diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 818116c8e..39a58e43d 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -145,6 +145,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "identity_service_config" {
+    for_each = var.enable_identity_service ? [var.enable_identity_service] : []
+    content {
+      enabled = identity_service_config.value
+    }
+  }
+
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 {% endif %}
   dynamic "master_authorized_networks_config" {
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 4b3f74105..0b587c952 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -147,6 +147,7 @@ locals {
   cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false
   cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false
+  cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false
 
   # /BETA features
 {% endif %}
diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl
index 35ed78c1f..decba152d 100644
--- a/autogen/main/outputs.tf.tmpl
+++ b/autogen/main/outputs.tf.tmpl
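Review bot: The `dynamic "identity_service_config"` block in the cluster.tf.tmpl hunk omits the block entirely when `var.enable_identity_service` is false, so a user who enables the component and later sets the variable back to false may not get it disabled: if the provider treats the absent block as unmanaged rather than as "enabled = false", the external-identity-provider path to the API server stays on while the module's output reports the variable's value. Since the variable is a plain bool, the dynamic wrapper adds nothing; emitting the block unconditionally as `identity_service_config {` / `  enabled = var.enable_identity_service` / `}` makes the disabled state explicit in the plan. Please verify the provider's behaviour for the omitted block before choosing; the same pattern is copied into the cluster.tf hunks of the four beta module variants. The `google_container_cluster` resource starts before this hunk.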
@@ -184,6 +184,11 @@ output "vertical_pod_autoscaling_enabled" {
   value = local.cluster_vertical_pod_autoscaling_enabled
 }
 
+output "identity_service_enabled" {
+  description = "Whether Identity Service is enabled"
+  value = local.cluster_pod_security_policy_enabled
+}
+
 output "tpu_ipv4_cidr_block" {
   description = "The IP range in CIDR notation used for the TPUs"
   value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index d53d32cd9..b8e7c3bd0 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -527,6 +527,12 @@ variable "enable_intranode_visibility" {
   description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
   default = false
 }
+
+variable "enable_identity_service" {
+  type = bool
+  description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+  default = false
+}
 {% endif %}
 
 variable "authenticator_security_group" {
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 511fbb135..47ebc1da6 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -24,7 +24,7 @@ terraform {
   required_providers {
     google-beta = {
       source = "hashicorp/google-beta"
-      version = ">= 4.3.0, < 5.0"
+      version = ">= 4.6.0, < 5.0"
     }
     kubernetes = {
       source = "hashicorp/kubernetes"
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
index a97cc09f1..9cc4425ef 100644
--- a/examples/simple_regional_beta/main.tf
+++ b/examples/simple_regional_beta/main.tf
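Review bot: The new `output "identity_service_enabled"` reads `local.cluster_pod_security_policy_enabled`, so it reports the Pod Security Policy state, not whether external identity providers can authenticate to the API server; anything that audits the cluster's auth posture from module outputs would be told the wrong thing. Following the `vertical_pod_autoscaling_enabled` output just above, the value should be `value = local.cluster_identity_service_enabled`, wired to the `cluster_output_identity_service_enabled` local that the main.tf.tmpl hunk adds; that intermediate `cluster_identity_service_enabled` local is not visible in the main.tf.tmpl hunk, so it presumably still has to be added where the other `cluster_*_enabled` locals are defined. The same copy-paste error is present in the outputs.tf hunks of modules/beta-private-cluster-update-variant, modules/beta-private-cluster, modules/beta-public-cluster-update-variant and modules/beta-public-cluster. The integration test in test/integration/beta_cluster/controls/gcloud.rb checks the API response rather than this output, so it would not catch the mismatch.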
@@ -49,6 +49,7 @@ module "gke" {
   database_encryption = var.database_encryption
   enable_binary_authorization = var.enable_binary_authorization
   enable_pod_security_policy = var.enable_pod_security_policy
+  enable_identity_service = true
   release_channel = "REGULAR"
 
   # Disable workload identity
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 8eee68ef9..3bee05fa1 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -180,6 +180,7 @@ Then perform the following commands on the root folder:
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
+| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
@@ -264,6 +265,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
 | identity\_namespace | Workload Identity pool |
+| identity\_service\_enabled | Whether Identity Service is enabled |
 | instance\_group\_urls | List of GKE generated instance groups |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | istio\_enabled | Whether Istio is enabled |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 4d062e91a..68ae3ea71 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -127,6 +127,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "identity_service_config" {
+    for_each = var.enable_identity_service ? [var.enable_identity_service] : []
+    content {
+      enabled = identity_service_config.value
+    }
+  }
+
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index 80449dd5b..476f434c9 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -131,6 +131,7 @@ locals {
   cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false
   cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false
+  cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false
 
   # /BETA features
 
diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf
index ff3263918..87369882e 100644
--- a/modules/beta-private-cluster-update-variant/outputs.tf
+++ b/modules/beta-private-cluster-update-variant/outputs.tf
@@ -181,6 +181,11 @@ output "vertical_pod_autoscaling_enabled" {
   value = local.cluster_vertical_pod_autoscaling_enabled
 }
 
+output "identity_service_enabled" {
+  description = "Whether Identity Service is enabled"
+  value = local.cluster_pod_security_policy_enabled
+}
+
 output "tpu_ipv4_cidr_block" {
   description = "The IP range in CIDR notation used for the TPUs"
   value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 012027410..01c2f63e8 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -507,6 +507,12 @@ variable "enable_intranode_visibility" {
   default = false
 }
 
+variable "enable_identity_service" {
+  type = bool
+  description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+  default = false
+}
+
 variable "authenticator_security_group" {
   type = string
   description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 351e9d608..e68d00a3b 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source = "hashicorp/google-beta"
-      version = ">= 4.3.0, < 5.0"
+      version = ">= 4.6.0, < 5.0"
     }
     kubernetes = {
       source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index ccf6d6061..db7f221de 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -158,6 +158,7 @@ Then perform the following commands on the root folder:
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
+| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
@@ -242,6 +243,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
 | identity\_namespace | Workload Identity pool |
+| identity\_service\_enabled | Whether Identity Service is enabled |
 | instance\_group\_urls | List of GKE generated instance groups |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | istio\_enabled | Whether Istio is enabled |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index e114591ca..aff68b8e1 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -127,6 +127,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "identity_service_config" {
+    for_each = var.enable_identity_service ? [var.enable_identity_service] : []
+    content {
+      enabled = identity_service_config.value
+    }
+  }
+
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 80449dd5b..476f434c9 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -131,6 +131,7 @@ locals {
   cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false
   cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false
+  cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false
 
   # /BETA features
 
diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf
index ff3263918..87369882e 100644
--- a/modules/beta-private-cluster/outputs.tf
+++ b/modules/beta-private-cluster/outputs.tf
@@ -181,6 +181,11 @@ output "vertical_pod_autoscaling_enabled" {
   value = local.cluster_vertical_pod_autoscaling_enabled
 }
 
+output "identity_service_enabled" {
+  description = "Whether Identity Service is enabled"
+  value = local.cluster_pod_security_policy_enabled
+}
+
 output "tpu_ipv4_cidr_block" {
   description = "The IP range in CIDR notation used for the TPUs"
   value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 012027410..01c2f63e8 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -507,6 +507,12 @@ variable "enable_intranode_visibility" {
   default = false
 }
 
+variable "enable_identity_service" {
+  type = bool
+  description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+  default = false
+}
+
 variable "authenticator_security_group" {
   type = string
   description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 1f86c9ec2..0ecb84ea9 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source = "hashicorp/google-beta"
-      version = ">= 4.3.0, < 5.0"
+      version = ">= 4.6.0, < 5.0"
     }
     kubernetes = {
       source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index e7d3b7e2d..1c36a9eda 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
+| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
@@ -253,6 +254,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
 | identity\_namespace | Workload Identity pool |
+| identity\_service\_enabled | Whether Identity Service is enabled |
 | instance\_group\_urls | List of GKE generated instance groups |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | istio\_enabled | Whether Istio is enabled |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index da6c6849f..9a67b1f79 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -127,6 +127,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "identity_service_config" {
+    for_each = var.enable_identity_service ? [var.enable_identity_service] : []
+    content {
+      enabled = identity_service_config.value
+    }
+  }
+
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
index cf2f7bc0e..94acbd8c3 100644
--- a/modules/beta-public-cluster-update-variant/main.tf
+++ b/modules/beta-public-cluster-update-variant/main.tf
@@ -130,6 +130,7 @@ locals {
   cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false
   cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false
+  cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false
 
   # /BETA features
 
diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf
index fe06ef81f..2cd7cb5c9 100644
--- a/modules/beta-public-cluster-update-variant/outputs.tf
+++ b/modules/beta-public-cluster-update-variant/outputs.tf
@@ -171,6 +171,11 @@ output "vertical_pod_autoscaling_enabled" {
   value = local.cluster_vertical_pod_autoscaling_enabled
 }
 
+output "identity_service_enabled" {
+  description = "Whether Identity Service is enabled"
+  value = local.cluster_pod_security_policy_enabled
+}
+
 output "tpu_ipv4_cidr_block" {
   description = "The IP range in CIDR notation used for the TPUs"
   value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 18bc408e3..cbee75961 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -476,6 +476,12 @@ variable "enable_intranode_visibility" {
   default = false
 }
 
+variable "enable_identity_service" {
+  type = bool
+  description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+  default = false
+}
+
 variable "authenticator_security_group" {
   type = string
   description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index 8042ccab9..b0d16dd6e 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source = "hashicorp/google-beta"
-      version = ">= 4.3.0, < 5.0"
+      version = ">= 4.6.0, < 5.0"
     }
     kubernetes = {
       source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 42dd34965..f1f4508aa 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -151,6 +151,7 @@ Then perform the following commands on the root folder:
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
+| enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
@@ -231,6 +232,7 @@ Then perform the following commands on the root folder:
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
 | identity\_namespace | Workload Identity pool |
+| identity\_service\_enabled | Whether Identity Service is enabled |
 | instance\_group\_urls | List of GKE generated instance groups |
 | intranode\_visibility\_enabled | Whether intra-node visibility is enabled |
 | istio\_enabled | Whether Istio is enabled |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 102cdd1aa..ec1848a87 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -127,6 +127,13 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+  dynamic "identity_service_config" {
+    for_each = var.enable_identity_service ? [var.enable_identity_service] : []
+    content {
+      enabled = identity_service_config.value
+    }
+  }
+
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index cf2f7bc0e..94acbd8c3 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -130,6 +130,7 @@ locals {
   cluster_output_pod_security_policy_enabled = google_container_cluster.primary.pod_security_policy_config != null && length(google_container_cluster.primary.pod_security_policy_config) == 1 ? google_container_cluster.primary.pod_security_policy_config.0.enabled : false
   cluster_output_intranode_visbility_enabled = google_container_cluster.primary.enable_intranode_visibility
   cluster_output_vertical_pod_autoscaling_enabled = google_container_cluster.primary.vertical_pod_autoscaling != null && length(google_container_cluster.primary.vertical_pod_autoscaling) == 1 ? google_container_cluster.primary.vertical_pod_autoscaling.0.enabled : false
+  cluster_output_identity_service_enabled = google_container_cluster.primary.identity_service_config != null && length(google_container_cluster.primary.identity_service_config) == 1 ? google_container_cluster.primary.identity_service_config.0.enabled : false
 
   # /BETA features
 
diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf
index fe06ef81f..2cd7cb5c9 100644
--- a/modules/beta-public-cluster/outputs.tf
+++ b/modules/beta-public-cluster/outputs.tf
@@ -171,6 +171,11 @@ output "vertical_pod_autoscaling_enabled" {
   value = local.cluster_vertical_pod_autoscaling_enabled
 }
 
+output "identity_service_enabled" {
+  description = "Whether Identity Service is enabled"
+  value = local.cluster_pod_security_policy_enabled
+}
+
 output "tpu_ipv4_cidr_block" {
   description = "The IP range in CIDR notation used for the TPUs"
   value = var.enable_tpu ? google_container_cluster.primary.tpu_ipv4_cidr_block : null
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 18bc408e3..cbee75961 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -476,6 +476,12 @@ variable "enable_intranode_visibility" {
   default = false
 }
 
+variable "enable_identity_service" {
+  type = bool
+  description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API."
+  default = false
+}
+
 variable "authenticator_security_group" {
   type = string
   description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com"
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index b84a22513..43ba811e6 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
   required_providers {
     google-beta = {
       source = "hashicorp/google-beta"
-      version = ">= 4.3.0, < 5.0"
+      version = ">= 4.6.0, < 5.0"
     }
     kubernetes = {
       source = "hashicorp/kubernetes"
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
index 6cba10bac..cc66b8f9e 100644
--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -97,6 +97,12 @@
         "keyName" => attribute('database_encryption_key_name'),
       })
     end
+
+    it "has the expected identityServiceConfig config" do
+      expect(data['identityServiceConfig']).to eq({
+        "enabled" => true,
+      })
+    end
   end
 
   describe "default node pool" do