
feat: add cross project fleet service agent for beta clusters
apeabody committed Mar 7, 2024
1 parent 79a8d68 commit 594178c
Showing 27 changed files with 193 additions and 0 deletions.
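--- a/autogen/main/outputs.tf.tmpl
+++ b/autogen/main/outputs.tf.tmpl
@@ -239,3 +239,10 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+{% if beta_cluster %}
+
+output "fleet_project_service_agent_email" {
+description = "Fleet project service agent email (if granted)"
+value = try(google_project_service_identity.fleet_project[0].email, null)
+}
+{% endif %}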
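--- a/autogen/main/sa.tf.tmpl
+++ b/autogen/main/sa.tf.tmpl
@@ -65,3 +65,19 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+{% if beta_cluster %}
+
+resource "google_project_service_identity" "fleet_project" {
+count = var.fleet_project_grant_service_agent ? 1 : 0
+provider = google-beta
+project = var.fleet_project
+service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+project = var.fleet_project
+role = each.value
+member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}
+{% endif %}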
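Review bot: The two `google_project_iam_member.service_agent` bindings use `project = var.fleet_project`, which is the same project whose GKE Hub service identity is the member, so nothing here crosses a project boundary despite the commit title; for a cluster registered into a fleet hosted in another project, the fleet host project's agent needs these roles on the cluster's own project, which would presumably be `project = var.project_id` in this module — confirm against the fleet cross-project registration docs before changing the target. Separately, `fleet_project` defaults to `null`, and when `fleet_project_grant_service_agent` is `true` with no fleet project set, both the service identity and the bindings presumably fall back to the provider's default project, granting two project-level roles somewhere the caller did not intend. If the module's required Terraform version allows it, a `precondition` on the service identity (below) fails the plan instead of mis-targeting the grant. The generated per-module copies of `sa.tf` in this commit inherit both points.
```hcl
resource "google_project_service_identity" "fleet_project" {
  # … unchanged: count, provider, project, service …

  lifecycle {
    precondition {
      condition     = var.fleet_project != null
      error_message = "fleet_project must be set when fleet_project_grant_service_agent is true."
    }
  }
}
```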
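--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -863,3 +863,11 @@ variable "fleet_project" {
 type = string
 default = null
 }
+{% if beta_cluster %}
+
+variable "fleet_project_grant_service_agent" {
+description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+type = bool
+default = false
+}
+{% endif %}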
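Review bot: The description of `fleet_project_grant_service_agent` names the roles but not the project they are bound in, nor that the flag depends on `fleet_project` being set; since the generated README rows copy this text verbatim, downstream readers judging the blast radius of two project-level grants get no hint of either. Suggest `description = "(Optional) Grant the fleet project's GKE Hub service identity the roles/gkehub.serviceAgent and roles/gkehub.crossProjectServiceAgent roles at project level. Requires fleet_project to be set."`. If the binding target is changed to the cluster project later, the description should name that project instead.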
2 changes: 2 additions & 0 deletions modules/beta-autopilot-private-cluster/README.md
Expand Up @@ -99,6 +99,7 @@ Then perform the following commands on the root folder:
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
Expand Down Expand Up @@ -155,6 +156,7 @@ Then perform the following commands on the root folder:
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
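--- a/modules/beta-autopilot-private-cluster/outputs.tf
+++ b/modules/beta-autopilot-private-cluster/outputs.tf
@@ -193,3 +193,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+description = "Fleet project service agent email (if granted)"
+value = try(google_project_service_identity.fleet_project[0].email, null)
+}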
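--- a/modules/beta-autopilot-private-cluster/sa.tf
+++ b/modules/beta-autopilot-private-cluster/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+count = var.fleet_project_grant_service_agent ? 1 : 0
+provider = google-beta
+project = var.fleet_project
+service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+project = var.fleet_project
+role = each.value
+member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}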
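--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -466,3 +466,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+type = bool
+default = false
+}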
2 changes: 2 additions & 0 deletions modules/beta-autopilot-public-cluster/README.md
Expand Up @@ -90,6 +90,7 @@ Then perform the following commands on the root folder:
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
Expand Down Expand Up @@ -144,6 +145,7 @@ Then perform the following commands on the root folder:
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
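--- a/modules/beta-autopilot-public-cluster/outputs.tf
+++ b/modules/beta-autopilot-public-cluster/outputs.tf
@@ -183,3 +183,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+description = "Fleet project service agent email (if granted)"
+value = try(google_project_service_identity.fleet_project[0].email, null)
+}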
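--- a/modules/beta-autopilot-public-cluster/sa.tf
+++ b/modules/beta-autopilot-public-cluster/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+count = var.fleet_project_grant_service_agent ? 1 : 0
+provider = google-beta
+project = var.fleet_project
+service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+project = var.fleet_project
+role = each.value
+member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}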
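--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -436,3 +436,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+type = bool
+default = false
+}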
2 changes: 2 additions & 0 deletions modules/beta-private-cluster-update-variant/README.md
Expand Up @@ -212,6 +212,7 @@ Then perform the following commands on the root folder:
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
Expand Down Expand Up @@ -295,6 +296,7 @@ Then perform the following commands on the root folder:
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
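--- a/modules/beta-private-cluster-update-variant/outputs.tf
+++ b/modules/beta-private-cluster-update-variant/outputs.tf
@@ -219,3 +219,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+description = "Fleet project service agent email (if granted)"
+value = try(google_project_service_identity.fleet_project[0].email, null)
+}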
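--- a/modules/beta-private-cluster-update-variant/sa.tf
+++ b/modules/beta-private-cluster-update-variant/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+count = var.fleet_project_grant_service_agent ? 1 : 0
+provider = google-beta
+project = var.fleet_project
+service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+project = var.fleet_project
+role = each.value
+member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}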
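--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -817,3 +817,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+type = bool
+default = false
+}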
2 changes: 2 additions & 0 deletions modules/beta-private-cluster/README.md
Expand Up @@ -190,6 +190,7 @@ Then perform the following commands on the root folder:
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
Expand Down Expand Up @@ -273,6 +274,7 @@ Then perform the following commands on the root folder:
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
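--- a/modules/beta-private-cluster/outputs.tf
+++ b/modules/beta-private-cluster/outputs.tf
@@ -219,3 +219,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+description = "Fleet project service agent email (if granted)"
+value = try(google_project_service_identity.fleet_project[0].email, null)
+}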
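--- a/modules/beta-private-cluster/sa.tf
+++ b/modules/beta-private-cluster/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+count = var.fleet_project_grant_service_agent ? 1 : 0
+provider = google-beta
+project = var.fleet_project
+service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+project = var.fleet_project
+role = each.value
+member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}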
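--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -817,3 +817,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+type = bool
+default = false
+}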
2 changes: 2 additions & 0 deletions modules/beta-public-cluster-update-variant/README.md
Expand Up @@ -203,6 +203,7 @@ Then perform the following commands on the root folder:
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
Expand Down Expand Up @@ -284,6 +285,7 @@ Then perform the following commands on the root folder:
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
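--- a/modules/beta-public-cluster-update-variant/outputs.tf
+++ b/modules/beta-public-cluster-update-variant/outputs.tf
@@ -209,3 +209,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+description = "Fleet project service agent email (if granted)"
+value = try(google_project_service_identity.fleet_project[0].email, null)
+}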
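--- a/modules/beta-public-cluster-update-variant/sa.tf
+++ b/modules/beta-public-cluster-update-variant/sa.tf
@@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry"
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${google_service_account.cluster_service_account[0].email}"
 }
+
+resource "google_project_service_identity" "fleet_project" {
+count = var.fleet_project_grant_service_agent ? 1 : 0
+provider = google-beta
+project = var.fleet_project
+service = "gkehub.googleapis.com"
+}
+
+resource "google_project_iam_member" "service_agent" {
+for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : []
+project = var.fleet_project
+role = each.value
+member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}"
+}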
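--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -787,3 +787,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "fleet_project_grant_service_agent" {
+description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles."
+type = bool
+default = false
+}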
2 changes: 2 additions & 0 deletions modules/beta-public-cluster/README.md
Expand Up @@ -181,6 +181,7 @@ Then perform the following commands on the root folder:
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
Expand Down Expand Up @@ -262,6 +263,7 @@ Then perform the following commands on the root folder:
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| fleet\_project\_service\_agent\_email | Fleet project service agent email (if granted) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
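--- a/modules/beta-public-cluster/outputs.tf
+++ b/modules/beta-public-cluster/outputs.tf
@@ -209,3 +209,8 @@ output "fleet_membership" {
 description = "Fleet membership (if registered)"
 value = local.fleet_membership
 }
+
+output "fleet_project_service_agent_email" {
+description = "Fleet project service agent email (if granted)"
+value = try(google_project_service_identity.fleet_project[0].email, null)
+}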