From 5791ac1f64cbd9355a9e2ee96f29d1c5b8686d60 Mon Sep 17 00:00:00 2001
From: Gabriel Totusek
Date: Mon, 20 Apr 2020 21:43:08 -0700
Subject: [PATCH] feat: [safer-cluster] Replace "kubernetes_version" with "release_channel" (#487)
BREAKING CHANGE: For the safer cluster module, you must now specify `release_channel` instead of `kubernetes_version`.
---
README.md | 1 -
autogen/main/main.tf.tmpl | 3 ---
autogen/main/variables.tf.tmpl | 8 +-------
autogen/safer-cluster/main.tf.tmpl | 4 ++--
autogen/safer-cluster/variables.tf.tmpl | 10 +++++-----
main.tf | 3 ---
modules/beta-private-cluster-update-variant/README.md | 3 +--
modules/beta-private-cluster-update-variant/main.tf | 3 ---
.../beta-private-cluster-update-variant/variables.tf | 8 +-------
modules/beta-private-cluster/README.md | 3 +--
modules/beta-private-cluster/main.tf | 3 ---
modules/beta-private-cluster/variables.tf | 8 +-------
modules/beta-public-cluster/README.md | 3 +--
modules/beta-public-cluster/main.tf | 3 ---
modules/beta-public-cluster/variables.tf | 8 +-------
modules/private-cluster-update-variant/README.md | 1 -
modules/private-cluster-update-variant/main.tf | 3 ---
modules/private-cluster-update-variant/variables.tf | 6 ------
modules/private-cluster/README.md | 1 -
modules/private-cluster/main.tf | 3 ---
modules/private-cluster/variables.tf | 6 ------
modules/safer-cluster-update-variant/README.md | 6 +++---
modules/safer-cluster-update-variant/main.tf | 4 ++--
modules/safer-cluster-update-variant/variables.tf | 10 +++++-----
modules/safer-cluster/README.md | 6 +++---
modules/safer-cluster/main.tf | 4 ++--
modules/safer-cluster/variables.tf | 10 +++++-----
variables.tf | 6 ------
28 files changed, 34 insertions(+), 103 deletions(-)
diff --git a/README.md b/README.md
index 250c197c9..6c4ef7f5a 100644
--- a/README.md
+++ b/README.md
@@ -133,7 +133,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no |
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no |
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index b840e4bea..04773f187 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -44,10 +44,7 @@ locals {
 // Kubernetes version
 master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
 master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
- node_version_regional = var.node_version != "" && var.regional ? var.node_version : local.master_version_regional
- node_version_zonal = var.node_version != "" && ! var.regional ? var.node_version : local.master_version_zonal
 master_version = var.regional ? local.master_version_regional : local.master_version_zonal
- node_version = var.regional ? local.node_version_regional : local.node_version_zonal
 // Build a map of maps of node pools from a list of objects
 node_pool_names = [for np in toset(var.node_pools) : np.name]
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index b8b2afcb3..d36d063da 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -72,12 +72,6 @@ variable "kubernetes_version" {
 default = "latest"
 }
-variable "node_version" {
- type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
-}
-
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
@@ -448,7 +442,7 @@ variable "node_metadata" {
 variable "sandbox_enabled" {
 type = bool
- description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
 default = false
 }
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 7cfd0e97e..507b637f4 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -34,14 +34,14 @@ module "gke" {
 // We need to enforce a minimum Kubernetes Version to ensure
 // that the necessary security features are enabled.
- kubernetes_version = "latest"
+ kubernetes_version = var.kubernetes_version
 // Nodes are created with a default version. The nodepool enables
 // auto_upgrade so that the node versions can be kept up to date with
 // the master upgrades.
 //
 // https://cloud.google.com/kubernetes-engine/versioning-and-upgrades
- node_version = ""
+ release_channel = var.release_channel
 master_authorized_networks = var.master_authorized_networks
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 79ed0fc7b..9e1a54dbc 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
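Review bot: The comment `// We need to enforce a minimum Kubernetes Version to ensure // that the necessary security features are enabled.` now sits above `kubernetes_version = var.kubernetes_version`, which forwards whatever the caller supplies (or null, the new default in autogen/safer-cluster/variables.tf.tmpl), so this template no longer enforces any floor itself and a caller can pin a version older than the one those security features need. Either reinstate a floor or reword the comment to `// Version selection is delegated to var.kubernetes_version / var.release_channel; the caller is responsible for staying on a supported version.` so the security claim matches the code. The second block, `// Nodes are created with a default version. The nodepool enables auto_upgrade ...`, now precedes `release_channel = var.release_channel` and still talks about the removed `node_version`; I'd replace it with `// The release channel governs master and node versions; see the versioning doc linked below.` keeping the URL line. The same stale comments appear in the generated copy at modules/safer-cluster-update-variant/main.tf later in this patch (and presumably modules/safer-cluster/main.tf, which is not shown). The enclosing `module "gke"` block starts and ends outside the hunk.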
@@ -68,13 +68,13 @@ variable "subnetwork" {
 variable "kubernetes_version" {
 type = string
 description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. "
- default = "latest"
+ default = null
 }
-variable "node_version" {
+variable "release_channel" {
 type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
+ description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
+ default = "REGULAR"
 }
 variable "master_authorized_networks" {
@@ -270,7 +270,7 @@ variable "resource_usage_export_dataset_id" {
 variable "sandbox_enabled" {
 type = bool
- description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
 default = false
 }
diff --git a/main.tf b/main.tf
index c2aac9941..579e2837e 100644
--- a/main.tf
+++ b/main.tf
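Review bot: `default = null` for `kubernetes_version` is not explained by its description, which still only documents the 'latest' case and still claims "The module enforces certain minimum versions", although after this patch the value is passed straight through to the inner module (autogen/safer-cluster/main.tf.tmpl) and nothing in the safer-cluster template checks it. I'd rewrite the sentence as `If null (the default), no explicit version is pinned and the version is chosen by the release channel; the inner module's own minimum-version handling still applies.` and confirm against the inner module's treatment of a null input before merging that wording. Since `release_channel` now defaults to `REGULAR`, a caller who also pins a `kubernetes_version` that is not offered in that channel will presumably get an API error at apply time rather than at plan time, which is worth one sentence in the `release_channel` description. Minor: the `kubernetes_version` description ends with a trailing space inside the quotes (`available. "`) that surfaces in the generated README tables.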
@@ -40,10 +40,7 @@ locals {
 // Kubernetes version
 master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
 master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
- node_version_regional = var.node_version != "" && var.regional ? var.node_version : local.master_version_regional
- node_version_zonal = var.node_version != "" && ! var.regional ? var.node_version : local.master_version_zonal
 master_version = var.regional ? local.master_version_regional : local.master_version_zonal
- node_version = var.regional ? local.node_version_regional : local.node_version_zonal
 // Build a map of maps of node pools from a list of objects
 node_pool_names = [for np in toset(var.node_pools) : np.name]
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 25c316aaa..e9fa0122c 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -210,7 +210,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no |
 | pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
@@ -220,7 +219,7 @@ Then perform the following commands on the root folder:
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
-| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index ebac61e7c..8fd0633f3 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -40,10 +40,7 @@ locals {
 // Kubernetes version
 master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
 master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
- node_version_regional = var.node_version != "" && var.regional ? var.node_version : local.master_version_regional
- node_version_zonal = var.node_version != "" && ! var.regional ? var.node_version : local.master_version_zonal
 master_version = var.regional ? local.master_version_regional : local.master_version_zonal
- node_version = var.regional ? local.node_version_regional : local.node_version_zonal
 // Build a map of maps of node pools from a list of objects
 node_pool_names = [for np in toset(var.node_pools) : np.name]
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 1104c0ca6..ade9eb208 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -72,12 +72,6 @@ variable "kubernetes_version" {
 default = "latest"
 }
-variable "node_version" {
- type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
-}
-
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
@@ -441,7 +435,7 @@ variable "node_metadata" {
 variable "sandbox_enabled" {
 type = bool
- description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
 default = false
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 745347006..0b9d9b1dc 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -188,7 +188,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no |
 | pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
@@ -198,7 +197,7 @@ Then perform the following commands on the root folder:
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
-| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index ebac61e7c..8fd0633f3 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -40,10 +40,7 @@ locals {
 // Kubernetes version
 master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
 master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
- node_version_regional = var.node_version != "" && var.regional ? var.node_version : local.master_version_regional
- node_version_zonal = var.node_version != "" && ! var.regional ? var.node_version : local.master_version_zonal
 master_version = var.regional ? local.master_version_regional : local.master_version_zonal
- node_version = var.regional ? local.node_version_regional : local.node_version_zonal
 // Build a map of maps of node pools from a list of objects
 node_pool_names = [for np in toset(var.node_pools) : np.name]
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 1104c0ca6..ade9eb208 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -72,12 +72,6 @@ variable "kubernetes_version" {
 default = "latest"
 }
-variable "node_version" {
- type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
-}
-
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
@@ -441,7 +435,7 @@ variable "node_metadata" {
 variable "sandbox_enabled" {
 type = bool
- description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
 default = false
 }
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 07c5e4b47..8eabf9981 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -166,7 +166,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no |
 | pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
@@ -176,7 +175,7 @@ Then perform the following commands on the root folder:
 | release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `UNSPECIFIED`. | string | `"null"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
-| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index 208d44520..2512552bd 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -40,10 +40,7 @@ locals {
 // Kubernetes version
 master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
 master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
- node_version_regional = var.node_version != "" && var.regional ? var.node_version : local.master_version_regional
- node_version_zonal = var.node_version != "" && ! var.regional ? var.node_version : local.master_version_zonal
 master_version = var.regional ? local.master_version_regional : local.master_version_zonal
- node_version = var.regional ? local.node_version_regional : local.node_version_zonal
 // Build a map of maps of node pools from a list of objects
 node_pool_names = [for np in toset(var.node_pools) : np.name]
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 6f9c063cd..df9dbf31a 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -72,12 +72,6 @@ variable "kubernetes_version" {
 default = "latest"
 }
-variable "node_version" {
- type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
-}
-
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
@@ -417,7 +411,7 @@ variable "node_metadata" {
 variable "sandbox_enabled" {
 type = bool
- description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
 default = false
 }
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index d49193154..b56d8dff7 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -177,7 +177,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no |
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no |
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index 5cd4ca251..f9b57ff9b 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -40,10 +40,7 @@ locals {
 // Kubernetes version
 master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
 master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
- node_version_regional = var.node_version != "" && var.regional ? var.node_version : local.master_version_regional
- node_version_zonal = var.node_version != "" && ! var.regional ? var.node_version : local.master_version_zonal
 master_version = var.regional ? local.master_version_regional : local.master_version_zonal
- node_version = var.regional ? local.node_version_regional : local.node_version_zonal
 // Build a map of maps of node pools from a list of objects
 node_pool_names = [for np in toset(var.node_pools) : np.name]
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index a5986705e..fc5bf996d 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -72,12 +72,6 @@ variable "kubernetes_version" {
 default = "latest"
 }
-variable "node_version" {
- type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
-}
-
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index ec17aaaea..087ca5e19 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -155,7 +155,6 @@ Then perform the following commands on the root folder:
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map(map(string)) | `` | no |
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no |
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index 5cd4ca251..f9b57ff9b 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -40,10 +40,7 @@ locals {
 // Kubernetes version
 master_version_regional = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version
 master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version
- node_version_regional = var.node_version != "" && var.regional ? var.node_version : local.master_version_regional
- node_version_zonal = var.node_version != "" && ! var.regional ? var.node_version : local.master_version_zonal
 master_version = var.regional ? local.master_version_regional : local.master_version_zonal
- node_version = var.regional ? local.node_version_regional : local.node_version_zonal
 // Build a map of maps of node pools from a list of objects
 node_pool_names = [for np in toset(var.node_pools) : np.name]
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index a5986705e..fc5bf996d 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -72,12 +72,6 @@ variable "kubernetes_version" {
 default = "latest"
 }
-variable "node_version" {
- type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
-}
-
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index cdf3426e9..7853a18eb 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -220,7 +220,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
 | istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
-| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no |
+| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"null"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `` | no |
@@ -235,14 +235,14 @@ For simplicity, we suggest using `roles/container.admin` and
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no |
 | project\_id | The project ID to host the cluster in | string | n/a | yes |
 | region | The region to host the cluster in | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no |
+| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | string | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. 
| string | `""` | no |
-| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | bool | `"false"` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
 | subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index 59b4ac84c..57bba6ba0 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -30,14 +30,14 @@ module "gke" {
 // We need to enforce a minimum Kubernetes Version to ensure
 // that the necessary security features are enabled.
- kubernetes_version = "latest"
+ kubernetes_version = var.kubernetes_version
 // Nodes are created with a default version. The nodepool enables
 // auto_upgrade so that the node versions can be kept up to date with
 // the master upgrades.
 //
 // https://cloud.google.com/kubernetes-engine/versioning-and-upgrades
- node_version = ""
+ release_channel = var.release_channel
 master_authorized_networks = var.master_authorized_networks
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index b6f62e2d6..848b76830 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
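Review bot: The comment `// We need to enforce a minimum Kubernetes Version to ensure` / `// that the necessary security features are enabled.` is now stale: it sits above `kubernetes_version = var.kubernetes_version`, whose default becomes `null` in the accompanying variables.tf hunk, so the safer module no longer sets or floors any version itself and the effective minimum is whatever the selected release channel serves. I would replace it with `// No version is pinned here: kubernetes_version defaults to null and the release_channel below decides which control-plane versions run. Set it only to pin a version that the chosen channel offers.` The node comment ("Nodes are created with a default version...") still reads as if node versions were a separate knob; as far as I understand, a release channel keeps nodes and masters on the channel's versions, and the comment could say that instead of referring to the removed `node_version`. The `module "gke"` block starts and ends outside this hunk, and the identical change appears in modules/safer-cluster/main.tf.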
@@ -68,13 +68,13 @@ variable "subnetwork" {
 variable "kubernetes_version" {
 type = string
 description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. "
- default = "latest"
+ default = null
 }
-variable "node_version" {
+variable "release_channel" {
 type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
+ description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
+ default = "REGULAR"
 }
 variable "master_authorized_networks" {
@@ -270,7 +270,7 @@ variable "resource_usage_export_dataset_id" {
 variable "sandbox_enabled" {
 type = bool
- description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
 default = false
 }
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index cdf3426e9..7853a18eb 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
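Review bot: The `kubernetes_version` description no longer matches its new default: it still says "If set to 'latest' it will pull latest available version" and "The module enforces certain minimum versions", while `default = null` and, per the main.tf hunk, the value is passed straight through to the inner module, so this module no longer enforces any minimum. I would rewrite it as `description = "The Kubernetes version of the masters. null (the default) lets the selected release_channel choose the version; 'latest' resolves to the newest version available to the inner module; an explicit version must, as far as I know, be one that GKE offers in the selected release_channel or cluster creation fails."` so that a caller understands why pinning a version and picking a channel can conflict. The existing string also ends with a stray space before the closing quote. The same variable text is changed in modules/safer-cluster/variables.tf.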
@@ -220,7 +220,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
 | istio | (Beta) Enable Istio addon | string | `"false"` | no |
 | istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
-| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no |
+| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"null"` | no |
 | logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
 | maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
 | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `` | no |
@@ -235,14 +235,14 @@ For simplicity, we suggest using `roles/container.admin` and
 | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no |
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no |
-| node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no |
 | project\_id | The project ID to host the cluster in | string | n/a | yes |
 | region | The region to host the cluster in | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no |
+| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | string | `"REGULAR"` | no |
 | resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. 
| string | `""` | no |
-| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | bool | `"false"` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
 | subnetwork | The subnetwork to host the cluster in | string | n/a | yes |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index 746da10fb..dc2d6657d 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -30,14 +30,14 @@ module "gke" {
 // We need to enforce a minimum Kubernetes Version to ensure
 // that the necessary security features are enabled.
- kubernetes_version = "latest"
+ kubernetes_version = var.kubernetes_version
 // Nodes are created with a default version. The nodepool enables
 // auto_upgrade so that the node versions can be kept up to date with
 // the master upgrades.
 //
 // https://cloud.google.com/kubernetes-engine/versioning-and-upgrades
- node_version = ""
+ release_channel = var.release_channel
 master_authorized_networks = var.master_authorized_networks
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index b6f62e2d6..848b76830 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -68,13 +68,13 @@ variable "subnetwork" {
 variable "kubernetes_version" {
 type = string
 description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. "
- default = "latest"
+ default = null
 }
-variable "node_version" {
+variable "release_channel" {
 type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
+ description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
+ default = "REGULAR"
 }
 variable "master_authorized_networks" {
@@ -270,7 +270,7 @@ variable "resource_usage_export_dataset_id" {
 variable "sandbox_enabled" {
 type = bool
- description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+ description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it)."
 default = false
 }
diff --git a/variables.tf b/variables.tf
index 1de98c0ac..fd039cc94 100644
--- a/variables.tf
+++ b/variables.tf
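Review bot: `release_channel` accepts `UNSPECIFIED`, which opts the cluster out of channel-managed upgrades, yet the main.tf comments in this commit give auto-upgrade as the reason no version is pinned any more, so a caller can silently switch the safer cluster's upgrade guarantee off with a single variable. I would restrict the safer module to the three real channels with a `validation` block (assuming the module's Terraform version constraint, which is not in this hunk, permits custom variable validation), or at minimum state in the description that `UNSPECIFIED` disables channel-based auto-upgrade and is not recommended for this module. The inner module is presumably what actually interprets the value, so the check here is about keeping the "safer" defaults honest rather than about provider behaviour. The same variable is added in modules/safer-cluster-update-variant/variables.tf.

```terraform
variable "release_channel" {
  // … unchanged: type, description, default …
  validation {
    condition     = contains(["RAPID", "REGULAR", "STABLE"], var.release_channel)
    error_message = "The safer cluster requires release_channel to be RAPID, REGULAR or STABLE; UNSPECIFIED disables channel-managed auto-upgrades."
  }
}
```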
@@ -72,12 +72,6 @@ variable "kubernetes_version" {
 default = "latest"
 }
-variable "node_version" {
- type = string
- description = "The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation."
- default = ""
-}
-
 variable "master_authorized_networks" {
 type = list(object({ cidr_block = string, display_name = string }))
 description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."