From 4bba52f53402b4a32bf744868fdefe2a82f08829 Mon Sep 17 00:00:00 2001
From: Roland Urbano
Date: Tue, 31 May 2022 21:12:13 +0200
Subject: [PATCH] feat: Recurring maintenance window to GA (#1262)
* Added code changes from #1242
Signed-off-by: Roland Urbano
* Added variable definition for new inputs
Signed-off-by: Roland Urbano
* Extended READMEs for new inputs and added documentation
Signed-off-by: Roland Urbano
Autogenerated documentation and variable inputs
Signed-off-by: Roland Urbano
Co-authored-by: Roland Urbano
Co-authored-by: Andrew Peabody
---
README.md | 2 ++
autogen/main/cluster.tf.tmpl | 6 -----
autogen/main/main.tf.tmpl | 2 --
autogen/main/variables.tf.tmpl | 2 --
cluster.tf | 25 +++++++++++++++++--
main.tf | 2 ++
.../private-cluster-update-variant/README.md | 2 ++
.../private-cluster-update-variant/cluster.tf | 25 +++++++++++++++++--
.../private-cluster-update-variant/main.tf | 2 ++
.../variables.tf | 11 ++++++++
modules/private-cluster/README.md | 2 ++
modules/private-cluster/cluster.tf | 25 +++++++++++++++++--
modules/private-cluster/main.tf | 2 ++
modules/private-cluster/variables.tf | 11 ++++++++
variables.tf | 11 ++++++++
15 files changed, 114 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index be33562ca..a1331a25d 100644
--- a/README.md
+++ b/README.md
@@ -160,7 +160,9 @@ Then perform the following commands on the root folder: | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | +| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string }))` | `[]` | no | +| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. 
VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index af6cbd485..6e9653671 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -243,7 +243,6 @@ resource "google_container_cluster" "primary" { } maintenance_policy { - {% if beta_cluster %} dynamic "recurring_window" { for_each = local.cluster_maintenance_window_is_recurring content { @@ -268,11 +267,6 @@ resource "google_container_cluster" "primary" { end_time = maintenance_exclusion.value.end_time } } - {% else %} - daily_maintenance_window { - start_time = var.maintenance_start_time - } - {% endif %} } {% if autopilot_cluster != true %} diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index e1b848ca5..8ef03372a 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -213,10 +213,8 @@ locals { # /BETA features {% endif %} -{% if beta_cluster %} cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] -{% endif %} } /****************************************** diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 2b95c0948..1c7c2cf7d 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -114,7 +114,6 @@ variable "maintenance_exclusions" { default = [] } -{% if beta_cluster %} variable "maintenance_end_time" { type = string description = "Time window specified for recurring maintenance operations in RFC3339 format" 
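Review bot: `cluster_maintenance_window_is_recurring` only selects the recurring window when both `var.maintenance_recurrence` and `var.maintenance_end_time` are non-empty, so a caller who sets one and forgets the other silently gets the daily window with no error. Because the two windows put GKE's automatic control-plane and node upgrades (including security patches) on very different schedules, that fallback deserves to fail at plan time. A `validation` block on a `variable` can only reference that variable, but a `precondition` on the `google_container_cluster` resource in `cluster.tf` (if the module's minimum Terraform version allows it) with `condition = (var.maintenance_recurrence == "") == (var.maintenance_end_time == "")` and an error message saying both must be set together would catch the mismatch. The same two locals are added to `main.tf`, `modules/private-cluster-update-variant/main.tf` and `modules/private-cluster/main.tf`; the `locals` block starts before this hunk.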
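Review bot: The `maintenance_end_time` description kept here, "Time window specified for recurring maintenance operations in RFC3339 format", describes a window rather than the end timestamp the value actually is, and neither it nor the `maintenance_recurrence` description in the next hunk says that the two inputs are only honoured together. With the locals in `main.tf.tmpl`, leaving either one empty silently keeps the daily window, so that is the fact a module user most needs to read. Suggest `description = "End of the recurring maintenance window as an RFC3339 timestamp. Must be set together with maintenance_recurrence, otherwise the daily window is used."` here and `description = "Frequency of the recurring maintenance window as an RFC5545 RRULE. Must be set together with maintenance_end_time, otherwise the daily window is used."` for `maintenance_recurrence`. The generated copies in `modules/private-cluster-update-variant/variables.tf`, `modules/private-cluster/variables.tf` and `variables.tf` (and the README tables) appear to be produced from this template, so fixing it here covers those hunks too.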
@@ -126,7 +125,6 @@ variable "maintenance_recurrence" { description = "Frequency of the recurring maintenance window in RFC5545 format." default = "" } -{% endif %} variable "ip_range_pods" { type = string diff --git a/cluster.tf b/cluster.tf index 77f24fcf1..aecf1f118 100644 --- a/cluster.tf +++ b/cluster.tf @@ -124,8 +124,29 @@ resource "google_container_cluster" "primary" { } maintenance_policy { - daily_maintenance_window { - start_time = var.maintenance_start_time + dynamic "recurring_window" { + for_each = local.cluster_maintenance_window_is_recurring + content { + start_time = var.maintenance_start_time + end_time = var.maintenance_end_time + recurrence = var.maintenance_recurrence + } + } + + dynamic "daily_maintenance_window" { + for_each = local.cluster_maintenance_window_is_daily + content { + start_time = var.maintenance_start_time + } + } + + dynamic "maintenance_exclusion" { + for_each = var.maintenance_exclusions + content { + exclusion_name = maintenance_exclusion.value.name + start_time = maintenance_exclusion.value.start_time + end_time = maintenance_exclusion.value.end_time + } } } diff --git a/main.tf b/main.tf index ff906bf81..8eb8b7c47 100644 --- a/main.tf +++ b/main.tf @@ -143,6 +143,8 @@ locals { workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] + cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } /****************************************** diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index e10051ca1..5604ed3f0 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
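Review bot: Both new dynamic blocks pass the same `var.maintenance_start_time` as `start_time`, but per the provider's `google_container_cluster` documentation `daily_maintenance_window.start_time` is an `HH:MM` time of day while `recurring_window.start_time` is a full RFC3339 timestamp like `end_time`. The variable's default is `"05:00"`, so a caller who sets `maintenance_recurrence` and `maintenance_end_time` but leaves `maintenance_start_time` alone will, as far as I can tell, only find out at apply time when the API rejects the window, which is a poor failure mode for a setting that governs when upgrades and patches are applied. Short of a plan-time check such as `condition = length(local.cluster_maintenance_window_is_recurring) == 0 || can(formatdate("YYYY", var.maintenance_start_time))` in a `precondition`, the `maintenance_start_time` description (currently "... in RFC3339 format" with that default) should state that a recurring window needs a full timestamp. The same blocks are added in `modules/private-cluster-update-variant/cluster.tf` and `modules/private-cluster/cluster.tf`; the `google_container_cluster` resource starts before and continues after this hunk.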
@@ -191,7 +191,9 @@ Then perform the following commands on the root folder: | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | +| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string }))` | `[]` | no | +| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index e7cd7114b..1177f7c55 100644 
--- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -124,8 +124,29 @@ resource "google_container_cluster" "primary" { } maintenance_policy { - daily_maintenance_window { - start_time = var.maintenance_start_time + dynamic "recurring_window" { + for_each = local.cluster_maintenance_window_is_recurring + content { + start_time = var.maintenance_start_time + end_time = var.maintenance_end_time + recurrence = var.maintenance_recurrence + } + } + + dynamic "daily_maintenance_window" { + for_each = local.cluster_maintenance_window_is_daily + content { + start_time = var.maintenance_start_time + } + } + + dynamic "maintenance_exclusion" { + for_each = var.maintenance_exclusions + content { + exclusion_name = maintenance_exclusion.value.name + start_time = maintenance_exclusion.value.start_time + end_time = maintenance_exclusion.value.end_time + } } } diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index c6e02efd5..7051be0fc 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -144,6 +144,8 @@ locals { workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] + cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } /****************************************** diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 17a02fb46..6656854ad 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -114,6 +114,17 @@ variable "maintenance_exclusions" { default = [] } +variable "maintenance_end_time" { + type = string + description = "Time window specified for recurring maintenance operations in RFC3339 format" + default = "" +} + +variable "maintenance_recurrence" { + type = string + description = "Frequency of the recurring maintenance window in RFC5545 format." + default = "" +} variable "ip_range_pods" { type = string diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 879e3f65b..7d7e394cb 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -169,7 +169,9 @@ Then perform the following commands on the root folder: | issue\_client\_certificate | Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | | kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. | `string` | `"latest"` | no | | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | `string` | `"logging.googleapis.com/kubernetes"` | no | +| maintenance\_end\_time | Time window specified for recurring maintenance operations in RFC3339 format | `string` | `""` | no | | maintenance\_exclusions | List of maintenance exclusions. A cluster can have up to three | `list(object({ name = string, start_time = string, end_time = string }))` | `[]` | no | +| maintenance\_recurrence | Frequency of the recurring maintenance window in RFC5545 format. | `string` | `""` | no | | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index e1f2cdfa0..d40cce9d8 100644 --- a/modules/private-cluster/cluster.tf 
+++ b/modules/private-cluster/cluster.tf @@ -124,8 +124,29 @@ resource "google_container_cluster" "primary" { } maintenance_policy { - daily_maintenance_window { - start_time = var.maintenance_start_time + dynamic "recurring_window" { + for_each = local.cluster_maintenance_window_is_recurring + content { + start_time = var.maintenance_start_time + end_time = var.maintenance_end_time + recurrence = var.maintenance_recurrence + } + } + + dynamic "daily_maintenance_window" { + for_each = local.cluster_maintenance_window_is_daily + content { + start_time = var.maintenance_start_time + } + } + + dynamic "maintenance_exclusion" { + for_each = var.maintenance_exclusions + content { + exclusion_name = maintenance_exclusion.value.name + start_time = maintenance_exclusion.value.start_time + end_time = maintenance_exclusion.value.end_time + } } } diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index c6e02efd5..7051be0fc 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -144,6 +144,8 @@ locals { workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] + cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] } /****************************************** diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 17a02fb46..6656854ad 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -114,6 +114,17 @@ variable "maintenance_exclusions" { default = [] } +variable "maintenance_end_time" { + type = string + description = "Time window specified for recurring maintenance operations in RFC3339 format" + default = "" +} + +variable "maintenance_recurrence" { + type = string + description = "Frequency of the recurring maintenance window in RFC5545 format." + default = "" +} variable "ip_range_pods" { type = string diff --git a/variables.tf b/variables.tf index 9e2be9dd5..37059c0ff 100644 --- a/variables.tf +++ b/variables.tf @@ -114,6 +114,17 @@ variable "maintenance_exclusions" { default = [] } +variable "maintenance_end_time" { + type = string + description = "Time window specified for recurring maintenance operations in RFC3339 format" + default = "" +} + +variable "maintenance_recurrence" { + type = string + description = "Frequency of the recurring maintenance window in RFC5545 format." + default = "" +} variable "ip_range_pods" { type = string