GKE Dataplane v2 provisioning support

[brancz]

I apologize in advance if this is the wrong place or if this already exits (I may just not be able to find how to do it if so I would appreciate a link to the docs).

Google recently announced Cilium support in the form of the "dataplane-v2" feature, it would be great if it was possible to provision a cluster with this feature enabled.

I've never worked with terraform modules but with some hints, I would be happy to add this functionality if it doesn't already exist! :)

[bharathkkb]

Hi @brancz
Looks like the provider has not yet exposed this, so I have gone ahead and opened an issue there to confirm. Once this is added to the resource, we can add this to the module.

[bharathkkb]

Hi @brancz
Thanks for adding it in the provider. When it is released, we can add it to our beta modules. An example PR would be #497

[keskiju]

Looks like the datapath_provider was released in terraform-provider-google-beta v3.41.0.

Sidenote: Currently network_policy_provider default value is CALICO for the kubernetes-engine module. Shouldn't it be UNSPECIFIED so that the network_policy_provider is selected automatically based on the datapath_provider value?

[ryan-atkins]

First Issue! Took a stab at it but still not quite sure best path forward on making network_policy_provider working nicely together.

[tferi]

Since there's no documentation about this feature, I'll leave this here for others googling the topic.
Enabling Dataplane v2 in the terraform provider's current state requires setting the following:

google_container_cluster {
  ...
  network_policy {
    # Enabling NetworkPolicy for clusters with DatapathProvider=ADVANCED_DATAPATH is not allowed (yields error)
    enabled  = var.enable_dataplane_v2 ? false : true
    # CALICO provider overrides datapath_provider setting, leaving Dataplane v2 disabled
    provider = var.enable_dataplane_v2 ? "PROVIDER_UNSPECIFIED" : "CALICO"
  }
  # This is where Dataplane V2 is enabled.
  datapath_provider = var.enable_dataplane_v2 ? "ADVANCED_DATAPATH" : "DATAPATH_PROVIDER_UNSPECIFIED"
}

[brettcurtis]

Has anyone tried to update an existing cluster with this? I'm not using this module but a similar one and wouldn't expect to see this. If it's a bug in the provider, others are probably seeing it here as well?

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.kubernetes_engine.google_container_cluster.this will be updated in-place
  ~ resource "google_container_cluster" "this" ***
      + datapath_provider           = "ADVANCED_DATAPATH"
        id                          = "projects/my-project-tf1ed0cd-sb/locations/us-east1/clusters/development-tools-us-east1"
        name                        = "development-tools-us-east1"
        # (27 unchanged attributes hidden)

        # (22 unchanged blocks hidden)
    ***

Apply runs successfully but cluster isn't changed. I expect a destroy / recreate.

[kevholmes]

@brettcurtis I see the same behavior when modifying an existing cluster.

[brettcurtis]

@brettcurtis I see the same behavior when modifying an existing cluster.

Thanks for confirming, I'll open a bug in the provider and see where it goes, I'll reference this thread.