From 8913ef27d6c97ae2c57d747ff29ca175a15833e7 Mon Sep 17 00:00:00 2001 
From: bgvdiscord <122317969+bgvdiscord@users.noreply.github.com> Date: Mon, 11 Sep 2023 13:48:14 -0500 Subject: [PATCH] feat: mesh_certificates support (#1712) --- README.md | 2 ++ autogen/main/cluster.tf.tmpl | 10 ++++++++++ autogen/main/main.tf.tmpl | 6 ++++++ autogen/main/outputs.tf.tmpl | 11 +++++++++++ autogen/main/variables.tf.tmpl | 9 ++++++++- autogen/safer-cluster/main.tf.tmpl | 3 +++ autogen/safer-cluster/outputs.tf.tmpl | 5 +++++ autogen/safer-cluster/variables.tf.tmpl | 6 ++++++ cluster.tf | 8 ++++++++ main.tf | 4 ++++ modules/beta-autopilot-private-cluster/cluster.tf | 1 + modules/beta-autopilot-private-cluster/main.tf | 1 + modules/beta-autopilot-private-cluster/outputs.tf | 2 ++ modules/beta-autopilot-private-cluster/variables.tf | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 1 + modules/beta-autopilot-public-cluster/main.tf | 1 + modules/beta-autopilot-public-cluster/outputs.tf | 2 ++ modules/beta-autopilot-public-cluster/variables.tf | 1 + modules/beta-private-cluster-update-variant/README.md | 2 ++ .../beta-private-cluster-update-variant/cluster.tf | 8 ++++++++ modules/beta-private-cluster-update-variant/main.tf | 4 ++++ .../beta-private-cluster-update-variant/outputs.tf | 9 +++++++++ .../beta-private-cluster-update-variant/variables.tf | 7 ++++++- modules/beta-private-cluster/README.md | 2 ++ modules/beta-private-cluster/cluster.tf | 8 ++++++++ modules/beta-private-cluster/main.tf | 4 ++++ modules/beta-private-cluster/outputs.tf | 9 +++++++++ modules/beta-private-cluster/variables.tf | 7 ++++++- modules/beta-public-cluster-update-variant/README.md | 2 ++ modules/beta-public-cluster-update-variant/cluster.tf | 8 ++++++++ modules/beta-public-cluster-update-variant/main.tf | 4 ++++ modules/beta-public-cluster-update-variant/outputs.tf | 9 +++++++++ .../beta-public-cluster-update-variant/variables.tf | 7 ++++++- modules/beta-public-cluster/README.md | 2 ++ modules/beta-public-cluster/cluster.tf | 8 ++++++++ 
modules/beta-public-cluster/main.tf | 4 ++++ modules/beta-public-cluster/outputs.tf | 9 +++++++++ modules/beta-public-cluster/variables.tf | 7 ++++++- modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 8 ++++++++ modules/private-cluster-update-variant/main.tf | 4 ++++ modules/private-cluster-update-variant/outputs.tf | 9 +++++++++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 8 ++++++++ modules/private-cluster/main.tf | 4 ++++ modules/private-cluster/outputs.tf | 9 +++++++++ modules/private-cluster/variables.tf | 6 ++++++ modules/safer-cluster-update-variant/README.md | 2 ++ modules/safer-cluster-update-variant/main.tf | 3 +++ modules/safer-cluster-update-variant/outputs.tf | 5 +++++ modules/safer-cluster-update-variant/variables.tf | 6 ++++++ modules/safer-cluster/README.md | 2 ++ modules/safer-cluster/main.tf | 3 +++ modules/safer-cluster/outputs.tf | 5 +++++ modules/safer-cluster/variables.tf | 6 ++++++ outputs.tf | 9 +++++++++ test/integration/safer_cluster/safer_cluster_test.go | 1 + .../safer_cluster/testdata/TestSaferCluster.json | 3 +++ variables.tf | 6 ++++++ 60 files changed, 298 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 79513bd60..01be7adf6 100644 --- a/README.md +++ b/README.md 
@@ -154,6 +154,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | 
@@ -237,6 +238,7 @@ Then perform the following commands on the root folder: | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index ea7c68fdf..efa4cea50 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -517,6 +517,16 @@ resource "google_container_cluster" "primary" { } {% endif %} + {% if autopilot_cluster != true %} + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + {% endif %} + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 80679d4f7..26c410d5f 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -219,6 +219,12 @@ locals { cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + {% if autopilot_cluster != true %} + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + {% endif %} + {% if beta_cluster %} # BETA features cluster_istio_enabled = ! local.cluster_output_istio_disabled diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index d22e8bd08..832054f9c 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl 
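Review bot: The `{% if autopilot_cluster != true %}` … `{% endif %}` guard around the new `dynamic "mesh_certificates"` block in autogen/main/cluster.tf.tmpl is padded with its own blank lines, so on the autopilot branch the generator still emits an empty line — which is why the autopilot diffs further down (modules/beta-autopilot-private-cluster/cluster.tf and the autopilot main.tf, outputs.tf and variables.tf) consist of nothing but added blank lines. Dropping the blank line that precedes `{% if autopilot_cluster != true %}` (or using the template engine's whitespace-trimming tag form, if this repository's templates already use it elsewhere; that is not visible here) would leave the autopilot modules untouched by this change. The enclosing `resource "google_container_cluster" "primary"` block starts and ends outside the hunk.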
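Review bot: The new `cluster_mesh_certificates_config` local in autogen/main/main.tf.tmpl silently discards `enable_mesh_certificates = true` when Workload Identity is off: the ternary yields `[]`, no `mesh_certificates` block reaches `google_container_cluster.primary`, and neither the plan nor the `mesh_certificates_config` output (which returns this same local) shows that workload mTLS certificate issuance was not enabled. Because the variable description already says "Requires Workload Identity", that contradiction should fail the plan rather than quietly produce a cluster less protected than requested; a `validation` block on the variable cannot reference `local.workload_identity_enabled`, so the natural place is a `lifecycle { precondition { ... } }` on the cluster resource with `condition = !var.enable_mesh_certificates || local.workload_identity_enabled` and `error_message = "enable_mesh_certificates requires Workload Identity to be enabled."` (assuming the module's minimum Terraform version permits preconditions — versions.tf is not part of this diff). If that is not acceptable, the variable description should at least state that the value is ignored when Workload Identity is disabled. Separately, every Workload Identity cluster now sends an explicit `mesh_certificates { enable_certificates = false }`; presumably that matches the provider default and plans stay clean for existing clusters, but it is worth confirming against an existing state before release.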
@@ -170,6 +170,17 @@ output "identity_namespace" { google_container_cluster.primary ] } + +{% if autopilot_cluster != true %} +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} +{% endif %} + {% if private_cluster %} output "master_ipv4_cidr_block" { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index a2effe8e0..2525d0724 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -466,6 +466,14 @@ variable "identity_namespace" { default = "enabled" } +{% if autopilot_cluster != true %} +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} +{% endif %} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -763,7 +771,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 7459598fb..e36976254 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -185,6 +185,9 @@ module "gke" { // We enable Workload Identity by default. identity_namespace = "${var.project_id}.svc.id.goog" + // Enabling mesh certificates requires Workload Identity + enable_mesh_certificates = var.enable_mesh_certificates + authenticator_security_group = var.authenticator_security_group enable_shielded_nodes = var.enable_shielded_nodes 
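Review bot: The new `mesh_certificates_config` output in autogen/main/outputs.tf.tmpl returns `local.cluster_mesh_certificates_config`, i.e. the configuration the module asked for rather than what the cluster reports; the `depends_on = [google_container_cluster.primary]` suggests the intent was to reflect applied state, but the value is fully known from variables before the cluster exists. If the provider exposes the block as a resource attribute, `value = google_container_cluster.primary.mesh_certificates` would make the output track the cluster (I cannot confirm the attribute name from this diff), and either way the description should say what consumers actually get, e.g. `description = "Requested mesh certificates configuration; an empty list when Workload Identity is disabled"`. The same applies to the generated copies of this output in the modules/*/outputs.tf hunks further down.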
diff --git a/autogen/safer-cluster/outputs.tf.tmpl b/autogen/safer-cluster/outputs.tf.tmpl index e84d0aad3..5c1f5539e 100644 --- a/autogen/safer-cluster/outputs.tf.tmpl +++ b/autogen/safer-cluster/outputs.tf.tmpl @@ -122,3 +122,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = module.gke.peering_name } + +output "enable_mesh_certificates" { + description = "Mesh certificate configuration value" + value = var.enable_mesh_certificates +} diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 22b17ea68..caf0f537e 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -484,3 +484,9 @@ variable "timeouts" { error_message = "Only create, update, delete timeouts can be specified." } } + +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} diff --git a/cluster.tf b/cluster.tf index a7d07d0a7..a8fd5d7d1 100644 --- a/cluster.tf +++ b/cluster.tf @@ -359,6 +359,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/main.tf b/main.tf index e307ff82a..2cf487799 100644 --- a/main.tf +++ b/main.tf 
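Review bot: The `enable_mesh_certificates` output added to autogen/safer-cluster/outputs.tf.tmpl echoes `var.enable_mesh_certificates` back to the caller instead of surfacing the wrapped module's `mesh_certificates_config`, so the safer-cluster wrapper exposes a differently named and differently shaped value than the module it fronts. If renaming is still acceptable before this ships, re-exporting the inner output keeps the two surfaces aligned: `output "mesh_certificates_config" {`, `  description = "Mesh certificates configuration"`, `  value       = module.gke.mesh_certificates_config`. The current description `"Mesh certificate configuration value"` is also vaguer than the description given to the matching input variable in the same hunk; if the bool output is kept, say plainly that it is the requested value, e.g. `description = "Whether workload mTLS certificate issuance (mesh certificates) was requested for the cluster"`.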
@@ -162,6 +162,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 5d836127b..5e79c23da 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -228,6 +228,7 @@ resource "google_container_cluster" "primary" { } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index 8a17e2946..dd7466ff3 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -121,6 +121,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index a56e4b4fa..0d955524a 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf 
@@ -142,6 +142,8 @@ output "identity_namespace" { ] } + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index a9bd58431..86483f30d 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -299,6 +299,7 @@ variable "identity_namespace" { default = "enabled" } + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 75e6e67f3..4c9569106 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -209,6 +209,7 @@ resource "google_container_cluster" "primary" { } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 1c0deb7aa..874bbb76f 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -120,6 +120,7 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index 533f81884..e33c8aafa 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf 
+++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -142,6 +142,8 @@ output "identity_namespace" { ] } + + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = false diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index e244b7372..c8776f685 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -269,6 +269,7 @@ variable "identity_namespace" { default = "enabled" } + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 6b3283c00..936e0018c 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -194,6 +194,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | @@ -295,6 +296,7 @@ Then perform the following commands on the root folder: | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | 
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 8e5613585..e1132720e 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -443,6 +443,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 6f0139cfb..931844d9a 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -181,6 +181,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index abdf16f90..72aee4055 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf 
@@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 5daeb3daa..119f9a5c0 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -439,6 +439,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -722,7 +728,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index da568a971..c424a77ad 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -172,6 +172,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | @@ -273,6 +274,7 @@ Then perform the following commands on the root folder: | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | 
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 2a61b84bc..a5b45f882 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -443,6 +443,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 6f0139cfb..931844d9a 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -181,6 +181,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index abdf16f90..72aee4055 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block 
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 5daeb3daa..119f9a5c0 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -439,6 +439,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -722,7 +728,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 6ac0ba92f..461a30f0c 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -187,6 +187,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | 
@@ -283,6 +284,7 @@ Then perform the following commands on the root folder: | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 86742e65c..db27e34d1 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -424,6 +424,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index febe76581..c6327ea6f 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -180,6 +180,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache 
diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index ed73acae2..bb7cdcc72 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 2b900e4f9..05bab8df6 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -409,6 +409,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -692,7 +698,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index f325ea56a..25cc3549e 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -165,6 +165,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no | +| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | 
@@ -261,6 +262,7 @@ Then perform the following commands on the root folder: | logging\_service | Logging service used | | master\_authorized\_networks\_config | Networks from which access to master is permitted | | master\_version | Current master kubernetes version | +| mesh\_certificates\_config | Mesh certificates configuration | | min\_master\_version | Minimum master kubernetes version | | monitoring\_service | Monitoring service used | | name | Cluster name | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 69f984259..b37e1020e 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -424,6 +424,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index febe76581..c6327ea6f 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -180,6 +180,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + # BETA features cluster_istio_enabled = !local.cluster_output_istio_disabled cluster_dns_cache_enabled = var.dns_cache diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index ed73acae2..bb7cdcc72 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf 
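Review bot: `cluster_mesh_certificates_config` silently drops `var.enable_mesh_certificates` when Workload Identity is off: a user who sets the flag to true without Workload Identity gets no `mesh_certificates` block and no error, and may assume workload mTLS certificates are being issued when they are not. Rather than a silent no-op, fail the plan, e.g. a `lifecycle { precondition }` on `google_container_cluster.primary` with `condition = !var.enable_mesh_certificates || local.workload_identity_enabled` and an error message naming the Workload Identity requirement (assuming the module's minimum Terraform version allows preconditions). The variable description already says "Requires Workload Identity", so the check only enforces the documented contract. The `locals` block starts and ends outside this hunk; the same applies to the main.tf hunks for private-cluster-update-variant and private-cluster.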
@@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = local.cluster_cloudrun_enabled diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 2b900e4f9..05bab8df6 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -409,6 +409,12 @@ variable "identity_namespace" { default = "enabled" } +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} + variable "release_channel" { type = string description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`." @@ -692,7 +698,6 @@ variable "enable_pod_security_policy" { default = false } - variable "enable_l4_ilb_subsetting" { type = bool description = "Enable L4 ILB Subsetting on the cluster" diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 596cc827b..6f8dde0f5 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -183,6 +183,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
@@ -271,6 +272,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network |
 | master\_version | Current master kubernetes version |
+| mesh\_certificates\_config | Mesh certificates configuration |
 | min\_master\_version | Minimum master kubernetes version |
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 8f75d404a..d16fda5fb 100644
--- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -378,6 +378,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 6d4b06f7d..54d054edc 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -163,6 +163,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 28350e722..722e3b8fd 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block 
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index ca215e309..22e808f61 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -431,6 +431,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
 
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index c4b7c59ba..7c73067c9 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -161,6 +161,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
@@ -249,6 +250,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network |
 | master\_version | Current master kubernetes version |
+| mesh\_certificates\_config | Mesh certificates configuration |
 | min\_master\_version | Minimum master kubernetes version |
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index a621347dc..c10084dd4 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf @@ -378,6 +378,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "mesh_certificates" { + for_each = local.cluster_mesh_certificates_config + + content { + enable_certificates = mesh_certificates.value.enable_certificates + } + } + dynamic "authenticator_groups_config" { for_each = local.cluster_authenticator_security_group content { diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 6d4b06f7d..54d054edc 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -163,6 +163,10 @@ locals { cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }] + cluster_mesh_certificates_config = local.workload_identity_enabled ? [{ + enable_certificates = var.enable_mesh_certificates + }] : [] + cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : [] cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1] diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 28350e722..722e3b8fd 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -161,6 +161,15 @@ output "identity_namespace" { ] } +output "mesh_certificates_config" { + description = "Mesh certificates configuration" + value = local.cluster_mesh_certificates_config + depends_on = [ + google_container_cluster.primary + ] +} + + output "master_ipv4_cidr_block" { description = "The IP range in CIDR notation used for the hosted master network" value = var.master_ipv4_cidr_block diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index ca215e309..22e808f61 100644 --- a/modules/private-cluster/variables.tf 
+++ b/modules/private-cluster/variables.tf
@@ -431,6 +431,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
 
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index eb7efac8d..f9b515f89 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -219,6 +219,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
@@ -278,6 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and
 |------|-------------|
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cluster\_id | Cluster ID |
+| enable\_mesh\_certificates | Mesh certificate configuration value |
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 9bd0429ca..b0017462b 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -181,6 +181,9 @@ module "gke" { // We enable Workload Identity by default. identity_namespace = "${var.project_id}.svc.id.goog" + // Enabling mesh certificates requires Workload Identity + enable_mesh_certificates = var.enable_mesh_certificates + authenticator_security_group = var.authenticator_security_group enable_shielded_nodes = var.enable_shielded_nodes diff --git a/modules/safer-cluster-update-variant/outputs.tf b/modules/safer-cluster-update-variant/outputs.tf index 5be616ff6..8928f321a 100644 --- a/modules/safer-cluster-update-variant/outputs.tf +++ b/modules/safer-cluster-update-variant/outputs.tf @@ -122,3 +122,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = module.gke.peering_name } + +output "enable_mesh_certificates" { + description = "Mesh certificate configuration value" + value = var.enable_mesh_certificates +} diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 6b6405d01..d9b47d90e 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -484,3 +484,9 @@ variable "timeouts" { error_message = "Only create, update, delete timeouts can be specified." } } + +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index eb7efac8d..f9b515f89 100644 --- a/modules/safer-cluster/README.md 
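Review bot: The new `enable_mesh_certificates` output in safer-cluster-update-variant/outputs.tf just echoes `var.enable_mesh_certificates` back, so it reports the requested value rather than anything the wrapped module applied. Since the wrapped cluster modules in this change now expose `mesh_certificates_config`, deriving the output from it, e.g. `value = try(module.gke.mesh_certificates_config[0].enable_certificates, false)`, keeps the bool shape while reflecting the module's state. The description could then read `description = "Whether workload mTLS mesh certificates are enabled on the cluster"` instead of the vaguer "Mesh certificate configuration value". The same applies to the safer-cluster hunks on the next line; the variable being appended after `timeouts` rather than next to the other identity-related inputs is a minor ordering nit.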
+++ b/modules/safer-cluster/README.md
@@ -219,6 +219,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
@@ -278,6 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and
 |------|-------------|
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cluster\_id | Cluster ID |
+| enable\_mesh\_certificates | Mesh certificate configuration value |
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index b87a2f1d8..2732ea26c 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -181,6 +181,9 @@ module "gke" { // We enable Workload Identity by default. identity_namespace = "${var.project_id}.svc.id.goog" + // Enabling mesh certificates requires Workload Identity + enable_mesh_certificates = var.enable_mesh_certificates + authenticator_security_group = var.authenticator_security_group enable_shielded_nodes = var.enable_shielded_nodes diff --git a/modules/safer-cluster/outputs.tf b/modules/safer-cluster/outputs.tf index 5be616ff6..8928f321a 100644 --- a/modules/safer-cluster/outputs.tf +++ b/modules/safer-cluster/outputs.tf @@ -122,3 +122,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = module.gke.peering_name } + +output "enable_mesh_certificates" { + description = "Mesh certificate configuration value" + value = var.enable_mesh_certificates +} diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 6b6405d01..d9b47d90e 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -484,3 +484,9 @@ variable "timeouts" { error_message = "Only create, update, delete timeouts can be specified." } } + +variable "enable_mesh_certificates" { + type = bool + default = false + description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity." +} diff --git a/outputs.tf b/outputs.tf index ca55e48b8..04bbc957f 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -160,3 +160,12 @@ output "identity_namespace" {
 google_container_cluster.primary
 ]
 }
+
+output "mesh_certificates_config" {
+ description = "Mesh certificates configuration"
+ value = local.cluster_mesh_certificates_config
+ depends_on = [
+ google_container_cluster.primary
+ ]
+}
+
diff --git a/test/integration/safer_cluster/safer_cluster_test.go b/test/integration/safer_cluster/safer_cluster_test.go
index 79b482ff1..f440bc8c0 100644
--- a/test/integration/safer_cluster/safer_cluster_test.go
+++ b/test/integration/safer_cluster/safer_cluster_test.go
@@ -52,6 +52,7 @@ func TestSaferCluster(t *testing.T) {
 "networkConfig.datapathProvider",
 "binaryAuthorization.evaluationMode",
 "legacyAbac",
+ "meshCertificates.enableCertificates",
 "nodePools.autoscaling",
 "nodePools.config.machineType",
 "nodePools.config.diskSizeGb",
diff --git a/test/integration/safer_cluster/testdata/TestSaferCluster.json b/test/integration/safer_cluster/testdata/TestSaferCluster.json
index 793eaf9a5..0af5138e8 100755
--- a/test/integration/safer_cluster/testdata/TestSaferCluster.json
+++ b/test/integration/safer_cluster/testdata/TestSaferCluster.json
@@ -90,6 +90,9 @@
 ],
 "enabled": true
 },
+ "meshCertificates": {
+ "enableCertificates": false
+ },
 "monitoringConfig": {
 "componentConfig": {
 "enableComponents": [
diff --git a/variables.tf b/variables.tf
index f1be61ecb..69911eb95 100644
--- a/variables.tf
+++ b/variables.tf
@@ -401,6 +401,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
 
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
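Review bot: The added assertion field `meshCertificates.enableCertificates` is only compared against the fixture value `false` in TestSaferCluster.json, so the test pins the default-off path and never exercises a cluster where mesh certificates are actually enabled. If a safer-cluster example can set `enable_mesh_certificates = true`, a fixture variant with `"enableCertificates": true` would confirm the dynamic block is emitted as expected; otherwise a comment next to the new entry, `// default-off only; the enabled path is not covered here`, would at least make the gap visible. TestSaferCluster starts and ends outside this hunk.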