From ace0b86f1965be5d0dccf4af48fe118099326598 Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Wed, 12 Aug 2020 19:31:46 +0200
Subject: [PATCH 1/8] Add variable disable_default_snat
---
 autogen/main/cluster.tf.tmpl | 5 +++++
 autogen/main/variables.tf.tmpl | 8 ++++++++
 autogen/main/versions.tf.tmpl | 2 +-
 modules/beta-private-cluster-update-variant/README.md | 1 +
 modules/beta-private-cluster-update-variant/cluster.tf | 3 +++
 modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++
 modules/beta-private-cluster-update-variant/versions.tf | 2 +-
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/cluster.tf | 3 +++
 modules/beta-private-cluster/variables.tf | 6 ++++++
 modules/beta-private-cluster/versions.tf | 2 +-
 modules/beta-public-cluster-update-variant/cluster.tf | 3 +++
 modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++
 modules/beta-public-cluster-update-variant/versions.tf | 2 +-
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/cluster.tf | 3 +++
 modules/beta-public-cluster/variables.tf | 6 ++++++
 modules/beta-public-cluster/versions.tf | 2 +-
 18 files changed, 57 insertions(+), 5 deletions(-)
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 16fb4723be..7621acdb53 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -57,6 +57,11 @@ resource "google_container_cluster" "primary" {
 subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
+{% if beta_cluster %}
+ default_snat_status{
+ disabled = var.disable_default_snat
+ }
+{% endif %}
 {% if beta_cluster %}
 min_master_version = var.release_channel != null ? null : local.master_version
 {% else %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index d597d21104..051df31f91 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
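Review bot: `default_snat_status{` on the added line is missing the space before the brace, and the generated `cluster.tf` hunks for the four beta modules in this same commit show it as `default_snat_status {`, so the template and its output no longer match; write it as `default_snat_status {` in the template. The new `{% if beta_cluster %}` … `{% endif %}` wrapper also sits directly above an existing `{% if beta_cluster %}` that guards `min_master_version`, so the three `default_snat_status` lines could be moved into that conditional instead of opening a second one. The `google_container_cluster` resource block starts and ends outside this hunk.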
@@ -550,3 +550,11 @@ variable "gcloud_skip_download" {
 description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
 default = true
 }
+
+{% if beta_cluster %}
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
+{% endif %}
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index aeab7ae540..f98246afaa 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -19,7 +19,7 @@ terraform {
 required_providers {
 {% if beta_cluster %}
- google-beta = ">= 3.29.0, <4.0.0"
+ google-beta = ">= 3.35.0, <4.0.0"
 {% else %}
 google = ">= 3.16, <4.0.0"
 {% endif %}
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 2a6df855c4..fb2b48688a 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
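Review bot: The added empty `+` line sits outside the `{% if beta_cluster %}` guard, so the non-beta modules render a trailing blank line after their last variable; the later "Terraform Linter" commit in this series appends exactly that blank line to `variables.tf`, `modules/private-cluster/variables.tf` and `modules/private-cluster-update-variant/variables.tf`. Moving the empty line inside the conditional keeps the non-beta output unchanged. The description also lacks the `(Beta)` prefix these modules use for beta-only inputs (the README rows for `deploy_using_private_endpoint` and `dns_cache` in this commit show it), e.g. `description = "(Beta) Whether to disable the default SNAT to support the private use of public IP addresses"`; the same applies to the copy added in `autogen/safer-cluster/variables.tf.tmpl` later in the series. Since setting this to true means traffic leaves the nodes with the pod address as its source, a short sentence in the description that the pod range must then be routable from its destinations would help readers judge the impact before enabling it; I am inferring that from the GKE feature the description refers to, so confirm it against the provider documentation.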
@@ -159,6 +159,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | bool | Whether to disable the default SNAT to support the private use of public IP addresses. | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 1c4fa4e878..5bc19f5dcc 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -51,6 +51,9 @@ resource "google_container_cluster" "primary" {
 subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
+ default_snat_status {
+ disabled = var.disable_default_snat
+ }
 min_master_version = var.release_channel != null ? null : local.master_version
 logging_service = var.logging_service
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 9d958a00de..f092bb5d78 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -540,3 +540,9 @@ variable "gcloud_skip_download" {
 description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
 default = true
 }
+
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index a8d571865b..267e66e1b6 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = ">=0.12.6, <0.14"
 required_providers {
- google-beta = ">= 3.29.0, <4.0.0"
+ google-beta = ">= 3.35.0, <4.0.0"
 }
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 9b9049bc36..c7169d2c9f 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -137,6 +137,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | bool | Whether to disable the default SNAT to support the private use of public IP addresses. | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 14275fd1a8..38717b6bdb 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -51,6 +51,9 @@ resource "google_container_cluster" "primary" {
 subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
+ default_snat_status {
+ disabled = var.disable_default_snat
+ }
 min_master_version = var.release_channel != null ? null : local.master_version
 logging_service = var.logging_service
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 9d958a00de..f092bb5d78 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -540,3 +540,9 @@ variable "gcloud_skip_download" {
 description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
 default = true
 }
+
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index a8d571865b..267e66e1b6 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = ">=0.12.6, <0.14"
 required_providers {
- google-beta = ">= 3.29.0, <4.0.0"
+ google-beta = ">= 3.35.0, <4.0.0"
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 5c9f2f2a64..913020353f 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -51,6 +51,9 @@ resource "google_container_cluster" "primary" {
 subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
+ default_snat_status {
+ disabled = var.disable_default_snat
+ }
 min_master_version = var.release_channel != null ? null : local.master_version
 logging_service = var.logging_service
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 042356852f..a14d2c30b9 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -509,3 +509,9 @@ variable "gcloud_skip_download" {
 description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
 default = true
 }
+
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index a8d571865b..267e66e1b6 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = ">=0.12.6, <0.14"
 required_providers {
- google-beta = ">= 3.29.0, <4.0.0"
+ google-beta = ">= 3.35.0, <4.0.0"
 }
 }
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index ec2a33e42b..01b6c91f31 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -130,6 +130,7 @@ Then perform the following commands on the root folder:
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | bool | Whether to disable the default SNAT to support the private use of public IP addresses. | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 33f04f4c1a..4467bc2ae2 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -51,6 +51,9 @@ resource "google_container_cluster" "primary" {
 subnetwork = "projects/${local.network_project_id}/regions/${var.region}/subnetworks/${var.subnetwork}"
+ default_snat_status {
+ disabled = var.disable_default_snat
+ }
 min_master_version = var.release_channel != null ? null : local.master_version
 logging_service = var.logging_service
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 042356852f..a14d2c30b9 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -509,3 +509,9 @@ variable "gcloud_skip_download" {
 description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
 default = true
 }
+
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index a8d571865b..267e66e1b6 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = ">=0.12.6, <0.14"
 required_providers {
- google-beta = ">= 3.29.0, <4.0.0"
+ google-beta = ">= 3.35.0, <4.0.0"
 }
 }
From d8171afc6cccdcd99f3be24604d6e4bd34e82b48 Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Thu, 13 Aug 2020 08:45:55 +0200
Subject: [PATCH 2/8] Adjust min beta provider version to 3.32.0
---
 autogen/main/versions.tf.tmpl | 2 +-
 modules/beta-private-cluster-update-variant/versions.tf | 2 +-
 modules/beta-private-cluster/versions.tf | 2 +-
 modules/beta-public-cluster-update-variant/versions.tf | 2 +-
 modules/beta-public-cluster/versions.tf | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index f98246afaa..622ecd96ed 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -19,7 +19,7 @@ terraform {
 required_providers {
 {% if beta_cluster %}
- google-beta = ">= 3.35.0, <4.0.0"
+ google-beta = ">= 3.32.0, <4.0.0"
 {% else %}
 google = ">= 3.16, <4.0.0"
 {% endif %}
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 267e66e1b6..abc3492f16 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = ">=0.12.6, <0.14"
 required_providers {
- google-beta = ">= 3.35.0, <4.0.0"
+ google-beta = ">= 3.32.0, <4.0.0"
 }
 }
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 267e66e1b6..abc3492f16 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = ">=0.12.6, <0.14"
 required_providers {
- google-beta = ">= 3.35.0, <4.0.0"
+ google-beta = ">= 3.32.0, <4.0.0"
 }
 }
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index 267e66e1b6..abc3492f16 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = ">=0.12.6, <0.14"
 required_providers {
- google-beta = ">= 3.35.0, <4.0.0"
+ google-beta = ">= 3.32.0, <4.0.0"
 }
 }
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 267e66e1b6..abc3492f16 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -18,6 +18,6 @@ terraform {
 required_version = ">=0.12.6, <0.14"
 required_providers {
- google-beta = ">= 3.35.0, <4.0.0"
+ google-beta = ">= 3.32.0, <4.0.0"
 }
 }
From e840f962582b34bd33603c2b1ca18ab708bbc763 Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Thu, 13 Aug 2020 08:49:07 +0200
Subject: [PATCH 3/8] pin tools image to 0.12.0
---
 build/int.cloudbuild.yaml | 2 +-
 build/lint.cloudbuild.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 28d2c72666..a2c469c9b7 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -429,6 +429,6 @@ tags:
 - 'integration'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.12.0'
 options:
 machineType: 'N1_HIGHCPU_8'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
index 84fbf15328..ff1c6cfe5e 100644
--- a/build/lint.cloudbuild.yaml
+++ b/build/lint.cloudbuild.yaml
@@ -22,4 +22,4 @@ tags:
 - 'lint'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '0.12.0'
From 350b21efbc3ff3a734144722239834642ce0dabf Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Thu, 13 Aug 2020 09:25:31 +0200
Subject: [PATCH 4/8] Bumping the google-beta provider to 3.32.0
---
 examples/node_pool/main.tf | 2 +-
 examples/node_pool_update_variant_beta/main.tf | 2 +-
 examples/regional_private_node_pool_oauth_scopes/provider.tf | 2 +-
 examples/safer_cluster/main.tf | 2 +-
 examples/safer_cluster_iap_bastion/provider.tf | 4 ++--
 examples/simple_regional_beta/main.tf | 2 +-
 examples/simple_regional_private_beta/main.tf | 2 +-
 examples/simple_zonal_with_asm/main.tf | 2 +-
 examples/workload_metadata_config/main.tf | 2 +-
 test/setup/versions.tf | 2 +-
 10 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
index 321534494d..3cacf0bb63 100644
--- a/examples/node_pool/main.tf
+++ b/examples/node_pool/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 provider "google-beta" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 region = var.region
 }
diff --git a/examples/node_pool_update_variant_beta/main.tf b/examples/node_pool_update_variant_beta/main.tf
index 407b7f565a..12e1d52cad 100644
--- a/examples/node_pool_update_variant_beta/main.tf
+++ b/examples/node_pool_update_variant_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 provider "google-beta" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 credentials = file(var.credentials_path)
 region = var.region
 }
diff --git a/examples/regional_private_node_pool_oauth_scopes/provider.tf b/examples/regional_private_node_pool_oauth_scopes/provider.tf
index e1c1042b80..48644bf6c1 100644
--- a/examples/regional_private_node_pool_oauth_scopes/provider.tf
+++ b/examples/regional_private_node_pool_oauth_scopes/provider.tf
@@ -19,5 +19,5 @@ provider "google" {
 }
 provider "google-beta" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 }
diff --git a/examples/safer_cluster/main.tf b/examples/safer_cluster/main.tf
index df2e553264..a1087f607d 100644
--- a/examples/safer_cluster/main.tf
+++ b/examples/safer_cluster/main.tf
@@ -34,7 +34,7 @@ provider "google" {
 }
 provider "google-beta" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 }
 module "gke" {
diff --git a/examples/safer_cluster_iap_bastion/provider.tf b/examples/safer_cluster_iap_bastion/provider.tf
index 32d96a52af..7f894855b6 100644
--- a/examples/safer_cluster_iap_bastion/provider.tf
+++ b/examples/safer_cluster_iap_bastion/provider.tf
@@ -15,9 +15,9 @@
 */
 provider "google" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 }
 provider "google-beta" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 }
diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf
index 81b053c82b..3a883b4353 100644
--- a/examples/simple_regional_beta/main.tf
+++ b/examples/simple_regional_beta/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 provider "google-beta" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 region = var.region
 }
diff --git a/examples/simple_regional_private_beta/main.tf b/examples/simple_regional_private_beta/main.tf
index 4336225fa4..51216fefa7 100644
--- a/examples/simple_regional_private_beta/main.tf
+++ b/examples/simple_regional_private_beta/main.tf
@@ -24,7 +24,7 @@ provider "google" {
 }
 provider "google-beta" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 region = var.region
 }
diff --git a/examples/simple_zonal_with_asm/main.tf b/examples/simple_zonal_with_asm/main.tf
index c639992c9a..cbf1d3f19f 100644
--- a/examples/simple_zonal_with_asm/main.tf
+++ b/examples/simple_zonal_with_asm/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 provider "google-beta" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 region = var.region
 }
diff --git a/examples/workload_metadata_config/main.tf b/examples/workload_metadata_config/main.tf
index 49a567d7a7..65ec36ce3a 100644
--- a/examples/workload_metadata_config/main.tf
+++ b/examples/workload_metadata_config/main.tf
@@ -19,7 +19,7 @@ locals {
 }
 provider "google-beta" {
- version = "~> 3.29.0"
+ version = "~> 3.32.0"
 region = var.region
 }
diff --git a/test/setup/versions.tf b/test/setup/versions.tf
index 4f8f9a028d..cec9f1d44e 100644
--- a/test/setup/versions.tf
+++ b/test/setup/versions.tf
@@ -23,5 +23,5 @@ provider "google" {
 }
 provider "google-beta" {
- version = "3.25.0"
+ version = "3.32.0"
 }
From b33b397ddef68ea9c44888d403e062e909ddfd25 Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Thu, 13 Aug 2020 20:27:52 +0200
Subject: [PATCH 5/8] Pin to Terraform 0.12.0
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 705a0c7e66..4f49e8c52b 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 0.12.0
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
From 71845b5bd362365fe4592b448f066b799e954ac2 Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Thu, 13 Aug 2020 20:28:29 +0200
Subject: [PATCH 6/8] Terraform Linter
---
 modules/beta-private-cluster-update-variant/README.md | 2 +-
 modules/beta-private-cluster/README.md | 2 +-
 modules/beta-public-cluster-update-variant/README.md | 1 +
 modules/beta-public-cluster/README.md | 2 +-
 modules/private-cluster-update-variant/variables.tf | 1 +
 modules/private-cluster/variables.tf | 1 +
 variables.tf | 1 +
 7 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index fb2b48688a..f31cec96ac 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -159,7 +159,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
-| disable\_default\_snat | bool | Whether to disable the default SNAT to support the private use of public IP addresses. | `"false"` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index c7169d2c9f..312e1c907a 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -137,7 +137,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
-| disable\_default\_snat | bool | Whether to disable the default SNAT to support the private use of public IP addresses. | `"false"` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 7467d5bc34..c5ca570b8e 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -152,6 +152,7 @@ Then perform the following commands on the root folder:
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 01b6c91f31..5900966e09 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -130,7 +130,7 @@ Then perform the following commands on the root folder:
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
-| disable\_default\_snat | bool | Whether to disable the default SNAT to support the private use of public IP addresses. | `"false"` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 896196f295..8188c2afd0 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -374,3 +374,4 @@ variable "gcloud_skip_download" {
 description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
 default = true
 }
+
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 896196f295..8188c2afd0 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -374,3 +374,4 @@ variable "gcloud_skip_download" {
 description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
 default = true
 }
+
diff --git a/variables.tf b/variables.tf
index d9dab264d5..08beb9f7b3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -350,3 +350,4 @@ variable "gcloud_skip_download" {
 description = "Whether to skip downloading gcloud (assumes gcloud is already available outside the module)"
 default = true
 }
+
From 38687af07d793c547b139bda0b93c1a580a96bb4 Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Thu, 13 Aug 2020 20:33:49 +0200
Subject: [PATCH 7/8] Update safercluster
---
 autogen/safer-cluster/main.tf.tmpl | 2 ++
 autogen/safer-cluster/variables.tf.tmpl | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 4ec677235e..df2a73a1f0 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -49,6 +49,8 @@ module "gke" {
 ip_range_pods = var.ip_range_pods
 ip_range_services = var.ip_range_services
+ disable_default_snat = var.disable_default_snat
+
 add_cluster_firewall_rules = var.add_cluster_firewall_rules
 firewall_priority = var.firewall_priority
 firewall_inbound_ports = var.firewall_inbound_ports
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 1170330d00..31c696ecb1 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -363,3 +363,9 @@ variable "config_connector" {
 description = "(Beta) Whether ConfigConnector is enabled for this cluster."
 default = false
 }
+
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
From c6a849ff95b93f710f4d9398d149e1d7b1d04918 Mon Sep 17 00:00:00 2001
From: Saverio Proto
Date: Thu, 13 Aug 2020 20:37:44 +0200
Subject: [PATCH 8/8] update safercluster
---
 modules/safer-cluster-update-variant/README.md | 1 +
 modules/safer-cluster-update-variant/main.tf | 2 ++
 modules/safer-cluster-update-variant/variables.tf | 6 ++++++
 modules/safer-cluster/README.md | 1 +
 modules/safer-cluster/main.tf | 2 ++
 modules/safer-cluster/variables.tf | 6 ++++++
 6 files changed, 18 insertions(+)
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index 9d6cdc716e..4adecdbc54 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -209,6 +209,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index 86f819885f..4505c7e925 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -45,6 +45,8 @@ module "gke" {
 ip_range_pods = var.ip_range_pods
 ip_range_services = var.ip_range_services
+ disable_default_snat = var.disable_default_snat
+
 add_cluster_firewall_rules = var.add_cluster_firewall_rules
 firewall_priority = var.firewall_priority
 firewall_inbound_ports = var.firewall_inbound_ports
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 6f24d35cff..fdf4e98436 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -363,3 +363,9 @@ variable "config_connector" {
 description = "(Beta) Whether ConfigConnector is enabled for this cluster."
 default = false
 }
+
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index 9d6cdc716e..4adecdbc54 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -209,6 +209,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | bool | `"false"` | no |
 | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index 2375b63a9d..f5fd724d31 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -45,6 +45,8 @@ module "gke" {
 ip_range_pods = var.ip_range_pods
 ip_range_services = var.ip_range_services
+ disable_default_snat = var.disable_default_snat
+
 add_cluster_firewall_rules = var.add_cluster_firewall_rules
 firewall_priority = var.firewall_priority
 firewall_inbound_ports = var.firewall_inbound_ports
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 6f24d35cff..fdf4e98436 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -363,3 +363,9 @@ variable "config_connector" {
 description = "(Beta) Whether ConfigConnector is enabled for this cluster."
 default = false
 }
+
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}