Merge pull request terraform-google-modules#207 from marko7460/upstre…

…am_nameservers Add support for upstreamNameservers
WALTER-GROUP · Jul 8, 2019 · 4df5b54 · 4df5b54
2 parents c17c865 + d4fd495
commit 4df5b54
Show file tree

Hide file tree

Showing 50 changed files with 1,290 additions and 11 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -104,6 +104,20 @@ suites:
       systems:
         - name: stub_domains_private
           backend: local
+  - name: "upstream_nameservers"
+    driver:
+      root_module_directory: test/fixtures/upstream_nameservers
+    verifier:
+        systems:
+          - name: upstream_nameservers
+            backend: local
+  - name: "stub_domains_upstream_nameservers"
+    driver:
+      root_module_directory: test/fixtures/stub_domains_upstream_nameservers
+    verifier:
+        systems:
+          - name: stub_domains_upstream_nameservers
+            backend: local
   - name: "workload_metadata_config"
     driver:
       root_module_directory: test/fixtures/workload_metadata_config

diff --git a/README.md b/README.md
@@ -154,6 +154,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created. | string | `"create"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
+| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | list | `<list>` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |
 
 ## Outputs

diff --git a/autogen/dns.tf b/autogen/dns.tf
@@ -20,7 +20,7 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = "${local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0}"
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
@@ -33,7 +33,7 @@ resource "null_resource" "delete_default_kube_dns_configmap" {
   Create kube-dns confimap
  *****************************************/
 resource "kubernetes_config_map" "kube-dns" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = "${local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0}"
 
   metadata {
     name      = "kube-dns"
@@ -52,3 +52,48 @@ EOF
 
   depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
 }
+
+resource "kubernetes_config_map" "kube-dns-upstream-namservers" {
+  count = "${!local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0}"
+
+  metadata {
+    name      = "kube-dns"
+    namespace = "kube-system"
+
+    labels {
+      maintained_by = "terraform"
+    }
+  }
+
+  data {
+    upstreamNameservers = <<EOF
+${jsonencode(var.upstream_nameservers)}
+EOF
+  }
+
+  depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+}
+
+resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" {
+  count = "${local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0}"
+
+  metadata {
+    name      = "kube-dns"
+    namespace = "kube-system"
+
+    labels {
+      maintained_by = "terraform"
+    }
+  }
+
+  data {
+    upstreamNameservers = <<EOF
+${jsonencode(var.upstream_nameservers)}
+EOF
+    stubDomains = <<EOF
+${jsonencode(var.stub_domains)}
+EOF
+  }
+
+  depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+}
diff --git a/autogen/main.tf b/autogen/main.tf
@@ -36,6 +36,7 @@ locals {
   node_version_regional       = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}"
   node_version_zonal          = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}"
   custom_kube_dns_config      = "${length(keys(var.stub_domains)) > 0 ? true : false}"
+  upstream_nameservers_config = "${length(var.upstream_nameservers) > 0 ? true : false}"
   network_project_id          = "${var.network_project_id != "" ? var.network_project_id : var.project_id}"
 
   cluster_type = "${var.regional ? "regional" : "zonal"}"

diff --git a/autogen/variables.tf b/autogen/variables.tf
@@ -206,6 +206,12 @@ variable "stub_domains" {
   default     = {}
 }
 
+variable "upstream_nameservers" {
+  type        = "list"
+  description = "If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf"
+  default     = []
+}
+
 variable "non_masquerade_cidrs" {
   type        = "list"
   description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading."

diff --git a/dns.tf b/dns.tf
@@ -20,7 +20,7 @@
   Delete default kube-dns configmap
  *****************************************/
 resource "null_resource" "delete_default_kube_dns_configmap" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = "${local.custom_kube_dns_config || local.upstream_nameservers_config ? 1 : 0}"
 
   provisioner "local-exec" {
     command = "${path.module}/scripts/kubectl_wrapper.sh https://${local.cluster_endpoint} ${data.google_client_config.default.access_token} ${local.cluster_ca_certificate} ${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns"
@@ -33,7 +33,7 @@ resource "null_resource" "delete_default_kube_dns_configmap" {
   Create kube-dns confimap
  *****************************************/
 resource "kubernetes_config_map" "kube-dns" {
-  count = "${local.custom_kube_dns_config ? 1 : 0}"
+  count = "${local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0}"
 
   metadata {
     name      = "kube-dns"
@@ -52,3 +52,48 @@ EOF
 
   depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
 }
+
+resource "kubernetes_config_map" "kube-dns-upstream-namservers" {
+  count = "${!local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0}"
+
+  metadata {
+    name      = "kube-dns"
+    namespace = "kube-system"
+
+    labels {
+      maintained_by = "terraform"
+    }
+  }
+
+  data {
+    upstreamNameservers = <<EOF
+${jsonencode(var.upstream_nameservers)}
+EOF
+  }
+
+  depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+}
+
+resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" {
+  count = "${local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0}"
+
+  metadata {
+    name      = "kube-dns"
+    namespace = "kube-system"
+
+    labels {
+      maintained_by = "terraform"
+    }
+  }
+
+  data {
+    upstreamNameservers = <<EOF
+${jsonencode(var.upstream_nameservers)}
+EOF
+    stubDomains = <<EOF
+${jsonencode(var.stub_domains)}
+EOF
+  }
+
+  depends_on = ["null_resource.delete_default_kube_dns_configmap", "data.google_client_config.default", "google_container_cluster.primary", "google_container_node_pool.pools", "google_container_cluster.zonal_primary", "google_container_node_pool.zonal_pools"]
+}
diff --git a/examples/stub_domains_private/main.tf b/examples/stub_domains_private/main.tf
@@ -15,7 +15,7 @@
  */
 
 provider "google-beta" {
-  version = "~> 2.2"
+  version = "~> 2.9.0"
   region  = "${var.region}"
 }
 

diff --git a/examples/stub_domains_upstream_nameservers/README.md b/examples/stub_domains_upstream_nameservers/README.md
@@ -0,0 +1,50 @@
+# Stub Domains and Upstream Nameservers Cluster
+
+This example illustrates how to create a cluster that adds custom stub domains and custom upstream nameservers to kube-dns.
+
+It will:
+- Create a cluster
+- Remove the default kube-dns configmap
+- Add a new kube-dns configmap with custom stub domains and upstream nameservers
+
+[^]: (autogen_docs_start)
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
+| compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
+| ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
+| network | The VPC network to host the cluster in | string | n/a | yes |
+| project\_id | The project ID to host the cluster in | string | n/a | yes |
+| region | The region to host the cluster in | string | n/a | yes |
+| subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| ca\_certificate |  |
+| client\_token |  |
+| cluster\_name | Cluster name |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| kubernetes\_endpoint |  |
+| location |  |
+| master\_kubernetes\_version | The master Kubernetes version |
+| network |  |
+| project\_id |  |
+| region |  |
+| service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
+| subnetwork |  |
+| zones | List of zones in which the cluster resides |
+
+[^]: (autogen_docs_end)
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/stub_domains_upstream_nameservers/main.tf b/examples/stub_domains_upstream_nameservers/main.tf
@@ -0,0 +1,60 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "domains-nameservers"
+}
+
+provider "google" {
+  version = "~> 2.9.0"
+  region  = "${var.region}"
+}
+
+provider "google-beta" {
+  version = "~> 2.9.0"
+  region  = "${var.region}"
+}
+
+module "gke" {
+  source            = "../../"
+  project_id        = "${var.project_id}"
+  name              = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+  region            = "${var.region}"
+  network           = "${var.network}"
+  subnetwork        = "${var.subnetwork}"
+  ip_range_pods     = "${var.ip_range_pods}"
+  ip_range_services = "${var.ip_range_services}"
+  network_policy    = true
+  service_account   = "${var.compute_engine_service_account}"
+
+  configure_ip_masq = true
+
+  stub_domains {
+    "example.com" = [
+      "10.254.154.11",
+      "10.254.154.12",
+    ]
+
+    "example.net" = [
+      "10.254.154.11",
+      "10.254.154.12",
+    ]
+  }
+
+  upstream_nameservers = ["8.8.8.8", "8.8.4.4"]
+}
+
+data "google_client_config" "default" {}
diff --git a/examples/stub_domains_upstream_nameservers/outputs.tf b/examples/stub_domains_upstream_nameservers/outputs.tf
@@ -0,0 +1,34 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "kubernetes_endpoint" {
+  sensitive = true
+  value     = "${module.gke.endpoint}"
+}
+
+output "client_token" {
+  sensitive = true
+  value     = "${base64encode(data.google_client_config.default.access_token)}"
+}
+
+output "ca_certificate" {
+  value = "${module.gke.ca_certificate}"
+}
+
+output "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`."
+  value       = "${module.gke.service_account}"
+}