From 3fcef77de2cb73d753b64ac3f3adc855607dedf1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mateusz=20J=C4=99drzejewski?= <33068017+matilote@users.noreply.github.com> Date: Tue, 4 Jul 2023 19:08:56 +0200 Subject: [PATCH 01/17] Update cluster.tf --- modules/beta-public-cluster/cluster.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index ed021f26be..2d829b9db1 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -571,6 +571,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -796,6 +803,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", From ba93f6375dfc5289458a8c01974a34aff672f77a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mateusz=20J=C4=99drzejewski?= Date: Fri, 7 Jul 2023 14:16:48 +0200 Subject: [PATCH 02/17] add local nvme block in autogen templates instead --- autogen/main/README.md | 1 + autogen/main/cluster.tf.tmpl | 7 +++++++ modules/beta-public-cluster/cluster.tf | 14 -------------- 3 files changed, 8 insertions(+), 14 deletions(-) diff --git a/autogen/main/README.md b/autogen/main/README.md index 0b76b30307..f739a1f183 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -207,6 +207,7 @@ The node_pools variable takes the following parameters: | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | {% if beta_cluster %} | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | {% endif %} | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 58ab5a57cb..f69e804770 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -786,6 +786,13 @@ resource "google_container_node_pool" "windows_pools" { local_ssd_count = ephemeral_storage_config.value } } + + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } {% endif %} service_account = lookup( diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 2d829b9db1..ed021f26be 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -571,13 +571,6 @@ resource "google_container_node_pool" "pools" { } } - dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] - content { - local_ssd_count = local_nvme_ssd_block_config.value - } - } - service_account = lookup( each.value, "service_account", @@ -803,13 +796,6 @@ resource "google_container_node_pool" "windows_pools" { } } - dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] - content { - local_ssd_count = local_nvme_ssd_block_config.value - } - } - service_account = lookup( each.value, "service_account", From 9896a4c5aa31330a2e546d8231d2151186ab9e53 Mon Sep 17 00:00:00 2001 From: matilote Date: Tue, 12 Dec 2023 18:04:55 +0000 Subject: [PATCH 03/17] update modules with make build --- modules/acm/README.md | 2 +- .../beta-private-cluster-update-variant/README.md | 1 + .../beta-private-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 14 ++++++++++++++ .../beta-public-cluster-update-variant/README.md | 1 + .../beta-public-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 14 ++++++++++++++ 9 files changed, 61 insertions(+), 1 deletion(-) diff --git a/modules/acm/README.md b/modules/acm/README.md index ec56c25c7e..8fb4ca68fe 100644 --- a/modules/acm/README.md +++ b/modules/acm/README.md @@ -91,7 +91,7 @@ data "google_client_config" "default" {} | install\_template\_library | Whether to install the default Policy Controller template library | `bool` | `true` | no | | location | GCP location used to reach cluster. | `string` | n/a | yes | | metrics\_gcp\_sa\_name | The name of the Google service account for ACM metrics writing | `string` | `"acm-metrics-writer"` | no | -| policy\_bundles | A list of Policy Controller policy bundles git urls (example: ) to install on the cluster. | `list(string)` | `[]` | no | +| policy\_bundles | A list of Policy Controller policy bundles git urls (example: https://github.com/GoogleCloudPlatform/acm-policy-controller-library.git/bundles/policy-essentials-v2022) to install on the cluster. | `list(string)` | `[]` | no | | policy\_dir | Subfolder containing configs in ACM Git repo. If un-set, uses Config Management default. | `string` | `""` | no | | project\_id | GCP project\_id used to reach cluster. | `string` | n/a | yes | | secret\_type | git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | `string` | `"ssh"` | no | diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index c782d85e1e..09b33d1308 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -339,6 +339,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 519c54d8f2..c747ad311a 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -684,6 +684,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -910,6 +917,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f707b3f289..b5aee00475 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -317,6 +317,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index b53205c4d8..a90ff5a292 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -590,6 +590,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -815,6 +822,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 233b62570d..7509dff766 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -326,6 +326,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index c086223b59..6d3587182a 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -665,6 +665,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -891,6 +898,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index be5efc9a01..6dc34fecb7 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -304,6 +304,7 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index ed021f26be..2d829b9db1 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -571,6 +571,13 @@ resource "google_container_node_pool" "pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -796,6 +803,13 @@ resource "google_container_node_pool" "windows_pools" { } } + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", From 0c0382c1023d9aeab8ad5cfe46f5d3b40bc57dbc Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Mon, 26 Feb 2024 10:19:25 -0800 Subject: [PATCH 04/17] feat: add direct fleet registration option (#1878) --- README.md | 2 ++ autogen/main/cluster.tf.tmpl | 7 +++++++ autogen/main/main.tf.tmpl | 2 ++ autogen/main/outputs.tf.tmpl | 5 +++++ autogen/main/variables.tf.tmpl | 6 ++++++ cluster.tf | 7 +++++++ examples/simple_regional/main.tf | 1 + examples/simple_zonal_with_hub/README.md | 1 + examples/simple_zonal_with_hub/outputs.tf | 5 +++++ main.tf | 2 ++ modules/beta-autopilot-private-cluster/README.md | 2 ++ modules/beta-autopilot-private-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-private-cluster/main.tf | 2 ++ modules/beta-autopilot-private-cluster/outputs.tf | 5 +++++ modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-public-cluster/README.md | 2 ++ modules/beta-autopilot-public-cluster/cluster.tf | 7 +++++++ modules/beta-autopilot-public-cluster/main.tf | 2 ++ modules/beta-autopilot-public-cluster/outputs.tf | 5 +++++ modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++ modules/beta-private-cluster-update-variant/README.md | 2 ++ modules/beta-private-cluster-update-variant/cluster.tf | 7 +++++++ modules/beta-private-cluster-update-variant/main.tf | 2 ++ modules/beta-private-cluster-update-variant/outputs.tf | 5 +++++ modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 2 ++ modules/beta-private-cluster/cluster.tf | 7 +++++++ modules/beta-private-cluster/main.tf | 2 ++ modules/beta-private-cluster/outputs.tf | 5 +++++ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/README.md | 2 ++ modules/beta-public-cluster-update-variant/cluster.tf | 7 +++++++ modules/beta-public-cluster-update-variant/main.tf | 2 ++ modules/beta-public-cluster-update-variant/outputs.tf | 5 +++++ modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 2 ++ modules/beta-public-cluster/cluster.tf | 7 +++++++ modules/beta-public-cluster/main.tf | 2 ++ modules/beta-public-cluster/outputs.tf | 5 +++++ modules/beta-public-cluster/variables.tf | 6 ++++++ modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster-update-variant/cluster.tf | 7 +++++++ modules/private-cluster-update-variant/main.tf | 2 ++ modules/private-cluster-update-variant/outputs.tf | 5 +++++ modules/private-cluster-update-variant/variables.tf | 6 ++++++ modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster.tf | 7 +++++++ modules/private-cluster/main.tf | 2 ++ modules/private-cluster/outputs.tf | 5 +++++ modules/private-cluster/variables.tf | 6 ++++++ outputs.tf | 5 +++++ variables.tf | 6 ++++++ 52 files changed, 225 insertions(+) diff --git a/README.md b/README.md index 581cf77bc3..23a04c47f5 100644 --- a/README.md +++ b/README.md @@ -167,6 +167,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -239,6 +240,7 @@ Then perform the following commands on the root folder: | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 393192a151..1dc683dbf3 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -347,6 +347,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index 2b75d8e5ca..49b847fcba 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -60,6 +60,8 @@ locals { windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) {% endif %} + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/autogen/main/outputs.tf.tmpl b/autogen/main/outputs.tf.tmpl index eb84418487..afedce7f55 100644 --- a/autogen/main/outputs.tf.tmpl +++ b/autogen/main/outputs.tf.tmpl @@ -234,3 +234,8 @@ output "identity_service_enabled" { value = local.cluster_pod_security_policy_enabled } {% endif %} + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 682ea65300..e625e3d4ce 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -857,3 +857,9 @@ variable "allow_net_admin" { default = null } {% endif %} + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/cluster.tf b/cluster.tf index be4e3cbc3f..2236446061 100644 --- a/cluster.tf +++ b/cluster.tf @@ -231,6 +231,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf index 710f98f326..11a34fa0c6 100644 --- a/examples/simple_regional/main.tf +++ b/examples/simple_regional/main.tf @@ -43,5 +43,6 @@ module "gke" { enable_cost_allocation = true enable_binary_authorization = var.enable_binary_authorization gcs_fuse_csi_driver = true + fleet_project = var.project_id deletion_protection = false } diff --git a/examples/simple_zonal_with_hub/README.md b/examples/simple_zonal_with_hub/README.md index ce0a513ac0..e167ac323f 100644 --- a/examples/simple_zonal_with_hub/README.md +++ b/examples/simple_zonal_with_hub/README.md @@ -23,6 +23,7 @@ It incorporates the standard cluster module, the [registration module](../../mod | ca\_certificate | n/a | | client\_token | n/a | | cluster\_name | Cluster name | +| hub\_location | The location of the hub membership. | | ip\_range\_pods | The secondary IP range used for pods | | ip\_range\_services | The secondary IP range used for services | | kubernetes\_endpoint | n/a | diff --git a/examples/simple_zonal_with_hub/outputs.tf b/examples/simple_zonal_with_hub/outputs.tf index d953d1b3db..d824225879 100644 --- a/examples/simple_zonal_with_hub/outputs.tf +++ b/examples/simple_zonal_with_hub/outputs.tf @@ -79,3 +79,8 @@ output "master_kubernetes_version" { description = "The master Kubernetes version" value = module.gke.master_version } + +output "hub_location" { + description = "The location of the hub membership." + value = module.hub.location +} diff --git a/main.tf b/main.tf index 89889acbf1..4025b6063c 100644 --- a/main.tf +++ b/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 1fd8c3deeb..ff40b31c79 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -98,6 +98,7 @@ Then perform the following commands on the root folder: | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | @@ -153,6 +154,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 00c767d99a..ae074625a1 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -147,6 +147,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-autopilot-private-cluster/main.tf b/modules/beta-autopilot-private-cluster/main.tf index a7e90a1f5f..f0d22b5840 100644 --- a/modules/beta-autopilot-private-cluster/main.tf +++ b/modules/beta-autopilot-private-cluster/main.tf @@ -49,6 +49,8 @@ locals { master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version master_version = var.regional ? local.master_version_regional : local.master_version_zonal + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-autopilot-private-cluster/outputs.tf b/modules/beta-autopilot-private-cluster/outputs.tf index 8ba200ea1c..f2888c0aa1 100644 --- a/modules/beta-autopilot-private-cluster/outputs.tf +++ b/modules/beta-autopilot-private-cluster/outputs.tf @@ -188,3 +188,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 2a24cc62dd..35325d6774 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -460,3 +460,9 @@ variable "allow_net_admin" { type = bool default = null } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 56a0389895..198fde422e 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -89,6 +89,7 @@ Then perform the following commands on the root folder: | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `true` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | @@ -142,6 +143,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index bb7f73ae6b..39b4c57bbe 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -147,6 +147,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-autopilot-public-cluster/main.tf b/modules/beta-autopilot-public-cluster/main.tf index 0199ec231b..24bcb36d3d 100644 --- a/modules/beta-autopilot-public-cluster/main.tf +++ b/modules/beta-autopilot-public-cluster/main.tf @@ -49,6 +49,8 @@ locals { master_version_zonal = var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version master_version = var.regional ? local.master_version_regional : local.master_version_zonal + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-autopilot-public-cluster/outputs.tf b/modules/beta-autopilot-public-cluster/outputs.tf index e60b61f903..9b26f835f8 100644 --- a/modules/beta-autopilot-public-cluster/outputs.tf +++ b/modules/beta-autopilot-public-cluster/outputs.tf @@ -178,3 +178,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index caf41cda82..0d3c5cdd5c 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -430,3 +430,9 @@ variable "allow_net_admin" { type = bool default = null } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 6f2915a946..80d13d8ffe 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -211,6 +211,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -293,6 +294,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index d605aed2ed..39fb8c080b 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index b7f8f664ed..f7ef1e33d2 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-private-cluster-update-variant/outputs.tf b/modules/beta-private-cluster-update-variant/outputs.tf index 64465ccde9..2d8e768f7c 100644 --- a/modules/beta-private-cluster-update-variant/outputs.tf +++ b/modules/beta-private-cluster-update-variant/outputs.tf @@ -214,3 +214,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 753d7b93bb..eeefad4291 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -811,3 +811,9 @@ variable "enable_gcfs" { description = "Enable image streaming on cluster level." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index bdc485688e..87b62787d3 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -189,6 +189,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -271,6 +272,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 576b63e48e..be7350b995 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index b7f8f664ed..f7ef1e33d2 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index 64465ccde9..2d8e768f7c 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -214,3 +214,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 753d7b93bb..eeefad4291 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -811,3 +811,9 @@ variable "enable_gcfs" { description = "Enable image streaming on cluster level." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index d46477fc4d..a74c2ef727 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -202,6 +202,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -282,6 +283,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 6751fd6779..cfc8dc43bb 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index ee6ec17917..d92b11fadd 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-public-cluster-update-variant/outputs.tf b/modules/beta-public-cluster-update-variant/outputs.tf index 5d199a4ed4..e388fb4406 100644 --- a/modules/beta-public-cluster-update-variant/outputs.tf +++ b/modules/beta-public-cluster-update-variant/outputs.tf @@ -204,3 +204,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 5863324c52..ff2f84c094 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -781,3 +781,9 @@ variable "enable_gcfs" { description = "Enable image streaming on cluster level." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 8fac3e23cc..9879cdc944 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -180,6 +180,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -260,6 +261,7 @@ Then perform the following commands on the root folder: | cluster\_id | Cluster ID | | dns\_cache\_enabled | Whether DNS Cache enabled | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index ee5db256b8..760b3913b0 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -281,6 +281,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index ee6ec17917..d92b11fadd 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index 5d199a4ed4..e388fb4406 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -204,3 +204,8 @@ output "identity_service_enabled" { description = "Whether Identity Service is enabled" value = local.cluster_pod_security_policy_enabled } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 5863324c52..ff2f84c094 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -781,3 +781,9 @@ variable "enable_gcfs" { description = "Enable image streaming on cluster level." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 9407ab5fb6..c8c38ed6ec 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -198,6 +198,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -272,6 +273,7 @@ Then perform the following commands on the root folder: | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index 91f632c958..c468560690 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -231,6 +231,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/private-cluster-update-variant/main.tf b/modules/private-cluster-update-variant/main.tf index 98283ce979..f2a6e28ea8 100644 --- a/modules/private-cluster-update-variant/main.tf +++ b/modules/private-cluster-update-variant/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/private-cluster-update-variant/outputs.tf b/modules/private-cluster-update-variant/outputs.tf index 5b6a461d7a..e1e27f7bba 100644 --- a/modules/private-cluster-update-variant/outputs.tf +++ b/modules/private-cluster-update-variant/outputs.tf @@ -184,3 +184,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = local.cluster_peering_name } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 3d493dc4a7..6c7e643132 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -721,3 +721,9 @@ variable "config_connector" { description = "Whether ConfigConnector is enabled for this cluster." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 54e5080862..8a8a961ad2 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -176,6 +176,7 @@ Then perform the following commands on the root folder: | filestore\_csi\_driver | The status of the Filestore CSI driver addon, which allows the usage of filestore instance as volumes | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | +| fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | @@ -250,6 +251,7 @@ Then perform the following commands on the root folder: | ca\_certificate | Cluster ca certificate (base64 encoded) | | cluster\_id | Cluster ID | | endpoint | Cluster endpoint | +| fleet\_membership | Fleet membership (if registered) | | gateway\_api\_channel | The gateway api channel of this cluster. | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 7bacc938d8..7bb8f67db2 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -231,6 +231,13 @@ resource "google_container_cluster" "primary" { vulnerability_mode = var.security_posture_vulnerability_mode } + dynamic "fleet" { + for_each = var.fleet_project != null ? [1] : [] + content { + project = var.fleet_project + } + } + ip_allocation_policy { cluster_secondary_range_name = var.ip_range_pods services_secondary_range_name = var.ip_range_services diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 98283ce979..f2a6e28ea8 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -54,6 +54,8 @@ locals { windows_node_pool_names = [for np in toset(var.windows_node_pools) : np.name] windows_node_pools = zipmap(local.windows_node_pool_names, tolist(toset(var.windows_node_pools))) + fleet_membership = var.fleet_project != null ? google_container_cluster.primary.fleet[0].membership : null + release_channel = var.release_channel != null ? [{ channel : var.release_channel }] : [] gateway_api_config = var.gateway_api_channel != null ? [{ channel : var.gateway_api_channel }] : [] diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 5b6a461d7a..e1e27f7bba 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -184,3 +184,8 @@ output "peering_name" { description = "The name of the peering between this cluster and the Google owned VPC." value = local.cluster_peering_name } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 3d493dc4a7..6c7e643132 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -721,3 +721,9 @@ variable "config_connector" { description = "Whether ConfigConnector is enabled for this cluster." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} diff --git a/outputs.tf b/outputs.tf index 232d0b1f29..6ed32741f2 100644 --- a/outputs.tf +++ b/outputs.tf @@ -174,3 +174,8 @@ output "mesh_certificates_config" { ] } + +output "fleet_membership" { + description = "Fleet membership (if registered)" + value = local.fleet_membership +} diff --git a/variables.tf b/variables.tf index 0b47543630..ddfbb6d741 100644 --- a/variables.tf +++ b/variables.tf @@ -691,3 +691,9 @@ variable "config_connector" { description = "Whether ConfigConnector is enabled for this cluster." default = false } + +variable "fleet_project" { + description = "(Optional) Register the cluster with the fleet in this project." + type = string + default = null +} From 2a0bd9e94f44cb014bb0966ad1e83e60e0002ac6 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Mon, 4 Mar 2024 16:15:47 -0800 Subject: [PATCH 05/17] chore(master): release 30.1.0 (#1865) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 13 +++++++++++++ autogen/main/versions.tf.tmpl | 4 ++-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- modules/beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- .../beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- .../beta-public-cluster-update-variant/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 22 files changed, 37 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 935ede58f0..c2679604a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [30.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.0.0...v30.1.0) (2024-02-26) + + +### Features + +* add direct fleet registration option ([#1878](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1878)) ([6b267bd](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/6b267bd91362cd78e06850a267a04c0fd2427b1c)) +* add optional membership_location to fleet-membership ([#1860](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1860)) ([163de39](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/163de3917b3973cab9eeca83054e718c195bff14)) + + +### Bug Fixes + +* handle missing fleet membership and extend asm timeout ([#1880](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1880)) ([22896b0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/22896b0835a4f68aed92c5330c1e9a65faa97a1c)) + ## [30.0.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v29.0.0...v30.0.0) (2024-01-31) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 3b93e48cc9..707a3b2747 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index 8dd35a33f1..542b84b2b6 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl @@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index c24898975d..557f677e42 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.1.0" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 933f50a41c..161403d4f9 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.1.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.1.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index 1c8f405ba7..87862337c5 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf @@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.1.0" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 4ff8f3fb3c..d80b7f0fce 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.1.0" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 1e674be455..ad536dbc26 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.1.0" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index b432332bd7..7fc2de48e4 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.1.0" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index ad4034c518..ded29b9a0e 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.1.0" } } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 0e8e0b4f07..2a8c09d960 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.1.0" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 40150b132d..eaea9cbf80 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.1.0" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index de201913b2..fea953ed24 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.1.0" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 2fccb43e5b..4962a916f8 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.1.0" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index 72acc25d2c..a497d17c02 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.1.0" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index 5cb3f64e62..c953d4c17a 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.1.0" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 1bff64386b..0cc68f07f8 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.1.0" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index bf4ad323fa..e7f7ab6a9c 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.1.0" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index ae90c16d2f..648847290e 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.1.0" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 1f79600450..2f0d9ef972 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf @@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.1.0" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 175a49c973..34aa4cb45c 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.1.0" } } diff --git a/versions.tf b/versions.tf index 00bbe68445..65c47efec4 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.0.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.1.0" } } From f3f4bf520e30a404ed67f666d20459ce9fe98a29 Mon Sep 17 00:00:00 2001 From: Andrew Peabody Date: Thu, 7 Mar 2024 16:02:35 -0800 Subject: [PATCH 06/17] feat: add cross project fleet service agent (#1896) --- autogen/main/cluster.tf.tmpl | 4 ++++ autogen/main/sa.tf.tmpl | 16 ++++++++++++++++ autogen/main/variables.tf.tmpl | 8 ++++++++ modules/beta-autopilot-private-cluster/README.md | 1 + .../beta-autopilot-private-cluster/cluster.tf | 2 ++ modules/beta-autopilot-private-cluster/sa.tf | 14 ++++++++++++++ .../beta-autopilot-private-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 2 ++ modules/beta-autopilot-public-cluster/sa.tf | 14 ++++++++++++++ .../beta-autopilot-public-cluster/variables.tf | 6 ++++++ .../README.md | 1 + .../cluster.tf | 2 ++ .../beta-private-cluster-update-variant/sa.tf | 14 ++++++++++++++ .../variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 2 ++ modules/beta-private-cluster/sa.tf | 14 ++++++++++++++ modules/beta-private-cluster/variables.tf | 6 ++++++ .../beta-public-cluster-update-variant/README.md | 1 + .../cluster.tf | 2 ++ modules/beta-public-cluster-update-variant/sa.tf | 14 ++++++++++++++ .../variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 2 ++ modules/beta-public-cluster/sa.tf | 14 ++++++++++++++ modules/beta-public-cluster/variables.tf | 6 ++++++ 27 files changed, 166 insertions(+) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 1dc683dbf3..79e792e2d0 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -584,6 +584,10 @@ resource "google_container_cluster" "primary" { } } {% endif %} + {% if beta_cluster %} + + depends_on = [google_project_iam_member.service_agent] + {% endif %} } {% if autopilot_cluster != true %} /****************************************** diff --git a/autogen/main/sa.tf.tmpl b/autogen/main/sa.tf.tmpl index 1ab198a8b5..a775fbe6af 100644 --- a/autogen/main/sa.tf.tmpl +++ b/autogen/main/sa.tf.tmpl @@ -65,3 +65,19 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } +{% if beta_cluster %} + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} +{% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index e625e3d4ce..71c3214e3e 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -863,3 +863,11 @@ variable "fleet_project" { type = string default = null } +{% if beta_cluster %} + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} +{% endif %} diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index ff40b31c79..4d2b5d81c4 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -99,6 +99,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index ae074625a1..b0af2e3623 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -268,4 +268,6 @@ resource "google_container_cluster" "primary" { topic = var.notification_config_topic } } + + depends_on = [google_project_iam_member.service_agent] } diff --git a/modules/beta-autopilot-private-cluster/sa.tf b/modules/beta-autopilot-private-cluster/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-autopilot-private-cluster/sa.tf +++ b/modules/beta-autopilot-private-cluster/sa.tf @@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 35325d6774..b1987188b4 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -466,3 +466,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 198fde422e..81f6883bbd 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -90,6 +90,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer and artifactregistry.reader roles. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 39b4c57bbe..43878c77b2 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -249,4 +249,6 @@ resource "google_container_cluster" "primary" { topic = var.notification_config_topic } } + + depends_on = [google_project_iam_member.service_agent] } diff --git a/modules/beta-autopilot-public-cluster/sa.tf b/modules/beta-autopilot-public-cluster/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-autopilot-public-cluster/sa.tf +++ b/modules/beta-autopilot-public-cluster/sa.tf @@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 0d3c5cdd5c..29a3db949b 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -436,3 +436,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 80d13d8ffe..12baf22cd5 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -212,6 +212,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 39fb8c080b..4a82fb55c1 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -500,6 +500,8 @@ resource "google_container_cluster" "primary" { } } } + + depends_on = [google_project_iam_member.service_agent] } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-private-cluster-update-variant/sa.tf b/modules/beta-private-cluster-update-variant/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-private-cluster-update-variant/sa.tf +++ b/modules/beta-private-cluster-update-variant/sa.tf @@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index eeefad4291..558d1b9118 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -817,3 +817,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 87b62787d3..2aa9ae0c97 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -190,6 +190,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index be7350b995..917c19bf60 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -500,6 +500,8 @@ resource "google_container_cluster" "primary" { } } } + + depends_on = [google_project_iam_member.service_agent] } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf @@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index eeefad4291..558d1b9118 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -817,3 +817,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index a74c2ef727..70df4ad514 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -203,6 +203,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index cfc8dc43bb..41cd404172 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -481,6 +481,8 @@ resource "google_container_cluster" "primary" { } } } + + depends_on = [google_project_iam_member.service_agent] } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-public-cluster-update-variant/sa.tf b/modules/beta-public-cluster-update-variant/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-public-cluster-update-variant/sa.tf +++ b/modules/beta-public-cluster-update-variant/sa.tf @@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index ff2f84c094..40023d59b2 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -787,3 +787,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 9879cdc944..4b30abba49 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -181,6 +181,7 @@ Then perform the following commands on the root folder: | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers. Either flag `add_master_webhook_firewall_rules` or `add_cluster_firewall_rules` (also adds egress rules) must be set to `true` for inbound-ports firewall rules to be applied. | `list(string)` | 
[
  "8443",
  "9443",
  "15017"
]
| no | | firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | fleet\_project | (Optional) Register the cluster with the fleet in this project. | `string` | `null` | no | +| fleet\_project\_grant\_service\_agent | (Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles. | `bool` | `false` | no | | gateway\_api\_channel | The gateway api channel of this cluster. Accepted values are `CHANNEL_STANDARD` and `CHANNEL_DISABLED`. | `string` | `null` | no | | gce\_pd\_csi\_driver | Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `true` | no | | gcs\_fuse\_csi\_driver | Whether GCE FUSE CSI driver is enabled for this cluster. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 760b3913b0..10305e86d6 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -481,6 +481,8 @@ resource "google_container_cluster" "primary" { } } } + + depends_on = [google_project_iam_member.service_agent] } /****************************************** Create Container Cluster node pools diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index 6f89899bee..6c6e1f663b 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf @@ -65,3 +65,17 @@ resource "google_project_iam_member" "cluster_service_account-artifact-registry" role = "roles/artifactregistry.reader" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_service_identity" "fleet_project" { + count = var.fleet_project_grant_service_agent ? 1 : 0 + provider = google-beta + project = var.fleet_project + service = "gkehub.googleapis.com" +} + +resource "google_project_iam_member" "service_agent" { + for_each = var.fleet_project_grant_service_agent ? toset(["roles/gkehub.serviceAgent", "roles/gkehub.crossProjectServiceAgent"]) : [] + project = var.project_id + role = each.value + member = "serviceAccount:${google_project_service_identity.fleet_project[0].email}" +} diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index ff2f84c094..40023d59b2 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -787,3 +787,9 @@ variable "fleet_project" { type = string default = null } + +variable "fleet_project_grant_service_agent" { + description = "(Optional) Grant the fleet project service identity the `roles/gkehub.serviceAgent` and `roles/gkehub.crossProjectServiceAgent` roles." + type = bool + default = false +} From 153d23f9eeb9ad16d217f5df7dbc4f9db17b6a28 Mon Sep 17 00:00:00 2001 From: "release-please[bot]" <55107282+release-please[bot]@users.noreply.github.com> Date: Fri, 8 Mar 2024 10:28:24 -0800 Subject: [PATCH 07/17] chore(master): release 30.2.0 (#1897) Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> --- CHANGELOG.md | 7 +++++++ autogen/main/versions.tf.tmpl | 4 ++-- autogen/safer-cluster/versions.tf.tmpl | 2 +- modules/acm/versions.tf | 4 ++-- modules/asm/versions.tf | 4 ++-- modules/auth/versions.tf | 2 +- modules/beta-autopilot-private-cluster/versions.tf | 2 +- modules/beta-autopilot-public-cluster/versions.tf | 2 +- modules/beta-private-cluster-update-variant/versions.tf | 2 +- modules/beta-private-cluster/versions.tf | 2 +- modules/beta-public-cluster-update-variant/versions.tf | 2 +- modules/beta-public-cluster/versions.tf | 2 +- modules/binary-authorization/versions.tf | 2 +- modules/fleet-membership/versions.tf | 2 +- modules/hub-legacy/versions.tf | 2 +- modules/private-cluster-update-variant/versions.tf | 2 +- modules/private-cluster/versions.tf | 2 +- modules/safer-cluster-update-variant/versions.tf | 2 +- modules/safer-cluster/versions.tf | 2 +- modules/services/versions.tf | 2 +- modules/workload-identity/versions.tf | 2 +- versions.tf | 2 +- 22 files changed, 31 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2679604a6..48369da056 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 Extending the adopted spec, each change should have a link to its corresponding pull request appended. +## [30.2.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.1.0...v30.2.0) (2024-03-08) + + +### Features + +* add cross project fleet service agent ([#1896](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/issues/1896)) ([59d36b9](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/commit/59d36b9c2ce27e2830f174afe8dd42416b664833)) + ## [30.1.0](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v30.0.0...v30.1.0) (2024-02-26) diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 707a3b2747..c0668b2330 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -40,7 +40,7 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.2.0" } {% else %} required_providers { @@ -58,7 +58,7 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.2.0" } {% endif %} } diff --git a/autogen/safer-cluster/versions.tf.tmpl b/autogen/safer-cluster/versions.tf.tmpl index 542b84b2b6..3135a334e1 100644 --- a/autogen/safer-cluster/versions.tf.tmpl +++ b/autogen/safer-cluster/versions.tf.tmpl @@ -23,6 +23,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine{% if module_registry_name %}:{{ module_registry_name }}{% endif %}/v30.2.0" } } diff --git a/modules/acm/versions.tf b/modules/acm/versions.tf index 557f677e42..fa8aea6590 100644 --- a/modules/acm/versions.tf +++ b/modules/acm/versions.tf @@ -19,11 +19,11 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.2.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:acm/v30.2.0" } required_providers { diff --git a/modules/asm/versions.tf b/modules/asm/versions.tf index 161403d4f9..c97e274253 100644 --- a/modules/asm/versions.tf +++ b/modules/asm/versions.tf @@ -36,10 +36,10 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.2.0" } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:asm/v30.2.0" } } diff --git a/modules/auth/versions.tf b/modules/auth/versions.tf index 87862337c5..ae15435ef5 100644 --- a/modules/auth/versions.tf +++ b/modules/auth/versions.tf @@ -26,6 +26,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:auth/v30.2.0" } } diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index d80b7f0fce..41dd788f36 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-private-cluster/v30.2.0" } } diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index ad536dbc26..a9fd481366 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-autopilot-public-cluster/v30.2.0" } } diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 7fc2de48e4..420dfc7b60 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster-update-variant/v30.2.0" } } diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index ded29b9a0e..25e552d1d0 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-private-cluster/v30.2.0" } } diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 2a8c09d960..8af82e5096 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster-update-variant/v30.2.0" } } diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index eaea9cbf80..ea131cbe79 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -37,6 +37,6 @@ terraform { } } provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:beta-public-cluster/v30.2.0" } } diff --git a/modules/binary-authorization/versions.tf b/modules/binary-authorization/versions.tf index fea953ed24..6bc50b416d 100644 --- a/modules/binary-authorization/versions.tf +++ b/modules/binary-authorization/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:binary-authorization/v30.2.0" } } diff --git a/modules/fleet-membership/versions.tf b/modules/fleet-membership/versions.tf index 4962a916f8..4529032fc3 100644 --- a/modules/fleet-membership/versions.tf +++ b/modules/fleet-membership/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.2.0" } } diff --git a/modules/hub-legacy/versions.tf b/modules/hub-legacy/versions.tf index a497d17c02..a771cb95e3 100644 --- a/modules/hub-legacy/versions.tf +++ b/modules/hub-legacy/versions.tf @@ -28,6 +28,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:hub/v30.2.0" } } diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf index c953d4c17a..b90321600d 100644 --- a/modules/private-cluster-update-variant/versions.tf +++ b/modules/private-cluster-update-variant/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster-update-variant/v30.2.0" } } diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf index 0cc68f07f8..db427f19ea 100644 --- a/modules/private-cluster/versions.tf +++ b/modules/private-cluster/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:private-cluster/v30.2.0" } } diff --git a/modules/safer-cluster-update-variant/versions.tf b/modules/safer-cluster-update-variant/versions.tf index e7f7ab6a9c..5a1a57f882 100644 --- a/modules/safer-cluster-update-variant/versions.tf +++ b/modules/safer-cluster-update-variant/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster-update-variant/v30.2.0" } } diff --git a/modules/safer-cluster/versions.tf b/modules/safer-cluster/versions.tf index 648847290e..70b588b4de 100644 --- a/modules/safer-cluster/versions.tf +++ b/modules/safer-cluster/versions.tf @@ -21,6 +21,6 @@ terraform { required_version = ">=1.3" provider_meta "google-beta" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:safer-cluster/v30.2.0" } } diff --git a/modules/services/versions.tf b/modules/services/versions.tf index 2f0d9ef972..00f96eee6f 100644 --- a/modules/services/versions.tf +++ b/modules/services/versions.tf @@ -19,6 +19,6 @@ terraform { required_version = ">= 0.13.0" provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:services/v30.2.0" } } diff --git a/modules/workload-identity/versions.tf b/modules/workload-identity/versions.tf index 34aa4cb45c..48076ba01f 100644 --- a/modules/workload-identity/versions.tf +++ b/modules/workload-identity/versions.tf @@ -30,6 +30,6 @@ terraform { } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine:workload-identity/v30.2.0" } } diff --git a/versions.tf b/versions.tf index 65c47efec4..202e0d1965 100644 --- a/versions.tf +++ b/versions.tf @@ -33,6 +33,6 @@ terraform { } } provider_meta "google" { - module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.1.0" + module_name = "blueprints/terraform/terraform-google-kubernetes-engine/v30.2.0" } } From 7bef577aa5e6e1f3b0b14e48187c5a7408ec9681 Mon Sep 17 00:00:00 2001 From: Amina Mansour Date: Thu, 14 Mar 2024 17:11:24 -0700 Subject: [PATCH 08/17] fix: make master_ipv4_cidr_block optional for autopilot (#1902) --- autogen/main/variables.tf.tmpl | 6 +++++- examples/simple_autopilot_private/main.tf | 1 - examples/simple_autopilot_private_non_default_sa/main.tf | 1 - modules/beta-autopilot-private-cluster/README.md | 2 +- modules/beta-autopilot-private-cluster/variables.tf | 4 ++-- modules/beta-private-cluster-update-variant/README.md | 2 +- modules/beta-private-cluster-update-variant/variables.tf | 2 +- modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/variables.tf | 2 +- modules/private-cluster-update-variant/README.md | 2 +- modules/private-cluster-update-variant/variables.tf | 2 +- modules/private-cluster/README.md | 2 +- modules/private-cluster/variables.tf | 2 +- 13 files changed, 16 insertions(+), 14 deletions(-) diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 71c3214e3e..009c181324 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -441,8 +441,12 @@ variable "enable_private_nodes" { variable "master_ipv4_cidr_block" { type = string - description = "(Beta) The IP range in CIDR notation to use for the hosted master network" + description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." + {% if autopilot_cluster == true%} + default = null + {% else %} default = "10.0.0.0/28" + {% endif %} } variable "master_global_access_enabled" { diff --git a/examples/simple_autopilot_private/main.tf b/examples/simple_autopilot_private/main.tf index ee628d8459..125ba24706 100644 --- a/examples/simple_autopilot_private/main.tf +++ b/examples/simple_autopilot_private/main.tf @@ -49,7 +49,6 @@ module "gke" { enable_vertical_pod_autoscaling = true enable_private_endpoint = true enable_private_nodes = true - master_ipv4_cidr_block = "172.16.0.0/28" network_tags = [local.cluster_type] deletion_protection = false diff --git a/examples/simple_autopilot_private_non_default_sa/main.tf b/examples/simple_autopilot_private_non_default_sa/main.tf index 1da730e987..b9ff6e92a5 100644 --- a/examples/simple_autopilot_private_non_default_sa/main.tf +++ b/examples/simple_autopilot_private_non_default_sa/main.tf @@ -49,7 +49,6 @@ module "gke" { enable_vertical_pod_autoscaling = true enable_private_endpoint = true enable_private_nodes = true - master_ipv4_cidr_block = "172.16.0.0/28" deletion_protection = false master_authorized_networks = [ diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 4d2b5d81c4..e7fc994480 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -117,7 +117,7 @@ Then perform the following commands on the root folder: | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | +| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `null` | no | | name | The name of the cluster (required) | `string` | n/a | yes | | network | The VPC network to host the cluster in (required) | `string` | n/a | yes | | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no | diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index b1987188b4..faa9d3d1f7 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -283,8 +283,8 @@ variable "enable_private_nodes" { variable "master_ipv4_cidr_block" { type = string - description = "(Beta) The IP range in CIDR notation to use for the hosted master network" - default = "10.0.0.0/28" + description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." + default = null } variable "master_global_access_enabled" { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 12baf22cd5..fd84aac19e 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -239,7 +239,7 @@ Then perform the following commands on the root folder: | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | +| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 558d1b9118..d149edca13 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -423,7 +423,7 @@ variable "enable_private_nodes" { variable "master_ipv4_cidr_block" { type = string - description = "(Beta) The IP range in CIDR notation to use for the hosted master network" + description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." default = "10.0.0.0/28" } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 2aa9ae0c97..ee09dd8363 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -217,7 +217,7 @@ Then perform the following commands on the root folder: | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | +| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 558d1b9118..d149edca13 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -423,7 +423,7 @@ variable "enable_private_nodes" { variable "master_ipv4_cidr_block" { type = string - description = "(Beta) The IP range in CIDR notation to use for the hosted master network" + description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." default = "10.0.0.0/28" } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index c8c38ed6ec..ddd8cc56e6 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -222,7 +222,7 @@ Then perform the following commands on the root folder: | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | +| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 6c7e643132..e0884739d7 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -417,7 +417,7 @@ variable "enable_private_nodes" { variable "master_ipv4_cidr_block" { type = string - description = "(Beta) The IP range in CIDR notation to use for the hosted master network" + description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." default = "10.0.0.0/28" } diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 8a8a961ad2..91d314167f 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -200,7 +200,7 @@ Then perform the following commands on the root folder: | maintenance\_start\_time | Time window specified for daily or recurring maintenance operations in RFC3339 format | `string` | `"05:00"` | no | | master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | `[]` | no | | master\_global\_access\_enabled | Whether the cluster master is accessible globally (from any region) or only within the same region as the private endpoint. | `bool` | `true` | no | -| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network | `string` | `"10.0.0.0/28"` | no | +| master\_ipv4\_cidr\_block | (Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters. | `string` | `"10.0.0.0/28"` | no | | monitoring\_enable\_managed\_prometheus | Configuration for Managed Service for Prometheus. Whether or not the managed collection is enabled. | `bool` | `false` | no | | monitoring\_enable\_observability\_metrics | Whether or not the advanced datapath metrics are enabled. | `bool` | `false` | no | | monitoring\_enabled\_components | List of services to monitor: SYSTEM\_COMPONENTS, WORKLOADS (provider version >= 3.89.0). Empty list is default GKE configuration. | `list(string)` | `[]` | no | diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 6c7e643132..e0884739d7 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -417,7 +417,7 @@ variable "enable_private_nodes" { variable "master_ipv4_cidr_block" { type = string - description = "(Beta) The IP range in CIDR notation to use for the hosted master network" + description = "(Beta) The IP range in CIDR notation to use for the hosted master network. Optional for Autopilot clusters." default = "10.0.0.0/28" } From c52a5abb7028be043db30a881e0533470f94fd84 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 21 Mar 2024 23:02:27 +0000 Subject: [PATCH 09/17] chore(deps): Update go modules and/or dev-tools (#1889) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- test/integration/go.mod | 10 +++++----- test/integration/go.sum | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/test/integration/go.mod b/test/integration/go.mod index fdc5577793..342f622d96 100644 --- a/test/integration/go.mod +++ b/test/integration/go.mod @@ -5,9 +5,10 @@ go 1.21 toolchain go1.21.5 require ( - github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.12.1 + github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.1 github.com/gruntwork-io/terratest v0.46.11 - github.com/stretchr/testify v1.8.4 + github.com/stretchr/testify v1.9.0 + github.com/tidwall/gjson v1.17.1 ) require ( @@ -71,7 +72,6 @@ require ( github.com/pquerna/otp v1.4.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/tidwall/gjson v1.17.0 // indirect github.com/tidwall/match v1.1.1 // indirect github.com/tidwall/pretty v1.2.1 // indirect github.com/tidwall/sjson v1.2.5 // indirect @@ -82,7 +82,7 @@ require ( github.com/zclconf/go-cty v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect golang.org/x/crypto v0.17.0 // indirect - golang.org/x/mod v0.15.0 // indirect + golang.org/x/mod v0.16.0 // indirect golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.4.0 // indirect @@ -97,7 +97,7 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/grpc v1.58.3 // indirect - google.golang.org/protobuf v1.31.0 // indirect + google.golang.org/protobuf v1.33.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/test/integration/go.sum b/test/integration/go.sum index f2743cd309..0549f453d9 100644 --- a/test/integration/go.sum +++ b/test/integration/go.sum @@ -187,8 +187,8 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.12.1 h1:4K4HIuu95U6A56orD4LAX+yabfUmIRaoUV0JJWOZPjE= -github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.12.1/go.mod h1:iipeDC0VhxKtIVOZyz0ofiJ2x6sh9+VYEbG3JKsPqPw= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.1 h1:8eKlk/DQeXPb6ITTLLWk/LdmyC9FRNMQF2ZR0sKaGEA= +github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test v0.13.1/go.mod h1:jIatwk/2sLSDtnMaExpzZpQVuBbEhx+NeiP1obo/IlY= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= @@ -487,11 +487,11 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= -github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM= -github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/gjson v1.17.1 h1:wlYEnwqAHgzmhNUFfw7Xalt2JzQvsMx2Se4PcoFCT/U= +github.com/tidwall/gjson v1.17.1/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= @@ -570,8 +570,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8= -golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= +golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1036,8 +1036,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= From 90d4a3a260e80e48b7a8c8abe5d8a8e9c8ed385f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 22 Mar 2024 00:05:22 +0000 Subject: [PATCH 10/17] chore(deps): Update nginx Docker tag to v1.25.4 (#1877) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- examples/deploy_service/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/deploy_service/main.tf b/examples/deploy_service/main.tf index a36e40b5fa..e80252d2a9 100644 --- a/examples/deploy_service/main.tf +++ b/examples/deploy_service/main.tf @@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" { spec { container { - image = "nginx:1.25.3" + image = "nginx:1.25.4" name = "nginx-example" } } From 1b8bcfe9ce58b9d15fee96e4c09e0f5b1b3323ec Mon Sep 17 00:00:00 2001 From: florianMalbranque <82934052+florianMalbranque@users.noreply.github.com> Date: Mon, 8 Apr 2024 13:25:03 +0200 Subject: [PATCH 11/17] Update autogen/main/cluster.tf.tmpl Co-authored-by: Andrew Peabody --- autogen/main/cluster.tf.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index aa2368050c..f47fcd7eb3 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -849,7 +849,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } From bae2b8109fc54bb1df6d54ea6460665baf7f9840 Mon Sep 17 00:00:00 2001 From: florianMalbranque <82934052+florianMalbranque@users.noreply.github.com> Date: Mon, 8 Apr 2024 13:25:34 +0200 Subject: [PATCH 12/17] Update autogen/main/README.md Co-authored-by: Andrew Peabody --- autogen/main/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autogen/main/README.md b/autogen/main/README.md index 20cfc6fadd..1024d90f27 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -213,7 +213,7 @@ The node_pools variable takes the following parameters: | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | {% if beta_cluster %} | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | -| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node. Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | {% endif %} | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | From 28140ed4bab67bcf65034034182a7854b7d352d0 Mon Sep 17 00:00:00 2001 From: florianMalbranque Date: Mon, 8 Apr 2024 13:30:05 +0200 Subject: [PATCH 13/17] Enable nvme ssd for non beta clusters --- autogen/main/README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/autogen/main/README.md b/autogen/main/README.md index 1024d90f27..f26716b06e 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md @@ -211,10 +211,8 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | -{% if beta_cluster %} | local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | -| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node. Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | -{% endif %} +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | From 049e1f143d32159158ee47760a49d48dce2ce97d Mon Sep 17 00:00:00 2001 From: florianMalbranque Date: Mon, 8 Apr 2024 18:07:19 +0200 Subject: [PATCH 14/17] run codegen --- README.md | 2 ++ modules/beta-private-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-private-cluster/cluster.tf | 4 ++-- modules/beta-public-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-public-cluster/cluster.tf | 4 ++-- modules/private-cluster-update-variant/README.md | 2 ++ modules/private-cluster/README.md | 2 ++ 7 files changed, 14 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index c0bb7e6291..50ab53e66a 100644 --- a/README.md +++ b/README.md @@ -295,6 +295,8 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index d2adf527b0..ef9ba2b92e 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -734,7 +734,7 @@ resource "google_container_node_pool" "pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } @@ -976,7 +976,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 22ca1b7823..7610189c68 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -659,7 +659,7 @@ resource "google_container_node_pool" "pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } @@ -900,7 +900,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 2d7b25218e..363664a8a8 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -715,7 +715,7 @@ resource "google_container_node_pool" "pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } @@ -957,7 +957,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index b634e2a418..3c4f6e7337 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -640,7 +640,7 @@ resource "google_container_node_pool" "pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } @@ -881,7 +881,7 @@ resource "google_container_node_pool" "windows_pools" { } dynamic "local_nvme_ssd_block_config" { - for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [each.value.local_nvme_ssd_count] : [] + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] content { local_ssd_count = local_nvme_ssd_block_config.value } diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index 399c510441..601556338d 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -330,6 +330,8 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 0d9db112d0..8cbdd9a88f 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -308,6 +308,8 @@ The node_pools variable takes the following parameters: | key | The key required for the taint | | Required | | logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional | | local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional | +| local_ssd_ephemeral_count | The amount of local SSD disks that will be attached to each cluster node and assigned as scratch space as an `emptyDir` volume. If unspecified, ephemeral storage is backed by the cluster node boot disk. | 0 | Optional | +| local_nvme_ssd_count | Number of raw-block local NVMe SSD disks to be attached to the node.Each local SSD is 375 GB in size. If zero, it means no raw-block local NVMe SSD disks to be attached to the node. | 0 | Optional | | machine_type | The name of a Google Compute Engine machine type | e2-medium | Optional | | min_cpu_platform | Minimum CPU platform to be used by the nodes in the pool. The nodes may be scheduled on the specified or newer CPU platform. | " " | Optional | | max_count | Maximum number of nodes in the NodePool. Must be >= min_count. Cannot be used with total limits. | 100 | Optional | From 0b934e4b37f4894e75a1016ebcad33e616af5f5d Mon Sep 17 00:00:00 2001 From: florianMalbranque <82934052+florianMalbranque@users.noreply.github.com> Date: Fri, 12 Apr 2024 08:15:50 +0200 Subject: [PATCH 15/17] Update autogen/main/cluster.tf.tmpl Co-authored-by: Andrew Peabody --- autogen/main/cluster.tf.tmpl | 1 + 1 file changed, 1 insertion(+) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index f47fcd7eb3..6e0d2258b5 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -847,6 +847,7 @@ resource "google_container_node_pool" "windows_pools" { local_ssd_count = ephemeral_storage_config.value } } +{% endif %} dynamic "local_nvme_ssd_block_config" { for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] From b694395c7ad83ebb28886eb182dd12707e71d23c Mon Sep 17 00:00:00 2001 From: florianMalbranque <82934052+florianMalbranque@users.noreply.github.com> Date: Fri, 12 Apr 2024 08:15:57 +0200 Subject: [PATCH 16/17] Update autogen/main/cluster.tf.tmpl Co-authored-by: Andrew Peabody --- autogen/main/cluster.tf.tmpl | 1 - 1 file changed, 1 deletion(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 6e0d2258b5..778da30a72 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -855,7 +855,6 @@ resource "google_container_node_pool" "windows_pools" { local_ssd_count = local_nvme_ssd_block_config.value } } - {% endif %} service_account = lookup( each.value, From 86939dfeda5e02aa7490165787b91058e1bd119e Mon Sep 17 00:00:00 2001 From: florianMalbranque Date: Fri, 12 Apr 2024 08:26:13 +0200 Subject: [PATCH 17/17] keep ephemeral_storage_config in beta --- autogen/main/cluster.tf.tmpl | 2 +- cluster.tf | 14 ++++++++++++++ modules/private-cluster-update-variant/cluster.tf | 14 ++++++++++++++ modules/private-cluster/cluster.tf | 14 ++++++++++++++ 4 files changed, 43 insertions(+), 1 deletion(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 778da30a72..67e79418ae 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -847,7 +847,7 @@ resource "google_container_node_pool" "windows_pools" { local_ssd_count = ephemeral_storage_config.value } } -{% endif %} + {% endif %} dynamic "local_nvme_ssd_block_config" { for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] diff --git a/cluster.tf b/cluster.tf index c1cad5be79..1447a6708e 100644 --- a/cluster.tf +++ b/cluster.tf @@ -565,6 +565,13 @@ resource "google_container_node_pool" "pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -774,6 +781,13 @@ resource "google_container_node_pool" "windows_pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index f4bb50769b..b402f4d72f 100644 --- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -659,6 +659,13 @@ resource "google_container_node_pool" "pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -869,6 +876,13 @@ resource "google_container_node_pool" "windows_pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 3b95e41d60..1dab1801d9 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -584,6 +584,13 @@ resource "google_container_node_pool" "pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account", @@ -793,6 +800,13 @@ resource "google_container_node_pool" "windows_pools" { disk_type = lookup(each.value, "disk_type", "pd-standard") + dynamic "local_nvme_ssd_block_config" { + for_each = lookup(each.value, "local_nvme_ssd_count", 0) > 0 ? [1] : [] + content { + local_ssd_count = local_nvme_ssd_block_config.value + } + } + service_account = lookup( each.value, "service_account",