diff --git a/README.md b/README.md
index cbafbe9a7..be33562ca 100644
--- a/README.md
+++ b/README.md
@@ -148,12 +148,10 @@ Then perform the following commands on the root folder:
 | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
-| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
-| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/autogen/main/dns.tf.tmpl b/autogen/main/dns.tf.tmpl
index 00297d687..b9db91ca2 100644
--- a/autogen/main/dns.tf.tmpl
+++ b/autogen/main/dns.tf.tmpl
@@ -17,43 +17,15 @@ {{ autogeneration_note }} /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - {% if autopilot_cluster != true %} - [for pool in google_container_node_pool.pools : pool.name] - {% endif %} - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -62,8 +34,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, {% if autopilot_cluster != true %} google_container_node_pool.pools, 
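Review bot: `force = true` on the new `kubernetes_config_map_v1_data` resource (second hunk on this line, and the two resources in the following hunks) lets Terraform take over the `stubDomains` field of the kube-system `kube-dns` ConfigMap from whatever field manager last wrote it, so an operator's or controller's out-of-band change to cluster DNS forwarding is silently overwritten on the next apply, and neither the header comment nor the resource says this is intended. With the `gcloud_delete_default_kube_dns_configmap` module and the `maintained_by = "terraform"` label gone, the object no longer carries any marker that Terraform owns its data, and the new resource presumably relies on the ConfigMap already existing and on the caller's `kubernetes` provider identity having patch rights on ConfigMaps in kube-system; that is worth stating where the old comment was. Suggest expanding `Manage kube-dns configmaps` to `Manage kube-dns ConfigMap data in place (server-side apply with force = true: Terraform overrides other field managers, so out-of-band edits to stubDomains/upstreamNameservers are reverted on apply).` The resource block patched by the second hunk continues past the end of that hunk.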
@@ -71,17 +44,12 @@ EOF ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -90,8 +58,9 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, {% if autopilot_cluster != true %} google_container_node_pool.pools, @@ -99,16 +68,12 @@ EOF ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -121,8 +86,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, {% if autopilot_cluster != true %} google_container_node_pool.pools, diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index c1bb12176..399b1db09 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -458,12 +458,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." 
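Review bot: Both resources in these hunks keep their old names (`kube-dns-upstream-namservers`, `kube-dns-upstream-nameservers-and-stub-domains`) while changing type from `kubernetes_config_map` to `kubernetes_config_map_v1_data`, so for a user who enabled either option the existing state entry is left with a type no longer in the configuration and Terraform will plan to destroy it, which for the old resource type means deleting the live `kube-dns` ConfigMap. The upgrade guide added in this commit only instructs `terraform state rm module.gke.kubernetes_config_map.kube-dns`, leaving these two addresses uncovered. Suggest the guide list all three, e.g. `terraform state rm module.gke.kubernetes_config_map.kube-dns-upstream-namservers` and `terraform state rm module.gke.kubernetes_config_map.kube-dns-upstream-nameservers-and-stub-domains`, and that a comment above the first resource here record that the `namservers` spelling is kept deliberately so the state address stays stable. Each resource block continues past the end of its hunk.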
@@ -490,12 +484,6 @@ variable "disable_default_snat" {
 }
 {% endif %}
 
-variable "impersonate_service_account" {
- type = string
- description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
- default = ""
-}
-
 {% if beta_cluster %}
 variable "notification_config_topic" {
 type = string
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 7a4d7ccb3..478869dc3 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -28,7 +28,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.0"
+ version = "~> 2.10"
 }
 }
 provider_meta "google-beta" {
@@ -42,7 +42,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.0"
+ version = "~> 2.10"
 }
 }
 provider_meta "google" {
diff --git a/dns.tf b/dns.tf
index 1a4c059a3..bf0d05b72 100644
--- a/dns.tf
+++ b/dns.tf
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/docs/upgrading_to_v21.0.md b/docs/upgrading_to_v21.0.md new file mode 100644 index 000000000..199bc067f --- /dev/null +++ b/docs/upgrading_to_v21.0.md 
@@ -0,0 +1,16 @@
+# Upgrading to v21.0
+
+The v21.0 release of *kubernetes-engine* is a backwards incompatible
+release.
+
+### Terraform Kubernetes Engine Module
+
+The [Terraform Kubernetes Engine Module](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine) has been rewritten to use the 'kubernetes_config_map_v1_data' resouce added to the Terraform Kubernetes provider version 2.10.
+
+1. Run `terraform state rm module.gke.kubernetes_config_map.kube-dns`
+2. Update the module version to v21.0
+4. Run `terraform apply`
+
+### Kubernetes Provider upgrade
+The Terraform Kubernetes Engine module now requires version 2.10 or higher of
+the Kubernetes Provider.
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 477ca75f0..b529daa28 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
@@ -91,12 +91,10 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
-| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
-| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
diff --git a/modules/beta-autopilot-private-cluster/dns.tf b/modules/beta-autopilot-private-cluster/dns.tf
index 07f05d132..d9c4d7518 100644
--- a/modules/beta-autopilot-private-cluster/dns.tf
+++ b/modules/beta-autopilot-private-cluster/dns.tf
@@ -17,40 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -59,23 +34,19 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -84,22 +55,19 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -112,8 +80,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index b6fb9443b..c59bd0576 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -337,12 +337,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -367,12 +361,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." 
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index 9f174e011..432f7dfc5 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -25,7 +25,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.0"
+ version = "~> 2.10"
 }
 }
 provider_meta "google-beta" {
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 0f186d676..dea8aa765 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -82,12 +82,10 @@ Then perform the following commands on the root folder:
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
-| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
-| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
 | ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
diff --git a/modules/beta-autopilot-public-cluster/dns.tf b/modules/beta-autopilot-public-cluster/dns.tf
index 07f05d132..d9c4d7518 100644
--- a/modules/beta-autopilot-public-cluster/dns.tf
+++ b/modules/beta-autopilot-public-cluster/dns.tf
@@ -17,40 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -59,23 +34,19 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -84,22 +55,19 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -112,8 +80,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, ] } diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 92045a506..dbeb0e9d3 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -306,12 +306,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -336,12 +330,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." 
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index 0b2172447..30805b2d9 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -25,7 +25,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.0"
+ version = "~> 2.10"
 }
 }
 provider_meta "google-beta" {
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 58552c320..198261873 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -198,12 +198,10 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
-| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
-| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/modules/beta-private-cluster-update-variant/dns.tf b/modules/beta-private-cluster-update-variant/dns.tf
index 1a4c059a3..bf0d05b72 100644
--- a/modules/beta-private-cluster-update-variant/dns.tf
+++ b/modules/beta-private-cluster-update-variant/dns.tf
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index b0deff194..a36617596 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -434,12 +434,6 @@ variable "firewall_inbound_ports" {
 default = ["8443", "9443", "15017"]
 }
 
-variable "gcloud_upgrade" {
- type = bool
- description = "Whether to upgrade gcloud at runtime"
- default = false
-}
-
 variable "add_shadow_firewall_rules" {
 type = bool
 description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
@@ -464,12 +458,6 @@ variable "disable_default_snat" {
 default = false
 }
 
-variable "impersonate_service_account" {
- type = string
- description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials."
- default = ""
-}
-
 variable "notification_config_topic" {
 type = string
 description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}."
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 46a2039bd..43d651161 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -25,7 +25,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.0"
+ version = "~> 2.10"
 }
 }
 provider_meta "google-beta" {
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 12fceb743..7adb7a271 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -176,12 +176,10 @@ Then perform the following commands on the root folder:
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
 | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
-| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
 | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
 | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
-| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
diff --git a/modules/beta-private-cluster/dns.tf b/modules/beta-private-cluster/dns.tf
index 1a4c059a3..bf0d05b72 100644
--- a/modules/beta-private-cluster/dns.tf
+++ b/modules/beta-private-cluster/dns.tf
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
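Review bot: The new header comment `Manage kube-dns configmaps` does not say that `kubernetes_config_map_v1_data` only patches keys into a ConfigMap that already exists, which is the reason the `gcloud_delete_default_kube_dns_configmap` module and its `delete-default-resource.sh` call could be dropped; a reader of this file can no longer tell whether GKE or Terraform owns the object. Suggest extending the header to `Manage kube-dns configmaps (patches the GKE-created kube-system/kube-dns ConfigMap; the object itself is neither created nor deleted by Terraform)`. The removed `maintained_by = "terraform"` label was the only in-cluster marker of Terraform ownership, so a one-line note that ownership is now visible only through `metadata.managedFields` would help operators auditing the cluster. The same hunk is repeated in modules/beta-public-cluster-update-variant, modules/beta-public-cluster, modules/private-cluster-update-variant and modules/private-cluster (all generated from autogen/main/dns.tf.tmpl), so the comment belongs in the template.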
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index b0deff194..a36617596 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
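Review bot: `force = true` is added to all three `kubernetes_config_map_v1_data` resources without a comment stating what it overrides: it makes the provider take ownership of the `stubDomains` / `upstreamNameservers` keys even when another field manager already owns them, so a change made to those keys by hand or by a cluster controller is silently reverted on the next apply instead of surfacing as a conflict error. That is presumably intended here, because the ConfigMap is pre-populated by the cluster before Terraform patches it, but the choice should be recorded, e.g. `# force: take over keys previously written by the cluster's own manager; conflicts are overwritten, not reported`. Dropping `module.gcloud_delete_default_kube_dns_configmap.wait` from `depends_on` while keeping the cluster and node-pool dependencies is consistent, but nothing now expresses that the ConfigMap must exist before the patch runs; if that ordering is guaranteed by the cluster dependency alone, say so in the same comment. This applies equally to the matching hunks in the other four modules' dns.tf.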
@@ -434,12 +434,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -464,12 +458,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 5e4229cea..d00560dff 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0" + version = "~> 2.10" } } provider_meta "google-beta" { diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index d0475292c..5fb644722 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -189,12 +189,10 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no | -| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/beta-public-cluster-update-variant/dns.tf b/modules/beta-public-cluster-update-variant/dns.tf index 1a4c059a3..bf0d05b72 100644 --- a/modules/beta-public-cluster-update-variant/dns.tf +++ b/modules/beta-public-cluster-update-variant/dns.tf 
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index cfbd3e080..7ed1614d3 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -403,12 +403,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -433,12 +427,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index a89a6116f..8ef24c453 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0" + version = "~> 2.10" } } provider_meta "google-beta" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 3fd495cee..91766a636 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -167,12 +167,10 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no | -| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/beta-public-cluster/dns.tf b/modules/beta-public-cluster/dns.tf index 1a4c059a3..bf0d05b72 100644 --- a/modules/beta-public-cluster/dns.tf +++ b/modules/beta-public-cluster/dns.tf 
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index cfbd3e080..7ed1614d3 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -403,12 +403,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." 
@@ -433,12 +427,6 @@ variable "disable_default_snat" { default = false } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "notification_config_topic" { type = string description = "The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}." diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 82fb95dd8..a88675cd8 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0" + version = "~> 2.10" } } provider_meta "google-beta" { diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index f82124de2..e10051ca1 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -179,12 +179,10 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | -| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/private-cluster-update-variant/dns.tf b/modules/private-cluster-update-variant/dns.tf index 1a4c059a3..bf0d05b72 100644 --- a/modules/private-cluster-update-variant/dns.tf +++ b/modules/private-cluster-update-variant/dns.tf 
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 82f9bc4a9..17a02fb46 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf 
@@ -391,12 +391,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." @@ -410,12 +404,6 @@ variable "shadow_firewall_rules_priority" { } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "network_policy" { type = bool description = "Enable network policy addon" diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 4733793cd..66b6540fb 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -25,7 +25,7 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.0" + version = "~> 2.10" } } provider_meta "google" { diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 35af609e5..879e3f65b 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -157,12 +157,10 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | -| gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | | http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no | | identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no | -| impersonate\_service\_account | An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials. | `string` | `""` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no | | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no | | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no | diff --git a/modules/private-cluster/dns.tf b/modules/private-cluster/dns.tf index 1a4c059a3..bf0d05b72 100644 --- a/modules/private-cluster/dns.tf +++ b/modules/private-cluster/dns.tf 
@@ -17,41 +17,15 @@ // This file was automatically generated from a template in ./autogen/main /****************************************** - Delete default kube-dns configmap + Manage kube-dns configmaps *****************************************/ -module "gcloud_delete_default_kube_dns_configmap" { - source = "terraform-google-modules/gcloud/google//modules/kubectl-wrapper" - version = "~> 3.1" - - enabled = (local.custom_kube_dns_config || local.upstream_nameservers_config) && !var.skip_provisioners - cluster_name = google_container_cluster.primary.name - cluster_location = google_container_cluster.primary.location - project_id = var.project_id - upgrade = var.gcloud_upgrade - impersonate_service_account = var.impersonate_service_account - - kubectl_create_command = "${path.module}/scripts/delete-default-resource.sh kube-system configmap kube-dns" - kubectl_destroy_command = "" - - module_depends_on = concat( - [google_container_cluster.primary.master_version], - [for pool in google_container_node_pool.pools : pool.name] - ) -} -/****************************************** - Create kube-dns confimap - *****************************************/ -resource "kubernetes_config_map" "kube-dns" { +resource "kubernetes_config_map_v1_data" "kube-dns" { count = local.custom_kube_dns_config && !local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { 
@@ -60,24 +34,20 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-namservers" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-namservers" { count = !local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { - name = "kube-dns" - + name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -86,23 +56,20 @@ ${jsonencode(var.upstream_nameservers)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] } -resource "kubernetes_config_map" "kube-dns-upstream-nameservers-and-stub-domains" { +resource "kubernetes_config_map_v1_data" "kube-dns-upstream-nameservers-and-stub-domains" { count = local.custom_kube_dns_config && local.upstream_nameservers_config ? 1 : 0 metadata { name = "kube-dns" namespace = "kube-system" - - labels = { - maintained_by = "terraform" - } } data = { @@ -115,8 +82,9 @@ ${jsonencode(var.stub_domains)} EOF } + force = true + depends_on = [ - module.gcloud_delete_default_kube_dns_configmap.wait, google_container_cluster.primary, google_container_node_pool.pools, ] diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 82f9bc4a9..17a02fb46 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -391,12 +391,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." 
@@ -410,12 +404,6 @@ variable "shadow_firewall_rules_priority" { } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "network_policy" { type = bool description = "Enable network policy addon"
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index 088a05ec1..10a89c491 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -25,7 +25,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.0"
+ version = "~> 2.10"
 }
 }
 provider_meta "google" {
diff --git a/test/integration/node_pool/controls/gcloud.rb b/test/integration/node_pool/controls/gcloud.rb
index 5ed27d791..1b2a6e24d 100644
--- a/test/integration/node_pool/controls/gcloud.rb
+++ b/test/integration/node_pool/controls/gcloud.rb
@@ -60,7 +60,7 @@ end describe "node pools" do - let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" } } + let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" || p['name'] =~ %r{^nap-.*} } } it "has 3" do expect(node_pools.count).to eq 3
diff --git a/test/integration/stub_domains/controls/kubectl.rb b/test/integration/stub_domains/controls/kubectl.rb
index 1e53883a2..861bedb9d 100644
--- a/test/integration/stub_domains/controls/kubectl.rb
+++ b/test/integration/stub_domains/controls/kubectl.rb
@@ -46,8 +46,8 @@ describe "kube-dns" do let(:kubedns_configmap) { client.get_config_map("kube-dns", "kube-system") } - it "is created by Terraform" do - expect(kubedns_configmap.metadata.labels.maintained_by).to eq "terraform" + it "is managed by Terraform" do + expect(kubedns_configmap.metadata.managedFields[0].manager).to eq "Terraform" end it "reflects the stub_domains configuration" do
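Review bot: `p['name'] =~ %r{^nap-.*}` in the new `let(:node_pools)` uses `^`, which in Ruby anchors to a line start rather than the start of the string, and the trailing `.*` adds nothing; a prefix check reads more clearly and avoids the regex altogether: `let(:node_pools) { data['nodePools'].reject { |p| p['name'] == "default-pool" || p['name'].start_with?("nap-") } }`. Presumably the `nap-` prefix stands for pools created by node auto-provisioning; naming that in a short comment above the `let` would explain why they are excluded from the count of 3 instead of failing it. The enclosing `describe` block continues outside the hunk.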
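Review bot: `managedFields[0].manager` assumes the Terraform field manager is the first entry, but `managedFields` lists every manager that has written to the object (the GKE component that created it will normally be there too) and its order is not something the test controls, so the assertion can fail, or pass for the wrong reason, depending on who touched the ConfigMap last; the same assertion is added in stub_domains_private, stub_domains_upstream_nameservers and upstream_nameservers. A membership check is the robust form: `expect(kubedns_configmap.metadata.managedFields.map(&:manager)).to include "Terraform"`. "Terraform" is, as far as I know, the provider's default field-manager name, so if `field_manager` is ever set on the resource these tests must follow it.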
diff --git a/test/integration/stub_domains_private/controls/kubectl.rb b/test/integration/stub_domains_private/controls/kubectl.rb
index 17502685d..1c819c209 100644
--- a/test/integration/stub_domains_private/controls/kubectl.rb
+++ b/test/integration/stub_domains_private/controls/kubectl.rb
@@ -42,8 +42,8 @@ describe "kube-dns" do let(:kubedns_configmap) { client.get_config_map("kube-dns", "kube-system") } - it "is created by Terraform" do - expect(kubedns_configmap.metadata.labels.maintained_by).to eq "terraform" + it "is managed by Terraform" do + expect(kubedns_configmap.metadata.managedFields[0].manager).to eq "Terraform" end it "reflects the stub_domains configuration" do
diff --git a/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb b/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb
index 8e8dfe086..548140fc3 100644
--- a/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb
+++ b/test/integration/stub_domains_upstream_nameservers/controls/kubectl.rb
@@ -46,8 +46,8 @@ describe "kube-dns" do let(:kubedns_configmap) { client.get_config_map("kube-dns", "kube-system") } - it "is created by Terraform" do - expect(kubedns_configmap.metadata.labels.maintained_by).to eq "terraform" + it "is managed by Terraform" do + expect(kubedns_configmap.metadata.managedFields[0].manager).to eq "Terraform" end it "reflects the stub_domains configuration" do
diff --git a/test/integration/upstream_nameservers/controls/kubectl.rb b/test/integration/upstream_nameservers/controls/kubectl.rb
index 21ec09c32..788c9f11d 100644
--- a/test/integration/upstream_nameservers/controls/kubectl.rb
+++ b/test/integration/upstream_nameservers/controls/kubectl.rb
@@ -46,8 +46,8 @@ describe "kube-dns" do let(:kubedns_configmap) { client.get_config_map("kube-dns", "kube-system") } - it "is created by Terraform" do - expect(kubedns_configmap.metadata.labels.maintained_by).to eq "terraform" + it "is managed by Terraform" do + expect(kubedns_configmap.metadata.managedFields[0].manager).to eq "Terraform" end it "reflects the upstream_nameservers configuration" do
diff --git a/variables.tf b/variables.tf
index f1b02095c..9e2be9dd5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -367,12 +367,6 @@ variable "firewall_inbound_ports" { default = ["8443", "9443", "15017"] } -variable "gcloud_upgrade" { - type = bool - description = "Whether to upgrade gcloud at runtime" - default = false -} - variable "add_shadow_firewall_rules" { type = bool description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
@@ -386,12 +380,6 @@ variable "shadow_firewall_rules_priority" { } -variable "impersonate_service_account" { - type = string - description = "An optional service account to impersonate for gcloud commands. If this service account is not specified, the module will use Application Default Credentials." - default = "" -} - variable "network_policy" { type = bool description = "Enable network policy addon"
diff --git a/versions.tf b/versions.tf
index dc54c6487..2a8dbe62e 100644
--- a/versions.tf
+++ b/versions.tf
@@ -25,7 +25,7 @@ terraform {
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
- version = "~> 2.0"
+ version = "~> 2.10"
 }
 }
 provider_meta "google" {