diff --git a/.github/renovate.json b/.github/renovate.json
index b68ca8fbba..96668148b9 100644
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -7,7 +7,7 @@
 ":rebaseStalePrs"
 ],
 "minimumReleaseAge": "7 days",
- "ignorePaths": [],
+ "ignorePaths": [".github/workflows/lint.yaml", ".github/workflows/stale.yml"],
 "labels": ["dependencies"],
 "vulnerabilityAlerts": {
 "labels": ["type:security"],
@@ -17,11 +17,11 @@
 "packageRules": [
 {
 "matchFileNames": ["examples/**", "test/**", ".github/**"],
- "extends": [":semanticCommitTypeAll(chore)"]
+ "commitMessagePrefix": "chore(deps):"
 },
 {
 "matchFileNames": ["*", "modules/**"],
- "extends": [":semanticCommitTypeAll(fix)"]
+ "commitMessagePrefix": "fix(deps):"
 },
 {
 "matchFileNames": ["*", "modules/**"],
@@ -41,7 +41,7 @@
 "postUpdateOptions": ["gomodTidy"]
 },
 {
- "matchPackageNames": ["google", "google-beta"],
+ "matchDepNames": ["google", "google-beta"],
 "groupName": "Terraform Google Provider"
 }
 ],
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index fedc554dd6..d1ed16a57a 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -31,7 +31,7 @@ jobs:
 name: 'lint'
 runs-on: 'ubuntu-latest'
 steps:
- - uses: 'actions/checkout@v3'
+ - uses: 'actions/checkout@v4'
 - id: variables
 run: |
 MAKEFILE=$(find . -name Makefile -print -quit)
diff --git a/README.md b/README.md
index 9d5175de53..45881e57fa 100644
--- a/README.md
+++ b/README.md
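Review bot: Putting `.github/workflows/lint.yaml` and `.github/workflows/stale.yml` into `ignorePaths` means Renovate will no longer touch the `uses:` references in those two workflows, so the mutable `actions/checkout@v4` tag this same commit introduces in lint.yaml will only move when someone edits it by hand. The reason for the exclusion is not visible here; if it is deliberate (for example, the files are managed from a shared template), it is worth recording it in the config via a top-level `"description": "lint.yaml and stale.yml are excluded because …"` entry, since JSON has no comment syntax. Because nothing will keep those actions current automatically, pinning them to a full-length commit SHA with a trailing `# v4` comment would at least fix their provenance instead of leaving a floating tag.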
@@ -155,6 +155,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
@@ -238,6 +239,7 @@ Then perform the following commands on the root folder:
 | logging\_service | Logging service used |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | master\_version | Current master kubernetes version |
+| mesh\_certificates\_config | Mesh certificates configuration |
 | min\_master\_version | Minimum master kubernetes version |
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 53a6b2f325..6312993cb4 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -519,6 +519,16 @@ resource "google_container_cluster" "primary" {
 }
 {% endif %}
+ {% if autopilot_cluster != true %}
+ dynamic "mesh_certificates" {
+ for_each = local.cluster_mesh_certificates_config
+
+ content {
+ enable_certificates = mesh_certificates.value.enable_certificates
+ }
+ }
+ {% endif %}
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index 80679d4f7a..26c410d5fc 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -219,6 +219,12 @@ locals {
 cluster_workload_identity_config = ! local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
 workload_pool = "${var.project_id}.svc.id.goog"
 }] : [{ workload_pool = var.identity_namespace }]
+ {% if autopilot_cluster != true %}
+ cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
+ enable_certificates = var.enable_mesh_certificates
+ }] : []
+ {% endif %}
+
 {% if beta_cluster %}
 # BETA features
 cluster_istio_enabled = ! local.cluster_output_istio_disabled
diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl
index d22e8bd087..832054f9cc 100644
--- a/autogen/main/outputs.tf.tmpl
+++ b/autogen/main/outputs.tf.tmpl
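Review bot: In the `autogen/main/main.tf.tmpl` hunk, `cluster_mesh_certificates_config` collapses to `[]` whenever `local.workload_identity_enabled` is false, so a caller who sets `enable_mesh_certificates = true` on a cluster without Workload Identity gets no workload mTLS certificates and no error; the variable description says "Requires Workload Identity" but nothing enforces it. For a security control a failed plan is better than a silent no-op, so a `precondition` on `google_container_cluster.primary` in cluster.tf.tmpl (Terraform 1.2+; merged into the resource's existing `lifecycle` block if it already has one, since only one is allowed) would surface the mismatch at plan time. `local.workload_identity_enabled` is defined outside this hunk, so the exact condition may need adjusting to however that local is derived, and the `locals` block itself continues beyond the hunk.
```hcl
  # … unchanged: other cluster arguments …
  lifecycle {
    precondition {
      condition     = !var.enable_mesh_certificates || local.workload_identity_enabled
      error_message = "enable_mesh_certificates requires Workload Identity (identity_namespace must not be \"null\")."
    }
  }
```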
@@ -170,6 +170,17 @@ output "identity_namespace" {
 google_container_cluster.primary
 ]
 }
+
+{% if autopilot_cluster != true %}
+output "mesh_certificates_config" {
+ description = "Mesh certificates configuration"
+ value = local.cluster_mesh_certificates_config
+ depends_on = [
+ google_container_cluster.primary
+ ]
+}
+{% endif %}
+
 {% if private_cluster %}
 output "master_ipv4_cidr_block" {
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index a2effe8e07..2525d07242 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -466,6 +466,14 @@ variable "identity_namespace" {
 default = "enabled"
 }
+{% if autopilot_cluster != true %}
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+{% endif %}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
@@ -763,7 +771,6 @@ variable "enable_pod_security_policy" {
 default = false
 }
-
 variable "enable_l4_ilb_subsetting" {
 type = bool
 description = "Enable L4 ILB Subsetting on the cluster"
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 7459598fb6..e369762543 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -185,6 +185,9 @@ module "gke" {
 // We enable Workload Identity by default.
 identity_namespace = "${var.project_id}.svc.id.goog"
+ // Enabling mesh certificates requires Workload Identity
+ enable_mesh_certificates = var.enable_mesh_certificates
+
 authenticator_security_group = var.authenticator_security_group
 enable_shielded_nodes = var.enable_shielded_nodes
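Review bot: The new `mesh_certificates_config` output in `autogen/main/outputs.tf.tmpl` returns the input-derived local, so it is known at plan time and reports what the module asked for, not what GKE applied; the `depends_on` only delays when it is evaluated. If consumers are expected to use it as evidence that the Workload Identity Certificates controller is really on (a policy check, for instance), reading it back from the resource, `value = google_container_cluster.primary.mesh_certificates`, would reflect cluster state, assuming the provider exposes the block as a readable attribute. If echoing the configuration is the intent, say so in the description, e.g. `description = "Mesh certificates configuration passed to the cluster (empty when Workload Identity is disabled)"`, so the `[]` case is not mistaken for "feature disabled".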
diff --git a/autogen/safer-cluster/outputs.tf.tmpl b/autogen/safer-cluster/outputs.tf.tmpl
index e84d0aad38..5c1f5539e2 100644
--- a/autogen/safer-cluster/outputs.tf.tmpl
+++ b/autogen/safer-cluster/outputs.tf.tmpl
@@ -122,3 +122,8 @@ output "peering_name" {
 description = "The name of the peering between this cluster and the Google owned VPC."
 value = module.gke.peering_name
 }
+
+output "enable_mesh_certificates" {
+ description = "Mesh certificate configuration value"
+ value = var.enable_mesh_certificates
+}
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 22b17ea68f..caf0f537ee 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -484,3 +484,9 @@ variable "timeouts" {
 error_message = "Only create, update, delete timeouts can be specified."
 }
 }
+
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
diff --git a/cluster.tf b/cluster.tf
index 896d4348b5..5767bce6db 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -361,6 +361,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "mesh_certificates" {
+ for_each = local.cluster_mesh_certificates_config
+
+ content {
+ enable_certificates = mesh_certificates.value.enable_certificates
+ }
+ }
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/main.tf b/main.tf
index e307ff82a4..2cf4877992 100644
--- a/main.tf
+++ b/main.tf
@@ -162,6 +162,10 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
 workload_pool = "${var.project_id}.svc.id.goog"
 }] : [{ workload_pool = var.identity_namespace }]
+ cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
+ enable_certificates = var.enable_mesh_certificates
+ }] : []
+
 cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : []
 cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1]
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 5d836127bc..5e79c23dac 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -228,6 +228,7 @@ resource "google_container_cluster" "primary" {
 }
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf
index 8a17e29466..dd7466ff31 100644
--- a/modules/beta-autopilot-private-cluster/main.tf
+++ b/modules/beta-autopilot-private-cluster/main.tf
@@ -121,6 +121,7 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
 workload_pool = "${var.project_id}.svc.id.goog"
 }] : [{ workload_pool = var.identity_namespace }]
+
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
 cluster_dns_cache_enabled = var.dns_cache
diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf
index a56e4b4faf..0d955524ae 100644
--- a/modules/beta-autopilot-private-cluster/outputs.tf
+++ b/modules/beta-autopilot-private-cluster/outputs.tf
@@ -142,6 +142,8 @@ output "identity_namespace" {
 ]
 }
+
+
 output "master_ipv4_cidr_block" {
 description = "The IP range in CIDR notation used for the hosted master network"
 value = var.master_ipv4_cidr_block
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index a9bd584314..86483f30d9 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -299,6 +299,7 @@ variable "identity_namespace" {
 default = "enabled"
 }
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 75e6e67f31..4c9569106a 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -209,6 +209,7 @@ resource "google_container_cluster" "primary" {
 }
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf
index 1c0deb7aa0..874bbb76f9 100644
--- a/modules/beta-autopilot-public-cluster/main.tf
+++ b/modules/beta-autopilot-public-cluster/main.tf
@@ -120,6 +120,7 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
 workload_pool = "${var.project_id}.svc.id.goog"
 }] : [{ workload_pool = var.identity_namespace }]
+
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
 cluster_dns_cache_enabled = var.dns_cache
diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf
index 533f818844..e33c8aafa6 100644
--- a/modules/beta-autopilot-public-cluster/outputs.tf
+++ b/modules/beta-autopilot-public-cluster/outputs.tf
@@ -142,6 +142,8 @@ output "identity_namespace" {
 ]
 }
+
+
 output "cloudrun_enabled" {
 description = "Whether CloudRun enabled"
 value = false
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index e244b73728..c8776f6853 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -269,6 +269,7 @@ variable "identity_namespace" {
 default = "enabled"
 }
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index ecae89b5e6..e9aed6200b 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -195,6 +195,7 @@ Then perform the following commands on the root folder:
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
@@ -296,6 +297,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network |
 | master\_version | Current master kubernetes version |
+| mesh\_certificates\_config | Mesh certificates configuration |
 | min\_master\_version | Minimum master kubernetes version |
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 1658899e4e..0234c223f2 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -445,6 +445,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "mesh_certificates" {
+ for_each = local.cluster_mesh_certificates_config
+
+ content {
+ enable_certificates = mesh_certificates.value.enable_certificates
+ }
+ }
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index 6f0139cfb2..931844d9a5 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -181,6 +181,10 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
 workload_pool = "${var.project_id}.svc.id.goog"
 }] : [{ workload_pool = var.identity_namespace }]
+ cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
+ enable_certificates = var.enable_mesh_certificates
+ }] : []
+
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
 cluster_dns_cache_enabled = var.dns_cache
diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf
index abdf16f900..72aee4055d 100644
--- a/modules/beta-private-cluster-update-variant/outputs.tf
+++ b/modules/beta-private-cluster-update-variant/outputs.tf
@@ -161,6 +161,15 @@ output "identity_namespace" {
 ]
 }
+output "mesh_certificates_config" {
+ description = "Mesh certificates configuration"
+ value = local.cluster_mesh_certificates_config
+ depends_on = [
+ google_container_cluster.primary
+ ]
+}
+
+
 output "master_ipv4_cidr_block" {
 description = "The IP range in CIDR notation used for the hosted master network"
 value = var.master_ipv4_cidr_block
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 5daeb3daad..119f9a5c09 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -439,6 +439,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
@@ -722,7 +728,6 @@ variable "enable_pod_security_policy" {
 default = false
 }
-
 variable "enable_l4_ilb_subsetting" {
 type = bool
 description = "Enable L4 ILB Subsetting on the cluster"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 8634863c39..f47073beca 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
@@ -274,6 +275,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network |
 | master\_version | Current master kubernetes version |
+| mesh\_certificates\_config | Mesh certificates configuration |
 | min\_master\_version | Minimum master kubernetes version |
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 3a0ee4a1a5..02c6f3fca3 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -445,6 +445,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "mesh_certificates" {
+ for_each = local.cluster_mesh_certificates_config
+
+ content {
+ enable_certificates = mesh_certificates.value.enable_certificates
+ }
+ }
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index 6f0139cfb2..931844d9a5 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -181,6 +181,10 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
 workload_pool = "${var.project_id}.svc.id.goog"
 }] : [{ workload_pool = var.identity_namespace }]
+ cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
+ enable_certificates = var.enable_mesh_certificates
+ }] : []
+
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
 cluster_dns_cache_enabled = var.dns_cache
diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf
index abdf16f900..72aee4055d 100644
--- a/modules/beta-private-cluster/outputs.tf
+++ b/modules/beta-private-cluster/outputs.tf
@@ -161,6 +161,15 @@ output "identity_namespace" {
 ]
 }
+output "mesh_certificates_config" {
+ description = "Mesh certificates configuration"
+ value = local.cluster_mesh_certificates_config
+ depends_on = [
+ google_container_cluster.primary
+ ]
+}
+
+
 output "master_ipv4_cidr_block" {
 description = "The IP range in CIDR notation used for the hosted master network"
 value = var.master_ipv4_cidr_block
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 5daeb3daad..119f9a5c09 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -439,6 +439,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
@@ -722,7 +728,6 @@ variable "enable_pod_security_policy" {
 default = false
 }
-
 variable "enable_l4_ilb_subsetting" {
 type = bool
 description = "Enable L4 ILB Subsetting on the cluster"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 8a67039799..2ea2d6489d 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -188,6 +188,7 @@ Then perform the following commands on the root folder:
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
@@ -284,6 +285,7 @@ Then perform the following commands on the root folder:
 | logging\_service | Logging service used |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | master\_version | Current master kubernetes version |
+| mesh\_certificates\_config | Mesh certificates configuration |
 | min\_master\_version | Minimum master kubernetes version |
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index be7bd9105d..43b03300df 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -426,6 +426,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "mesh_certificates" {
+ for_each = local.cluster_mesh_certificates_config
+
+ content {
+ enable_certificates = mesh_certificates.value.enable_certificates
+ }
+ }
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf
index febe765811..c6327ea6f5 100644
--- a/modules/beta-public-cluster-update-variant/main.tf
+++ b/modules/beta-public-cluster-update-variant/main.tf
@@ -180,6 +180,10 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
 workload_pool = "${var.project_id}.svc.id.goog"
 }] : [{ workload_pool = var.identity_namespace }]
+ cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
+ enable_certificates = var.enable_mesh_certificates
+ }] : []
+
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
 cluster_dns_cache_enabled = var.dns_cache
diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf
index ed73acae2e..bb7cdcc72c 100644
--- a/modules/beta-public-cluster-update-variant/outputs.tf
+++ b/modules/beta-public-cluster-update-variant/outputs.tf
@@ -161,6 +161,15 @@ output "identity_namespace" {
 ]
 }
+output "mesh_certificates_config" {
+ description = "Mesh certificates configuration"
+ value = local.cluster_mesh_certificates_config
+ depends_on = [
+ google_container_cluster.primary
+ ]
+}
+
+
 output "cloudrun_enabled" {
 description = "Whether CloudRun enabled"
 value = local.cluster_cloudrun_enabled
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 2b900e4f93..05bab8df6b 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -409,6 +409,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
@@ -692,7 +698,6 @@ variable "enable_pod_security_policy" {
 default = false
 }
-
 variable "enable_l4_ilb_subsetting" {
 type = bool
 description = "Enable L4 ILB Subsetting on the cluster"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index f37c823000..eee0349812 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -166,6 +166,7 @@ Then perform the following commands on the root folder:
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
@@ -262,6 +263,7 @@ Then perform the following commands on the root folder:
 | logging\_service | Logging service used |
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | master\_version | Current master kubernetes version |
+| mesh\_certificates\_config | Mesh certificates configuration |
 | min\_master\_version | Minimum master kubernetes version |
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 5065f855b4..1183a20d12 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -426,6 +426,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "mesh_certificates" {
+ for_each = local.cluster_mesh_certificates_config
+
+ content {
+ enable_certificates = mesh_certificates.value.enable_certificates
+ }
+ }
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index febe765811..c6327ea6f5 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -180,6 +180,10 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{
 workload_pool = "${var.project_id}.svc.id.goog"
 }] : [{ workload_pool = var.identity_namespace }]
+ cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
+ enable_certificates = var.enable_mesh_certificates
+ }] : []
+
 # BETA features
 cluster_istio_enabled = !local.cluster_output_istio_disabled
 cluster_dns_cache_enabled = var.dns_cache
diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf
index ed73acae2e..bb7cdcc72c 100644
--- a/modules/beta-public-cluster/outputs.tf
+++ b/modules/beta-public-cluster/outputs.tf
@@ -161,6 +161,15 @@ output "identity_namespace" {
 ]
 }
+output "mesh_certificates_config" {
+ description = "Mesh certificates configuration"
+ value = local.cluster_mesh_certificates_config
+ depends_on = [
+ google_container_cluster.primary
+ ]
+}
+
+
 output "cloudrun_enabled" {
 description = "Whether CloudRun enabled"
 value = local.cluster_cloudrun_enabled
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 2b900e4f93..05bab8df6b 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -409,6 +409,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
@@ -692,7 +698,6 @@ variable "enable_pod_security_policy" {
 default = false
 }
-
 variable "enable_l4_ilb_subsetting" {
 type = bool
 description = "Enable L4 ILB Subsetting on the cluster"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 7c5705d642..0eea714f74 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
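Review bot: The new `mesh_certificates_config` output in outputs.tf returns `local.cluster_mesh_certificates_config`, i.e. the configuration the module asked for, not what the cluster actually has; a consumer that wires this into a policy check ("is workload mTLS issuance on?") reads intent rather than state, and the `depends_on` only delays the output, it does not make it reflect the resource. Since `mesh_certificates` is declared as a block on `google_container_cluster.primary` in this same change, it should be readable back from the resource (I have not verified the provider exports it as an attribute list): `value = google_container_cluster.primary.mesh_certificates`, which also makes the explicit `depends_on` unnecessary. Separately, the variable description in the variables.tf hunk says "Requires Workload Identity" but the module's locals silently omit the block when it is off; I would say so: `description = "... Requires Workload Identity; when Workload Identity is disabled this setting is ignored and no mesh_certificates block is configured."`.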
@@ -184,6 +184,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
@@ -272,6 +273,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network |
 | master\_version | Current master kubernetes version |
+| mesh\_certificates\_config | Mesh certificates configuration |
 | min\_master\_version | Minimum master kubernetes version |
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 2a8340f247..a6bcda84ee 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -380,6 +380,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "mesh_certificates" {
+ for_each = local.cluster_mesh_certificates_config
+
+ content {
+ enable_certificates = mesh_certificates.value.enable_certificates
+ }
+ }
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf
index 6d4b06f7de..54d054edc0 100644
--- a/modules/private-cluster-update-variant/main.tf
+++ b/modules/private-cluster-update-variant/main.tf
@@ -163,6 +163,10 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }]
+ cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
+ enable_certificates = var.enable_mesh_certificates
+ }] : []
+
 cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : []
 cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1]
diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf
index 28350e722b..722e3b8fd1 100644
--- a/modules/private-cluster-update-variant/outputs.tf
+++ b/modules/private-cluster-update-variant/outputs.tf
@@ -161,6 +161,15 @@ output "identity_namespace" {
 ]
 }
+output "mesh_certificates_config" {
+ description = "Mesh certificates configuration"
+ value = local.cluster_mesh_certificates_config
+ depends_on = [
+ google_container_cluster.primary
+ ]
+}
+
+
 output "master_ipv4_cidr_block" {
 description = "The IP range in CIDR notation used for the hosted master network"
 value = var.master_ipv4_cidr_block
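Review bot: The main.tf hunk here has the same gap as beta-public-cluster: `cluster_mesh_certificates_config` is `[]` when `local.workload_identity_enabled` is false, so `enable_mesh_certificates = true` without Workload Identity is dropped without any error rather than rejected, and the operator believes workload mTLS certificates are being issued when they are not. The identical local, dynamic block and output appear in three modules in this change (beta-public-cluster, private-cluster-update-variant, private-cluster), which suggests they are generated from a shared template; if so, the fix belongs there so every variant picks it up. The minimal enforcement is a `precondition` in the resource's `lifecycle` block with `condition = !var.enable_mesh_certificates || local.workload_identity_enabled` and an `error_message` naming `identity_namespace`; the `locals` and `resource` blocks both extend beyond these hunks.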
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index ca215e3093..22e808f617 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -431,6 +431,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index e27be624b1..edbe5304d0 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -162,6 +162,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
@@ -250,6 +251,7 @@ Then perform the following commands on the root folder:
 | master\_authorized\_networks\_config | Networks from which access to master is permitted |
 | master\_ipv4\_cidr\_block | The IP range in CIDR notation used for the hosted master network |
 | master\_version | Current master kubernetes version |
+| mesh\_certificates\_config | Mesh certificates configuration |
 | min\_master\_version | Minimum master kubernetes version |
 | monitoring\_service | Monitoring service used |
 | name | Cluster name |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 172d8bb205..9b3b5217ef 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -380,6 +380,14 @@ resource "google_container_cluster" "primary" {
 }
 }
+ dynamic "mesh_certificates" {
+ for_each = local.cluster_mesh_certificates_config
+
+ content {
+ enable_certificates = mesh_certificates.value.enable_certificates
+ }
+ }
+
 dynamic "authenticator_groups_config" {
 for_each = local.cluster_authenticator_security_group
 content {
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index 6d4b06f7de..54d054edc0 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -163,6 +163,10 @@ locals {
 cluster_workload_identity_config = !local.workload_identity_enabled ? [] : var.identity_namespace == "enabled" ? [{ workload_pool = "${var.project_id}.svc.id.goog" }] : [{ workload_pool = var.identity_namespace }]
+ cluster_mesh_certificates_config = local.workload_identity_enabled ? [{
+ enable_certificates = var.enable_mesh_certificates
+ }] : []
+
 cluster_maintenance_window_is_recurring = var.maintenance_recurrence != "" && var.maintenance_end_time != "" ? [1] : []
 cluster_maintenance_window_is_daily = length(local.cluster_maintenance_window_is_recurring) > 0 ? [] : [1]
diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf
index 28350e722b..722e3b8fd1 100644
--- a/modules/private-cluster/outputs.tf
+++ b/modules/private-cluster/outputs.tf
@@ -161,6 +161,15 @@ output "identity_namespace" {
 ]
 }
+output "mesh_certificates_config" {
+ description = "Mesh certificates configuration"
+ value = local.cluster_mesh_certificates_config
+ depends_on = [
+ google_container_cluster.primary
+ ]
+}
+
+
 output "master_ipv4_cidr_block" {
 description = "The IP range in CIDR notation used for the hosted master network"
 value = var.master_ipv4_cidr_block
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index ca215e3093..22e808f617 100644
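Review bot: The `cluster_mesh_certificates_config` local in the main.tf hunk has no comment explaining why it is gated on `local.workload_identity_enabled`, and the gating is the one non-obvious thing about it: a true `enable_mesh_certificates` is silently turned into "no block" when Workload Identity is off. Until that is enforced with a precondition, the local should at least say what it does so the next reader does not assume the flag is always honoured, e.g. `# Workload mTLS certificates can only be issued under Workload Identity; without it the block is omitted and var.enable_mesh_certificates has no effect.` placed above the local. The `locals` block continues outside the hunk.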
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -431,6 +431,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index eb7efac8d1..f9b515f890 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -219,6 +219,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
@@ -278,6 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and
 |------|-------------|
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cluster\_id | Cluster ID |
+| enable\_mesh\_certificates | Mesh certificate configuration value |
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index 9bd0429ca2..b0017462b4 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -181,6 +181,9 @@ module "gke" {
 // We enable Workload Identity by default.
 identity_namespace = "${var.project_id}.svc.id.goog"
+ // Enabling mesh certificates requires Workload Identity
+ enable_mesh_certificates = var.enable_mesh_certificates
+
 authenticator_security_group = var.authenticator_security_group
 enable_shielded_nodes = var.enable_shielded_nodes
diff --git a/modules/safer-cluster-update-variant/outputs.tf b/modules/safer-cluster-update-variant/outputs.tf
index 5be616ff66..8928f321ab 100644
--- a/modules/safer-cluster-update-variant/outputs.tf
+++ b/modules/safer-cluster-update-variant/outputs.tf
@@ -122,3 +122,8 @@ output "peering_name" {
 description = "The name of the peering between this cluster and the Google owned VPC."
 value = module.gke.peering_name
 }
+
+output "enable_mesh_certificates" {
+ description = "Mesh certificate configuration value"
+ value = var.enable_mesh_certificates
+}
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 6b6405d019..d9b47d90e8 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -484,3 +484,9 @@ variable "timeouts" {
 error_message = "Only create, update, delete timeouts can be specified."
 }
 }
+
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index eb7efac8d1..f9b515f890 100644
--- a/modules/safer-cluster/README.md
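Review bot: The new `enable_mesh_certificates` output in outputs.tf just echoes `var.enable_mesh_certificates`, so it tells a caller nothing they did not pass in and, unlike the other outputs in this file that read `module.gke.*`, it does not reflect what the wrapped module configured. The inner modules gain a `mesh_certificates_config` output in this same change, so the wrapper should surface that instead: `value = module.gke.mesh_certificates_config` with `description = "Mesh certificates configuration applied to the cluster"` (assuming `module.gke` is one of the submodules touched here, which I cannot see from the hunk). Minor style point: in variables.tf the variable is appended after `timeouts` while every other module in this change places it next to `identity_namespace`, which is where a reader looking for the Workload Identity dependency will search.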
+++ b/modules/safer-cluster/README.md
@@ -219,6 +219,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
+| enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | `bool` | `true` | no |
@@ -278,6 +279,7 @@ For simplicity, we suggest using `roles/container.admin` and
 |------|-------------|
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cluster\_id | Cluster ID |
+| enable\_mesh\_certificates | Mesh certificate configuration value |
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index b87a2f1d8c..2732ea26c2 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -181,6 +181,9 @@ module "gke" {
 // We enable Workload Identity by default.
 identity_namespace = "${var.project_id}.svc.id.goog"
+ // Enabling mesh certificates requires Workload Identity
+ enable_mesh_certificates = var.enable_mesh_certificates
+
 authenticator_security_group = var.authenticator_security_group
 enable_shielded_nodes = var.enable_shielded_nodes
diff --git a/modules/safer-cluster/outputs.tf b/modules/safer-cluster/outputs.tf
index 5be616ff66..8928f321ab 100644
--- a/modules/safer-cluster/outputs.tf
+++ b/modules/safer-cluster/outputs.tf
@@ -122,3 +122,8 @@ output "peering_name" {
 description = "The name of the peering between this cluster and the Google owned VPC."
 value = module.gke.peering_name
 }
+
+output "enable_mesh_certificates" {
+ description = "Mesh certificate configuration value"
+ value = var.enable_mesh_certificates
+}
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 6b6405d019..d9b47d90e8 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -484,3 +484,9 @@ variable "timeouts" {
 error_message = "Only create, update, delete timeouts can be specified."
 }
 }
+
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
diff --git a/outputs.tf b/outputs.tf
index ca55e48b8e..04bbc957fe 100644
--- a/outputs.tf
+++ b/outputs.tf
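Review bot: Same remark as for safer-cluster-update-variant: the `enable_mesh_certificates` output in outputs.tf returns `var.enable_mesh_certificates` rather than anything read back from `module.gke`, so it is a round-trip of the input and its name and description ("Mesh certificate configuration value") overstate what it reports. Prefer `value = module.gke.mesh_certificates_config`, which the wrapped module now exposes in this change, or drop the output. The `// Enabling mesh certificates requires Workload Identity` comment in main.tf is accurate here because the wrapper hard-codes `identity_namespace`, which is the one place in this change where the requirement actually holds by construction.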
@@ -160,3 +160,12 @@ output "identity_namespace" {
 google_container_cluster.primary
 ]
 }
+
+output "mesh_certificates_config" {
+ description = "Mesh certificates configuration"
+ value = local.cluster_mesh_certificates_config
+ depends_on = [
+ google_container_cluster.primary
+ ]
+}
+
diff --git a/test/integration/beta_cluster/beta_cluster_test.go b/test/integration/beta_cluster/beta_cluster_test.go
index 5e662a0210..8032a50958 100755
--- a/test/integration/beta_cluster/beta_cluster_test.go
+++ b/test/integration/beta_cluster/beta_cluster_test.go
@@ -36,7 +36,6 @@ func TestBetaCluster(t *testing.T) {
 location := gke.GetStringOutput("location")
 clusterName := gke.GetStringOutput("cluster_name")
 serviceAccount := gke.GetStringOutput("service_account")
- // gcloud.Runf(t, "config set project %s", projectId)
 op := gcloud.Runf(t, "beta container clusters describe %s --zone %s --project %s", clusterName, location, projectId)
 // save output as goldenfile
 g := golden.NewOrUpdate(t, op.String(),
@@ -44,7 +43,6 @@ func TestBetaCluster(t *testing.T) {
 golden.WithSanitizer(golden.StringSanitizer(projectId, "PROJECT_ID")),
 golden.WithSanitizer(golden.StringSanitizer(clusterName, "CLUSTER_NAME")),
 )
-
 // assert json paths against goldenfile
 validateJSONPaths := []string{
 "status",
diff --git a/test/integration/safer_cluster/safer_cluster_test.go b/test/integration/safer_cluster/safer_cluster_test.go
index 79b482ff13..f440bc8c0e 100644
--- a/test/integration/safer_cluster/safer_cluster_test.go
+++ b/test/integration/safer_cluster/safer_cluster_test.go
@@ -52,6 +52,7 @@ func TestSaferCluster(t *testing.T) {
 "networkConfig.datapathProvider",
 "binaryAuthorization.evaluationMode",
 "legacyAbac",
+ "meshCertificates.enableCertificates",
 "nodePools.autoscaling",
 "nodePools.config.machineType",
 "nodePools.config.diskSizeGb",
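Review bot: The `"meshCertificates.enableCertificates"` path added to `validateJSONPaths` in safer_cluster_test.go is only ever compared against the golden value `false` (the TestSaferCluster.json update in this same change), so the test pins the default and never exercises the `dynamic "mesh_certificates"` block that this change introduces; a regression that dropped the block entirely would still pass, since GKE reports `false` either way. The safer-cluster fixture always enables Workload Identity, so it is the natural place to set `enable_mesh_certificates = true` in the example and regenerate the golden file, or alternatively add the enabled case to the beta_cluster fixture. The body of `TestSaferCluster` starts and ends outside the hunk, and the beta_cluster_test.go hunks are pure deletions of commented-out code.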
diff --git a/test/integration/safer_cluster/testdata/TestSaferCluster.json b/test/integration/safer_cluster/testdata/TestSaferCluster.json
index 793eaf9a5f..0af5138e80 100755
--- a/test/integration/safer_cluster/testdata/TestSaferCluster.json
+++ b/test/integration/safer_cluster/testdata/TestSaferCluster.json
@@ -90,6 +90,9 @@
 ],
 "enabled": true
 },
+ "meshCertificates": {
+ "enableCertificates": false
+ },
 "monitoringConfig": {
 "componentConfig": {
 "enableComponents": [
diff --git a/variables.tf b/variables.tf
index f1be61ecbe..69911eb955 100644
--- a/variables.tf
+++ b/variables.tf
@@ -401,6 +401,12 @@ variable "identity_namespace" {
 default = "enabled"
 }
+variable "enable_mesh_certificates" {
+ type = bool
+ default = false
+ description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
+}
+
 variable "release_channel" {
 type = string
 description = "The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
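Review bot: The description of the root `enable_mesh_certificates` variable says "Requires Workload Identity" without saying what happens when that requirement is not met, and in the submodule locals in this change the answer is that the setting is discarded (the `mesh_certificates` block is omitted) with no error; the root main.tf is not in view, but if it follows the same pattern the variable is silently a no-op for clusters with `identity_namespace = null`. Operators enabling this for mTLS deserve to know it is not a hard guarantee, so I would extend the description: `description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity; when Workload Identity is disabled this setting is ignored and no mesh_certificates block is configured."`. The same wording should be applied to the copies of this variable in the submodules and regenerated READMEs so they stay consistent.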