From dbb57a2e7a5fe91c8b56c48f2a29bdbb881c4db0 Mon Sep 17 00:00:00 2001 From: Laura Seidler <42136707+lauraseidler@users.noreply.github.com> Date: Wed, 27 Sep 2023 02:10:40 +0200 Subject: [PATCH] feat!: support for enabling image streaming at cluster level (#1696) --- autogen/main/cluster.tf.tmpl | 10 ++++++++++ autogen/main/variables.tf.tmpl | 6 ++++++ autogen/safer-cluster/main.tf.tmpl | 2 ++ autogen/safer-cluster/variables.tf.tmpl | 6 ++++++ modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 8 ++++++++ .../beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 8 ++++++++ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 8 ++++++++ .../beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 8 ++++++++ modules/beta-public-cluster/variables.tf | 6 ++++++ modules/safer-cluster-update-variant/README.md | 1 + modules/safer-cluster-update-variant/main.tf | 2 ++ modules/safer-cluster-update-variant/variables.tf | 6 ++++++ modules/safer-cluster/README.md | 1 + modules/safer-cluster/main.tf | 2 ++ modules/safer-cluster/variables.tf | 6 ++++++ 22 files changed, 102 insertions(+) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index a9a7719e6..714b90fb8 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -546,6 +546,16 @@ resource "google_container_cluster" "primary" { topic = var.notification_config_topic } } + {% if beta_cluster and autopilot_cluster != true %} + + node_pool_defaults { + node_config_defaults { + gcfs_config { + enabled = var.enable_gcfs + } + } + } + {% endif %} } {% if autopilot_cluster != true %} /****************************************** diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index e7a2e77f2..c75927e03 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -800,5 +800,11 @@ variable "enable_identity_service" { description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + +variable "enable_gcfs" { + type = bool + description = "Enable image streaming on cluster level." + default = false +} {% endif %} {% endif %} diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index e36976254..ea4052fb0 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -198,4 +198,6 @@ module "gke" { notification_config_topic = var.notification_config_topic timeouts = var.timeouts + + enable_gcfs = var.enable_gcfs } diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index caf0f537e..8f3283dbb 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -485,6 +485,12 @@ variable "timeouts" { } } +variable "enable_gcfs" { + type = bool + description = "Enable image streaming on cluster level." + default = false +} + variable "enable_mesh_certificates" { type = bool default = false diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 10b1630c3..ff2a9b498 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -192,6 +192,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 756d6e0ba..29770ab8f 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -466,6 +466,14 @@ resource "google_container_cluster" "primary" { topic = var.notification_config_topic } } + + node_pool_defaults { + node_config_defaults { + gcfs_config { + enabled = var.enable_gcfs + } + } + } } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index f872cf31b..77daf4b0e 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -757,3 +757,9 @@ variable "enable_identity_service" { description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + +variable "enable_gcfs" { + type = bool + description = "Enable image streaming on cluster level." + default = false +} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index b3a75fc13..e5f765341 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -170,6 +170,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 81c79e47e..1ddb1a76e 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -466,6 +466,14 @@ resource "google_container_cluster" "primary" { topic = var.notification_config_topic } } + + node_pool_defaults { + node_config_defaults { + gcfs_config { + enabled = var.enable_gcfs + } + } + } } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index f872cf31b..77daf4b0e 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -757,3 +757,9 @@ variable "enable_identity_service" { description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + +variable "enable_gcfs" { + type = bool + description = "Enable image streaming on cluster level." + default = false +} diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 8782c424f..a3fd0b1c3 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -185,6 +185,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 4b3bb173f..d35a15d49 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -447,6 +447,14 @@ resource "google_container_cluster" "primary" { topic = var.notification_config_topic } } + + node_pool_defaults { + node_config_defaults { + gcfs_config { + enabled = var.enable_gcfs + } + } + } } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index f1247ad30..dfaacc3c6 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -727,3 +727,9 @@ variable "enable_identity_service" { description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + +variable "enable_gcfs" { + type = bool + description = "Enable image streaming on cluster level." + default = false +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 39cee6f59..7476d1ea2 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -163,6 +163,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 007cbd144..4857f5752 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -447,6 +447,14 @@ resource "google_container_cluster" "primary" { topic = var.notification_config_topic } } + + node_pool_defaults { + node_config_defaults { + gcfs_config { + enabled = var.enable_gcfs + } + } + } } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index f1247ad30..dfaacc3c6 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -727,3 +727,9 @@ variable "enable_identity_service" { description = "Enable the Identity Service component, which allows customers to use external identity providers with the K8S API." default = false } + +variable "enable_gcfs" { + type = bool + description = "Enable image streaming on cluster level." + default = false +} diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index f9b515f89..55487870b 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md @@ -218,6 +218,7 @@ For simplicity, we suggest using `roles/container.admin` and | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index b0017462b..d4ae3bfa7 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -194,4 +194,6 @@ module "gke" { notification_config_topic = var.notification_config_topic timeouts = var.timeouts + + enable_gcfs = var.enable_gcfs } diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index d9b47d90e..6c0efd8ad 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -485,6 +485,12 @@ variable "timeouts" { } } +variable "enable_gcfs" { + type = bool + description = "Enable image streaming on cluster level." + default = false +} + variable "enable_mesh_certificates" { type = bool default = false diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index f9b515f89..55487870b 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md @@ -218,6 +218,7 @@ For simplicity, we suggest using `roles/container.admin` and | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no | | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 2732ea26c..8e7de8439 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -194,4 +194,6 @@ module "gke" { notification_config_topic = var.notification_config_topic timeouts = var.timeouts + + enable_gcfs = var.enable_gcfs } diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index d9b47d90e..6c0efd8ad 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -485,6 +485,12 @@ variable "timeouts" { } } +variable "enable_gcfs" { + type = bool + description = "Enable image streaming on cluster level." + default = false +} + variable "enable_mesh_certificates" { type = bool default = false