Enable project-factory support by allowing arbitrary service accounts…

… to be passed to cluster node pool creation

README.md

@@ -112,6 +112,7 @@ Then perform the following commands on the root folder:
 | project_id | The project ID to host the cluster in (required) | string | - | yes |
 | region | The region to host the cluster in (required) | string | - | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `true` | no |
+| service_account | The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account | string | `` | no |
 | stub_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | - | yes |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | list | `<list>` | no |

cluster_regional.tf

@@ -78,7 +78,7 @@ resource "google_container_cluster" "primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", "")}"
+      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
     }
   }
 }
@@ -114,7 +114,7 @@ resource "google_container_node_pool" "pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", "")}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
 
     oauth_scopes = [
       "https://www.googleapis.com/auth/cloud-platform",

cluster_zonal.tf

@@ -78,7 +78,7 @@ resource "google_container_cluster" "zonal_primary" {
     name = "default-pool"
 
     node_config {
-      service_account = "${lookup(var.node_pools[0], "service_account", "")}"
+      service_account = "${lookup(var.node_pools[0], "service_account", var.service_account)}"
     }
   }
 }
@@ -114,7 +114,7 @@ resource "google_container_node_pool" "zonal_pools" {
 
     disk_size_gb    = "${lookup(var.node_pools[count.index], "disk_size_gb", 100)}"
     disk_type       = "${lookup(var.node_pools[count.index], "disk_type", "pd-standard")}"
-    service_account = "${lookup(var.node_pools[count.index], "service_account", "")}"
+    service_account = "${lookup(var.node_pools[count.index], "service_account", var.service_account)}"
 
     oauth_scopes = [
       "https://www.googleapis.com/auth/cloud-platform",

examples/deploy_service/README.md

@@ -15,6 +15,7 @@ It will:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| compute_engine_service_account | Service account to associate to the nodes in the cluster | string | - | yes |
 | ip_range_pods | The secondary ip range to use for pods | string | - | yes |
 | ip_range_services | The secondary ip range to use for pods | string | - | yes |
 | network | The VPC network to host the cluster in | string | - | yes |

examples/deploy_service/main.tf

@@ -42,6 +42,7 @@ module "gke" {
   ip_range_pods     = "${local.ip_range_pods}"
   ip_range_services = "${local.ip_range_services}"
   kubernetes_version = "1.9.7-gke.11"
+  service_account    = "${var.compute_engine_service_account}"
 }
 
 resource "kubernetes_pod" "nginx-example" {

examples/deploy_service/variables.tf

@@ -46,4 +46,6 @@ locals {
   subnetwork = "${var.subnetwork}"
   ip_range_pods = "${var.ip_range_pods}"
   ip_range_services = "${var.ip_range_services}"
+variable "compute_engine_service_account" {
+  description = "Service account to associate to the nodes in the cluster"
 }

examples/node_pool/README.md

@@ -9,10 +9,10 @@ This example illustrates how to create a cluster with multiple custom node-pool
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| compute_engine_service_account | Service account to associate to the nodes in the cluster | string | - | yes |
 | ip_range_pods | The secondary ip range to use for pods | string | - | yes |
 | ip_range_services | The secondary ip range to use for pods | string | - | yes |
 | network | The VPC network to host the cluster in | string | - | yes |
-| pool_01_service_account | Service account to associate to the nodes on pool-01 | string | - | yes |
 | project_id | The project ID to host the cluster in | string | - | yes |
 | region | The region to host the cluster in | string | - | yes |
 | subnetwork | The subnetwork to host the cluster in | string | - | yes |

examples/node_pool/main.tf

@@ -39,6 +39,7 @@ module "gke" {
     {
       name      = "pool-01"
       min_count = 4
+      service_account = "${var.compute_engine_service_account}"
     },
     {
       name            = "pool-02"
@@ -50,7 +51,7 @@ module "gke" {
       image_type      = "COS"
       auto_repair     = false
       auto_upgrade    = false
-      service_account = "${local.pool_01_service_account}"
+      service_account = "${var.compute_engine_service_account}"
     },
   ]
 

examples/node_pool/variables.tf

@@ -38,6 +38,6 @@ variable "ip_range_services" {
   description = "The secondary ip range to use for pods"
 }
 
-variable "pool_01_service_account" {
-  description = "Service account to associate to the nodes on pool-01"
+variable "compute_engine_service_account" {
+  description = "Service account to associate to the nodes in the cluster"
 }

examples/simple_regional/README.md

@@ -9,6 +9,7 @@ This example illustrates how to create a simple cluster.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| compute_engine_service_account | Service account to associate to the nodes in the cluster | string | - | yes |
 | ip_range_pods | The secondary ip range to use for pods | string | - | yes |
 | ip_range_services | The secondary ip range to use for pods | string | - | yes |
 | network | The VPC network to host the cluster in | string | - | yes |

examples/simple_regional/main.tf

@@ -35,6 +35,7 @@ module "gke" {
   ip_range_services = "${local.ip_range_services}"
   kubernetes_version = "1.9.7-gke.11"
   node_version = "1.9.7-gke.11"
+  service_account    = "${var.compute_engine_service_account}"
 }
 
 data "google_client_config" "default" {}

examples/simple_regional/variables.tf

@@ -46,4 +46,6 @@ locals {
   subnetwork = "${var.subnetwork}"
   ip_range_pods = "${var.ip_range_pods}"
   ip_range_services = "${var.ip_range_services}"
+variable "compute_engine_service_account" {
+  description = "Service account to associate to the nodes in the cluster"
 }

examples/simple_zonal/README.md

@@ -9,6 +9,7 @@ This example illustrates how to create a simple cluster.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| compute_engine_service_account | Service account to associate to the nodes in the cluster | string | - | yes |
 | ip_range_pods | The secondary ip range to use for pods | string | - | yes |
 | ip_range_services | The secondary ip range to use for pods | string | - | yes |
 | network | The VPC network to host the cluster in | string | - | yes |

examples/simple_zonal/main.tf

@@ -36,6 +36,7 @@ module "gke" {
   ip_range_services = "${local.ip_range_services}"
   kubernetes_version = "1.9.7-gke.11"
   node_version = "1.9.7-gke.11"
+  service_account    = "${var.compute_engine_service_account}"
 }
 
 data "google_client_config" "default" {}

examples/simple_zonal/variables.tf

@@ -51,4 +51,6 @@ locals {
   subnetwork = "${var.subnetwork}"
   ip_range_pods = "${var.ip_range_pods}"
   ip_range_services = "${var.ip_range_services}"
+variable "compute_engine_service_account" {
+  description = "Service account to associate to the nodes in the cluster"
 }

examples/stub_domains/README.md

@@ -14,6 +14,7 @@ It will:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| compute_engine_service_account | Service account to associate to the nodes in the cluster | string | - | yes |
 | ip_range_pods | The secondary ip range to use for pods | string | - | yes |
 | ip_range_services | The secondary ip range to use for pods | string | - | yes |
 | network | The VPC network to host the cluster in | string | - | yes |

examples/stub_domains/main.tf

@@ -35,6 +35,7 @@ module "gke" {
   network_policy = true
   kubernetes_version = "1.9.7-gke.11"
   node_version = "1.9.7-gke.11"
+  service_account    = "${var.compute_engine_service_account}"
 
   stub_domains {
     "example.com" = [

examples/stub_domains/variables.tf

@@ -46,4 +46,6 @@ locals {
   subnetwork = "${var.subnetwork}"
   ip_range_pods = "${var.ip_range_pods}"
   ip_range_services = "${var.ip_range_services}"
+variable "compute_engine_service_account" {
+  description = "Service account to associate to the nodes in the cluster"
 }

test/integration/node_pool/controls/gcloud.rb

@@ -223,17 +223,6 @@
           )
         end
 
-        it "has the right service account" do
-          expect(data['nodePools']).to include(
-            including(
-              "name" => "pool-02",
-              "config" => including(
-                "serviceAccount" => "default",
-              ),
-            )
-          )
-        end
-
         it "has the expected labels" do
           expect(data['nodePools']).to include(
             including(

variables.tf

@@ -189,3 +189,8 @@ variable "monitoring_service" {
   description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
   default     = "monitoring.googleapis.com"
 }
+
+variable "service_account" {
+  description = "The service account to default running nodes as if not overridden in `node_pools`. Defaults to the compute engine default service account"
+  default = ""
+}