diff --git a/autogen/main/README.md b/autogen/main/README.md index c377d8199..e7ea96338 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -84,6 +84,7 @@ module "gke" { {% if beta_cluster %} istio = true cloudrun = true + dns_cache = false {% endif %} node_pools = [ diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 7e9946a7f..8cc0bda8b 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -157,6 +157,10 @@ resource "google_container_cluster" "primary" { disabled = cloudrun_config.value.disabled } } + + dns_cache_config { + enabled = var.dns_cache + } {% endif %} } diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 022102c55..cf817de22 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -160,6 +160,7 @@ locals { # BETA features cluster_istio_enabled = ! local.cluster_output_istio_disabled cluster_cloudrun_enabled = var.cloudrun + cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index 2cfcd178c..222d4b94c 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -138,6 +138,11 @@ output "cloudrun_enabled" { value = local.cluster_cloudrun_enabled } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 93ac47714..b8b2afcb3 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
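Review bot: In the autogen/main/main.tf.tmpl hunk, `cluster_dns_cache_enabled = var.dns_cache` reports the value the caller asked for, not what the cluster actually has, so the new `dns_cache_enabled` output can say the addon is on even if the API ignored or reset the block. The sibling `cluster_istio_enabled = ! local.cluster_output_istio_disabled` shows the preferred pattern of reading back from a `cluster_output_*` local; if the provider exposes the block read-only as it does for the other addons, `cluster_output_dns_cache_enabled = google_container_cluster.primary.addons_config.0.dns_cache_config.0.enabled` next to the other output locals, then `cluster_dns_cache_enabled = local.cluster_output_dns_cache_enabled`, would make the output usable as evidence of applied configuration rather than intent. `cluster_cloudrun_enabled = var.cloudrun` already has the same weakness, so this is consistent with existing code rather than a regression. The same line is repeated in the generated main.tf hunks of modules/beta-private-cluster-update-variant, modules/beta-private-cluster and modules/beta-public-cluster, which the autogen step will regenerate.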
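Review bot: In the autogen/main/outputs.tf.tmpl hunk, the output description `"Whether DNS Cache enabled"` drops the verb and uses a feature name that appears nowhere else in the change, where the variable calls it NodeLocal DNSCache; `description = "Whether the NodeLocal DNSCache addon is enabled"` matches the `pod_security_policy_enabled` phrasing directly below and the variable's own wording. It does mirror the existing `cloudrun_enabled` description, so the terse form is not new, but the output is what operators will read when auditing a cluster, and the precise name helps. The generated outputs.tf hunks in the three beta modules carry the same string and will pick up the fix on regeneration.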
@@ -399,6 +399,12 @@ variable "istio_auth" { default = "AUTH_MUTUAL_TLS" } +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false +} + variable "database_encryption" { description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." type = list(object({ state = string, key_name = string })) diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index ad0bb77a2..7cfd0e97e 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -122,6 +122,8 @@ module "gke" { cloudrun = var.cloudrun + dns_cache = var.dns_cache + default_max_pods_per_node = var.default_max_pods_per_node database_encryption = var.database_encryption diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 512527368..79ed0fc7b 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -237,6 +237,12 @@ variable "istio_auth" { default = "AUTH_MUTUAL_TLS" } +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false +} + variable "default_max_pods_per_node" { description = "The maximum number of pods to schedule per node" default = 110 diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index 6bcf9994b..81681dd50 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -19,7 +19,7 @@ locals { } provider "google-beta" { - version = "~> 3.12.0" + version = "~> 3.14.0" region = var.region } diff --git a/examples/node_pool_update_variant/main.tf b/examples/node_pool_update_variant/main.tf index f027970d3..6225e631b 100644 --- a/examples/node_pool_update_variant/main.tf +++ b/examples/node_pool_update_variant/main.tf 
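Review bot: In the autogen/main/variables.tf.tmpl hunk, the description `"(Beta) The status of the NodeLocal DNSCache addon."` describes a boolean as a "status" and does not say which value turns the addon on; `description = "(Beta) Whether the NodeLocal DNSCache addon is enabled."` tells module users what the flag does without reading cluster.tf, and reads correctly next to `default = false`. The same string is duplicated in the autogen/safer-cluster/variables.tf.tmpl hunk on this line, in the three beta module variables.tf files and the two safer-cluster variants, all of which the template fix should regenerate; the copy in examples/simple_regional_beta/variables.tf is hand-maintained and needs its own edit.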
@@ -19,7 +19,7 @@ locals { } provider "google" { - version = "~> 3.12.0" + version = "~> 3.14.0" region = var.region } diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf index e2fee1bcf..0bd1b664d 100644 --- a/examples/node_pool_update_variant_beta/main.tf +++ b/examples/node_pool_update_variant_beta/main.tf @@ -19,7 +19,7 @@ locals { } provider "google-beta" { - version = "~> 3.12.0" + version = "~> 3.14.0" credentials = file(var.credentials_path) region = var.region } diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf index d91eb93ab..bf1328cd9 100644 --- a/examples/safer_cluster/main.tf +++ b/examples/safer_cluster/main.tf @@ -30,11 +30,11 @@ locals { } provider "google" { - version = "~> 3.12.0" + version = "~> 3.14.0" } provider "google-beta" { - version = "~> 3.12.0" + version = "~> 3.14.0" } module "gke" { diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md index 9b31404ba..0c805e578 100644 --- a/examples/simple_regional_beta/README.md +++ b/examples/simple_regional_beta/README.md 
@@ -11,6 +11,7 @@ This example illustrates how to create a simple cluster with beta features. | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no | +| dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for services | string | n/a | yes | diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index 1434894a1..301c03adb 100644 --- a/examples/simple_regional_beta/main.tf +++ b/examples/simple_regional_beta/main.tf @@ -19,7 +19,7 @@ locals { } provider "google-beta" { - version = "~> 3.12.0" + version = "~> 3.14.0" region = var.region } @@ -38,6 +38,7 @@ module "gke" { service_account = var.compute_engine_service_account istio = var.istio cloudrun = var.cloudrun + dns_cache = var.dns_cache node_metadata = var.node_metadata sandbox_enabled = var.sandbox_enabled remove_default_node_pool = var.remove_default_node_pool diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf index 496b42f45..65a1e890a 100644 --- a/examples/simple_regional_beta/variables.tf +++ b/examples/simple_regional_beta/variables.tf 
@@ -57,6 +57,12 @@ variable "cloudrun" { default = true } +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false +} + variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "SECURE" diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf index 04c00f024..92f2a1a8d 100644 --- a/examples/simple_regional_private_beta/main.tf +++ b/examples/simple_regional_private_beta/main.tf @@ -19,12 +19,12 @@ locals { } provider "google" { - version = "~> 3.12.0" + version = "~> 3.14.0" region = var.region } provider "google-beta" { - version = "~> 3.12.0" + version = "~> 3.14.0" region = var.region } @@ -56,8 +56,9 @@ module "gke" { }, ] - istio = var.istio - cloudrun = var.cloudrun + istio = var.istio + cloudrun = var.cloudrun + dns_cache = var.dns_cache } data "google_client_config" "default" { diff --git a/examples/simple_regional_private_beta/variables.tf b/examples/simple_regional_private_beta/variables.tf index b05d008bf..1ee4c32c2 100644 --- a/examples/simple_regional_private_beta/variables.tf +++ b/examples/simple_regional_private_beta/variables.tf @@ -57,3 +57,7 @@ variable "cloudrun" { default = true } +variable "dns_cache" { + description = "Boolean to enable / disable NodeLocal DNSCache " + default = false +} diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf index eb27bcdb5..6d810f6e3 100644 --- a/examples/workload_identity/main.tf +++ b/examples/workload_identity/main.tf @@ -19,7 +19,7 @@ locals { } provider "google" { - version = "~> 3.12.0" + version = "~> 3.14.0" region = var.region } diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf index 8ef920199..655c37619 100644 --- a/examples/workload_metadata_config/main.tf +++ b/examples/workload_metadata_config/main.tf 
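Review bot: The `dns_cache` variable added in the examples/simple_regional_private_beta/variables.tf hunk is the only copy in the change without `type = bool`, and its description `"Boolean to enable / disable NodeLocal DNSCache "` carries a trailing space and diverges from the wording used in every other file. Without a type the example accepts any value and relies on the module's typed variable to reject it, so the error surfaces one layer away from where the user set it. Declaring it as the sibling example does — `type = bool` and `description = "(Beta) The status of the NodeLocal DNSCache addon."` — keeps the examples consistent and validates at the example boundary. The hunk runs to end of file, so nothing after it is affected.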
@@ -19,7 +19,7 @@ locals { } provider "google-beta" { - version = "~> 3.12.0" + version = "~> 3.14.0" region = var.region } diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 187358249..3b6d2636d 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -76,6 +76,7 @@ module "gke" { master_ipv4_cidr_block = "10.0.0.0/28" istio = true cloudrun = true + dns_cache = false node_pools = [ { @@ -169,6 +170,7 @@ Then perform the following commands on the root folder: | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | +| dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | 
@@ -232,6 +234,7 @@ Then perform the following commands on the root folder: |------|-------------| | ca\_certificate | Cluster ca certificate (base64 encoded) | | cloudrun\_enabled | Whether CloudRun enabled | +| dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index a00299e51..66f2024c4 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -142,6 +142,10 @@ resource "google_container_cluster" "primary" { disabled = cloudrun_config.value.disabled } } + + dns_cache_config { + enabled = var.dns_cache + } } ip_allocation_policy { diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index 2e99a08fd..439bd3167 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -145,6 +145,7 @@ locals { # BETA features cluster_istio_enabled = ! local.cluster_output_istio_disabled cluster_cloudrun_enabled = var.cloudrun + cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index cf3e38781..3ba1c77e7 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf 
@@ -135,6 +135,11 @@ output "cloudrun_enabled" { value = local.cluster_cloudrun_enabled } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 6bad5261f..1104c0ca6 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -392,6 +392,12 @@ variable "istio_auth" { default = "AUTH_MUTUAL_TLS" } +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false +} + variable "database_encryption" { description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." type = list(object({ state = string, key_name = string })) diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 5254e53e2..951c6ad14 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -54,6 +54,7 @@ module "gke" { master_ipv4_cidr_block = "10.0.0.0/28" istio = true cloudrun = true + dns_cache = false node_pools = [ { 
@@ -147,6 +148,7 @@ Then perform the following commands on the root folder: | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | +| dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | @@ -210,6 +212,7 @@ Then perform the following commands on the root folder: |------|-------------| | ca\_certificate | Cluster ca certificate (base64 encoded) | | cloudrun\_enabled | Whether CloudRun enabled | +| dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index b5ad8698c..403d9eaae 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -142,6 +142,10 @@ resource "google_container_cluster" "primary" { disabled = cloudrun_config.value.disabled } } + + dns_cache_config { + enabled = var.dns_cache + } } ip_allocation_policy { 
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 2e99a08fd..439bd3167 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -145,6 +145,7 @@ locals { # BETA features cluster_istio_enabled = ! local.cluster_output_istio_disabled cluster_cloudrun_enabled = var.cloudrun + cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index cf3e38781..3ba1c77e7 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -135,6 +135,11 @@ output "cloudrun_enabled" { value = local.cluster_cloudrun_enabled } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 6bad5261f..1104c0ca6 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -392,6 +392,12 @@ variable "istio_auth" { default = "AUTH_MUTUAL_TLS" } +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false +} + variable "database_encryption" { description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." type = list(object({ state = string, key_name = string })) 
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 64ef38e91..07c5e4b47 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -36,6 +36,7 @@ module "gke" { network_policy = true istio = true cloudrun = true + dns_cache = false node_pools = [ { @@ -128,6 +129,7 @@ Then perform the following commands on the root folder: | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | +| dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | @@ -188,6 +190,7 @@ Then perform the following commands on the root folder: |------|-------------| | ca\_certificate | Cluster ca certificate (base64 encoded) | | cloudrun\_enabled | Whether CloudRun enabled | +| dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index dd2f89b3b..26651b917 100644 
--- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -142,6 +142,10 @@ resource "google_container_cluster" "primary" { disabled = cloudrun_config.value.disabled } } + + dns_cache_config { + enabled = var.dns_cache + } } ip_allocation_policy { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 81b17148a..208d44520 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -145,6 +145,7 @@ locals { # BETA features cluster_istio_enabled = ! local.cluster_output_istio_disabled cluster_cloudrun_enabled = var.cloudrun + cluster_dns_cache_enabled = var.dns_cache cluster_pod_security_policy_enabled = local.cluster_output_pod_security_policy_enabled cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 2fccac6bc..0115c2098 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -129,6 +129,11 @@ output "cloudrun_enabled" { value = local.cluster_cloudrun_enabled } +output "dns_cache_enabled" { + description = "Whether DNS Cache enabled" + value = local.cluster_dns_cache_enabled +} + output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" value = local.cluster_pod_security_policy_enabled diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 2c09f7240..6f9c063cd 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -368,6 +368,12 @@ variable "istio_auth" { default = "AUTH_MUTUAL_TLS" } +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false +} + variable "database_encryption" { description = "Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: \"ENCRYPTED\"; \"DECRYPTED\". key_name is the name of a CloudKMS key." type = list(object({ state = string, key_name = string })) diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index 3ea5b1945..467e1e316 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md @@ -207,6 +207,7 @@ For simplicity, we suggest using `roles/container.admin` and | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no | | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no | | description | The description of the cluster | string | `""` | no | +| dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no | 
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 26b5f7e89..59b4ac84c 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -118,6 +118,8 @@ module "gke" { cloudrun = var.cloudrun + dns_cache = var.dns_cache + default_max_pods_per_node = var.default_max_pods_per_node database_encryption = var.database_encryption diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 61ad1fce7..b6f62e2d6 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -237,6 +237,12 @@ variable "istio_auth" { default = "AUTH_MUTUAL_TLS" } +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false +} + variable "default_max_pods_per_node" { description = "The maximum number of pods to schedule per node" default = 110 diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index 3ea5b1945..467e1e316 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
@@ -207,6 +207,7 @@ For simplicity, we suggest using `roles/container.admin` and | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no | | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no | | description | The description of the cluster | string | `""` | no | +| dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 21e634ad6..746da10fb 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -118,6 +118,8 @@ module "gke" { cloudrun = var.cloudrun + dns_cache = var.dns_cache + default_max_pods_per_node = var.default_max_pods_per_node database_encryption = var.database_encryption diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 61ad1fce7..b6f62e2d6 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf 
@@ -237,6 +237,12 @@ variable "istio_auth" { default = "AUTH_MUTUAL_TLS" } +variable "dns_cache" { + type = bool + description = "(Beta) The status of the NodeLocal DNSCache addon." + default = false +} + variable "default_max_pods_per_node" { description = "The maximum number of pods to schedule per node" default = 110 diff --git a/test/fixtures/beta_cluster/main.tf b/test/fixtures/beta_cluster/main.tf index 82f65126b..e53572d4c 100644 --- a/test/fixtures/beta_cluster/main.tf +++ b/test/fixtures/beta_cluster/main.tf @@ -54,6 +54,8 @@ module "this" { cloudrun = true + dns_cache = true + enable_binary_authorization = true pod_security_policy_config = [{ diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb index 26de68f7a..9ebcd5b9c 100644 --- a/test/integration/beta_cluster/controls/gcloud.rb +++ b/test/integration/beta_cluster/controls/gcloud.rb @@ -58,6 +58,9 @@ "networkPolicyConfig" => {}, "istioConfig" => {"auth"=>"AUTH_MUTUAL_TLS"}, "cloudRunConfig" => {}, + "dnsCacheConfig" => { + "enabled" => true, + } }) end
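Review bot: The new `"dnsCacheConfig" => { "enabled" => true, }` expectation in test/integration/beta_cluster/controls/gcloud.rb only exercises the `dns_cache = true` path that the test/fixtures/beta_cluster/main.tf hunk on this line sets; nothing checks that the default `false` leaves the addon off, which is the configuration every module and example in this change ships with. A fixture or control on a cluster created with the default would cover the path most users actually hit. The enclosing `describe`/`it` block begins outside the hunk, so I cannot tell whether the `addonsConfig` comparison is an exact match or a subset; if it is exact, any extra field the API later reports under `dnsCacheConfig` will break this control, and a note to that effect next to the new key would save the next person a debugging round.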