Firewall support #470
Firewall support #470
Conversation
Dev25
requested review from
adrienthebo,
Jberlinsky and
morgante
as code owners
Signed-off-by: Dev <Dev25@users.noreply.github.com>
Signed-off-by: Dev <Dev25@users.noreply.github.com>
autogen/main/networks.tf
Outdated
|
|
||
| {{ autogeneration_note }} | ||
|
|
||
| data "google_compute_network" "gke_network" { |
There was a problem hiding this comment.
Note this might raise some issues with networks created inline. Could we make these data sources conditional on the firewall_enabled var?
There was a problem hiding this comment.
Will look into doing that.
There was a problem hiding this comment.
I think the regular count conditional approach should work on datasources too
There was a problem hiding this comment.
I think this is the only thing blocking merge now.
There was a problem hiding this comment.
Should be fixed in 8ffa5e8
Also removed the top level network datasource since it seems unused
There was a problem hiding this comment.
Plus ceef395 to fix attribute errors, not pretty but it works/keeps it all conditional.
Error: Unsupported attribute
on .terraform/modules/blue_gke.gke/main.tf line 75, in locals:
75: cluster_alias_ranges_cidr = { for range in toset(data.google_compute_subnetwork.gke_subnetwork.*.secondary_ip_range) : range.range_name => range.ip_cidr_range }Signed-off-by: Dev <Dev25@users.noreply.github.com>
Signed-off-by: Dev <Dev25@users.noreply.github.com>
Signed-off-by: Dev <Dev25@users.noreply.github.com>
|
@Dev25 This is the error which shows up for that test: |
|
That does seem weird, let me try re running - svpc example seems fine to me |
autogen/main/networks.tf
Outdated
|
|
||
| {{ autogeneration_note }} | ||
|
|
||
| data "google_compute_network" "gke_network" { |
There was a problem hiding this comment.
I think this is the only thing blocking merge now.
Signed-off-by: Dev <Dev25@users.noreply.github.com>
|
btw a old CI job seems to be stuck, you may want to explicitly cancel it: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/runs/605516376
|
|
@Dev25 that succeeded on cloud build, for some reason it didnt report back to GH |
Signed-off-by: Dev <Dev25@users.noreply.github.com>
| @@ -71,6 +71,9 @@ locals { | |||
| // auto upgrade by defaults only for regional cluster as long it has multiple masters versus zonal clusters have only have a single master so upgrades are more dangerous. | |||
| default_auto_upgrade = var.regional ? true : false | |||
|
|
|||
| cluster_subnet_cidr = var.add_cluster_firewall_rules ? data.google_compute_subnetwork.gke_subnetwork[0].ip_cidr_range : null | |||
| cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {} | |||
There was a problem hiding this comment.
I'm getting the following error on terraform plan (also applies to apply, refresh, etc.) thrown by this line:
Error: Iteration over null value
on .terraform/modules/corp-dev-us-east1-c-01.gke/terraform-google-kubernetes-engine-10.0.0/modules/beta-private-cluster-update-variant/main.tf line 72, in locals:
72: cluster_alias_ranges_cidr = var.add_cluster_firewall_rules ? { for range in toset(data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range) : range.range_name => range.ip_cidr_range } : {}
|----------------
| data.google_compute_subnetwork.gke_subnetwork[0].secondary_ip_range is null
A null value cannot be used as the collection in a 'for' expression.
I'm having a hard time troubleshooting this on our end and would appreciate any feedback y'all have on this. cc: @bharathkkb @morgante
There was a problem hiding this comment.
Could you open a new issue w/ your Terraform config?
…s#470) * Squash Commits Signed-off-by: Dev <Dev25@users.noreply.github.com> * Fix example Signed-off-by: Dev <Dev25@users.noreply.github.com> * Rename var + update README Signed-off-by: Dev <Dev25@users.noreply.github.com> * Set to false as default Signed-off-by: Dev <Dev25@users.noreply.github.com> * Enable firewall support in shared_vpc example Signed-off-by: Dev <Dev25@users.noreply.github.com> * Remove network datasource and make subnetwork conditional on firewall Signed-off-by: Dev <Dev25@users.noreply.github.com> * Fix attribute error Signed-off-by: Dev <Dev25@users.noreply.github.com>
Closes #452
Add the 2 firewall rules raised in that issue, which can be opted out using
var.firewall_enabled.Common inbound ports are also white listed by default (8443/9443 and 15017 for istio 1.5) for a better UX (port list controlled by
var.firewall_inbound_ports)Refactoring:
"gke-${var.name}"network tag format into locals, this module already adds that network tag to all node poolsnetworks.tftoautogen/so module variants have access todata.google_compute_subnetwork.gke_subnetworkwhich can be used to determine pod CIDRmake build docker_test_lintTODO: