Commit
feat: add direct fleet registration option (#1878)
apeabody authored Feb 26, 2024
1 parent 2a39b0b commit 6b267bd
Showing 52 changed files with 225 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -167,6 +167,7 @@ Then perform the following commands on the root folder:
| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
Expand Down Expand Up @@ -239,6 +240,7 @@ Then perform the following commands on the root folder:
| ca\_certificate | Cluster ca certificate (base64 encoded) |
| cluster\_id | Cluster ID |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
7 changes: 7 additions & 0 deletions autogen/main/cluster.tf.tmpl
Expand Up @@ -347,6 +347,13 @@ resource "google_container_cluster" "primary" {
vulnerability_mode = var.security_posture_vulnerability_mode
}

dynamic "fleet" {
for_each = var.fleet_project != null ? [1] : []
content {
project = var.fleet_project
}
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
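Review bot: the `for_each = var.fleet_project != null ? [1] : []` guard treats an empty string as a registration request, so a caller passing `fleet_project = ""` gets a `fleet { project = "" }` block rendered into the cluster resource instead of no registration. Either guard on `var.fleet_project != null && var.fleet_project != ""` here (and in the matching `fleet_membership` local in main.tf.tmpl) or reject the empty string with a `validation` block on the variable; since this template is the source for every module variant, fixing it here is enough.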
2 changes: 2 additions & 0 deletions autogen/main/main.tf.tmpl
Expand Up @@ -60,6 +60,8 @@ locals {
windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools)))
{% endif %}

fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null

release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : []
gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : []

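Review bot: `google_container_cluster.primary.fleet[0].membership` is only safe because the `var.fleet_project != null` condition here mirrors the `for_each` condition of the `dynamic "fleet"` block in cluster.tf.tmpl exactly; the same expression is now duplicated in two files and will silently diverge if one is later tightened. Suggest a single local such as `fleet_enabled = var.fleet_project != null`, consumed by both the dynamic block and this expression, so the `[0]` index can never be evaluated against an empty `fleet` list.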
5 changes: 5 additions & 0 deletions autogen/main/outputs.tf.tmpl
Expand Up @@ -234,3 +234,8 @@ output "identity_service_enabled" {
value = local.cluster_pod_security_policy_enabled
}
{% endif %}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
}
6 changes: 6 additions & 0 deletions autogen/main/variables.tf.tmpl
Expand Up @@ -857,3 +857,9 @@ variable "allow_net_admin" {
default = null
}
{% endif %}

variable "fleet_project" {
description = "(Optional) Register the cluster with the fleet in this project."
type = string
default = null
}
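Review bot: the description does not say what a value other than the cluster's own project means. Because `var.fleet_project` is passed straight into the `fleet` block's `project`, a different project ID is a cross-project registration, which has its own setup on the fleet host project side and is the case a module user is most likely to get wrong; one sentence noting that (and pointing at the fleet host project prerequisites) would help. The leading `(Optional)` is redundant with the generated README, where the `Required` column already reads `no`, and a `validation` block rejecting `""` would close the gap left by the `!= null` checks in cluster.tf.tmpl and main.tf.tmpl.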
7 changes: 7 additions & 0 deletions cluster.tf
Expand Up @@ -231,6 +231,13 @@ resource "google_container_cluster" "primary" {
vulnerability_mode = var.security_posture_vulnerability_mode
}

dynamic "fleet" {
for_each = var.fleet_project != null ? [1] : []
content {
project = var.fleet_project
}
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
1 change: 1 addition & 0 deletions examples/simple_regional/main.tf
Expand Up @@ -43,5 +43,6 @@ module "gke" {
enable_cost_allocation = true
enable_binary_authorization = var.enable_binary_authorization
gcs_fuse_csi_driver = true
fleet_project = var.project_id
deletion_protection = false
}
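Review bot: `fleet_project = var.project_id` registers the example cluster with the fleet in its own project, so only the same-project path is exercised, and nothing in the example exposes the new `fleet_membership` module output, which means the integration test cannot assert that registration actually happened. Suggest adding an `output "fleet_membership"` to the example and asserting it is non-null in the test; the cross-project case would still be untested and is worth calling out.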
1 change: 1 addition & 0 deletions examples/simple_zonal_with_hub/README.md
Expand Up @@ -23,6 +23,7 @@ It incorporates the standard cluster module, the [registration module](../../mod
| ca\_certificate | n/a |
| client\_token | n/a |
| cluster\_name | Cluster name |
| hub\_location | The location of the hub membership. |
| ip\_range\_pods | The secondary IP range used for pods |
| ip\_range\_services | The secondary IP range used for services |
| kubernetes\_endpoint | n/a |
5 changes: 5 additions & 0 deletions examples/simple_zonal_with_hub/outputs.tf
Expand Up @@ -79,3 +79,8 @@ output "master_kubernetes_version" {
description = "The master Kubernetes version"
value = module.gke.master_version
}

output "hub_location" {
description = "The location of the hub membership."
value = module.hub.location
}
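Review bot: this output comes from `module.hub` (the separate registration module) rather than from the new `fleet_project` option, and the commit message (`feat: add direct fleet registration option`) does not mention it. If it exists so the test can compare the hub-module membership with the direct one, a short comment on the output saying so would help; otherwise it reads better as its own commit.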
2 changes: 2 additions & 0 deletions main.tf
Expand Up @@ -54,6 +54,8 @@ locals {
windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name]
windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools)))

fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null

release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : []
gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : []

2 changes: 2 additions & 0 deletions modules/beta-autopilot-private-cluster/README.md
Expand Up @@ -98,6 +98,7 @@ Then perform the following commands on the root folder:
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
Expand Down Expand Up @@ -153,6 +154,7 @@ Then perform the following commands on the root folder:
| cluster\_id | Cluster ID |
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
7 changes: 7 additions & 0 deletions modules/beta-autopilot-private-cluster/cluster.tf
Expand Up @@ -147,6 +147,13 @@ resource "google_container_cluster" "primary" {
vulnerability_mode = var.security_posture_vulnerability_mode
}

dynamic "fleet" {
for_each = var.fleet_project != null ? [1] : []
content {
project = var.fleet_project
}
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
2 changes: 2 additions & 0 deletions modules/beta-autopilot-private-cluster/main.tf
Expand Up @@ -49,6 +49,8 @@ locals {
master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
master_version = var.regional ? local.master_version_regional : local.master_version_zonal

fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null

release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : []
gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : []

5 changes: 5 additions & 0 deletions modules/beta-autopilot-private-cluster/outputs.tf
Expand Up @@ -188,3 +188,8 @@ output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_pod_security_policy_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
}
6 changes: 6 additions & 0 deletions modules/beta-autopilot-private-cluster/variables.tf
Expand Up @@ -460,3 +460,9 @@ variable "allow_net_admin" {
type = bool
default = null
}

variable "fleet_project" {
description = "(Optional) Register the cluster with the fleet in this project."
type = string
default = null
}
2 changes: 2 additions & 0 deletions modules/beta-autopilot-public-cluster/README.md
Expand Up @@ -89,6 +89,7 @@ Then perform the following commands on the root folder:
| enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
| horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
Expand Down Expand Up @@ -142,6 +143,7 @@ Then perform the following commands on the root folder:
| cluster\_id | Cluster ID |
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
7 changes: 7 additions & 0 deletions modules/beta-autopilot-public-cluster/cluster.tf
Expand Up @@ -147,6 +147,13 @@ resource "google_container_cluster" "primary" {
vulnerability_mode = var.security_posture_vulnerability_mode
}

dynamic "fleet" {
for_each = var.fleet_project != null ? [1] : []
content {
project = var.fleet_project
}
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
2 changes: 2 additions & 0 deletions modules/beta-autopilot-public-cluster/main.tf
Expand Up @@ -49,6 +49,8 @@ locals {
master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
master_version = var.regional ? local.master_version_regional : local.master_version_zonal

fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null

release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : []
gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : []

5 changes: 5 additions & 0 deletions modules/beta-autopilot-public-cluster/outputs.tf
Expand Up @@ -178,3 +178,8 @@ output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_pod_security_policy_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
}
6 changes: 6 additions & 0 deletions modules/beta-autopilot-public-cluster/variables.tf
Expand Up @@ -430,3 +430,9 @@ variable "allow_net_admin" {
type = bool
default = null
}

variable "fleet_project" {
description = "(Optional) Register the cluster with the fleet in this project."
type = string
default = null
}
2 changes: 2 additions & 0 deletions modules/beta-private-cluster-update-variant/README.md
Expand Up @@ -211,6 +211,7 @@ Then perform the following commands on the root folder:
| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
Expand Down Expand Up @@ -293,6 +294,7 @@ Then perform the following commands on the root folder:
| cluster\_id | Cluster ID |
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
7 changes: 7 additions & 0 deletions modules/beta-private-cluster-update-variant/cluster.tf
Expand Up @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" {
vulnerability_mode = var.security_posture_vulnerability_mode
}

dynamic "fleet" {
for_each = var.fleet_project != null ? [1] : []
content {
project = var.fleet_project
}
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
2 changes: 2 additions & 0 deletions modules/beta-private-cluster-update-variant/main.tf
Expand Up @@ -54,6 +54,8 @@ locals {
windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name]
windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools)))

fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null

release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : []
gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : []

5 changes: 5 additions & 0 deletions modules/beta-private-cluster-update-variant/outputs.tf
Expand Up @@ -214,3 +214,8 @@ output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_pod_security_policy_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
}
6 changes: 6 additions & 0 deletions modules/beta-private-cluster-update-variant/variables.tf
Expand Up @@ -811,3 +811,9 @@ variable "enable_gcfs" {
description = "Enable image streaming on cluster level."
default = false
}

variable "fleet_project" {
description = "(Optional) Register the cluster with the fleet in this project."
type = string
default = null
}
2 changes: 2 additions & 0 deletions modules/beta-private-cluster/README.md
Expand Up @@ -189,6 +189,7 @@ Then perform the following commands on the root folder:
| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
Expand Down Expand Up @@ -271,6 +272,7 @@ Then perform the following commands on the root folder:
| cluster\_id | Cluster ID |
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
7 changes: 7 additions & 0 deletions modules/beta-private-cluster/cluster.tf
Expand Up @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" {
vulnerability_mode = var.security_posture_vulnerability_mode
}

dynamic "fleet" {
for_each = var.fleet_project != null ? [1] : []
content {
project = var.fleet_project
}
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
2 changes: 2 additions & 0 deletions modules/beta-private-cluster/main.tf
Expand Up @@ -54,6 +54,8 @@ locals {
windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name]
windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools)))

fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null

release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : []
gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : []

5 changes: 5 additions & 0 deletions modules/beta-private-cluster/outputs.tf
Expand Up @@ -214,3 +214,8 @@ output "identity_service_enabled" {
description = "Whether Identity Service is enabled"
value = local.cluster_pod_security_policy_enabled
}

output "fleet_membership" {
description = "Fleet membership (if registered)"
value = local.fleet_membership
}
6 changes: 6 additions & 0 deletions modules/beta-private-cluster/variables.tf
Expand Up @@ -811,3 +811,9 @@ variable "enable_gcfs" {
description = "Enable image streaming on cluster level."
default = false
}

variable "fleet_project" {
description = "(Optional) Register the cluster with the fleet in this project."
type = string
default = null
}
2 changes: 2 additions & 0 deletions modules/beta-public-cluster-update-variant/README.md
Expand Up @@ -202,6 +202,7 @@ Then perform the following commands on the root folder:
| filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
| firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | <pre>[<br> "8443",<br> "9443",<br> "15017"<br>]</pre> | no |
| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no |
| gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no |
| gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no |
| gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no |
Expand Down Expand Up @@ -282,6 +283,7 @@ Then perform the following commands on the root folder:
| cluster\_id | Cluster ID |
| dns\_cache\_enabled | Whether DNS Cache enabled |
| endpoint | Cluster endpoint |
| fleet\_membership | Fleet membership (if registered) |
| gateway\_api\_channel | The gateway api channel of this cluster. |
| horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
| http\_load\_balancing\_enabled | Whether http load balancing enabled |
7 changes: 7 additions & 0 deletions modules/beta-public-cluster-update-variant/cluster.tf
Expand Up @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" {
vulnerability_mode = var.security_posture_vulnerability_mode
}

dynamic "fleet" {
for_each = var.fleet_project != null ? [1] : []
content {
project = var.fleet_project
}
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
0 comments on commit 6b267bd
