody
Date: Wed, 18 Sep 2024 15:31:58 -0700
Subject: [PATCH 170/176] chore(CI): fix window node pool test (#2103)
---
 examples/simple_windows_node_pool/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/simple_windows_node_pool/main.tf b/examples/simple_windows_node_pool/main.tf
index 79a7169a92..d3dde58491 100644
--- a/examples/simple_windows_node_pool/main.tf
+++ b/examples/simple_windows_node_pool/main.tf
@@ -63,7 +63,7 @@ module "gke" {
 autoscaling = false
 auto_upgrade = true
 node_count = 1
- machine_type = "n2-standard-2"
+ machine_type = "n2-standard-4"
 image_type = "WINDOWS_LTSC_CONTAINERD"
 },
 ]
From 303b85d108669de3bc45548ba9d3375cf0079cb1 Mon Sep 17 00:00:00 2001
From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com>
Date: Thu, 19 Sep 2024 00:27:20 +0000
Subject: [PATCH 171/176] chore(master): release 33.0.4 (#2102)
Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
---
 CHANGELOG.md | 7 +++++++
 autogen/main/versions.tf.tmpl | 8 ++++----
 autogen/safer-cluster/versions.tf.tmpl | 2 +-
 modules/acm/versions.tf | 4 ++--
 modules/asm/versions.tf | 4 ++--
 modules/auth/versions.tf | 2 +-
 modules/beta-autopilot-private-cluster/versions.tf | 2 +-
 modules/beta-autopilot-public-cluster/versions.tf | 2 +-
 modules/beta-private-cluster-update-variant/versions.tf | 2 +-
 modules/beta-private-cluster/versions.tf | 2 +-
 modules/beta-public-cluster-update-variant/versions.tf | 2 +-
 modules/beta-public-cluster/versions.tf | 2 +-
 modules/binary-authorization/versions.tf | 2 +-
 modules/fleet-app-operator-permissions/versions.tf | 2 +-
 modules/fleet-membership/versions.tf | 2 +-
 modules/hub-legacy/versions.tf | 2 +-
 modules/private-cluster-update-variant/versions.tf | 2 +-
 modules/private-cluster/versions.tf | 2 +-
 modules/safer-cluster-update-variant/versions.tf | 2 +-
 modules/safer-cluster/versions.tf | 2 +-
 modules/services/versions.tf | 2 +-
 modules/workload-identity/versions.tf | 2 +-
 versions.tf | 2 +-
 23 files changed, 34 insertions(+), 27 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d41fe0abed..d88f593a68 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [33.0.4](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v33.0.3...v33.0.4) (2024-09-18) + + ### Bug Fixes + +* TPG < 6.2 for Autopilot ([#2101](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/2101)) ([bff49e1](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/bff49e1964889d49c0e0b774b2c23220c116ac15)) + ## [33.0.3](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v33.0.2...v33.0.3) (2024-09-13)
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 5c00de8efe..22ca7e5eec 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -40,7 +40,7 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.4"
 }
 {% elif beta_cluster and autopilot_cluster %}
 required_providers {
@@ -64,7 +64,7 @@ terraform {
 }
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.4"
 }
 {% elif autopilot_cluster %}
 required_providers {
@@ -83,7 +83,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.4"
 }
 {% else %}
 required_providers {
@@ -101,7 +101,7 @@ terraform {
 }
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.4"
 }
 {% endif %}
 }
diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl
index dec039a64e..db94ee50f0 100644
--- a/autogen/safer-cluster/versions.tf.tmpl
+++ b/autogen/safer-cluster/versions.tf.tmpl
@@ -23,6 +23,6 @@ terraform {
 required_version = ">=1.3"
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v33.0.4"
 }
 }
diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf
index 03dc6fc9b2..943afe951c 100644
--- a/modules/acm/versions.tf
+++ b/modules/acm/versions.tf
@@ -19,11 +19,11 @@ terraform {
 required_version = ">= 0.13.0"
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.4"
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v33.0.4"
 }
 required_providers {
diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf
index 1ee54794a9..336dcf337f 100644
--- a/modules/asm/versions.tf
+++ b/modules/asm/versions.tf
@@ -36,10 +36,10 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.4"
 }
 provider_meta "google-beta" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v33.0.4"
 }
 }
diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf
index 5b1a6761da..ed26d2328c 100644
--- a/modules/auth/versions.tf
+++ b/modules/auth/versions.tf
@@ -26,6 +26,6 @@ terraform {
 }
 provider_meta "google" {
- module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v33.0.3"
+ module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v33.0.4"
 }
 }
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index d3d54fee39..51332f952b 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -39,6 +39,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v33.0.4" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 5a1725b22d..9a8aa004e4 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -39,6 +39,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v33.0.4" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 286e235763..0c3ad8978d 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v33.0.4" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index ae73d2d153..a6aab246ca 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v33.0.4" } } 
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 1ee24ccfe2..2e6eb1954a 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v33.0.4" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index ac2e27dd8d..d5394af2ce 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v33.0.4" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index 5ea50df907..9d06e02007 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v33.0.4" } } diff --git a/modules/fleet-app-operator-permissions/versions.tf b/modules/fleet-app-operator-permissions/versions.tf index 8627770ecc..fb36d06831 100644 --- a/modules/fleet-app-operator-permissions/versions.tf +++ b/modules/fleet-app-operator-permissions/versions.tf 
@@ -33,7 +33,7 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:fleet-app-operator-permissions/v33.0.4" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 69d189dbe0..447270a0cd 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.4" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index ca05160e1e..9f18f39354 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v33.0.4" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index a738c97543..0fc6be766c 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v33.0.4" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 3e23e3e796..fb25d5b04a 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf 
@@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v33.0.4" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index 117b2dc0d5..11957fcff0 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v33.0.4" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index 95a7874731..e7d7874a9d 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v33.0.4" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 9eed0f00c4..8a7886c2ee 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf @@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v33.0.4" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 6f81df148b..0ec6506fb8 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf 
@@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v33.0.4" } } diff --git a/versions.tf b/versions.tf index 65ffef7d53..6a7a20413d 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v33.0.3" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v33.0.4" } } From 073390897e38310124646e56a39c305809fbded4 Mon Sep 17 00:00:00 2001 From: Felipe Marques Date: Thu, 19 Sep 2024 16:18:58 -0300 Subject: [PATCH 172/176] feat: enable L4 ILB subsetting support for safer clusters (#2105) --- autogen/safer-cluster/main.tf.tmpl | 3 +++ autogen/safer-cluster/variables.tf.tmpl | 6 ++++++ modules/safer-cluster-update-variant/README.md | 1 + modules/safer-cluster-update-variant/main.tf | 3 +++ modules/safer-cluster-update-variant/variables.tf | 6 ++++++ modules/safer-cluster/README.md | 1 + modules/safer-cluster/main.tf | 3 +++ modules/safer-cluster/variables.tf | 6 ++++++ 8 files changed, 29 insertions(+) diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 5a156c7ccc..95a2fc6e2e 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -169,6 +169,9 @@ module "gke" { // Enable cost allocation support enable_cost_allocation = var.enable_cost_allocation + // Enable L4 ILB subsetting on the cluster + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + // Use of PodSecurityPolicy admission controller // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies enable_pod_security_policy = var.enable_pod_security_policy diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 88da0f4adc..eeb1b77ec4 100644 
--- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -391,6 +391,12 @@ variable "enable_intranode_visibility" { default = false } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + variable "enable_vertical_pod_autoscaling" { type = bool description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it" diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index ee2e8bee69..d2203ddf33 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
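Review bot: The description of the new `enable_l4_ilb_subsetting` variable does not warn that this is a one-way switch: as far as I know GKE does not allow L4 ILB subsetting to be turned off once it has been enabled on a cluster, so setting the variable back to `false` after an apply will not restore the previous state and may leave the plan unable to converge. Suggest `description = "Enable L4 ILB Subsetting on the cluster. Once enabled, GKE does not allow subsetting to be disabled again, so treat this as a one-way setting."` in the template. The same wording would then flow into the generated `modules/safer-cluster*/variables.tf` and README copies that this patch regenerates from it.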
@@ -221,6 +221,7 @@ For simplicity, we suggest using `roles/container.admin` and | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | +| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no | diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index f79239f47d..85f55f3e7b 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf 
@@ -165,6 +165,9 @@ module "gke" { // Enable cost allocation support enable_cost_allocation = var.enable_cost_allocation + // Enable L4 ILB subsetting on the cluster + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + // Use of PodSecurityPolicy admission controller // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies enable_pod_security_policy = var.enable_pod_security_policy diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index d6e72d35c4..1934526404 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -391,6 +391,12 @@ variable "enable_intranode_visibility" { default = false } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + variable "enable_vertical_pod_autoscaling" { type = bool description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it" diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index ee2e8bee69..d2203ddf33 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
@@ -221,6 +221,7 @@ For simplicity, we suggest using `roles/container.admin` and | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | +| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index ac8b6d9409..3c67db4830 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf 
@@ -165,6 +165,9 @@ module "gke" { // Enable cost allocation support enable_cost_allocation = var.enable_cost_allocation + // Enable L4 ILB subsetting on the cluster + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + // Use of PodSecurityPolicy admission controller // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies enable_pod_security_policy = var.enable_pod_security_policy diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index d6e72d35c4..1934526404 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -391,6 +391,12 @@ variable "enable_intranode_visibility" { default = false } +variable "enable_l4_ilb_subsetting" { + type = bool + description = "Enable L4 ILB Subsetting on the cluster" + default = false +} + variable "enable_vertical_pod_autoscaling" { type = bool description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it" From 700a01d56f063d2aeec97c30cd03abdfbf1ca312 Mon Sep 17 00:00:00 2001 From: Will Yardley Date: Tue, 24 Sep 2024 08:16:19 -0700 Subject: [PATCH 173/176] fix: allow null `enable_gcfs` setting in defined nodepools (#2111) --- autogen/main/cluster.tf.tmpl | 2 +- cluster.tf | 4 ++-- modules/beta-private-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-private-cluster/cluster.tf | 4 ++-- modules/beta-public-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-public-cluster/cluster.tf | 4 ++-- modules/private-cluster-update-variant/cluster.tf | 4 ++-- modules/private-cluster/cluster.tf | 4 ++-- .../testdata/TestPrivateZonalWithNetworking.json | 1 - 9 files changed, 15 insertions(+), 16 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 52d6ef05d2..3732440c05 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -887,7 +887,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null ) !=null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } diff --git a/cluster.tf b/cluster.tf index 27cd0cebb0..5ac63fc65e 100644 --- a/cluster.tf +++ b/cluster.tf @@ -593,7 +593,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } @@ -875,7 +875,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 7f6916b96e..1a42cbd6f6 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
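Review bot: The template's new `for_each` line is spaced differently from every generated copy in this patch: `lookup(each.value, "enable_gcfs", null ) !=null ? ...` here versus `lookup(each.value, "enable_gcfs", null) != null ? ...` in `cluster.tf` and the module copies, which suggests the generated files were formatted after generation rather than the template being fixed. Please normalize the template to `for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : []` so the next regeneration does not reintroduce the odd spacing. It is also worth stating in the commit message that an unset `enable_gcfs` now yields no `gcfs_config` block at all instead of an explicit `enabled = false` block, which the removed `"gcfsConfig": {}` in the test fixture shows is the intended effect. The enclosing `google_container_node_pool` resource starts before and continues after this hunk.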
@@ -760,7 +760,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } @@ -1056,7 +1056,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index ef77e7808d..4b5bd2455c 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -678,7 +678,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } 
@@ -973,7 +973,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index bafcacdd12..c4d50aca18 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -739,7 +739,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } @@ -1035,7 +1035,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 2c362c4263..a36f5d95e3 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -657,7 +657,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } @@ -952,7 +952,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index e3a1a52263..a3b8ed94d1 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -696,7 +696,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } 
@@ -979,7 +979,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index c6cf074c54..17724dcd64 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -614,7 +614,7 @@ resource "google_container_node_pool" "pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } @@ -896,7 +896,7 @@ resource "google_container_node_pool" "windows_pools" { min_cpu_platform = lookup(each.value, "min_cpu_platform", "") enable_confidential_storage = lookup(each.value, "enable_confidential_storage", false) dynamic "gcfs_config" { - for_each = lookup(each.value, "enable_gcfs", false) ? [true] : [false] + for_each = lookup(each.value, "enable_gcfs", null) != null ? [each.value.enable_gcfs] : [] content { enabled = gcfs_config.value } diff --git a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json index 8a2ab04442..c6bdd3f7cb 100755 --- a/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json +++ b/test/integration/private_zonal_with_networking/testdata/TestPrivateZonalWithNetworking.json 
@@ -210,7 +210,6 @@ "config": { "diskSizeGb": 100, "diskType": "pd-standard", - "gcfsConfig": {}, "imageType": "COS_CONTAINERD", "labels": { "cluster_name": "CLUSTER_NAME", From 620bf32e877201af5a7e575af61b9590431991ef Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Tue, 24 Sep 2024 17:11:09 -0700 Subject: [PATCH 174/176] fix(autopilot): narrow version exclusion (#2112) --- autogen/main/versions.tf.tmpl | 6 +++--- modules/beta-autopilot-private-cluster/versions.tf | 4 ++-- modules/beta-autopilot-public-cluster/versions.tf | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 22ca7e5eec..4db219a34b 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -47,12 +47,12 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, != 6.3.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, != 6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" @@ -71,7 +71,7 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, != 6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 51332f952b..c203858b69 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf 
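Review bot: The widened constraint `>= 5.40.0, != 5.44.0, != 6.2.0, != 6.3.0, < 7` now admits every provider release from 6.4.0 onward, so it implicitly asserts that the regression tracked in issue 19428 is fixed there; if that has been confirmed, the comment should say so, e.g. `# Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 (affects 5.44.0, 6.2.0 and 6.3.0)`, so a later reader knows when the exclusions can be dropped. If the fix is not yet released, an upper bound is the safer shape, because an exclusion list accepts any future 6.x carrying the same defect automatically. The constraint is repeated for `google-beta` and in the non-beta branch of this template, and the two autopilot module copies in this patch are generated from it, so all three occurrences need to stay in lockstep.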
@@ -22,12 +22,12 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, != 6.3.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, != 6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 9a8aa004e4..2c0052f473 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -22,12 +22,12 @@ terraform { google = { source = "hashicorp/google" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, != 6.3.0, < 7" } google-beta = { source = "hashicorp/google-beta" # Workaround for https://github.com/hashicorp/terraform-provider-google/issues/19428 - version = ">= 5.40.0, != 5.44.0, < 6.2.0, < 7" + version = ">= 5.40.0, != 5.44.0, != 6.2.0, != 6.3.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" From 7ea17522659a6fb911d72af87f219ccfd8a73765 Mon Sep 17 00:00:00 2001 From: Will Yardley Date: Wed, 25 Sep 2024 11:03:05 -0700 Subject: [PATCH 175/176] chore: pin version in `simple_regional_with_ipv6` example (#2115) --- examples/simple_regional_with_ipv6/main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/simple_regional_with_ipv6/main.tf b/examples/simple_regional_with_ipv6/main.tf index 51fa9b6106..04d51920b1 100644 --- a/examples/simple_regional_with_ipv6/main.tf +++ b/examples/simple_regional_with_ipv6/main.tf 
@@ -27,7 +27,9 @@ provider "kubernetes" { } module "gke" { - source = "terraform-google-modules/kubernetes-engine/google" + source = "terraform-google-modules/kubernetes-engine/google" + version = "~> 33.0" + project_id = var.project_id name = "${local.cluster_type}-cluster${var.cluster_name_suffix}" regional = true From 3a23cd4daaea4486eac02370f5ffba1d9cdd85cf Mon Sep 17 00:00:00 2001 From: Will Yardley Date: Wed, 25 Sep 2024 12:16:43 -0700 Subject: [PATCH 176/176] refactor: replace non-default `lookup()` calls with direct access (#2113) --- autogen/main/cluster.tf.tmpl | 6 +++--- cluster.tf | 6 +++--- modules/beta-private-cluster-update-variant/cluster.tf | 6 +++--- modules/beta-private-cluster/cluster.tf | 6 +++--- modules/beta-public-cluster-update-variant/cluster.tf | 6 +++--- modules/beta-public-cluster/cluster.tf | 6 +++--- modules/private-cluster-update-variant/cluster.tf | 6 +++--- modules/private-cluster/cluster.tf | 6 +++--- 8 files changed, 24 insertions(+), 24 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 3732440c05..80200fe7a2 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -184,9 +184,9 @@ resource "google_container_cluster" "primary" { dynamic "resource_limits" { for_each = local.autoscaling_resource_limits content { - resource_type = lookup(resource_limits.value, "resource_type") - minimum = lookup(resource_limits.value, "minimum") - maximum = lookup(resource_limits.value, "maximum") + resource_type = resource_limits.value["resource_type"] + minimum = resource_limits.value["minimum"] + maximum = resource_limits.value["maximum"] } } } diff --git a/cluster.tf b/cluster.tf index 5ac63fc65e..ad40edfcd6 100644 --- a/cluster.tf +++ b/cluster.tf 
@@ -154,9 +154,9 @@ resource "google_container_cluster" "primary" {
     dynamic "resource_limits" {
       for_each = local.autoscaling_resource_limits
       content {
-        resource_type = lookup(resource_limits.value, "resource_type")
-        minimum = lookup(resource_limits.value, "minimum")
-        maximum = lookup(resource_limits.value, "maximum")
+        resource_type = resource_limits.value["resource_type"]
+        minimum = resource_limits.value["minimum"]
+        maximum = resource_limits.value["maximum"]
       }
     }
   }
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 1a42cbd6f6..f72e09afa1 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -161,9 +161,9 @@ resource "google_container_cluster" "primary" {
     dynamic "resource_limits" {
       for_each = local.autoscaling_resource_limits
       content {
-        resource_type = lookup(resource_limits.value, "resource_type")
-        minimum = lookup(resource_limits.value, "minimum")
-        maximum = lookup(resource_limits.value, "maximum")
+        resource_type = resource_limits.value["resource_type"]
+        minimum = resource_limits.value["minimum"]
+        maximum = resource_limits.value["maximum"]
       }
     }
   }
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 4b5bd2455c..a4d1fa97a8 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -161,9 +161,9 @@ resource "google_container_cluster" "primary" {
     dynamic "resource_limits" {
       for_each = local.autoscaling_resource_limits
       content {
-        resource_type = lookup(resource_limits.value, "resource_type")
-        minimum = lookup(resource_limits.value, "minimum")
-        maximum = lookup(resource_limits.value, "maximum")
+        resource_type = resource_limits.value["resource_type"]
+        minimum = resource_limits.value["minimum"]
+        maximum = resource_limits.value["maximum"]
       }
     }
   }
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index c4d50aca18..0bd731d0f9 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -161,9 +161,9 @@ resource "google_container_cluster" "primary" {
     dynamic "resource_limits" {
       for_each = local.autoscaling_resource_limits
       content {
-        resource_type = lookup(resource_limits.value, "resource_type")
-        minimum = lookup(resource_limits.value, "minimum")
-        maximum = lookup(resource_limits.value, "maximum")
+        resource_type = resource_limits.value["resource_type"]
+        minimum = resource_limits.value["minimum"]
+        maximum = resource_limits.value["maximum"]
       }
     }
   }
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index a36f5d95e3..234d71e718 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -161,9 +161,9 @@ resource "google_container_cluster" "primary" {
     dynamic "resource_limits" {
       for_each = local.autoscaling_resource_limits
       content {
-        resource_type = lookup(resource_limits.value, "resource_type")
-        minimum = lookup(resource_limits.value, "minimum")
-        maximum = lookup(resource_limits.value, "maximum")
+        resource_type = resource_limits.value["resource_type"]
+        minimum = resource_limits.value["minimum"]
+        maximum = resource_limits.value["maximum"]
       }
     }
   }
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index a3b8ed94d1..f857959530 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -154,9 +154,9 @@ resource "google_container_cluster" "primary" {
     dynamic "resource_limits" {
       for_each = local.autoscaling_resource_limits
       content {
-        resource_type = lookup(resource_limits.value, "resource_type")
-        minimum = lookup(resource_limits.value, "minimum")
-        maximum = lookup(resource_limits.value, "maximum")
+        resource_type = resource_limits.value["resource_type"]
+        minimum = resource_limits.value["minimum"]
+        maximum = resource_limits.value["maximum"]
       }
     }
   }
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 17724dcd64..382e1b8cfd 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -154,9 +154,9 @@ resource "google_container_cluster" "primary" {
     dynamic "resource_limits" {
       for_each = local.autoscaling_resource_limits
       content {
-        resource_type = lookup(resource_limits.value, "resource_type")
-        minimum = lookup(resource_limits.value, "minimum")
-        maximum = lookup(resource_limits.value, "maximum")
+        resource_type = resource_limits.value["resource_type"]
+        minimum = resource_limits.value["minimum"]
+        maximum = resource_limits.value["maximum"]
       }
     }
   }