From 3a94528701a06b99bbb02274c3a75012eeae72ea Mon Sep 17 00:00:00 2001
From: Sasha Sobol
Date: Mon, 11 Apr 2022 18:40:53 -0700
Subject: [PATCH] feat: Add support for image streaming/GCFS (#1174)
* propagate enable_gcfs
* move changes to autogen
* add enable_gcfs to docs
---
 README.md | 2 ++
 autogen/main/README.md | 2 ++
 autogen/main/cluster.tf.tmpl | 6 ++++++
 cluster.tf | 6 ++++++
 modules/beta-private-cluster-update-variant/README.md | 2 ++
 modules/beta-private-cluster-update-variant/cluster.tf | 6 ++++++
 modules/beta-private-cluster/README.md | 2 ++
 modules/beta-private-cluster/cluster.tf | 6 ++++++
 modules/beta-public-cluster-update-variant/README.md | 2 ++
 modules/beta-public-cluster-update-variant/cluster.tf | 6 ++++++
 modules/beta-public-cluster/README.md | 2 ++
 modules/beta-public-cluster/cluster.tf | 6 ++++++
 modules/private-cluster-update-variant/README.md | 2 ++
 modules/private-cluster-update-variant/cluster.tf | 6 ++++++
 modules/private-cluster/README.md | 2 ++
 modules/private-cluster/cluster.tf | 6 ++++++
 16 files changed, 64 insertions(+)
diff --git a/README.md b/README.md
index d03c0a354..cbafbe9a7 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ module "gke" {
 disk_size_gb = 100
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
+ enable_gcfs = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -235,6 +236,7 @@ The node_pools variable takes the following parameters:
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
+| enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/autogen/main/README.md b/autogen/main/README.md
index d9d74c6d2..a41e0b600 100644
--- a/autogen/main/README.md
+++ b/autogen/main/README.md
@@ -108,6 +108,7 @@ module "gke" {
 disk_size_gb = 100
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
+ enable_gcfs = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -194,6 +195,7 @@ The node_pools variable takes the following parameters:
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
+| enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 60831abc9..6abd539ed 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -295,6 +295,9 @@ resource "google_container_cluster" "primary" {
 image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
 machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(var.node_pools[0], "enable_gcfs", false)
+ }
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
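Review bot: `gcfs_config { enabled = lookup(var.node_pools[0], "enable_gcfs", false) }` is rendered inside `node_config` of `google_container_cluster.primary` for every caller, including those that never set `enable_gcfs`; if the provider does not treat an explicit `enabled = false` as equivalent to the block being absent, existing clusters will see a `node_config` change on the default pool, which for this resource can mean a forced replacement unless a `lifecycle.ignore_changes` on the enclosing block (not visible in this hunk) already masks it — worth confirming with a plan against a deployed cluster. The same unconditional block is generated into the `primary` hunks of `cluster.tf` and the six `modules/*/cluster.tf` files below, so fixing the template and regenerating covers all of them. A `dynamic "gcfs_config"` block that is only rendered when the pool opts in keeps the plan unchanged for everyone else. The README row added in this commit states that image streaming needs `image_type` to be `COS_CONTAINERD`, but nothing next to the code says or checks so; a comment such as `# Image streaming (gcfs) requires image_type = "COS_CONTAINERD"; see the enable_gcfs row in README.md` belongs above the block. The `node_config` block continues outside the hunk.
```hcl
      min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
      # Image streaming (gcfs) requires image_type = "COS_CONTAINERD"; see the enable_gcfs row in README.md.
      # Render the block only when the pool opts in, so callers that never set
      # enable_gcfs see no node_config diff on already-deployed clusters.
      dynamic "gcfs_config" {
        for_each = lookup(var.node_pools[0], "enable_gcfs", false) ? [true] : []
        content {
          enabled = gcfs_config.value
        }
      }
      # … unchanged: service_account …
```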
@@ -576,6 +579,9 @@ resource "google_container_node_pool" "pools" {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(each.value, "enable_gcfs", false)
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/cluster.tf b/cluster.tf
index a06712b2d..2e6cc659d 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -146,6 +146,9 @@ resource "google_container_cluster" "primary" {
 image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
 machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(var.node_pools[0], "enable_gcfs", false)
+ }
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
@@ -266,6 +269,9 @@ resource "google_container_node_pool" "pools" {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(each.value, "enable_gcfs", false)
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index c51e71be1..58552c320 100644
--- a/modules/beta-private-cluster-update-variant/README.md
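Review bot: The new `gcfs_config` block reads `each.value`, but the `min_cpu_platform` context line directly above it still reads `var.node_pools[0]`, so every pool created by `google_container_node_pool.pools` inherits the first pool's min_cpu_platform while the per-pool `image_type`, `machine_type` and now `enable_gcfs` are honoured; this looks like a pre-existing copy-paste slip that the commit sits next to without touching. The one-line fix in the template is `min_cpu_platform = lookup(each.value, "min_cpu_platform", "")`, and the same line appears in the `pools` hunks of `cluster.tf` and each `modules/*/cluster.tf` below, so regenerating from the template covers them. Nothing here checks the README's statement that `enable_gcfs` needs `image_type = "COS_CONTAINERD"` for the pool it is set on; a per-pool `precondition` (Terraform 1.2+) or at least a comment on the block would surface that where the value is read. The `node_config` block continues outside the hunk.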
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -91,6 +91,7 @@ module "gke" {
 disk_size_gb = 100
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
+ enable_gcfs = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -311,6 +312,7 @@ The node_pools variable takes the following parameters:
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
+| enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 8bb01a865..ea8c36ade 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -252,6 +252,9 @@ resource "google_container_cluster" "primary" {
 image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
 machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(var.node_pools[0], "enable_gcfs", false)
+ }
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
@@ -501,6 +504,9 @@ resource "google_container_node_pool" "pools" {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(each.value, "enable_gcfs", false)
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 98379fe5a..12fceb743 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -69,6 +69,7 @@ module "gke" {
 disk_size_gb = 100
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
+ enable_gcfs = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -289,6 +290,7 @@ The node_pools variable takes the following parameters:
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
+| enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index fe874b762..60ce1a2c4 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -252,6 +252,9 @@ resource "google_container_cluster" "primary" {
 image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
 machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(var.node_pools[0], "enable_gcfs", false)
+ }
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
@@ -415,6 +418,9 @@ resource "google_container_node_pool" "pools" {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(each.value, "enable_gcfs", false)
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 8801d7ccd..d0475292c 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -85,6 +85,7 @@ module "gke" {
 disk_size_gb = 100
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
+ enable_gcfs = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -298,6 +299,7 @@ The node_pools variable takes the following parameters:
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
+| enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 762955d34..a81dbe457 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -252,6 +252,9 @@ resource "google_container_cluster" "primary" {
 image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
 machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(var.node_pools[0], "enable_gcfs", false)
+ }
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
@@ -482,6 +485,9 @@ resource "google_container_node_pool" "pools" {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(each.value, "enable_gcfs", false)
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 7d9d2577c..3fd495cee 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -63,6 +63,7 @@ module "gke" {
 disk_size_gb = 100
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
+ enable_gcfs = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -276,6 +277,7 @@ The node_pools variable takes the following parameters:
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
+| enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index a6d20774d..a079ed782 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -252,6 +252,9 @@ resource "google_container_cluster" "primary" {
 image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
 machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(var.node_pools[0], "enable_gcfs", false)
+ }
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
@@ -396,6 +399,9 @@ resource "google_container_node_pool" "pools" {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(each.value, "enable_gcfs", false)
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index f03158538..f82124de2 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -86,6 +86,7 @@ module "gke" {
 disk_size_gb = 100
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
+ enable_gcfs = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -269,6 +270,7 @@ The node_pools variable takes the following parameters:
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
+| enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index b5e4df2dc..87a45f9c2 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -146,6 +146,9 @@ resource "google_container_cluster" "primary" {
 image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
 machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(var.node_pools[0], "enable_gcfs", false)
+ }
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
@@ -364,6 +367,9 @@ resource "google_container_node_pool" "pools" {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(each.value, "enable_gcfs", false)
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 8aabf2e33..35af609e5 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -64,6 +64,7 @@ module "gke" {
 disk_size_gb = 100
 disk_type = "pd-standard"
 image_type = "COS_CONTAINERD"
+ enable_gcfs = false
 auto_repair = true
 auto_upgrade = true
 service_account = "project-service-account@.iam.gserviceaccount.com"
@@ -247,6 +248,7 @@ The node_pools variable takes the following parameters:
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |
 | effect | Effect for the taint | | Required |
+| enable_gcfs | Google Container File System (gcfs) has to be enabled for image streaming to be active. Needs image_type to be set to COS_CONTAINERD. | false | Optional |
 | enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional |
 | enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional |
 | gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index ffa8c1a38..a6823c938 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -146,6 +146,9 @@ resource "google_container_cluster" "primary" {
 image_type = lookup(var.node_pools[0], "image_type", "COS_CONTAINERD")
 machine_type = lookup(var.node_pools[0], "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(var.node_pools[0], "enable_gcfs", false)
+ }
 service_account = lookup(var.node_pools[0], "service_account", local.service_account)
@@ -279,6 +282,9 @@ resource "google_container_node_pool" "pools" {
 image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
 machine_type = lookup(each.value, "machine_type", "e2-medium")
 min_cpu_platform = lookup(var.node_pools[0], "min_cpu_platform", "")
+ gcfs_config {
+ enabled = lookup(each.value, "enable_gcfs", false)
+ }
 labels = merge(
 lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {},
 lookup(lookup(local.node_pools_labels, "default_values", {}), "node_pool", true) ? { "node_pool" = each.value["name"] } : {},