From 8913ef27d6c97ae2c57d747ff29ca175a15833e7 Mon Sep 17 00:00:00 2001 
From: bgvdiscord <122317969+bgvdiscord@users.noreply.github.com> Date: Mon, 11 Sep 2023 13:48:14 -0500 Subject: [PATCH] feat: mesh_certificates support (#1712) --- README.md | 2 ++ autogen/main/cluster.tf.tmpl | 10 ++++++++++ autogen/main/main.tf.tmpl | 6 ++++++ autogen/main/outputs.tf.tmpl | 11 +++++++++++ autogen/main/variables.tf.tmpl | 9 ++++++++- autogen/safer-cluster/main.tf.tmpl | 3 +++ autogen/safer-cluster/outputs.tf.tmpl | 5 +++++ autogen/safer-cluster/variables.tf.tmpl | 6 ++++++ cluster.tf | 8 ++++++++ main.tf | 4 ++++ modules/beta-autopilot-private-cluster/cluster.tf | 1 + modules/beta-autopilot-private-cluster/main.tf | 1 + modules/beta-autopilot-private-cluster/outputs.tf | 2 ++ modules/beta-autopilot-private-cluster/variables.tf | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 1 + modules/beta-autopilot-public-cluster/main.tf | 1 + modules/beta-autopilot-public-cluster/outputs.tf | 2 ++ modules/beta-autopilot-public-cluster/variables.tf | 1 + modules/beta-private-cluster-update-variant/README.md | 2 ++ .../beta-private-cluster-update-variant/cluster.tf | 8 ++++++++ modules/beta-private-cluster-update-variant/main.tf | 4 ++++ .../beta-private-cluster-update-variant/outputs.tf | 9 +++++++++ .../beta-private-cluster-update-variant/variables.tf | 7 ++++++- modules/beta-private-cluster/README.md | 2 ++ modules/beta-private-cluster/cluster.tf | 8 ++++++++ modules/beta-private-cluster/main.tf | 4 ++++ modules/beta-private-cluster/outputs.tf | 9 +++++++++ modules/beta-private-cluster/variables.tf | 7 ++++++- modules/beta-public-cluster-update-variant/README.md | 2 ++ modules/beta-public-cluster-update-variant/cluster.tf | 8 ++++++++ modules/beta-public-cluster-update-variant/main.tf | 4 ++++ modules/beta-public-cluster-update-variant/outputs.tf | 9 +++++++++ .../beta-public-cluster-update-variant/variables.tf | 7 ++++++- modules/beta-public-cluster/README.md | 2 ++ modules/beta-public-cluster/cluster.tf | 8 ++++++++ 
modules/beta-public-cluster/main.tf | 4 ++++ modules/beta-public-cluster/outputs.tf | 9 +++++++++ modules/beta-public-cluster/variables.tf | 7 ++++++- modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 8 ++++++++ modules/private-cluster-update-variant/main.tf | 4 ++++ modules/private-cluster-update-variant/outputs.tf | 9 +++++++++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 8 ++++++++ modules/private-cluster/main.tf | 4 ++++ modules/private-cluster/outputs.tf | 9 +++++++++ modules/private-cluster/variables.tf | 6 ++++++ modules/safer-cluster-update-variant/README.md | 2 ++ modules/safer-cluster-update-variant/main.tf | 3 +++ modules/safer-cluster-update-variant/outputs.tf | 5 +++++ modules/safer-cluster-update-variant/variables.tf | 6 ++++++ modules/safer-cluster/README.md | 2 ++ modules/safer-cluster/main.tf | 3 +++ modules/safer-cluster/outputs.tf | 5 +++++ modules/safer-cluster/variables.tf | 6 ++++++ outputs.tf | 9 +++++++++ test/integration/safer_cluster/safer_cluster_test.go | 1 + .../safer_cluster/testdata/TestSaferCluster.json | 3 +++ variables.tf | 6 ++++++ 60 files changed, 298 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 79513bd60c..01be7adf61 100644 --- a/README.md +++ b/README.md 
@@ -154,6 +154,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | 
@@ -237,6 +238,7 @@ Then perform the following commands on the root folder: | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index ea7c68fdf5..efa4cea505 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -517,6 +517,16 @@ resource "google_container_cluster" "primary" { } {% endif %} + {% if autopilot_cluster != true %} + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + {% endif %} + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 80679d4f7a..26c410d5fc 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -219,6 +219,12 @@ locals { cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + {% if autopilot_cluster != true %} + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + {% endif %} + {% if beta_cluster %} # BETA features cluster_istio_enabled = ! local.cluster_output_istio_disabled diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index d22e8bd087..832054f9cc 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl 
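Review bot: Requesting `enable_mesh_certificates = true` on a cluster without Workload Identity is silently dropped rather than rejected: the new `dynamic "mesh_certificates"` block iterates `local.cluster_mesh_certificates_config`, which the companion `main.tf.tmpl` hunk leaves empty whenever `local.workload_identity_enabled` is false, so an operator can believe workload mTLS is on while no certificates are issued. The variable description says "Requires Workload Identity" but nothing in the code enforces it. If the module's minimum Terraform version permits lifecycle preconditions (1.2+), fail the plan instead, wrapped in the same `{% if autopilot_cluster != true %}` guard since the variable does not exist in the Autopilot modules. The enclosing `google_container_cluster` resource (and any existing `lifecycle` block it already has) starts and ends outside the hunk.
```hcl
  lifecycle {
    # … unchanged: existing ignore_changes, if any …
    precondition {
      condition     = !var.enable_mesh_certificates || local.workload_identity_enabled
      error_message = "enable_mesh_certificates requires Workload Identity (set identity_namespace)."
    }
  }
```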
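Review bot: The new local emits a `mesh_certificates { enable_certificates = false }` block for every Workload-Identity cluster, including the default case where nobody asked for the feature, so existing clusters built from this module get a block they did not have before; whether that shows up as an in-place update on the next plan depends on how the provider treats an explicit false versus an absent block, and is worth checking against an already-deployed cluster before release. Sending the explicit false looks deliberate (presumably so that turning the feature back off is actually applied), but the intent is not recorded anywhere; a one-line comment above the local such as `# Emitted whenever Workload Identity is on, even when false, so that disabling the feature later is applied rather than left unmanaged` would stop the next maintainer from "simplifying" it to only emit on true. The `locals` block begins outside the hunk.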
@@ -170,6 +170,17 @@ output "identity_namespace" { google_container_cluster.primary ] } + +{% if autopilot_cluster != true %} +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} +{% endif %} + {% if private_cluster %} output "master_ipv4_cidr_block" { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index a2effe8e07..2525d07242 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -466,6 +466,14 @@ variable "identity_namespace" { default = "enabled" } +{% if autopilot_cluster != true %} +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} +{% endif %} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -763,7 +771,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 7459598fb6..e369762543 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -185,6 +185,9 @@ module "gke" { // We enable Workload Identity by default. identity_namespace = "${var.project_id}.svc.id.goog" + // Enabling mesh certificates requires Workload Identity + enable_mesh_certificates = var.enable_mesh_certificates + authenticator_security_group = var.authenticator_security_group enable_shielded_nodes = var.enable_shielded_nodes 
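Review bot: `mesh_certificates_config` reports the requested configuration (`local.cluster_mesh_certificates_config`), not what GKE actually applied, so a consumer using this output to attest that workload mTLS certificates are being issued only learns what the caller asked for. This mirrors how the neighbouring `identity_namespace` output is built, but for a security-relevant feature the observed state is more useful: `value = google_container_cluster.primary.mesh_certificates` reads the attribute back from the resource after apply, which also makes the explicit `depends_on` unnecessary. The attribute should exist since the resource now sets that block; confirm the exported shape matches the list-of-objects form callers would get from the local.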
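Review bot: The description of `enable_mesh_certificates` says "Requires Workload Identity" but does not tell the caller what happens when that requirement is not met, and with the current locals the answer is that the value is silently ignored; the same text is copied into every module README, so the omission is visible to all users. Make the failure mode explicit, e.g. append `Ignored (no certificates issued) unless Workload Identity is enabled via identity_namespace; not available on Autopilot clusters.` to the description, so that a false sense of mTLS coverage is at least documented until the module enforces it. The second hunk in this file only removes a blank line.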
diff --git a/autogen/safer-cluster/outputs.tf.tmpl b/autogen/safer-cluster/outputs.tf.tmpl index e84d0aad38..5c1f5539e2 100644 --- a/autogen/safer-cluster/outputs.tf.tmpl +++ b/autogen/safer-cluster/outputs.tf.tmpl @@ -122,3 +122,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = module.gke.peering_name } + +output "enable_mesh_certificates" { + description = "Mesh certificate configuration value" + value = var.enable_mesh_certificates +} diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 22b17ea68f..caf0f537ee 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -484,3 +484,9 @@ variable "timeouts" { error_message = "Only create, update, delete timeouts can be specified." } } + +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} diff --git a/cluster.tf b/cluster.tf index a7d07d0a75..a8fd5d7d1e 100644 --- a/cluster.tf +++ b/cluster.tf @@ -359,6 +359,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/main.tf b/main.tf index e307ff82a4..2cf4877992 100644 --- a/main.tf +++ b/main.tf 
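Review bot: The safer-cluster `enable_mesh_certificates` output simply echoes `var.enable_mesh_certificates`, so it cannot differ from the input and says nothing about the cluster that was built; it also uses a different name and shape from the inner module's `mesh_certificates_config` output, which this wrapper otherwise passes through. Deriving it from the wrapped module keeps the safer profile's outputs tied to applied configuration: `value = try(module.gke.mesh_certificates_config[0].enable_certificates, false)`, or expose `module.gke.mesh_certificates_config` unchanged under the same name as the inner module. If the name is kept, note in the description that it reflects the module input rather than cluster state.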
@@ -162,6 +162,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 5d836127bc..5e79c23dac 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -228,6 +228,7 @@ resource "google_container_cluster" "primary" { } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 8a17e29466..dd7466ff31 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -121,6 +121,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index a56e4b4faf..0d955524ae 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf 
@@ -142,6 +142,8 @@ output "identity_namespace" { ] } + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index a9bd584314..86483f30d9 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -299,6 +299,7 @@ variable "identity_namespace" { default = "enabled" } + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 75e6e67f31..4c9569106a 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -209,6 +209,7 @@ resource "google_container_cluster" "primary" { } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 1c0deb7aa0..874bbb76f9 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -120,6 +120,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index 533f818844..e33c8aafa6 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf 
+++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -142,6 +142,8 @@ output "identity_namespace" { ] } + + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = false diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index e244b73728..c8776f6853 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -269,6 +269,7 @@ variable "identity_namespace" { default = "enabled" } + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 6b3283c001..936e0018c4 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -194,6 +194,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | @@ -295,6 +296,7 @@ Then perform the following commands on the root folder: | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | 
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 8e5613585a..e1132720ef 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -443,6 +443,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 6f0139cfb2..931844d9a5 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -181,6 +181,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index abdf16f900..72aee4055d 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf 
@@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 5daeb3daad..119f9a5c09 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -439,6 +439,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -722,7 +728,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index da568a971a..c424a77adb 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -172,6 +172,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | @@ -273,6 +274,7 @@ Then perform the following commands on the root folder: | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | 
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 2a61b84bc0..a5b45f882b 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -443,6 +443,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 6f0139cfb2..931844d9a5 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -181,6 +181,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index abdf16f900..72aee4055d 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block 
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 5daeb3daad..119f9a5c09 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -439,6 +439,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -722,7 +728,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 6ac0ba92ff..461a30f0cd 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -187,6 +187,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | 
@@ -283,6 +284,7 @@ Then perform the following commands on the root folder: | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 86742e65c4..db27e34d10 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -424,6 +424,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index febe765811..c6327ea6f5 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -180,6 +180,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache 
diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index ed73acae2e..bb7cdcc72c 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 2b900e4f93..05bab8df6b 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -409,6 +409,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -692,7 +698,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index f325ea56ad..25cc3549e4 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -165,6 +165,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | 
@@ -261,6 +262,7 @@ Then perform the following commands on the root folder: | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 69f9842591..b37e1020eb 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -424,6 +424,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index febe765811..c6327ea6f5 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -180,6 +180,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index ed73acae2e..bb7cdcc72c 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf 
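Review bot: `cluster_mesh_certificates_config` in modules/beta-public-cluster/main.tf silently drops `enable_mesh_certificates = true` when `local.workload_identity_enabled` is false — the caller asks for workload mTLS certificates, gets a cluster without them, and nothing fails; only the `mesh_certificates_config` output (an empty list) reveals it. The variable description already says "Requires Workload Identity", so the requirement should be enforced rather than documented: a `lifecycle { precondition }` on `resource "google_container_cluster" "primary"` in the cluster.tf hunk on this same line (Terraform 1.2+; if the resource already has a `lifecycle` block, which would lie outside the hunk, the `precondition` goes inside it) makes the mismatch a plan-time error. The same local is added in modules/private-cluster-update-variant/main.tf and modules/private-cluster/main.tf, and if these modules are generated from a template the guard belongs there too. The `locals` block continues outside the hunk.
```hcl
resource "google_container_cluster" "primary" {
  # … unchanged: existing resource arguments and dynamic blocks …

  lifecycle {
    precondition {
      condition     = !var.enable_mesh_certificates || local.workload_identity_enabled
      error_message = "enable_mesh_certificates requires Workload Identity to be enabled on the cluster."
    }
  }
```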
@@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 2b900e4f93..05bab8df6b 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -409,6 +409,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -692,7 +698,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 596cc827b7..6f8dde0f5d 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -183,6 +183,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | @@ -271,6 +272,7 @@ Then perform the following commands on the root folder: | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 8f75d404a2..d16fda5fb0 100644 
--- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -378,6 +378,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 6d4b06f7de..54d054edc0 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -163,6 +163,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 28350e722b..722e3b8fd1 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block 
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index ca215e3093..22e808f617 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -431,6 +431,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index c4b7c59ba8..7c73067c95 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -161,6 +161,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | @@ -249,6 +250,7 @@ Then perform the following commands on the root folder: | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index a621347dc5..c10084dd49 100644 
--- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -378,6 +378,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 6d4b06f7de..54d054edc0 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -163,6 +163,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 28350e722b..722e3b8fd1 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index ca215e3093..22e808f617 100644 
--- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -431,6 +431,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index eb7efac8d1..f9b515f890 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
@@ -219,6 +219,7 @@ For simplicity, we suggest using `roles/container.admin` and | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no | @@ -278,6 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and |------|-------------| | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | +| enable\_mesh\_certificates | Mesh certificate configuration value | | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | 
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 9bd0429ca2..b0017462b4 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -181,6 +181,9 @@ module "gke" { // We enable Workload Identity by default. identity_namespace = "${var.project_id}.svc.id.goog" + // Enabling mesh certificates requires Workload Identity + enable_mesh_certificates = var.enable_mesh_certificates + authenticator_security_group = var.authenticator_security_group enable_shielded_nodes = var.enable_shielded_nodes diff --git a/modules/safer-cluster-update-variant/outputs.tf b/modules/safer-cluster-update-variant/outputs.tf index 5be616ff66..8928f321ab 100644 --- a/modules/safer-cluster-update-variant/outputs.tf +++ b/modules/safer-cluster-update-variant/outputs.tf @@ -122,3 +122,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = module.gke.peering_name } + +output "enable_mesh_certificates" { + description = "Mesh certificate configuration value" + value = var.enable_mesh_certificates +} diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 6b6405d019..d9b47d90e8 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -484,3 +484,9 @@ variable "timeouts" { error_message = "Only create, update, delete timeouts can be specified." } } + +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index eb7efac8d1..f9b515f890 100644 --- a/modules/safer-cluster/README.md 
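Review bot: The new `output "enable_mesh_certificates"` in modules/safer-cluster-update-variant/outputs.tf echoes its own input (`value = var.enable_mesh_certificates`) rather than the wrapped cluster's effective configuration, and its name differs from the `mesh_certificates_config` output the other modules in this patch expose. Because `module "gke"` in the main.tf hunk on this line hard-wires Workload Identity, the two values coincide today, but an output that repeats the caller's variable tells the caller nothing about the cluster and will diverge if that assumption ever changes. Assuming the module safer-cluster wraps gained the `mesh_certificates_config` output in this patch, I would expose that instead: `output "mesh_certificates_config" {` / `description = "Mesh certificates configuration"` / `value = module.gke.mesh_certificates_config`. The same applies to modules/safer-cluster/outputs.tf and to the matching README rows.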
+++ b/modules/safer-cluster/README.md @@ -219,6 +219,7 @@ For simplicity, we suggest using `roles/container.admin` and | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no | @@ -278,6 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and |------|-------------| | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | +| enable\_mesh\_certificates | Mesh certificate configuration value | | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | 
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index b87a2f1d8c..2732ea26c2 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -181,6 +181,9 @@ module "gke" { // We enable Workload Identity by default. identity_namespace = "${var.project_id}.svc.id.goog" + // Enabling mesh certificates requires Workload Identity + enable_mesh_certificates = var.enable_mesh_certificates + authenticator_security_group = var.authenticator_security_group enable_shielded_nodes = var.enable_shielded_nodes diff --git a/modules/safer-cluster/outputs.tf b/modules/safer-cluster/outputs.tf index 5be616ff66..8928f321ab 100644 --- a/modules/safer-cluster/outputs.tf +++ b/modules/safer-cluster/outputs.tf @@ -122,3 +122,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = module.gke.peering_name } + +output "enable_mesh_certificates" { + description = "Mesh certificate configuration value" + value = var.enable_mesh_certificates +} diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 6b6405d019..d9b47d90e8 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -484,3 +484,9 @@ variable "timeouts" { error_message = "Only create, update, delete timeouts can be specified." } } + +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} diff --git a/outputs.tf b/outputs.tf index ca55e48b8e..04bbc957fe 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -160,3 +160,12 @@ output "identity_namespace" { google_container_cluster.primary ] } + +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + diff --git a/test/integration/safer_cluster/safer_cluster_test.go b/test/integration/safer_cluster/safer_cluster_test.go index 79b482ff13..f440bc8c0e 100644 --- a/test/integration/safer_cluster/safer_cluster_test.go +++ b/test/integration/safer_cluster/safer_cluster_test.go @@ -52,6 +52,7 @@ func TestSaferCluster(t *testing.T) { "networkConfig.datapathProvider", "binaryAuthorization.evaluationMode", "legacyAbac", + "meshCertificates.enableCertificates", "nodePools.autoscaling", "nodePools.config.machineType", "nodePools.config.diskSizeGb", diff --git a/test/integration/safer_cluster/testdata/TestSaferCluster.json b/test/integration/safer_cluster/testdata/TestSaferCluster.json index 793eaf9a5f..0af5138e80 100755 --- a/test/integration/safer_cluster/testdata/TestSaferCluster.json +++ b/test/integration/safer_cluster/testdata/TestSaferCluster.json @@ -90,6 +90,9 @@ ], "enabled": true }, + "meshCertificates": { + "enableCertificates": false + }, "monitoringConfig": { "componentConfig": { "enableComponents": [ diff --git a/variables.tf b/variables.tf index f1be61ecbe..69911eb955 100644 --- a/variables.tf +++ b/variables.tf @@ -401,6 +401,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
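Review bot: The `"meshCertificates.enableCertificates"` field added to the asserted list in TestSaferCluster, together with the fixture's `"enableCertificates": false`, only pins the disabled default; no test on this page turns `enable_mesh_certificates` on, so a regression in which the `dynamic "mesh_certificates"` block is never rendered (for instance if `local.workload_identity_enabled` were miscomputed) would pass unnoticed. Consider an example or a second fixture with `enable_mesh_certificates = true` that asserts the cluster reports `"enableCertificates": true`. If the fixture was captured from a live cluster, it also suggests the API returns `meshCertificates` even when the block was never configured, which would mean the now always-present `enable_certificates = false` produces no plan diff for existing clusters — worth confirming with a plan against a pre-existing cluster before release. `TestSaferCluster` continues outside the hunk.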