From 6042fd68d4562d9ecc5b7d8b8ac0ad41f153e4b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9s=20=C3=81lvarez?= <1671935+kir4h@users.noreply.github.com>
Date: Fri, 27 Aug 2021 23:32:01 +0200
Subject: [PATCH] feat: Promote authenticator_security_group to GA modules (#989)

---
 README.md | 1 +
 autogen/main/cluster.tf.tmpl | 6 +++---
 autogen/main/main.tf.tmpl | 7 ++++---
 autogen/main/variables.tf.tmpl | 2 +-
 cluster.tf | 7 +++++++
 main.tf | 5 +++++
 modules/beta-private-cluster-update-variant/main.tf | 5 +++--
 modules/beta-private-cluster/main.tf | 5 +++--
 modules/beta-public-cluster-update-variant/main.tf | 5 +++--
 modules/beta-public-cluster/main.tf | 5 +++--
 modules/private-cluster-update-variant/README.md | 1 +
 modules/private-cluster-update-variant/cluster.tf | 7 +++++++
 modules/private-cluster-update-variant/main.tf | 5 +++++
 modules/private-cluster-update-variant/variables.tf | 6 ++++++
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/cluster.tf | 7 +++++++
 modules/private-cluster/main.tf | 5 +++++
 modules/private-cluster/variables.tf | 6 ++++++
 variables.tf | 6 ++++++
 19 files changed, 77 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 22326105d..d45a4987e 100644
--- a/README.md
+++ b/README.md
@@ -127,6 +127,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 754779b7f..9f13114ce 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -323,7 +323,6 @@ resource "google_container_cluster" "primary" { } } -{% if beta_cluster %} dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { @@ -331,6 +330,7 @@ resource "google_container_cluster" "primary" { } } +{% if beta_cluster %} notification_config { pubsub { enabled = var.notification_config_topic != "" ? true : false @@ -480,7 +480,7 @@ resource "google_container_node_pool" "pools" { } } {% endif %} - + management { auto_repair = lookup(each.value, "auto_repair", true) auto_upgrade = lookup(each.value, "auto_upgrade", local.default_auto_upgrade) @@ -539,7 +539,7 @@ resource "google_container_node_pool" "pools" { {% if beta_cluster %} dynamic "ephemeral_storage_config" { - for_each = lookup(each.value, "local_ssd_ephemeral_count",0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] + for_each = lookup(each.value, "local_ssd_ephemeral_count",0) > 0 ? [each.value.local_ssd_ephemeral_count] : [] content { local_ssd_count = ephemeral_storage_config.value } diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index d6fb37282..b4a65db06 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -105,13 +105,14 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + +{% endif %} + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - -{% endif %} cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }] 
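Review bot: Once `var.authenticator_security_group` has been applied and is later set back to `null`, the `for_each = local.cluster_authenticator_security_group` on the `dynamic "authenticator_groups_config"` block (now rendered for the GA modules too, since `{% if beta_cluster %}` moves below it) emits no block at all, and that only disables Google Groups for RBAC if the `google` provider treats an absent block as "disable" rather than "unchanged"; if the attribute is Computed in the provider, the cluster silently keeps the old group and the module offers no way to turn the feature off. Confirm this against the provider and either document it on the variable or plan an explicit disable path. The diffstat lists no versions file, so the GA modules' `google` provider floor is presumably already high enough for `authenticator_groups_config`, which this template previously only emitted against `google-beta` — worth a quick check before release. The enclosing `google_container_cluster.primary` resource starts and ends outside this hunk.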
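Review bot: The new `cluster_authenticator_security_group` local treats only `null` as "unset", so an empty string is passed through to the API as `security_group = ""` instead of omitting the block, which for an authorization setting is an ambiguous state to leave undefined. Either declare `""` as the deliberate disable value in the variable description, or fold it into the unset case with `var.authenticator_security_group == null || var.authenticator_security_group == "" ? [] : [{ security_group = var.authenticator_security_group }]`. The `locals` block starts and ends outside this hunk, and the same expression is copied verbatim into the generated GA and beta `main.tf` files elsewhere in this patch.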
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 52013bd38..3c8f2a640 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -524,13 +524,13 @@ variable "enable_intranode_visibility" { description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" default = false } +{% endif %} variable "authenticator_security_group" { type = string description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" default = null } -{% endif %} variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" diff --git a/cluster.tf b/cluster.tf index 26e7116ff..9a8ab4413 100644 --- a/cluster.tf +++ b/cluster.tf @@ -186,6 +186,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } + } /****************************************** diff --git a/main.tf b/main.tf index bc2ab9fe6..eb511e724 100644 --- a/main.tf +++ b/main.tf @@ -81,6 +81,11 @@ locals { provider = null }] + + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }] diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 72478ec20..b1936826d 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf 
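Review bot: The `authenticator_security_group` variable, now generated for the GA modules as well, documents a required `gke-security-groups@yourdomain.com` format but enforces nothing, so a mistyped group name on an authorization-critical setting is caught at apply time at best. A `validation` block on the prefix fails at plan time instead; it needs Terraform ≥ 0.13, which I cannot confirm from this diff, and older releases also require the error message to be a full sentence starting with a capital letter and ending in a period. The description would also benefit from a one-line caveat that whoever can administer membership of that group (and of the groups nested in it) effectively decides which identities match group-based RoleBindings in the cluster, so the group itself must be locked down. The generated `variables.tf` copies at the repo root and under `modules/private-cluster*` in this patch would carry the same block.
```hcl
variable "authenticator_security_group" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.authenticator_security_group == null || can(regex("^gke-security-groups@", var.authenticator_security_group))
    error_message = "The authenticator_security_group value must be null or a group named gke-security-groups@<your-domain>."
  }
}
```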
@@ -96,12 +96,13 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }] diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 72478ec20..b1936826d 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -96,12 +96,13 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }] diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index f8768fd42..27a9762ca 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf 
@@ -96,12 +96,13 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }] diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index f8768fd42..27a9762ca 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -96,12 +96,13 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }] diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 1335f96fd..4500cfbd9 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -155,6 +155,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index edb968404..8945b5028 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -199,6 +199,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } + } /****************************************** diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 0b3d323f7..9fbd46a8d 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -81,6 +81,11 @@ locals { provider = null }] + + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }] diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index a299d887f..ea015fe06 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -388,6 +388,12 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} + variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "GKE_METADATA_SERVER" 
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index a3b1d5754..eda2c868a 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -133,6 +133,7 @@ Then perform the following commands on the root folder: | add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no | | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
gpu_resources = list(object({ resource_type = string, minimum = number, maximum = number }))
})
|
{
"enabled": false,
"gpu_resources": [],
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 8e0a3a1fc..85181fd09 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -199,6 +199,13 @@ resource "google_container_cluster" "primary" { } } + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } + } /****************************************** diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 0b3d323f7..9fbd46a8d 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -81,6 +81,11 @@ locals { provider = null }] + + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }] diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index a299d887f..ea015fe06 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -388,6 +388,12 @@ variable "master_ipv4_cidr_block" { default = "10.0.0.0/28" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} + variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "GKE_METADATA_SERVER" diff --git a/variables.tf b/variables.tf index c6a654cb0..ad21faac7 100644 --- a/variables.tf +++ b/variables.tf 
@@ -364,6 +364,12 @@ variable "default_max_pods_per_node" { default = 110 } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} + variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "GKE_METADATA_SERVER"